diff --git a/files.csv b/files.csv
index 9532521ed..ccd96049f 100755
--- a/files.csv
+++ b/files.csv
@@ -34959,3 +34959,4 @@ id,file,description,date,author,platform,type,port
 38685,platforms/linux/local/38685.py,"TACK 1.07 - Local Stack-Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,local,0
 38686,platforms/linux/local/38686.py,"TUDU 0.82 - Local Stack-Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,local,0
 38687,platforms/windows/dos/38687.py,"Sam Spade 1.14 - S-Lang Command Field SEH Overflow",2015-11-12,"Nipun Jaswal",windows,dos,0
+38688,platforms/php/webapps/38688.txt,"b374k Web Shell - CSRF Command Injection",2015-11-13,hyp3rlinx,php,webapps,0
diff --git a/platforms/php/webapps/38688.txt b/platforms/php/webapps/38688.txt
new file mode 100755
index 000000000..45cbd8604
--- /dev/null
+++ b/platforms/php/webapps/38688.txt
@@ -0,0 +1,154 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt
+
+
+Vendor:
+============================================
+github.com/b374k/b374k
+code.google.com/p/b374k-shell/downloads/list
+code.google.com/archive/p/b374k-shell/
+
+
+Product:
+==============================================
+b374k versions 3.2.3 and 2.8
+
+b374k is a PHP Webshell with many features such as:
+
+File manager (view, edit, rename, delete, upload, download as archive,etc)
+Command execution, Script execution (php, perl, python, ruby, java,
+node.js, c)
+Give you shell via bind/reverse shell connect
+Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more
+using ODBC or PDO)
+Process list/Task manager.
+
+This is useful for system/web admin to do remote management without opening
+cpanel, connecting using ssh,
+ftp etc. All actions take place within a web browser.
+
+Note:
+b374k is considered by some as a malicious backdoor and is flagged by some
+AV upon download.
+
+
+Vulnerability Type:
+=============================
+CSRF Remote Command Injection
+
+
+Vulnerability Details:
+=====================
+
+No CSRF protection exists in b374k Web Shell allowing arbitrary OS command
+injection, if currently
+logged in user visits our malicious website or clicks our infected linxs.
+
+vulnerable b374k code:
+
+' method='post'>
+' />
+
+
+
+
+
+Exploit code(s):
+=================
+
+Run Windows calc.exe as POC...
+
+[CSRF Command Injections]
+
+ v3.2
+
+
+Adding password and packing to b374k single PHP file.
+
+c:\xampp\htdocs\b374k-master>php -f index.php -- -o myshell.php -p abc123
+ -s -b -z gzcompress -c 9
+b374k shell packer 0.4.2
+
+Filename : myshell.php
+Password : xxxxxx
+Theme : default
+Modules : convert,database,info,mail,network,processes
+Strip : yes
+Base64 : yes
+Compression : gzcompress
+Compression level : 9
+Result : Succeeded : [ myshell.php ] Filesize : 111419
+
+
+(CSRF Command injection 1)
+
+
+
+
+
+ v2.8
+
+(CSRF Command injection 2)
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Description:
+==================================================
+
+Request Method(s): [+] POST
+
+
+Vulnerable Product: [+] b374k 3.2 and 2.8
+
+
+Vulnerable Parameter(s): [+] terminalInput, cmd
+
+
+Affected Area(s): [+] OS
+
+
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx